TX HHS Form 0020. External Entity Information Security Risk Exception Request

Form 0020 is the formal mechanism by which an external entity under contract with Texas Health and Human Services (HHS) requests an exception for a security control it cannot meet. On the form the entity documents the noncompliance, explains why it cannot be remediated, and describes the compensating controls it has put in place; HHS then evaluates the residual risk to its data before deciding whether to grant the exception.

Purpose and Application of the Form

The primary purpose of Form 0020 is to allow external legal entities with Texas HHS contracts to request an exception when they identify a contractual security control whose noncompliance cannot be remediated. The process ensures that any noncompliance with contractual security obligations is documented, assessed, and mitigated appropriately to protect Texas HHS data. The completed form is confidential, reflecting the sensitivity of the information it contains: it describes a known weakness in the entity's controls over HHS data.

External entities use this form whenever they encounter a security control from the IS-Controls framework that they are unable to comply with fully. It is not a general reporting tool but specifically for requesting exceptions on a per-control basis, requiring a separate form for each noncompliant security control. This structured approach helps Texas HHS understand the risks, evaluate proposed compensating measures, and determine necessary actions, such as approving the exception, requiring further remediation, or adjusting contractual terms.

The form is essential in situations where contractual obligations involve handling Texas HHS data, and noncompliance could pose risks to data security. For example, it applies when an external vendor or partner discovers a technical, financial, or operational barrier to implementing a required security control, such as access control policies or procedures. By submitting this request, entities demonstrate accountability and collaborate with HHS to maintain data integrity and confidentiality.

Who Uses the Form and Requirements

This form is utilized by external legal entities that hold contracts with Texas HHS, including vendors, service providers, or other partners involved in processing or accessing HHS data. The point of contact from the entity typically completes and submits the form to Texas HHS. Key requirements include providing accurate and detailed information about the noncompliance, as incomplete submissions may delay evaluation or lead to rejection.

Submission must occur whenever noncompliance is identified and cannot be resolved through standard remediation efforts. Entities are required to submit one form per noncompliant security control, ensuring focused reviews. All data provided must be truthful, and the form's confidential status mandates secure handling to prevent unauthorized disclosure.

Structure and Sections of the Form

Form 0020 is divided into three main sections, each designed to capture specific details about the entity, the noncompliance issue, and the exception request. This organization allows for a clear, logical flow of information to support HHS's decision-making process.

Section A: External Entity Information

This section collects basic identifying and contact details to establish the context of the request and facilitate communication.

  • Date Submitted: The date when the form is being submitted to Texas HHS.
  • HHS Contract Number: The unique identifier for the contract between the external entity and Texas HHS.
  • External Entity Legal Name: The full legal name of the submitting organization.
  • Entity Address: The physical or mailing address of the entity.
  • Point of Contact Name: The name of the individual responsible for this request.
  • Point of Contact Email Address: The email address for the point of contact.
  • Point of Contact Phone Number: The phone number for direct communication with the point of contact.

Section B: Noncompliance Description

This section requires a detailed explanation of the specific security issue, helping Texas HHS assess the nature and potential risk of the noncompliance to HHS data.

  • Noncompliant Security Control: Identification of the specific security control from the IS-Controls framework for which the exception is requested, such as "AC-01, Access Control Policy and Procedures." A separate form is needed for each control.
  • Description of Finding: A comprehensive description of the aspects of the security control that the entity is noncompliant with, including the reasons for this noncompliance.

Section C: Risk Exception Request

This section outlines the rationale for the exception and proposed mitigations, providing Texas HHS with insights into alternatives and impacts.

  • Reason for Nonremediation: A detailed explanation of why the noncompliance cannot be addressed or remediated.
  • Compensating Controls: Descriptions of any alternative security measures in place to mitigate the risks associated with the noncompliance. These should be specific enough for HHS to judge whether they address the same risk the required control would have addressed and reduce it to an acceptable level.
  • Costs to Remediate Finding: An overview of the actions required to fix the noncompliance and implement the security control, along with associated costs.
  • Business Impact: An analysis of how remediating the issue and implementing the control would affect the entity's operations, finances, or other business aspects.

Key Form Details

Form Name: External Entity Information Security Risk Exception Request

Form Number: 0020

Associated Organization/Region: Texas Health and Human Services (HHS)

Edition Date: May 2019-E

Source Page: https://www.hhs.texas.gov/regulations/forms/0-999/form-0020-external-entity-information-security-risk-exception-request