VMware vCloud Air HIPAA Matrix


goes to great lengths to ensure the security and availability of vCloud Air services. In this effort VMware has completed an independent third-party examination of vCloud Air against applicable regulatory requirements of HIPAA to service the needs and requirements of our Healthcare Industry customers.

To help customers comply with HIPAA, VMware offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers. The BAA was designed in conjunction with a leading law firm with expertise in HIPAA and provides fair and reasonable terms for healthcare providers, insurers, and other organizations. A high-level overview of this program is available online: http://www.vmware.com/files/pdf/vcloud-air/hipaa-hitech-compliance-using-vmware-vcloud-air.pdf

This document serves as a detailed account of the controls outlined in the vCloud Air Information Security Management System as it relates to HIPAA requirements. The Information Security Management System (ISMS) governing the vCloud Air service addresses essential elements of the HIPAA Security Rule and the HITECH Act. The criteria used in making this assertion were the information security program detail, and applicable control implementation guidance, located in the HIPAA Security Rule and HITECH requirement documentation. These controls include the following standards and specifications: Administrative Safeguards; Physical Safeguards; Technical Safeguards; and Breach Notification.

This matrix includes all of the HIPAA and HITECH regulations that vCloud Air has been assessed against by an independent third-party audit firm. This matrix is a tool that can assist your organization in quickly identifying the applicable regulations that the vCloud Air service is in compliance with and the control activities that satisfy those regulations.
**DISCLAIMER The scope of the vCloud Air HIPAA assessment and of this document is strictly limited to the regulations as they apply to VMware delivering the vCloud Air service. Any regulations listed with an N/A are regulations deemed to be outside the scope of VMware's responsibility. All regulations applicable to covered entities are assumed to be the customer's responsibility. This matrix should be used as guidance only and is not a guarantee that a customer is in compliance with the HIPAA regulations based on vCloud Air's assessment against the HIPAA and HITECH regulations.

To request a copy of the vCloud Air HIPAA assessment report, please contact your VMware salesperson.

Regulation

164.308(a)(1)(i) Standard: Security Management Process. A covered entity or business associate must implement policies and procedures to prevent, detect, contain, and correct security violations.

164.308(a)(1)(ii)(A) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

164.308(a)(1)(ii)(B) implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).

164.308(a)(1)(ii)(C) apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

164.308(a)(1)(ii)(D)

Control Activity

Administrative Safeguards

vCloud Air has documented policies and procedures in place to guide personnel in security practices, including but not limited to information security policy, access control policy and a risk management framework. Documented policies and procedures are in place to guide personnel in performing risk assessments on a periodic basis. A risk assessment is conducted on at least an annual basis. Additionally, information technology security awareness and HIPAA privacy awareness training programs are in place to communicate VMware security and HIPAA privacy policies to employees on an annual basis. Documented HIPAA violation sanction policies and procedures are in place to guide compliance personnel in applying sanctions to employees who fail to comply with security policies.

implement procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking.

164.308(a)(2) identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

164.308(a)(3)(i) Standard: Workforce Security. A covered entity or procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under 164.308(a)(4), and to prevent those workforce members who do not have access from obtaining access to EPHI.

164.308(a)(3)(ii)(A) implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed.

164.308(a)(3)(ii)(B) implement procedures to determine that the access of a workforce member to EPHI is appropriate.

164.308(a)(3)(ii)(C)

Security monitoring applications and manual reviews are used to monitor and analyze in-scope systems. Tracking tools for incidents are in place and user access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel. The vice president of information security is designated to develop, maintain, review, and approve the security policies. Documented policies and procedures are in place to guide personnel in adding new users, modifying access levels, and removing users who no longer need access. User access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel. Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system. Documented access authorization policies are in place to guide personnel in granting access to electronic protected health information. User access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel. Documented policies and procedures are in place to guide personnel in removing

implement procedures for terminating access to EPHI when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).

164.308(a)(4)(i) Standard: Information Access Management. A covered entity or business associate must implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.

164.308(a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must procedures that protect EPHI of the clearinghouse from unauthorized access by the larger organization.

164.308(a)(4)(ii)(B) procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process or other mechanism.

164.308(a)(4)(ii)(C) procedures that, based upon the covered entity's or business associate's

access for terminated employees. Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system. N/A Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system. Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system. A termination form is completed and access revoked for employees as a component of the employee termination process.

access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

164.308(a)(5)(i) Standard: Security Awareness Training: A covered entity or business associate must implement a security awareness and training program for all members of its workforce (including management).

164.308(a)(5)(ii)(A) provide periodic information security updates.

164.308(a)(5)(ii)(B) implement procedures for guarding against, detecting, and reporting malicious software.

164.308(a)(5)(ii)(C) implement procedures for monitoring login attempts and reporting discrepancies.

164.308(a)(5)(ii)(D) implement procedures for creating, changing, and safeguarding passwords.

164.308(a)(6)(i) Standard: Security Incident Procedures: A covered entity or business associate must implement policies and procedures to

A security awareness training program is in place to communicate the security obligations of internal users and employees are required to complete training annually. The VMware information technology security group monitors the security impact of potential security vulnerabilities and emerging technologies, and the impact of applicable laws or regulations are considered by senior management. A central antivirus server is configured with antivirus software to protect registered production Windows and Mac workstations and Windows production servers. Security monitoring applications and manual reviews by the security operations personnel are utilized to monitor and analyze the in-scope systems for possible or actual security breaches. The in-scope systems are configured to enforce predefined user account and minimum password requirements. Documented incident response policies and procedures for reporting security incidents are in place to guide personnel in identifying, reporting, and acting upon system security incidents.

address security incidents.

164.308(a)(6)(ii) identify and respond to suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

164.308(a)(7)(i) Standard: Contingency Plan: establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.

164.308(a)(7)(ii)(A) establish and implement procedures to create and maintain retrievable exact copies of EPHI.

164.308(a)(7)(ii)(B) establish (and implement as needed) procedures to restore any loss of data.

164.308(a)(7)(ii)(C) establish (and implement as needed) procedures to enable continuation of critical business processes

Documented incident response policies and procedures are in place to guide personnel in responding to suspected security incidents and to mitigate the effects of any security incidents. Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event. An automated backup system is in place to perform scheduled backups of production data and systems on a daily basis. IT operations personnel perform backup media restores as a component of normal business operations to verify that system components can be recovered from system backups. Documented disaster recovery plans are in place to guide personnel in restoring lost data. Documented contingency plans are in place to guide personnel in the continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

and for protection of the security of EPHI while operating in emergency mode.

164.308(a)(7)(ii)(D) implement procedures for periodic testing and revision of contingency plans.

164.308(a)(7)(ii)(E) assess the relative criticality of specific applications and data in support of other contingency plan components.

164.308(a)(8) Standard: Evaluation. A covered entity or business associate must perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

164.308(b)(1) A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance

Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event. Business continuity and disaster recovery plans are documented and include criticality assessments of applications and data to support the contingency plan. A risk assessment is conducted on at least an annual basis and policies and procedures are updated periodically based on results of operational and environment risk assessments. N/A

with 164.314(a) that the business associate or subcontractor business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

164.308(b)(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit EPHI on its behalf only if the business associate obtains satisfactory assurances, in accordance with 164.314(a), that the subcontractor will appropriately safeguard the information.

164.308(b)(3) Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a).

164.310(a)(1)(i) Standard: Facility Access Control. A covered entity or procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Nondisclosure agreements are utilized to document requirements for handling personal information by third parties.

Physical Safeguards

N/A Documented policies and procedures are in place for physical access to help ensure that properly authorized access is allowed to electronic information systems.

164.310(a)(2)(i) establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

164.310(a)(2)(ii) procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

164.310(a)(2)(iii) implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

164.310(a)(2)(iv) procedures to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks).

164.310(b) Standard: Workstation Use.

Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event. Documented policies and procedures are in place for physical access to help ensure that properly authorized access is allowed to electronic information systems. Procedures are in place to control and validate access to facilities based on role or function, including visitor control, and control of access to software programs for testing and revision. Documented policies and procedures are in place to document repairs and modifications to the physical components of a facility, which are related to security (for example, hardware, walls, doors, and locks). Personnel are required to adhere to acceptable use policies while performing respective job duties. Additionally, policies and procedures are in place to guide personnel in workstation security to apply appropriate protection to unattended

procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI.

164.310(c) Standard: Workstation Security. A covered entity or implement physical safeguards for all workstations that access EPHI to restrict access to authorized users.

164.310(d)(1) Standard: Device and Media Controls. A covered entity or business associate must implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.

164.310(d)(2)(i) procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored.

164.310(d)(2)(ii) implement procedures for removal of EPHI from electronic media before the media are available for

equipment. Documented policies and procedures are in place to guide personnel in workstation security and usage. Additionally, documented physical access policies and procedures are in place to guide personnel in physical security practices. Documented hardware and media accountability policies and procedures are in place to guide personnel in device and media control practices. A documented media disposal policy is in place to guide personnel in the disposal of sensitive data and information. A documented media re-use policy is in place to guide personnel in media re-use practices.

reuse.

164.310(d)(2)(iii) maintain a record of the movements of hardware and electronic media and the person responsible for its movement.

164.310(d)(2)(iv) create a retrievable, exact copy of EPHI, when needed, before movement of equipment.

164.312(a)(1) Standard: Access Control. implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

164.312(a)(2)(i) assign a unique name and/or number for identifying and tracking user identity.

164.312(a)(2)(ii) establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency.

164.312(a)(2)(iii)

VMware IT management maintains an inventory listing to track movement of hardware and electronic media. Documented policies and procedures are in place to guide personnel in asset security during movements of hardware and electronic media. An automated backup system is in place to perform scheduled backups of production data and systems on a daily basis. IT operations personnel also perform backup media restores as a component of normal business operations to verify that system components can be recovered from system backups.

Technical Safeguards

Documented policies and procedures are in place to guide personnel in limiting access control to only those persons or systems that have been granted access. Additionally, administrative access privileges to the in-scope systems are restricted to user accounts accessible by authorized personnel. The in-scope systems are configured to enforce predefined user account and minimum password requirements. Disaster recovery plans are in place to guide personnel in procedures to protect against disruptions caused by an unexpected event. The in-scope systems are configured to lock or log off user sessions after a predefined inactivity threshold.

implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

164.312(a)(2)(iv) implement a mechanism to encrypt and decrypt EPHI.

164.312(b) Standard: Audit Controls. A covered entity or business associate must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.

164.312(c)(1) Standard: Integrity. A covered entity or business associate must implement policies and procedures to protect EPHI from improper alteration or destruction.

164.312(c)(2) implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.

164.312(d) Standard: Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

164.312(e)(1)

Web servers utilize SSL encryption for web communication sessions. Encrypted VPNs are required for remote access to help ensure the security and integrity of the data passing over the public network. Security monitoring applications are utilized to monitor network events and configured to produce a monitoring report on a daily basis. Documented data integrity policies and procedures are in place to guide personnel in data integrity practices. N/A The in-scope systems are configured to enforce predefined user account and minimum password requirements. Web servers utilize SSL encryption for web communication sessions. Encrypted VPNs

Standard: Transmission Security. A covered entity or implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

164.312(e)(2)(i) Implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of.

164.312(e)(2)(ii) implement a mechanism to encrypt EPHI whenever deemed appropriate.

164.410(a)(1) A business associate shall, following the discovery of a breach of unsecured protected health information, notify covered entity of breach.

are required for remote access to help ensure the security and integrity of the data passing over the public network. N/A N/A

HITECH Breach Notification Safeguards

Documented policies and procedures are in place to guide personnel in notifying the covered entity upon discovery of a breach of unsecured protected health information no later than 30 days following the discovery.

164.410(a)(2) For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable

Documented policies and procedures are in place to guide personnel in responding to discovery of a breach.

diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).

164.410(b) Except as provided in 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

164.410(c)(1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.

Documented policies and procedures are in place to guide personnel in responding to discovery of a breach. Notification to covered entity upon discovery of a breach of unsecured protected health information no later than 30 days following the discovery. Documented policies and procedures are in place to guide personnel in notifying the covered entity upon discovery of a breach of unsecured protected health information and include, to the extent possible, the identification of each individual(s) whose unsecured protected health information was, or is reasonably believed to have been, accessed, acquired, used or disclosed during the breach.

164.410(c)(2) Business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.

Documented policies and procedures are in place to guide personnel in breach notifications, in plain language, to the covered entity that include.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com

Copyright 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.