Skip to content

Change Management Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Change Management Policy
Framework Reference: Secure Controls Framework – Change Management (CHG)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Change Management requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to govern changes to information systems, infrastructure, and services to reduce risk and maintain the availability, integrity, and confidentiality of systems handling ePHI.


This standard applies to all changes made to FRHC’s production systems, applications, infrastructure, cloud services, and configurations, including changes to environments supporting PatientRemedi and Credit Balance. It applies regardless of the size or origin of the change.


All proposed changes to FRHC production systems follow a documented change management workflow. Changes are logged and assessed for impact before implementation. Approval is required from designated personnel, including the Information Security Office when warranted by scope or risk. Emergency changes are handled through a separate expedited process but are also documented and reviewed after implementation.

  • Parent Policy Mapping: STH Change Management Policy, Section 3.1
  • SCF Mapping: CHG-01 (Change Management Program)

All changes to the FRHC IT environment are recorded in a centralized Change Tracking list. Each entry includes a detailed description of the change, implementation timeline, affected systems, and any linked documentation. Rollback plans and testing procedures are included where appropriate. The change tracking list is reviewed periodically for auditing and reporting purposes.

  • Parent Policy Mapping: STH Change Management Policy, Section 3.2
  • SCF Mapping: CHG-02 (Configuration Change Control)

Representatives from FRHC’s Information Security Office are involved in change planning to review proposed changes for potential impacts to security controls, data protection mechanisms, and ePHI confidentiality, integrity, or availability. Security review feedback and any required mitigation steps are documented and integrated into the change approval process.

  • Parent Policy Mapping: STH Change Management Policy, Section 3.2
  • SCF Mapping: CHG-03 (Security Impact Analysis for Changes)

FRHC ensures that all users and business stakeholders potentially impacted by a proposed change are notified in advance. Notifications include timelines, expected impacts, and points of contact for questions or feedback. Stakeholders may be asked to participate in testing, provide validation, or approve key components of the change depending on scope.

  • Parent Policy Mapping: STH Change Management Policy, Section 3.3
  • SCF Mapping: CHG-05 (Stakeholder Notification of Changes)

FRHC maintains evidence supporting change management controls, including change requests, approvals, implementation records, security impact analyses, and stakeholder notifications. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Change Management Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
    • 45 CFR §164.308(a)(8) – Evaluation
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.2, CC7.3)
    • Availability (A1.2)

Framework Alignment:

  • CHG-01 – Change Management Program
  • CHG-02 – Configuration Change Control
  • CHG-03 – Security Impact Analysis for Changes
  • CHG-05 – Stakeholder Notification of Changes

RevDescriptionDateApproved
-Original DocumentAugust 2022M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025May 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Corrected parent policy mapping references to current section format (Section N → Section 3.x)April 2026M Machin

Internal Use Only