Change Management Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Change Management Policy
Framework Reference: Secure Controls Framework – Change Management (CHG)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Change Management requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to govern changes to information systems, infrastructure, and services to reduce risk and maintain the availability, integrity, and confidentiality of systems handling ePHI.
2. Applicability
Section titled “2. Applicability”This standard applies to all changes made to FRHC’s production systems, applications, infrastructure, cloud services, and configurations, including changes to environments supporting PatientRemedi and Credit Balance. It applies regardless of the size or origin of the change.
3. Standard
Section titled “3. Standard”3.1 Change Management Program
Section titled “3.1 Change Management Program”All proposed changes to FRHC production systems follow a documented change management workflow. Changes are logged and assessed for impact before implementation. Approval is required from designated personnel, including the Information Security Office when warranted by scope or risk. Emergency changes are handled through a separate expedited process but are also documented and reviewed after implementation.
- Parent Policy Mapping: STH Change Management Policy, Section 3.1
- SCF Mapping: CHG-01 (Change Management Program)
3.2 Configuration Change Control
Section titled “3.2 Configuration Change Control”All changes to the FRHC IT environment are recorded in a centralized Change Tracking list. Each entry includes a detailed description of the change, implementation timeline, affected systems, and any linked documentation. Rollback plans and testing procedures are included where appropriate. The change tracking list is reviewed periodically for auditing and reporting purposes.
- Parent Policy Mapping: STH Change Management Policy, Section 3.2
- SCF Mapping: CHG-02 (Configuration Change Control)
3.3 Security Impact Analysis
Section titled “3.3 Security Impact Analysis”Representatives from FRHC’s Information Security Office are involved in change planning to review proposed changes for potential impacts to security controls, data protection mechanisms, and ePHI confidentiality, integrity, or availability. Security review feedback and any required mitigation steps are documented and integrated into the change approval process.
- Parent Policy Mapping: STH Change Management Policy, Section 3.2
- SCF Mapping: CHG-03 (Security Impact Analysis for Changes)
3.4 Stakeholder Notification of Changes
Section titled “3.4 Stakeholder Notification of Changes”FRHC ensures that all users and business stakeholders potentially impacted by a proposed change are notified in advance. Notifications include timelines, expected impacts, and points of contact for questions or feedback. Stakeholders may be asked to participate in testing, provide validation, or approve key components of the change depending on scope.
- Parent Policy Mapping: STH Change Management Policy, Section 3.3
- SCF Mapping: CHG-05 (Stakeholder Notification of Changes)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting change management controls, including change requests, approvals, implementation records, security impact analyses, and stakeholder notifications. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Change Management Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
- 45 CFR §164.308(a)(8) – Evaluation
- AICPA SOC 2 Trust Services Criteria:
- Security (CC7.2, CC7.3)
- Availability (A1.2)
Framework Alignment:
- CHG-01 – Change Management Program
- CHG-02 – Configuration Change Control
- CHG-03 – Security Impact Analysis for Changes
- CHG-05 – Stakeholder Notification of Changes
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Original Document | August 2022 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | May 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Corrected parent policy mapping references to current section format (Section N → Section 3.x) | April 2026 | M Machin |
