Visa Inc. HIPAA Privacy and Security Policies and Procedures

Transcription

1 Visa Inc. HIPAA Privacy and Security Policies and Procedures Originally Effective April 14, 2003 (HIPAA Privacy) And April 21, 2005 (HIPAA Security) Further Amended Effective February 17, 2010, Unless Otherwise Noted

2 Visa Group Health Plans HIPAA Policies and Procedures Table of Contents Sec. Topic Citation Introduction 1.0 Administrative 1.1 HIPAA Policy and Procedure Development and Approval 45 CFR (i) 1.2 Group Health Plans and Plan Document 45 CFR (f) 1.3 Designation of a Privacy Officer 45 CFR (a)(1)(i) 1.4 Mitigation of Harmful Effects of Unauthorized Use or Disclosure of Protected Health Information (PHI) 45 CFR (f) 1.5 Record Retention 45 CFR (b)(6), (j)(2) 1.6 Reporting of Non-Compliance with the HIPAA Rules 45 CFR Work Force Sanctions 45 CFR (e) 1.8 Verification of Person s Identity 45 CFR (h)(1) 1.9 Safeguards 45 CFR (c) 1.10 Audit of Privacy Standards 45 CFR (a)(1), (a); (a)(1), , (i), (b)(1)(iii)(A) - (C), Authorization 2.1 Authorization for Uses and Disclosures of PHI 45 CFR , (a) 3.0 Business Associates 3.1 Business Associates and Contracts 45 CFR (e), (e), , (b)(2), (b), (f), (d) and (b)(1) 4.0 Disclosure of PHI to Plan Sponsor 4.1 Disclosure of PHI to Plan Sponsor 45 CFR (f) 4.2 Granting Levels of Access to PHI 45 CFR , Table of Contents

3 Sec. Topic Citation 5.0 Individual Rights 5.1 Individual s Right to Access PHI 45 CFR Individual Request to Amend PHI 45 CFR Individual s Rights to Request Privacy Protection for PHI 45 CFR Complaint Process 45 CFR (a)(1)(ii), (d) 5.5 Notice of Privacy Practices 45 CFR Minimum Necessary 6.1 Minimum Use of PHI 45 CFR (b) and (d) 7.0 Training 7.1 Training Workforce Regarding Protection of Health Information 8.0 Uses and Disclosures 45 CFR, (b) 8.1 Uses and Disclosures of PHI 45 CFR (a) and (g), , , Accounting (Logging) of Disclosures of Member PHI 9.0 Administrative Safeguards 45 CFR Security Management Process Risk Analysis Risk Management Sanctions Information System Activity Review 45 CFR (a)(1)(i) 45 CFR (a)(1)(ii)(A) 45 CFR (a)(1)(ii)(B) 45 CFR (a)(1)(ii)(C) 45 CFR (a)(1)(ii)(D) and 45 CFR (b) (c)(2) 9.2 Assigned Security Responsibility 45 CFR (a)(2) 9.3 Workforce Security 45 CFR (a)(3)(i) Authorization and/or Supervision (A) 45 CFR (a)(3)(ii)(A) Workforce Clearance Procedure (A) 45 CFR (a)(3)(ii)(B) Termination Procedures (A) 45 CFR (a)(3)(ii)(C) 9.4 Information Access Management 45 CFR (a)(4)(i) Access Authorization (A) 45 CFR (a)(4)(ii)(B) Access Establishment and 45 CFR (a)(4)(ii)(C) Modification (A) Table of Contents

4 Sec. Topic Citation 9.5 Security Awareness and Training Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) 9.6 Security Incident Procedures Response and Reporting 45 CFR (a)(5)(i) 45 CFR (a)(5)(ii)(A) 45 CFR (a)(5)(ii)(B) 45 CFR (a)(5)(ii)(C) 45 CFR (a)(5)(ii)(D) 45 CFR (a)(6)(i) 45 CFR (a)(6)(ii) 9.7 Contingency Plan Data Backup Plan Disaster Recovery Plan Emergency Mode Operation Plan Testing and Revision Procedures (A) Applications and Data Criticality Analysis (A) 45 CFR (a)(7)(i)(A) (E) 45 CFR (a)(7)(ii)(A) 45 CFR (a)(7)(ii)(B) 45 CFR (a)(7)(ii)(C) 45 CFR (a)(7)(ii)(D) 45 CFR (a)(7)(ii)(E) 9.8 Periodic Evaluation 45 CFR (a)(8) 10.0 Physical Safeguards 10.1 Facility Access Controls 45 CFR (a)(1) Contingency Operations (A) 45 CFR (a)(2)(i) Facility Security Plan (A) 45 CFR (a)(2)(ii) Access Control and Validation (A) 45 CFR (a)(2)(iii) Maintenance Records (A) 45 CFR (a)(2)(iv) 10.2 Workstation Use 45 CFR (b) 10.3 Workstation Security 45 CFR (c) 10.4 Device and Media Controls Disposal Media Re-Use Accountability (A) Data Backup and Storage (A) 45 CFR (d)(1) - (2)(iv) 45 CFR (d)(2)(i) 45 CFR (d)(2)(ii) 45 CFR (d)(2)(iii) 45 CFR (d)(2)(iv) Table of Contents

5 Sec. Topic Citation 11.0 Technical Safeguards 11.1 Access Control 45 CFR (a)(1) Unique User Identification 45 CFR (a)(2)(i) Emergency Access Procedure 45 CFR (a)(2)(ii) Automatic Logoff (A) 45 CFR (a)(2)(iii) Encryption and Decryption (A) 45 CFR (a)(2)(iv) 11.2 Audit Controls 45 CFR (b) 11.3 Integrity 45 CFR (c)(1) Mechanism to Authenticate ephi (A) 45 CFR (c)(2) 11.4 Person or Entity Authentication 45 CFR (d) 11.5 Transmission Security 45 CFR (e)(1) Integrity Controls (A) 45 CFR (e)(2)(i) Encryption (A) 45 CFR (e)(2)(ii) 12.0 Breach of Unsecured PHI 12.1 Notification to Individuals Notificatioin to the Media Notification to the Secretary Administrative Requirements 45 CFR CFR CFR CFR Appendices Appendix A Appendix B Appendix C Appendix D Appendix E Appendix F Topic Definitions of HIPAA Terms Authorization Form Business Associate Inventory Business Associate Agreement and Certification Notice of Privacy Practices Role of the Privacy and Security Officer Table of Contents

6 Administrative INTRODUCTION TO THE Visa GROUP HEALTH PLAN HIPAA POLICIES AND PROCEDURES In compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Visa Inc. (Visa) has established these HIPAA Policies and Procedures (Policies and Procedures) to guard the confidentiality, integrity and availability of its employees protected health information maintained by the Visa Group Health Plans (referred to in this document as either Plan or Plans ). These Policies and Procedures were originally enacted effective April 14, 2003 as the Visa Group Health Plan HIPAA Privacy Policies and Procedures and the Visa Group Health Plan Security Rule Policies and Procedures effective April 21, They are now combined for HIPAA Privacy and HIPAA Security (as those terms are defined below) and further amended effective February 17, 2010, unless otherwise noted. HIPAA OVERVIEW Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), addresses the privacy and security requirement as they apply to health plans, (including employer group health plans), and certain health care providers. The HIPAA Privacy Rules, which became effective in 2003, are intended to protect each Individual employee s privacy regarding their health care information, called Protected Health Information (PHI). PHI, as defined by the law, includes individually identifiable information from medical, dental, vision, flex, EAP and other health-related benefit plans. The HIPAA Privacy Rules protect information on an Individual s past, present or future health care or payment for health care. PHI is protected whether it is used or disclosed orally, on paper, or electronically. The law defines the authorized and required uses and disclosures of PHI. ELECTRONIC PROTECTED HEALTH INFORMATION ( ephi ) In contrast to the HIPAA Privacy Rules, the HIPAA Security Regulations, effective in 2005, are applicable only to Electronic Protected Health Information (ephi). This means individually identifiable health information that is transmitted by electronic media or maintained in electronic media. The scope of the HIPAA Security Regulations is more limited than that of the HIPAA Privacy Regulations, which broadly apply to protected health information (PHI) in any and all forms (i.e. electronic, paper, oral). Furthermore, similar to the Privacy Regulations, employment records held by an employer group health plan, in its role as employer, are exempt from the Security Regulations. The final rules cover ephi at rest (that is, in storage) as well as during transmission. However, information that has been de-identified (i.e. not able to be identified with any particular employee), pursuant to the requirements of the HIPAA Privacy Regulations, is not PHI and thus is not subject to the security rules. 1.1 HIPAA Policy and Procedure Development and Approval

7 Administrative HIPAA SECURITY RULE REQUIREMENTS Under the HIPAA Security Regulations, employer group health plans need to satisfy four broad requirements: Ensure the confidentiality, integrity, and availability of all ephi that the group health plan creates, receives, maintains or transmits; Protect against any reasonably anticipated threats or hazards to the security or integrity of ephi; Protect against any reasonably anticipated impermissible uses and disclosures of ephi; and Ensure that the covered entity s workforce is in compliance with the Security Regulations. POLICIES AND PROCEDURES The objectives of the policies and procedures discussed in this document are to define how Visa safeguards PHI and ephi. These include: Privacy Safeguards, meaning those requirements that apply to PHI that is not electronic in form. The Privacy requirements also protect Individual access to health information and contain certain notice requirements that health plans must meet. Security Safeguards including Administrative Safeguards, which mean the administrative actions, policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect ephi; Physical Safeguards, which mean the physical measures, policies and procedures to protect Visa s electronic information systems, and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion; and Technical Safeguards, which mean the technology and the policy and procedures for its use that protect ephi and control access to it. Employer group health plans are required to comply with 22 standards described in the final Security Regulations. Most of the standards are implemented through "required" and "addressable" implementation specifications. An employer group health plan must comply with a "required" implementation specification. However, when an implementation specification is "addressable", an employer group health plan must assess whether the specification is a reasonable and appropriate safeguard given Visa group health Plans unique environment. Factors that can be used to determine whether a specification is reasonable and appropriate include risk analysis performed, risk mitigation strategy, security measures already in place, and the cost of implementation. With respect to "addressable" implementation specifications: 1.1 HIPAA Policy and Procedure Development and Approval

8 Administrative If the Visa group health plan determines that the specification is reasonable and appropriate, it must be implemented. If the implementation specification is determined to be an inappropriate and/or unreasonable security measure, but the standard cannot be met without implementation of an additional security safeguard, Visa group health plan may implement an alternative measure that accomplishes the same end as the addressable implementation specification. An employer group health plan that meets a given standard through alternative measures must document the decision, the rationale behind the decision, and the alternative safeguard implemented. Visa has implemented all the required and addressable implementation standards of the Security Regulations, except for the implementation specification requiring Isolating Health Care Clearinghouse Functions (45 CFR (a)(4)(ii)(A)) which would only apply if a health care clearinghouse is part of a larger organization. Visa has no such clearinghouse functions and therefore need not comply with this implementation specification. Visa has conducted an assessment of its existing safeguards against the Privacy Requirements and the Security Requirements including the required and addressable security implementation specifications. Visa has implemented reasonable and appropriate protection of ephi, will periodically monitor and review its security measures in place, and will amend this policies and procedures document when necessary to reflect organizational, environmental, technology, and regulatory changes. APPLICATION OF THESE POLICIES AND PROCEDURES The objective of the practices outlined in this document is to define how the Plans may handle and share PHI and how Visa has established reasonable and appropriate safeguards to ensure the confidentiality, integrity and availability of Individuals ephi and to protect this information from reasonably anticipated improper or unauthorized access, alteration, deletion and transmission. The safeguards include: Administrative Procedures, including how to verify an Individual s identity and how to audit the Privacy Standards; Authorizations, including when one is needed in using and disclosing PHI; Business Associates, including how to identify them and the contract language needed for the sharing of PHI by and with Business Associates; Individual Rights, including the right to request PHI and restrict some of its Disclosures; Administrative Safeguards, including an overview of the Plans Security management process, Security Incident procedures, access management, and periodic evaluation policy; Physical Safeguards, including the Plans Facility access controls, Workstation use and Security policies, and device and media controls; Technical Safeguards, including technology-based access and audit controls, Authentication methods, and data transmission and Integrity controls; and 1.1 HIPAA Policy and Procedure Development and Approval

9 Administrative Training and awareness for employees who handle PHI and ephi. It is important for you to read this document carefully and understand your role in handling and protecting PHI and ephi under HIPAA. There is a Glossary of Terms and Definitions in Appendix A of this Manual. Please refer to Appendix A for a complete description/definition of the capitalized terms whenever you see them in this Manual. If, after reading this document and attending HIPAA security awareness and training session, you still have questions, please contact Human Resources. 1.1 HIPAA Policy and Procedure Development and Approval

10 Administrative TOPIC: SUBJECT: HIPAA Policy and Procedure Development and Approval Process for Development and Approval of the Plans HIPAA Policy EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 This Section of the Visa policies and procedures document addresses Visa group health plan (GHP) documentation requirements under the Privacy and Security Regulations. Policies and Procedures An employer GHP must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Regulations. Further, an employer GHP must maintain its policies and procedures in written (including electronic) form. Group Health Plan Document An employer GHP must generally ensure that its Plan documents provide that a plan sponsor will reasonably and appropriately safeguard ephi created, received, maintained, or transmitted to or by the plan sponsor on behalf of the Visa GHPs. POLICY STATEMENT: The Plans will establish and maintain a methodology for consistent organization-wide development, Training, review, approval, assessment and updates of policies and procedures as required by the HIPAA Rules. PROCEDURES: The Plans policies and procedures will be reviewed and agreed upon by the Plans Privacy Officer or individuals to whom such Officer has delegated responsibility for compliance with the HIPAA Rules identified in this policy. Policies and procedures and any communications materials will be kept in written or electronic form as the Plans documentation. 1.1 HIPAA Policy and Procedure Development and Approval

11 Administrative TOPIC: SUBJECT: Group Health Plans and Plan Document Process to ensure that the Plans restrict Uses and Disclosures of PHI to the Plan sponsor consistent with the HIPAA Rules. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans, including the components which may be insured and self-insured, are covered entities. In order for the Plans to disclose PHI to the Plan sponsor or to provide for or permit the Disclosure of PHI to the Plan sponsor by a Health Insurance Issuer or HMO with respect to the Plans, Visa will ensure that the Plan documents restrict Uses and Disclosures of PHI by the Plan sponsor consistent with the HIPAA Rules, including those relating to Genetic Information for Underwriting Purposes. In order for the Plan sponsor to obtain PHI from the Plans without Authorization, the Plan documents will be amended to: Describe the permitted Uses and Disclosures of PHI by the Plan sponsor; Specify that Disclosure is permitted only upon receipt of a written certification by the Plan sponsor that the Plan documents have been amended in accordance with the HIPAA Rules; Provide adequate firewalls which identify the employees or classes of employees or other person under the Plan sponsor s control who will have access to PHI; Provide that the Plan sponsor will implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Availability and Integrity of the ephi it creates, receives, maintains or transmits on behalf of the Group Health Plans; Ensure that the separation between the Plans and the Plan sponsor is supported by reasonable and appropriate Security Measures; Require that the Plan sponsor report to the Plans any Security Incident of which it becomes aware; Ensure that any agents, including subcontractors, authorized to receive PHI agree to implement reasonable and appropriate Security Measures to protect the information; and Provide an effective mechanism for resolving any issues of non-compliance by the employees or class of employees who will have access to PHI. The Plans or a health issuer or HMO with respect to the Plans may disclose Summary Health Information to the Plan sponsor without regard to whether the Plan documents have been amended, if the Plan sponsor requests the Summary Health Information for the purpose of: Obtaining premium bids from Health Plans for providing health insurance coverage under the Plans; or Modifying, amending or terminating the Plans. 1.2 Group Health Plan and Plan Document

12 Administrative Additionally, the Plans (or a health issuer or HMO with respect to the Plans) may disclose to the Plan sponsor information on whether the Individual is participating in the Plans, or is enrolled in or has disenrolled from a Health Insurance Issuer or HMO without regard to whether the Plan documents have been amended by Visa. Effective as of the date determined by the Secretary, any disclosure of Summary Health Information provided to the Plan sponsor from a health issuer or HMO with respect to the Plans must not include Genetic Information for Underwriting Purposes. PROCEDURES: The Plans will: Determine and establish the permitted and required Uses and Disclosures of PHI by the Plan sponsor. Establish procedures for preventing the improper Uses and Disclosures of PHI by the Plan sponsor. Implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Availability and Integrity of the ephi it creates, receives, maintains or transmits on behalf of the Plans. Ensure that the separation between the Plans and the Plan sponsor is supported by reasonable and appropriate Security Measures. Determine the key employees (by job function/description) of the Plan sponsor who shall have access to the Plans PHI. Reports from third party administrators back to the Plans contain both aggregated data and individually identifiable data. These practices are intended to continue in the future. To the extent it is necessary to continue to receive Individually identifiable data, Visa will certify to its third party administrators that it has amended its Plan documents appropriately and disclose to them the identity of the Individuals within the Plans who are authorized to continue to view this data. Effective as of the date determined by the Secretary, the Plan sponsor will not accept any disclosure of Summary Health Information provided to the Plan sponsor by a health issuer or HMO with respect to the Plans that includes Genetic Information for Underwriting Purposes. Notwithstanding anything contained in this Manual to the contrary, effective as of the date determined by the Secretary, if the Plans receive PHI for the purpose of premium rating or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the Plans, the Plans may only use or disclose such PHI for such purpose or as may be Required by Law, subject to the prohibition against using or disclosing PHI that is Genetic Information for Underwriting Purposes. 1.2 Group Health Plan and Plan Document

13 Administrative TOPIC: SUBJECT: Designation of a Privacy Officer Designation of a Privacy Officer who is responsible for the development and implementation of the Plans Privacy policies and procedures. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will designate a Privacy Officer who is responsible for the development and implementation of the Plans HIPAA policies and procedures. The Privacy Officer will ensure a central point of accountability within Visa for Privacy- related issues. The Privacy Officer is charged with developing and implementing the policies and procedures for the Plans, as required throughout the HIPAA Rules and for compliance with the HIPAA Rules generally. The Privacy Officer may be an additional responsibility given to an existing employee of Visa. The Privacy Officer or a designee will be available to answer employee questions about the HIPAA Rules throughout the employee's appointment as the Privacy Officer. PROCEDURES: The Privacy Officer will be trained and able to review the Plans Privacy compliance. The Privacy Officer, or a designee, will: Conduct employee Training Establish a system for logging uses of PHI Document procedures for Individual access to PHI Establish employee Sanctions for failure to comply Maintain compliance records Monitor and respond to employee complaints The Privacy Officer, or a designee, will be responsible for monitoring the Plans Privacy procedures and practices internally on a periodic basis. Rick Leweke currently has been designated the HIPAA Privacy Officer for the Plans. A description of the role of the Privacy Officer is found in Appendix F. 1.3 Designation of a Privacy Officer

14 Administrative TOPIC: SUBJECT: Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI Process to mitigate any harmful effect of a Use or Disclosure of PHI in violation of the HIPAA Rules. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will develop and implement procedures to mitigate, to the extent practical, any harmful effect that is known to the Plans. This includes unauthorized Use or Disclosure of PHI by the Plans or its Business Associates. The Plans will be responsible for mitigating harm when the Plans have actual knowledge of harm even if a deleterious effect cannot be shown. The Plans will ensure (via its contracting process) that its Business Associates agree to mitigate, to the extent practicable, any harmful effect that is known to those Business Associates of a Use or Disclosure of PHI by a Business Associate in violation of the requirements of the HIPAA Rules. PROCEDURES: The Plans will take reasonable steps based on knowledge of where the information has been disclosed, how it might be used to cause harm to the patient or another Individual, and what steps can actually have a mitigating effect in that specific situation. The Plans will use flexibility and judgment by those familiar with the circumstances to dictate the approach that is the best to mitigating the harm. Visa Employees within the Firewall: Visa employees within the Firewall typically have access to PHI through day-to-day telephone calls, messages or personal visits from employees with benefits-related issues. If, in the administration of these tasks, an employee becomes aware of an inadvertent misuse, the employee, on his or her own or by seeking assistance of another employee within the Firewall, will take reasonable measures to end or limit the misuse. If PHI is disclosed to an unauthorized Individual, Visa (the Privacy Officer, or his designee or designees) will contact the person to whom the unauthorized disclosure was made, explain that they mistakenly received information and notify them that the information they received contains PHI which may not be used or further disclosed for any purpose. Reasonable steps should be taken to retrieve the information from the person who received it. Business Associate Other than the day to day assistance to employees and the functions described in this Section and Section 1.2 of the policies and procedures, all handling of PHI is done by Business 1.4 Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI

15 Administrative Associates who have contractually agreed to comply with the requirements of the HIPAA privacy regulations, including mitigation of harmful effects provision. If Visa becomes aware of an unauthorized use or disclosure of PHI, the HIPAA Privacy Committee will evaluate the specific situation and determine if any corrective action is needed. If a vendor s practice or pattern of activity has violated the privacy regulations, then Visa is obligated to take reasonable steps to cure the violation and have the vendor s practices changed. If such steps are unsuccessful, Visa will need to terminate the contract or if such termination is not feasible, Visa will report the problem to the Secretary of Health and Human Services. If an internal area within Visa has violated the privacy regulations, appropriate steps including outreach to the plan participants involved, application of sanctions, retraining, and other measures will be determined by the Benefits Committee. Examples: The Plans become aware that Business Associate discusses PHI with Individuals not on the list of employees within the Plans firewall (i.e., discussing a participant s claim with a supervisor or colleague). The Plans will contact the Business Associate and take reasonable steps to cure the violation, including verifying that that Business Associate is utilizing the proper list of Plan employees. Business Associate is sharing or selling participant names and/or diagnoses to a pharmaceutical company. The Plans will contact the Business Associate and take reasonable steps to cure the violation, terminate the contract, or contact the secretary and inform that person of the practice. An employee within the firewall receives a claims data report from a Business Associate and forwards to an employee within the firewall for review and analysis. The report is accidentally sent to the wrong person via or interoffice mail. Once the error has been detected, the employee shall take reasonable steps to retrieve the file from the person who received it. As a reasonable precaution against this contingency, employees who handle e- mails, files or reports containing PHI electronically shall be required to establish address listings specifically for others within the firewall for their electronic address book. The Plans become aware of an electronic breach of the corporate firewall, either intentional or unintentional. In such a case, the Plans internal Information Technology specialists may be required to evaluate whether specific data may have been improperly accessed. If such data is determined to have contained ephi, the Plans will use all reasonable efforts to contact the Individuals about whom the ephi related, and to see that the ephi is reobtained or destroyed. The Plans internal Information Technology specialists will be informed about and trained in regard to the sensitive and confidential nature of ephi so that any incidental Disclosure of PHI to them in the course of their job function may be properly contained. The Plans become aware that a Business Associate has mailed ID cards or other documentation containing PHI: (i) the wrong participant; or (ii) in such a way that PHI is visible through the envelope window. The Plans will contact the Business Associate and require it to take reasonable steps to correct the mailing, including identifying and contacting all Individuals who may have had PHI inadvertently disclosed in this manner. 1.4 Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI

16 Administrative TOPIC: SUBJECT: Record Retention Process for retaining the Plans Individual Health Information, including the development, implementation and maintenance of appropriate processes to provide healthcare records as requested. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will maintain all PHI and related documentation for six (6) years from the date of its creation or the date when it last was in effect, whichever is later, to meet the applicable requirements of the HIPAA Rules. The Plans intent is to ensure an Individual s PHI is available so that the Plans can comply with the Individual s requests for an accounting of Uses and Disclosures of their PHI. (See also, Accounting (Logging) of Disclosures of Member PHI, Section 8.2) Business Associate contracts will include contract language that meets the HIPAA record retention requirements, accessibility of records (i.e., for accounting purposes), and how records will be transferred upon termination. (See also, Business Associates and Contracts, Section 3.1). PROCEDURES: The Privacy Officer and or the assigned person will be designated to oversee the process used for record retention. Other managers may be charged with maintaining healthcare information as required within their department to be HIPAA compliant regarding record retention. A log for HIPAA Privacy complaints and a log for non-routine permissible Uses and Disclosures of protected Health Information will be developed and maintained. The contracts of the Business Associates have been amended to ensure that the Business Associates will comply with all aspects of the HIPAA Rules, including record retention. 1.5 Record Retention

17 Administrative TOPIC: SUBJECT: Reporting of Non-Compliance with the HIPAA Rules A process for filing a complaint with the Secretary when a person believes that the Plans, a Business Associate or other Covered Entity is not complying with the HIPAA Rules. EFFECTIVE DATE: February 17, 2010 REVISION DATES: POLICY STATEMENT: The Plans will support the HHS policy that states that an Individual may file a complaint with the Secretary when such an Individual believes that the Plans are not complying with the HIPAA Rules. The Plans will also allow persons other than the Individual, such as personal representatives, to exercise the rights of the Individual under certain circumstances (e.g., for a deceased Individual). Any person may become aware of conduct by the Plans that is in violation of the HIPAA Rules. This can include the Plans employees, Business Associates, members, or other organizations. Complaints can be filed by any person, group, or organization. The person or organization who files the complaint will not be subject to any embarrassing or retaliatory action or threat of action. PROCEDURES: Any Individual or organization that becomes aware of conduct by the Plans, its Business Associate(s), or another related Covered Entity that is in violation of the HIPAA Rules does not have to use the Plans internal HIPAA complaint process and can file a complaint directly with HHS. This includes the Plans employees and their dependents, Business Associates, and accrediting, oversight, and advocacy organizations. The Plans will provide the information necessary for the Individual or organization to contact HHS as part of the Notice of Privacy Practices and also upon further request. An Individual or organization who believes that an agreement can be reached with the Plans may also use the Plans HIPAA internal complaint process or other means to seek resolution before filing a complaint with the Secretary. (See, Complaint Process, Sec. 5.4.) 1.6 Reporting of Non-Compliance with the HIPAA Requirements

18 Administrative TOPIC: SUBJECT: Workforce Sanctions Process for applying appropriate Sanctions against the members of the Workforce who fail to comply with the Plans HIPAA Policies and Procedures or the HIPAA Rules. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans have established policies and procedures regarding disciplinary actions which are communicated to all employees, agents, contractors and other persons under the Plans direct control. Sanctions will be implemented for those Individuals who do not follow the outlined policies and procedures. This will be applied to all violations, not just repeat violations. The Plans will have disciplinary actions that are communicated to all employees, agents, and contractors. The Plans will make employees, agents, and contractors aware that violations may result in notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations. In addition to internal Plan Sanctions, employees, agents, and contractors of the Plans or the Plan sponsor will be advised of civil or criminal penalties for misuse or misappropriation of Health Information. The Plans will inform employees, agents and contractors that violations may result in notification to Law Enforcement Officials and regulatory, accreditation and licensure organizations. These Sanctions will be supported, and may be supplemented by Visa as needed, and may be added to all Business Associate agreements. PROCEDURES: Visa will determine what types of sanctions to apply. Violations of the outlined policies and procedures will be handled on a case-by-case basis through the Individual s manager and with the support of appropriate personnel organizations within Visa. If it is determined that a violation of the outlined policies and procedures has occurred, Visa will take timely and effective remedial action commensurate with the severity of the offense, including disciplinary action, up to immediate termination of employment. Employees of Business Associates are not employees of the Group Health Plan and are subject to the provisions outlined in the Business Associate contracts. Employees will be made aware of what actions are prohibited and punishable. Training will be provided and expectations will be made clear so Individuals are not sanctioned for doing things which they did not know were wrong or inappropriate. 1.7 Work Force Sanctions

19 Administrative Employee Sanctions may include any of the following: (a) Verbal warning (b) Re-Training and/or education (c) Notice of disciplinary action placed in personnel files (d) Other Sanctions, up to and including, termination of employment Business Associate Sanctions may include any of the following: (a) Verbal warning (b) Implementation of contract provisions that include contract penalties (c) Termination of contract (d) Notification to HHS The Human Resources Department will be responsible for notifying Workforce members who fail to comply with the HIPAA policies and procedures. The Privacy Officer and/or the Security Officer will assist Visa s Human Resources Department with the necessary information to appropriately apply disciplinary action, including notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations. Please refer to section of this Manual for Security Sanction procedures. 1.7 Work Force Sanctions

20 Administrative TOPIC: SUBJECT: Verification of Person s Identity Process to verify the identity of a person requesting PHI and the authority of any person to have access to PHI. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will have procedures reasonably designed to verify and identify the authority of persons requesting PHI. The Plans will verify the identity of a person requesting PHI and the authority of any person to have access to PHI if the identity or authority of the person is not known to the Plans. The Plans will obtain any documentation, Statements, or representations, whether oral or written, from the person requesting PHI when it is a condition of the Disclosure. This applies to all Disclosures of PHI, including Treatment, Payment and Health Care Operations, where the identity of the recipient is not known to the Plans. The Plans will establish reasonable procedures to address verification in Routine Disclosures under Business Associate agreements. PROCEDURES: For communications with the Plans members, the Plans will already have information about each Individual, collected during enrollment that can be used to establish identity, especially for verbal or electronic inquiries. For example, the Plans may ask for the social security number or employee number of Individuals seeking information or assistance by telephone. The Plans will make a reasonable effort to send/mail PHI to the entity authorized to receive it. A form of photo identification such as a driver s license or certain personal information such as date of birth may also be used to verify the identity of the Individual. Disclosures that require an opportunity for the Individual to agree or to object will not require verification of the person requesting PHI. Law Enforcement Official The requirement to disclose PHI for law enforcement purposes may be satisfied by the administrative subpoena or similar process or by a separate written statement that demonstrates the applicable requirements have been met. Public Health Officials The Plans may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the Disclosure of PHI is to a public official or a person acting on behalf of the public official: 1.8 Verification of Person s Identity

21 Administrative If the request is made in person, presentation of an agency identification badge, or other official credentials, or other proof of government status; If the request is in writing, the request is on appropriate government letterhead; A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority; or If the disclosure is made to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official. Exercise of Professional Judgment The Plans may also rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the Disclosure of PHI is to a public official or a person acting on behalf of the public official: A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; or If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority. Verification is met if the Plans rely on the exercise of professional judgment in making a use or disclosure in accordance with: The uses and disclosures that require an opportunity for the Individual to agree or to object; Emergency situations Where the Individual is unable to agree or object to disclosure due to incapacity or other emergency circumstance Disclosure to family members, close personal friends, and others involved in the Individual s care in emergency situations Acts on a good faith belief in making a disclosure in accordance with uses and disclosures to avert a serious threat to health or safety. Business Associates The Plans will ensure that the contracts of Business Associates have been amended to ensure that such Business Associates comply with HIPAA Rules. Typically, the third party administrator s use personal access codes/benefits access numbers for purposes of identify verification. 1.8 Verification of Person s Identity

22 Administrative TOPIC: SUBJECT: Safeguards Creating, implementing and maintaining reasonable processes and safeguards for the protection of PHI. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will have appropriate Administrative, Technical, and Physical Safeguards in place to protect the privacy of PHI and the Confidentiality, Integrity, and Availability of ephi. The Plans will reasonably safeguard PHI from any intentional or unintentional Use or Disclosure that is in violation of the HIPAA Rules. The Plans will have reasonable and appropriate Administrative, Physical, and Technical Safeguards in place to protect against the inadvertent Disclosure of PHI to persons other than the intended recipient. PROCEDURES: The list of appropriate safeguards will include: All materials and documents containing PHI must be removed from desktops when not in use and locked in appropriate desk drawers, file cabinets, etc. Ensure that computer monitors are shielded from the view of unauthorized Individuals. Ensure that fax transmissions are shielded from the view of unauthorized Individuals and that fax machines are not located in high-traffic areas. For walk-in employees who wish to discuss health-related issues, ensure that unauthorized Individuals do not overhear discussions or see any PHI being discussed. All documents containing PHI are required to be disposed of in shredding bins. All doors accessing areas where PHI is stored are required to remain locked after business hours, or when the area is unattended. All desk drawers and/or file cabinets housing PHI are required to be locked at the end of the work day. Personnel who are authorized to key or pass code access to PHI shall be limited. All computer system access should be password protected. Ensure that documents containing PHI, on desktops and workstations, are not in plain view of unauthorized Individuals. Other access controls or physical protections (i.e., locking devices on Workstations); Automatic data backups; Firewalls; and Automatic updates to anti-virus software. Additional safeguards applying to ephi may be found in Sections 9 through 11 of this Manual. 1.9 Safeguards

23 Administrative 1.9 Safeguards

24 Administrative TOPIC: SUBJECT: Audit of Privacy Standards Process for auditing the Plans handling of PHI, including the development, implementation and maintenance of appropriate Privacy monitoring practices. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will conduct periodic audits of Privacy practices. The goal is to determine if the Plans is in compliance with documented and implemented Privacy practices, policies, and procedures and is generally meeting the requirements of the HIPAA Rules governing Privacy. The Plans overall intent is to ensure that PHI is not released inappropriately or easily accessible to those who are not authorized to have access. For each Privacy audit that is undertaken, the Plans will describe what needs to be provided to support the audit and prove compliance. The Plans also will provide documentation in the form of an audit trail to be used as needed in the audit process. PROCEDURE: The Privacy Officer will be responsible for the overall Privacy audit process and will be assisted by other Human Resources Department staff as necessary to implement and maintain the Privacy audit policy and procedures. An Individual responsible to implement the Privacy audit process will be designated by the Privacy Officer. Selection of the Individual will be based on knowledge of the Human Resources Department and Visa s organization, as well as the HIPAA standards being reviewed. Privacy audits of the Plans will be completed on a periodic basis, with the exception of audits that result from incident reports or other specific events. As appropriate, Privacy audits will be incorporated into ongoing business process audits that follow other pre-existing audit requirements adopted by the Plans or the Plan sponsor. To consistently safeguard the Privacy of PHI, the audit will include the following areas to determine HIPAA compliance: Uses and Disclosures of PHI are compliant with HIPAA Levels of access to PHI are appropriately and consistently assigned De-identification of data is done when required Identity verification is done before PHI is given to a requestor The Minimum Necessary policy for PHI is followed routinely Authorizations are completed for Disclosures that are neither Routine nor non-routine but permissible PHI requests are appropriately logged 1.10 Audit of Privacy Standards

25 Administrative Responses to Individual requests for accounting of Disclosures are completed within the necessary time frame Individuals are given copies and able to inspect their healthcare information within the necessary time frame Privacy Notices are given to all Individuals as required under the Privacy Rules Complaints are reviewed and appropriate steps taken as needed for resolution of issues Business Associate contracts are up-to-date and include HIPAA requirements The Privacy Officer, or a designee, will review the Privacy audit reports to determine appropriate follow up actions, if any, if the audit scores are below the acceptable threshold level. The Plans Business Associates must make their internal practices, books, and records relating to the Use and Disclosure of PHI received from the Plans, or created or received by the Business Associate on behalf of the Plans, available to the Plans or, at the request of the Plans, to the Secretary, in a time and manner designated by the Plans or the Secretary, for purposes of the Secretary determining the Plans compliance with the HIPAA Rules. This agreement must be included and documented in the formal contract entered into between the Plans and its Business Associates. Please refer to section 9.8 of this Manual for Security evaluation procedures Audit of Privacy Standards

26 Authorization TOPIC: SUBJECT: Authorizations for Uses and Disclosures of PHI Process for authorizing Uses and Disclosures of PHI when it is not used for Payment, Treatment or operations, or non-routine, permissible Uses and Disclosures of PHI. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: Authorizations are required for the Use and Disclosure of PHI for purposes other than the permitted Uses and Disclosures specified in the Privacy Rule. The Plans will obtain the Individual s permission prior to using or disclosing PHI when it is not used to carry out Routine (Payment, Treatment or Health Care Operations) or non-routine Uses and Disclosures. Except as listed in the Uses and Disclosures of PHI Policy, Section 8.1, the Plans will not use or disclose PHI without an Authorization. When the Plans receive a properly authorized request for the release of PHI, the Plans will adhere to the terms of the Authorization. Effective as of the date determined by the Secretary, the Plans will not accept any Authorization that permits the Plans to use or disclose PHI that is Genetic Information for Underwriting Purposes. The Plans will document and retain any signed Authorizations and will provide the Individual with a copy of the signed Authorization. PROCEDURES: The Plans do not need to obtain an Authorization from the Individual to: Use or disclose PHI for the Plans Payment or Health Care Operations; Disclose PHI to a Health Care Provider for the Individual s Treatment; Disclose PHI to another Covered Entity or a Health Care Provider for that entity s Payment activities; and Disclose PHI to another Covered Entity for that entity s Health Care Operations if both entities have or had a relationship with the Individual whose PHI is being requested, the PHI pertains to the current or former relationship, and the purpose of the Disclosure is for: A Health Care Operations activity for which the Privacy Rule states an Authorization is not required; or Detection of Health Care fraud and abuse or compliance with Health Care fraud and abuse laws. 2.1 Authorization for Uses and Disclosures of PHI

27 Authorization Use or disclose PHI as specifically permitted by the Privacy Rule pursuant to an exception. When an Authorization is needed, the Individual is provided with a copy of the Authorization form and asked to sign it. Signing an Authorization form is voluntary and the Individual may refuse to sign it. A copy of the signed Authorization must be provided to the Individual. The Individual may revoke the Authorization, in writing, at any time. The permissions granted in the Authorization should not be acted upon if the Authorization has been revoked or if it has expired. The Authorization will be documented and retained for a period of six (6) years after it was created or expired, whichever date is later. Most Uses and Disclosures requiring an Authorization will be handled by the Plans third party administrators. These will include all Uses and Disclosures not identified in Parts I or II of Section 8.1, such as the Disclosure of PHI to another Covered Entity for Health Care operations purposes where that Covered Entity does not have a relationship with that Individual or it is not for one of the purposes listed in Section 8.1. The most likely instance in which an employee within the firewall may need an Authorization is when a participant wishes to name a personal representative (such as an employee s Manager, Union Representative or an Executive s Administrative Assistant). Any Authorizations will be filed and retained on-site for six (6) years at a central location within the Visa Human Resources Department, including copies of any Authorizations obtained at the local level. Employees within the firewall will honor revocations made in writing. Authorizations acquired by Business Associates will need to be revoked via the Business Associate and not by the Plans. When the need for an authorization arises, the Plan or Plans will get a signed authorization from the Individual whose PHI is going to be used or disclosed. As a reminder, authorization forms are not required when disclosing PHI for workers compensation claims, but are required for disclosing PHI for STD and LTD claims. Only the Plan or Plans standard authorization form should be used. The Individual disclosing the PHI must make sure that the authorization is not defective. A signed copy of all authorization and revocation forms must be sent to Visa s Benefits Department. The Benefits Department retains copies of all signed forms. When the Benefits Department receives a request for a revocation of an authorization, it first must research to see if the revocation can be honored. Then the Benefits Department will respond in writing to the Individual stating if the authorization has been revoked and, if not, the reason why. Copies of this letter are retained with the signed revocation request form. The Benefits Department is also responsible for contacting the person/entity listed as the person receiving the PHI on the initial authorization form and informing him or her of the revocation. 2.1 Authorization for Uses and Disclosures of PHI