Visa Inc. HIPAA Privacy and Security Policies and Procedures
Visa Inc. HIPAA Privacy and Security Policies and Procedures
Originally Effective April 14, 2003 (HIPAA Privacy) and April 21, 2005 (HIPAA Security)
Further Amended Effective February 17, 2010, Unless Otherwise Noted
Visa Group Health Plans HIPAA Policies and Procedures

Table of Contents

Sec.  Topic  [Citation]

Introduction

1.0  Administrative
1.1  HIPAA Policy and Procedure Development and Approval  [45 CFR (i)]
1.2  Group Health Plans and Plan Document  [45 CFR (f)]
1.3  Designation of a Privacy Officer  [45 CFR (a)(1)(i)]
1.4  Mitigation of Harmful Effects of Unauthorized Use or Disclosure of Protected Health Information (PHI)  [45 CFR (f)]
1.5  Record Retention  [45 CFR (b)(6), (j)(2)]
1.6  Reporting of Non-Compliance with the HIPAA Rules  [45 CFR]
1.7  Work Force Sanctions  [45 CFR (e)]
1.8  Verification of Person's Identity  [45 CFR (h)(1)]
1.9  Safeguards  [45 CFR (c)]
1.10  Audit of Privacy Standards  [45 CFR (a)(1), (a); (a)(1), , (i), (b)(1)(iii)(A) - (C)]

2.0  Authorization
2.1  Authorization for Uses and Disclosures of PHI  [45 CFR , (a)]

3.0  Business Associates
3.1  Business Associates and Contracts  [45 CFR (e), (e), , (b)(2), (b), (f), (d) and (b)(1)]

4.0  Disclosure of PHI to Plan Sponsor
4.1  Disclosure of PHI to Plan Sponsor  [45 CFR (f)]
4.2  Granting Levels of Access to PHI  [45 CFR , ]

5.0  Individual Rights
5.1  Individual's Right to Access PHI  [45 CFR]
5.2  Individual Request to Amend PHI  [45 CFR]
5.3  Individual's Rights to Request Privacy Protection for PHI  [45 CFR]
5.4  Complaint Process  [45 CFR (a)(1)(ii), (d)]
5.5  Notice of Privacy Practices  [45 CFR]

6.0  Minimum Necessary
6.1  Minimum Use of PHI  [45 CFR (b) and (d)]

7.0  Training
7.1  Training Workforce Regarding Protection of Health Information  [45 CFR , (b)]

8.0  Uses and Disclosures
8.1  Uses and Disclosures of PHI  [45 CFR (a) and (g), , , ]
8.2  Accounting (Logging) of Disclosures of Member PHI  [45 CFR]

9.0  Administrative Safeguards
9.1  Security Management Process  [45 CFR (a)(1)(i)]
     Risk Analysis  [45 CFR (a)(1)(ii)(A)]
     Risk Management  [45 CFR (a)(1)(ii)(B)]
     Sanctions  [45 CFR (a)(1)(ii)(C)]
     Information System Activity Review  [45 CFR (a)(1)(ii)(D) and 45 CFR (b) (c)(2)]
9.2  Assigned Security Responsibility  [45 CFR (a)(2)]
9.3  Workforce Security  [45 CFR (a)(3)(i)]
     Authorization and/or Supervision (A)  [45 CFR (a)(3)(ii)(A)]
     Workforce Clearance Procedure (A)  [45 CFR (a)(3)(ii)(B)]
     Termination Procedures (A)  [45 CFR (a)(3)(ii)(C)]
9.4  Information Access Management  [45 CFR (a)(4)(i)]
     Access Authorization (A)  [45 CFR (a)(4)(ii)(B)]
     Access Establishment and Modification (A)  [45 CFR (a)(4)(ii)(C)]
9.5  Security Awareness and Training  [45 CFR (a)(5)(i)]
     Security Reminders (A)  [45 CFR (a)(5)(ii)(A)]
     Protection from Malicious Software (A)  [45 CFR (a)(5)(ii)(B)]
     Log-in Monitoring (A)  [45 CFR (a)(5)(ii)(C)]
     Password Management (A)  [45 CFR (a)(5)(ii)(D)]
9.6  Security Incident Procedures  [45 CFR (a)(6)(i)]
     Response and Reporting  [45 CFR (a)(6)(ii)]
9.7  Contingency Plan  [45 CFR (a)(7)(i)(A) (E)]
     Data Backup Plan  [45 CFR (a)(7)(ii)(A)]
     Disaster Recovery Plan  [45 CFR (a)(7)(ii)(B)]
     Emergency Mode Operation Plan  [45 CFR (a)(7)(ii)(C)]
     Testing and Revision Procedures (A)  [45 CFR (a)(7)(ii)(D)]
     Applications and Data Criticality Analysis (A)  [45 CFR (a)(7)(ii)(E)]
9.8  Periodic Evaluation  [45 CFR (a)(8)]

10.0  Physical Safeguards
10.1  Facility Access Controls  [45 CFR (a)(1)]
      Contingency Operations (A)  [45 CFR (a)(2)(i)]
      Facility Security Plan (A)  [45 CFR (a)(2)(ii)]
      Access Control and Validation (A)  [45 CFR (a)(2)(iii)]
      Maintenance Records (A)  [45 CFR (a)(2)(iv)]
10.2  Workstation Use  [45 CFR (b)]
10.3  Workstation Security  [45 CFR (c)]
10.4  Device and Media Controls  [45 CFR (d)(1) - (2)(iv)]
      Disposal  [45 CFR (d)(2)(i)]
      Media Re-Use  [45 CFR (d)(2)(ii)]
      Accountability (A)  [45 CFR (d)(2)(iii)]
      Data Backup and Storage (A)  [45 CFR (d)(2)(iv)]

11.0  Technical Safeguards
11.1  Access Control  [45 CFR (a)(1)]
      Unique User Identification  [45 CFR (a)(2)(i)]
      Emergency Access Procedure  [45 CFR (a)(2)(ii)]
      Automatic Logoff (A)  [45 CFR (a)(2)(iii)]
      Encryption and Decryption (A)  [45 CFR (a)(2)(iv)]
11.2  Audit Controls  [45 CFR (b)]
11.3  Integrity  [45 CFR (c)(1)]
      Mechanism to Authenticate ePHI (A)  [45 CFR (c)(2)]
11.4  Person or Entity Authentication  [45 CFR (d)]
11.5  Transmission Security  [45 CFR (e)(1)]
      Integrity Controls (A)  [45 CFR (e)(2)(i)]
      Encryption (A)  [45 CFR (e)(2)(ii)]

12.0  Breach of Unsecured PHI
12.1  Notification to Individuals  [45 CFR]
      Notification to the Media  [45 CFR]
      Notification to the Secretary  [45 CFR]
      Administrative Requirements  [45 CFR]

Appendices
Appendix A  Definitions of HIPAA Terms
Appendix B  Authorization Form
Appendix C  Business Associate Inventory
Appendix D  Business Associate Agreement and Certification
Appendix E  Notice of Privacy Practices
Appendix F  Role of the Privacy and Security Officer
Administrative

INTRODUCTION TO THE Visa GROUP HEALTH PLAN HIPAA POLICIES AND PROCEDURES

In compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Visa Inc. (Visa) has established these HIPAA Policies and Procedures (Policies and Procedures) to guard the confidentiality, integrity and availability of its employees' protected health information maintained by the Visa Group Health Plans (referred to in this document as either "Plan" or "Plans"). These Policies and Procedures were originally enacted effective April 14, 2003 as the Visa Group Health Plan HIPAA Privacy Policies and Procedures and the Visa Group Health Plan Security Rule Policies and Procedures effective April 21, 2005. They are now combined for HIPAA Privacy and HIPAA Security (as those terms are defined below) and further amended effective February 17, 2010, unless otherwise noted.

HIPAA OVERVIEW

Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the privacy and security requirements as they apply to health plans (including employer group health plans) and certain health care providers. The HIPAA Privacy Rules, which became effective in 2003, are intended to protect each Individual employee's privacy regarding their health care information, called Protected Health Information (PHI). PHI, as defined by the law, includes individually identifiable information from medical, dental, vision, flex, EAP and other health-related benefit plans. The HIPAA Privacy Rules protect information on an Individual's past, present or future health care or payment for health care. PHI is protected whether it is used or disclosed orally, on paper, or electronically. The law defines the authorized and required uses and disclosures of PHI.

ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI)

In contrast to the HIPAA Privacy Rules, the HIPAA Security Regulations, effective in 2005, are applicable only to Electronic Protected Health Information (ePHI). This means individually identifiable health information that is transmitted by electronic media or maintained in electronic media. The scope of the HIPAA Security Regulations is more limited than that of the HIPAA Privacy Regulations, which broadly apply to protected health information (PHI) in any and all forms (i.e. electronic, paper, oral). Furthermore, similar to the Privacy Regulations, employment records held by an employer group health plan, in its role as employer, are exempt from the Security Regulations. The final rules cover ePHI at rest (that is, in storage) as well as during transmission. However, information that has been de-identified (i.e. not able to be identified with any particular employee) pursuant to the requirements of the HIPAA Privacy Regulations is not PHI and thus is not subject to the security rules.

1.1 HIPAA Policy and Procedure Development and Approval
HIPAA SECURITY RULE REQUIREMENTS

Under the HIPAA Security Regulations, employer group health plans need to satisfy four broad requirements:
- Ensure the confidentiality, integrity, and availability of all ePHI that the group health plan creates, receives, maintains or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI;
- Protect against any reasonably anticipated impermissible uses and disclosures of ePHI; and
- Ensure that the covered entity's workforce is in compliance with the Security Regulations.

POLICIES AND PROCEDURES

The objectives of the policies and procedures discussed in this document are to define how Visa safeguards PHI and ePHI. These include:
- Privacy Safeguards, meaning those requirements that apply to PHI that is not electronic in form. The Privacy requirements also protect Individual access to health information and contain certain notice requirements that health plans must meet.
- Security Safeguards, including:
  - Administrative Safeguards, which mean the administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI;
  - Physical Safeguards, which mean the physical measures, policies and procedures to protect Visa's electronic information systems, and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion; and
  - Technical Safeguards, which mean the technology and the policy and procedures for its use that protect ePHI and control access to it.

Employer group health plans are required to comply with 22 standards described in the final Security Regulations. Most of the standards are implemented through "required" and "addressable" implementation specifications. An employer group health plan must comply with a "required" implementation specification. However, when an implementation specification is "addressable", an employer group health plan must assess whether the specification is a reasonable and appropriate safeguard given the Visa group health Plans' unique environment. Factors that can be used to determine whether a specification is reasonable and appropriate include the risk analysis performed, the risk mitigation strategy, security measures already in place, and the cost of implementation. With respect to "addressable" implementation specifications:
- If the Visa group health plan determines that the specification is reasonable and appropriate, it must be implemented.
- If the implementation specification is determined to be an inappropriate and/or unreasonable security measure, but the standard cannot be met without implementation of an additional security safeguard, the Visa group health plan may implement an alternative measure that accomplishes the same end as the addressable implementation specification.

An employer group health plan that meets a given standard through alternative measures must document the decision, the rationale behind the decision, and the alternative safeguard implemented.

Visa has implemented all the required and addressable implementation standards of the Security Regulations, except for the implementation specification requiring Isolating Health Care Clearinghouse Functions (45 CFR (a)(4)(ii)(A)), which would only apply if a health care clearinghouse is part of a larger organization. Visa has no such clearinghouse functions and therefore need not comply with this implementation specification.

Visa has conducted an assessment of its existing safeguards against the Privacy Requirements and the Security Requirements, including the required and addressable security implementation specifications. Visa has implemented reasonable and appropriate protection of ePHI, will periodically monitor and review its security measures in place, and will amend this policies and procedures document when necessary to reflect organizational, environmental, technology, and regulatory changes.

APPLICATION OF THESE POLICIES AND PROCEDURES

The objective of the practices outlined in this document is to define how the Plans may handle and share PHI and how Visa has established reasonable and appropriate safeguards to ensure the confidentiality, integrity and availability of Individuals' ePHI and to protect this information from reasonably anticipated improper or unauthorized access, alteration, deletion and transmission. The safeguards include:
- Administrative Procedures, including how to verify an Individual's identity and how to audit the Privacy Standards;
- Authorizations, including when one is needed in using and disclosing PHI;
- Business Associates, including how to identify them and the contract language needed for the sharing of PHI by and with Business Associates;
- Individual Rights, including the right to request PHI and restrict some of its Disclosures;
- Administrative Safeguards, including an overview of the Plans' Security management process, Security Incident procedures, access management, and periodic evaluation policy;
- Physical Safeguards, including the Plans' Facility access controls, Workstation use and Security policies, and device and media controls;
- Technical Safeguards, including technology-based access and audit controls, Authentication methods, and data transmission and Integrity controls; and
- Training and awareness for employees who handle PHI and ePHI.

It is important for you to read this document carefully and understand your role in handling and protecting PHI and ePHI under HIPAA. There is a Glossary of Terms and Definitions in Appendix A of this Manual. Please refer to Appendix A for a complete description/definition of the capitalized terms whenever you see them in this Manual. If, after reading this document and attending a HIPAA security awareness and training session, you still have questions, please contact Human Resources.
TOPIC: HIPAA Policy and Procedure Development and Approval
SUBJECT: Process for Development and Approval of the Plans' HIPAA Policy
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

This Section of the Visa policies and procedures document addresses Visa group health plan (GHP) documentation requirements under the Privacy and Security Regulations.

Policies and Procedures
An employer GHP must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Regulations. Further, an employer GHP must maintain its policies and procedures in written (including electronic) form.

Group Health Plan Document
An employer GHP must generally ensure that its Plan documents provide that a plan sponsor will reasonably and appropriately safeguard ePHI created, received, maintained, or transmitted to or by the plan sponsor on behalf of the Visa GHPs.

POLICY STATEMENT:
The Plans will establish and maintain a methodology for consistent organization-wide development, Training, review, approval, assessment and updates of policies and procedures as required by the HIPAA Rules.

PROCEDURES:
The Plans' policies and procedures will be reviewed and agreed upon by the Plans' Privacy Officer or individuals to whom such Officer has delegated responsibility for compliance with the HIPAA Rules identified in this policy. Policies and procedures and any communications materials will be kept in written or electronic form as the Plans' documentation.
TOPIC: Group Health Plans and Plan Document
SUBJECT: Process to ensure that the Plans restrict Uses and Disclosures of PHI to the Plan sponsor consistent with the HIPAA Rules.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans, including the components which may be insured and self-insured, are covered entities. In order for the Plans to disclose PHI to the Plan sponsor, or to provide for or permit the Disclosure of PHI to the Plan sponsor by a Health Insurance Issuer or HMO with respect to the Plans, Visa will ensure that the Plan documents restrict Uses and Disclosures of PHI by the Plan sponsor consistent with the HIPAA Rules, including those relating to Genetic Information for Underwriting Purposes. In order for the Plan sponsor to obtain PHI from the Plans without Authorization, the Plan documents will be amended to:
- Describe the permitted Uses and Disclosures of PHI by the Plan sponsor;
- Specify that Disclosure is permitted only upon receipt of a written certification by the Plan sponsor that the Plan documents have been amended in accordance with the HIPAA Rules;
- Provide adequate firewalls which identify the employees or classes of employees or other persons under the Plan sponsor's control who will have access to PHI;
- Provide that the Plan sponsor will implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Availability and Integrity of the ePHI it creates, receives, maintains or transmits on behalf of the Group Health Plans;
- Ensure that the separation between the Plans and the Plan sponsor is supported by reasonable and appropriate Security Measures;
- Require that the Plan sponsor report to the Plans any Security Incident of which it becomes aware;
- Ensure that any agents, including subcontractors, authorized to receive PHI agree to implement reasonable and appropriate Security Measures to protect the information; and
- Provide an effective mechanism for resolving any issues of non-compliance by the employees or class of employees who will have access to PHI.

The Plans, or a health issuer or HMO with respect to the Plans, may disclose Summary Health Information to the Plan sponsor without regard to whether the Plan documents have been amended, if the Plan sponsor requests the Summary Health Information for the purpose of:
- Obtaining premium bids from Health Plans for providing health insurance coverage under the Plans; or
- Modifying, amending or terminating the Plans.

1.2 Group Health Plan and Plan Document
Additionally, the Plans (or a health issuer or HMO with respect to the Plans) may disclose to the Plan sponsor information on whether the Individual is participating in the Plans, or is enrolled in or has disenrolled from a Health Insurance Issuer or HMO, without regard to whether the Plan documents have been amended by Visa. Effective as of the date determined by the Secretary, any disclosure of Summary Health Information provided to the Plan sponsor from a health issuer or HMO with respect to the Plans must not include Genetic Information for Underwriting Purposes.

PROCEDURES:
The Plans will:
- Determine and establish the permitted and required Uses and Disclosures of PHI by the Plan sponsor.
- Establish procedures for preventing the improper Uses and Disclosures of PHI by the Plan sponsor.
- Implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Availability and Integrity of the ePHI it creates, receives, maintains or transmits on behalf of the Plans.
- Ensure that the separation between the Plans and the Plan sponsor is supported by reasonable and appropriate Security Measures.
- Determine the key employees (by job function/description) of the Plan sponsor who shall have access to the Plans' PHI.

Reports from third party administrators back to the Plans contain both aggregated data and individually identifiable data. These practices are intended to continue in the future. To the extent it is necessary to continue to receive Individually identifiable data, Visa will certify to its third party administrators that it has amended its Plan documents appropriately and disclose to them the identity of the Individuals within the Plans who are authorized to continue to view this data.

Effective as of the date determined by the Secretary, the Plan sponsor will not accept any disclosure of Summary Health Information provided to the Plan sponsor by a health issuer or HMO with respect to the Plans that includes Genetic Information for Underwriting Purposes. Notwithstanding anything contained in this Manual to the contrary, effective as of the date determined by the Secretary, if the Plans receive PHI for the purpose of premium rating or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the Plans, the Plans may only use or disclose such PHI for such purpose or as may be Required by Law, subject to the prohibition against using or disclosing PHI that is Genetic Information for Underwriting Purposes.
TOPIC: Designation of a Privacy Officer
SUBJECT: Designation of a Privacy Officer who is responsible for the development and implementation of the Plans' Privacy policies and procedures.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will designate a Privacy Officer who is responsible for the development and implementation of the Plans' HIPAA policies and procedures. The Privacy Officer will ensure a central point of accountability within Visa for Privacy-related issues. The Privacy Officer is charged with developing and implementing the policies and procedures for the Plans, as required throughout the HIPAA Rules and for compliance with the HIPAA Rules generally. The Privacy Officer may be an additional responsibility given to an existing employee of Visa. The Privacy Officer or a designee will be available to answer employee questions about the HIPAA Rules throughout the employee's appointment as the Privacy Officer.

PROCEDURES:
The Privacy Officer will be trained and able to review the Plans' Privacy compliance. The Privacy Officer, or a designee, will:
- Conduct employee Training
- Establish a system for logging uses of PHI
- Document procedures for Individual access to PHI
- Establish employee Sanctions for failure to comply
- Maintain compliance records
- Monitor and respond to employee complaints

The Privacy Officer, or a designee, will be responsible for monitoring the Plans' Privacy procedures and practices internally on a periodic basis. Rick Leweke currently has been designated the HIPAA Privacy Officer for the Plans. A description of the role of the Privacy Officer is found in Appendix F.

1.3 Designation of a Privacy Officer
TOPIC: Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI
SUBJECT: Process to mitigate any harmful effect of a Use or Disclosure of PHI in violation of the HIPAA Rules.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will develop and implement procedures to mitigate, to the extent practical, any harmful effect that is known to the Plans. This includes unauthorized Use or Disclosure of PHI by the Plans or its Business Associates. The Plans will be responsible for mitigating harm when the Plans have actual knowledge of harm, even if a deleterious effect cannot be shown. The Plans will ensure (via its contracting process) that its Business Associates agree to mitigate, to the extent practicable, any harmful effect that is known to those Business Associates of a Use or Disclosure of PHI by a Business Associate in violation of the requirements of the HIPAA Rules.

PROCEDURES:
The Plans will take reasonable steps based on knowledge of where the information has been disclosed, how it might be used to cause harm to the patient or another Individual, and what steps can actually have a mitigating effect in that specific situation. The Plans will rely on the flexibility and judgment of those familiar with the circumstances to determine the approach that is best for mitigating the harm.

Visa Employees within the Firewall:
Visa employees within the Firewall typically have access to PHI through day-to-day telephone calls, messages or personal visits from employees with benefits-related issues. If, in the administration of these tasks, an employee becomes aware of an inadvertent misuse, the employee, on his or her own or by seeking the assistance of another employee within the Firewall, will take reasonable measures to end or limit the misuse.
If PHI is disclosed to an unauthorized Individual, Visa (the Privacy Officer, or his designee or designees) will contact the person to whom the unauthorized disclosure was made, explain that they mistakenly received information, and notify them that the information they received contains PHI which may not be used or further disclosed for any purpose. Reasonable steps should be taken to retrieve the information from the person who received it.

Business Associates:
Other than the day-to-day assistance to employees and the functions described in this Section and Section 1.2 of the policies and procedures, all handling of PHI is done by Business Associates who have contractually agreed to comply with the requirements of the HIPAA privacy regulations, including the mitigation of harmful effects provision. If Visa becomes aware of an unauthorized use or disclosure of PHI, the HIPAA Privacy Committee will evaluate the specific situation and determine if any corrective action is needed. If a vendor's practice or pattern of activity has violated the privacy regulations, then Visa is obligated to take reasonable steps to cure the violation and have the vendor's practices changed. If such steps are unsuccessful, Visa will need to terminate the contract or, if such termination is not feasible, Visa will report the problem to the Secretary of Health and Human Services. If an internal area within Visa has violated the privacy regulations, appropriate steps, including outreach to the plan participants involved, application of sanctions, retraining, and other measures, will be determined by the Benefits Committee.

Examples:
- The Plans become aware that a Business Associate discusses PHI with Individuals not on the list of employees within the Plans' firewall (i.e., discussing a participant's claim with a supervisor or colleague). The Plans will contact the Business Associate and take reasonable steps to cure the violation, including verifying that the Business Associate is utilizing the proper list of Plan employees.
- A Business Associate is sharing or selling participant names and/or diagnoses to a pharmaceutical company. The Plans will contact the Business Associate and take reasonable steps to cure the violation, terminate the contract, or contact the Secretary and inform that person of the practice.
- An employee within the firewall receives a claims data report from a Business Associate and forwards it to an employee within the firewall for review and analysis. The report is accidentally sent to the wrong person via e-mail or interoffice mail. Once the error has been detected, the employee shall take reasonable steps to retrieve the file from the person who received it. As a reasonable precaution against this contingency, employees who handle e-mails, files or reports containing PHI electronically shall be required to establish address listings specifically for others within the firewall in their electronic address book.
- The Plans become aware of an electronic breach of the corporate firewall, either intentional or unintentional. In such a case, the Plans' internal Information Technology specialists may be required to evaluate whether specific data may have been improperly accessed. If such data is determined to have contained ePHI, the Plans will use all reasonable efforts to contact the Individuals to whom the ePHI related, and to see that the ePHI is reobtained or destroyed. The Plans' internal Information Technology specialists will be informed about and trained in regard to the sensitive and confidential nature of ePHI so that any incidental Disclosure of PHI to them in the course of their job function may be properly contained.
- The Plans become aware that a Business Associate has mailed ID cards or other documentation containing PHI: (i) to the wrong participant; or (ii) in such a way that PHI is visible through the envelope window. The Plans will contact the Business Associate and require it to take reasonable steps to correct the mailing, including identifying and contacting all Individuals who may have had PHI inadvertently disclosed in this manner.

1.4 Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI
TOPIC: Record Retention
SUBJECT: Process for retaining the Plans' Individual Health Information, including the development, implementation and maintenance of appropriate processes to provide healthcare records as requested.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will maintain all PHI and related documentation for six (6) years from the date of its creation or the date when it last was in effect, whichever is later, to meet the applicable requirements of the HIPAA Rules. The Plans' intent is to ensure an Individual's PHI is available so that the Plans can comply with the Individual's requests for an accounting of Uses and Disclosures of their PHI. (See also Accounting (Logging) of Disclosures of Member PHI, Section 8.2.) Business Associate contracts will include contract language that meets the HIPAA record retention requirements, accessibility of records (i.e., for accounting purposes), and how records will be transferred upon termination. (See also Business Associates and Contracts, Section 3.1.)

PROCEDURES:
The Privacy Officer and/or the assigned person will be designated to oversee the process used for record retention. Other managers may be charged with maintaining healthcare information as required within their department to be HIPAA compliant regarding record retention. A log for HIPAA Privacy complaints and a log for non-routine permissible Uses and Disclosures of Protected Health Information will be developed and maintained. The contracts of the Business Associates have been amended to ensure that the Business Associates will comply with all aspects of the HIPAA Rules, including record retention.

1.5 Record Retention
TOPIC: Reporting of Non-Compliance with the HIPAA Rules
SUBJECT: A process for filing a complaint with the Secretary when a person believes that the Plans, a Business Associate or other Covered Entity is not complying with the HIPAA Rules.
EFFECTIVE DATE: February 17, 2010
REVISION DATES:

POLICY STATEMENT:
The Plans will support the HHS policy that states that an Individual may file a complaint with the Secretary when such an Individual believes that the Plans are not complying with the HIPAA Rules. The Plans will also allow persons other than the Individual, such as personal representatives, to exercise the rights of the Individual under certain circumstances (e.g., for a deceased Individual). Any person may become aware of conduct by the Plans that is in violation of the HIPAA Rules. This can include the Plans' employees, Business Associates, members, or other organizations. Complaints can be filed by any person, group, or organization. The person or organization who files the complaint will not be subject to any embarrassing or retaliatory action or threat of action.

PROCEDURES:
Any Individual or organization that becomes aware of conduct by the Plans, its Business Associate(s), or another related Covered Entity that is in violation of the HIPAA Rules does not have to use the Plans' internal HIPAA complaint process and can file a complaint directly with HHS. This includes the Plans' employees and their dependents, Business Associates, and accrediting, oversight, and advocacy organizations. The Plans will provide the information necessary for the Individual or organization to contact HHS as part of the Notice of Privacy Practices and also upon further request. An Individual or organization who believes that an agreement can be reached with the Plans may also use the Plans' HIPAA internal complaint process or other means to seek resolution before filing a complaint with the Secretary. (See Complaint Process, Sec. 5.4.)

1.6 Reporting of Non-Compliance with the HIPAA Requirements
TOPIC: Workforce Sanctions
SUBJECT: Process for applying appropriate Sanctions against the members of the Workforce who fail to comply with the Plans' HIPAA Policies and Procedures or the HIPAA Rules.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans have established policies and procedures regarding disciplinary actions which are communicated to all employees, agents, contractors and other persons under the Plans' direct control. Sanctions will be implemented for those Individuals who do not follow the outlined policies and procedures. This will be applied to all violations, not just repeat violations.

The Plans will have disciplinary actions that are communicated to all employees, agents, and contractors. The Plans will make employees, agents, and contractors aware that violations may result in notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations. In addition to internal Plan Sanctions, employees, agents, and contractors of the Plans or the Plan sponsor will be advised of civil or criminal penalties for misuse or misappropriation of Health Information. The Plans will inform employees, agents and contractors that violations may result in notification to Law Enforcement Officials and regulatory, accreditation and licensure organizations.

These Sanctions will be supported, and may be supplemented by Visa as needed, and may be added to all Business Associate agreements.

PROCEDURES:
Visa will determine what types of sanctions to apply. Violations of the outlined policies and procedures will be handled on a case-by-case basis through the Individual's manager and with the support of appropriate personnel organizations within Visa.

If it is determined that a violation of the outlined policies and procedures has occurred, Visa will take timely and effective remedial action commensurate with the severity of the offense, including disciplinary action, up to immediate termination of employment. Employees of Business Associates are not employees of the Group Health Plan and are subject to the provisions outlined in the Business Associate contracts.

Employees will be made aware of what actions are prohibited and punishable. Training will be provided and expectations will be made clear so Individuals are not sanctioned for doing things which they did not know were wrong or inappropriate.

Employee Sanctions may include any of the following:
(a) Verbal warning
(b) Re-training and/or education
(c) Notice of disciplinary action placed in personnel files
(d) Other Sanctions, up to and including termination of employment

Business Associate Sanctions may include any of the following:
(a) Verbal warning
(b) Implementation of contract provisions that include contract penalties
(c) Termination of contract
(d) Notification to HHS

The Human Resources Department will be responsible for notifying Workforce members who fail to comply with the HIPAA policies and procedures. The Privacy Officer and/or the Security Officer will assist Visa's Human Resources Department with the necessary information to appropriately apply disciplinary action, including notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations.

Please refer to section of this Manual for Security Sanction procedures.

1.7 Work Force Sanctions
TOPIC: Verification of Person's Identity
SUBJECT: Process to verify the identity of a person requesting PHI and the authority of any person to have access to PHI.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will have procedures reasonably designed to verify and identify the authority of persons requesting PHI. The Plans will verify the identity of a person requesting PHI and the authority of any person to have access to PHI if the identity or authority of the person is not known to the Plans. The Plans will obtain any documentation, Statements, or representations, whether oral or written, from the person requesting PHI when it is a condition of the Disclosure. This applies to all Disclosures of PHI, including Treatment, Payment and Health Care Operations, where the identity of the recipient is not known to the Plans. The Plans will establish reasonable procedures to address verification in Routine Disclosures under Business Associate agreements.

PROCEDURES:
For communications with the Plans' members, the Plans will already have information about each Individual, collected during enrollment, that can be used to establish identity, especially for verbal or electronic inquiries. For example, the Plans may ask for the social security number or employee number of Individuals seeking information or assistance by telephone. The Plans will make a reasonable effort to send/mail PHI to the entity authorized to receive it. A form of photo identification such as a driver's license or certain personal information such as date of birth may also be used to verify the identity of the Individual.

Disclosures that require an opportunity for the Individual to agree or to object will not require verification of the person requesting PHI.

Law Enforcement Official
The requirement to disclose PHI for law enforcement purposes may be satisfied by the administrative subpoena or similar process or by a separate written statement that demonstrates the applicable requirements have been met.

Public Health Officials
The Plans may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the Disclosure of PHI is to a public official or a person acting on behalf of the public official:
- If the request is made in person, presentation of an agency identification badge, or other official credentials, or other proof of government status;
- If the request is in writing, the request is on appropriate government letterhead;
- A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;
- If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority; or
- If the disclosure is made to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority, or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.

Exercise of Professional Judgment
The Plans may also rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the Disclosure of PHI is to a public official or a person acting on behalf of the public official:
- A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; or
- If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.

Verification is met if the Plans rely on the exercise of professional judgment in making a use or disclosure in accordance with:
- The uses and disclosures that require an opportunity for the Individual to agree or to object;
- Emergency situations:
  - Where the Individual is unable to agree or object to disclosure due to incapacity or other emergency circumstance;
  - Disclosure to family members, close personal friends, and others involved in the Individual's care in emergency situations;
- Acts on a good faith belief in making a disclosure in accordance with uses and disclosures to avert a serious threat to health or safety.

Business Associates
The Plans will ensure that the contracts of Business Associates have been amended to ensure that such Business Associates comply with the HIPAA Rules. Typically, the third party administrators use personal access codes/benefits access numbers for purposes of identity verification.

1.8 Verification of Person's Identity
TOPIC: Safeguards
SUBJECT: Creating, implementing and maintaining reasonable processes and safeguards for the protection of PHI.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will have appropriate Administrative, Technical, and Physical Safeguards in place to protect the privacy of PHI and the Confidentiality, Integrity, and Availability of ePHI. The Plans will reasonably safeguard PHI from any intentional or unintentional Use or Disclosure that is in violation of the HIPAA Rules. The Plans will have reasonable and appropriate Administrative, Physical, and Technical Safeguards in place to protect against the inadvertent Disclosure of PHI to persons other than the intended recipient.

PROCEDURES:
The list of appropriate safeguards will include:
- All materials and documents containing PHI must be removed from desktops when not in use and locked in appropriate desk drawers, file cabinets, etc.
- Ensure that computer monitors are shielded from the view of unauthorized Individuals.
- Ensure that fax transmissions are shielded from the view of unauthorized Individuals and that fax machines are not located in high-traffic areas.
- For walk-in employees who wish to discuss health-related issues, ensure that unauthorized Individuals do not overhear discussions or see any PHI being discussed.
- All documents containing PHI are required to be disposed of in shredding bins.
- All doors accessing areas where PHI is stored are required to remain locked after business hours, or when the area is unattended.
- All desk drawers and/or file cabinets housing PHI are required to be locked at the end of the work day.
- Personnel who are authorized to have key or pass code access to PHI shall be limited.
- All computer system access should be password protected.
- Ensure that documents containing PHI, on desktops and workstations, are not in plain view of unauthorized Individuals.
- Other access controls or physical protections (i.e., locking devices on Workstations).
- Automatic data backups.
- Firewalls.
- Automatic updates to anti-virus software.

Additional safeguards applying to ePHI may be found in Sections 9 through 11 of this Manual.

1.9 Safeguards
TOPIC: Audit of Privacy Standards
SUBJECT: Process for auditing the Plans' handling of PHI, including the development, implementation and maintenance of appropriate Privacy monitoring practices.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will conduct periodic audits of Privacy practices. The goal is to determine if the Plans are in compliance with documented and implemented Privacy practices, policies, and procedures and are generally meeting the requirements of the HIPAA Rules governing Privacy. The Plans' overall intent is to ensure that PHI is not released inappropriately or made easily accessible to those who are not authorized to have access. For each Privacy audit that is undertaken, the Plans will describe what needs to be provided to support the audit and prove compliance. The Plans also will provide documentation in the form of an audit trail to be used as needed in the audit process.

PROCEDURE:
The Privacy Officer will be responsible for the overall Privacy audit process and will be assisted by other Human Resources Department staff as necessary to implement and maintain the Privacy audit policy and procedures. An Individual responsible to implement the Privacy audit process will be designated by the Privacy Officer. Selection of the Individual will be based on knowledge of the Human Resources Department and Visa's organization, as well as the HIPAA standards being reviewed.

Privacy audits of the Plans will be completed on a periodic basis, with the exception of audits that result from incident reports or other specific events. As appropriate, Privacy audits will be incorporated into ongoing business process audits that follow other pre-existing audit requirements adopted by the Plans or the Plan sponsor.

To consistently safeguard the Privacy of PHI, the audit will include the following areas to determine HIPAA compliance:
- Uses and Disclosures of PHI are compliant with HIPAA
- Levels of access to PHI are appropriately and consistently assigned
- De-identification of data is done when required
- Identity verification is done before PHI is given to a requestor
- The Minimum Necessary policy for PHI is followed routinely
- Authorizations are completed for Disclosures that are neither Routine nor non-routine but permissible
- PHI requests are appropriately logged
- Responses to Individual requests for accounting of Disclosures are completed within the necessary time frame
- Individuals are given copies of and are able to inspect their healthcare information within the necessary time frame
- Privacy Notices are given to all Individuals as required under the Privacy Rules
- Complaints are reviewed and appropriate steps taken as needed for resolution of issues
- Business Associate contracts are up-to-date and include HIPAA requirements

The Privacy Officer, or a designee, will review the Privacy audit reports to determine appropriate follow-up actions, if any, if the audit scores are below the acceptable threshold level.

The Plans' Business Associates must make their internal practices, books, and records relating to the Use and Disclosure of PHI received from the Plans, or created or received by the Business Associate on behalf of the Plans, available to the Plans or, at the request of the Plans, to the Secretary, in a time and manner designated by the Plans or the Secretary, for purposes of the Secretary determining the Plans' compliance with the HIPAA Rules. This agreement must be included and documented in the formal contract entered into between the Plans and its Business Associates.

Please refer to section 9.8 of this Manual for Security evaluation procedures.

1.10 Audit of Privacy Standards
26 Authorization

TOPIC: Authorizations for Uses and Disclosures of PHI
SUBJECT: Process for authorizing Uses and Disclosures of PHI when it is not used for Payment, Treatment or operations, or non-routine, permissible Uses and Disclosures of PHI.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
Authorizations are required for the Use and Disclosure of PHI for purposes other than the permitted Uses and Disclosures specified in the Privacy Rule. The Plans will obtain the Individual's permission prior to using or disclosing PHI when it is not used to carry out Routine (Payment, Treatment or Health Care Operations) or non-routine Uses and Disclosures. Except as listed in the Uses and Disclosures of PHI Policy, Section 8.1, the Plans will not use or disclose PHI without an Authorization. When the Plans receive a properly authorized request for the release of PHI, the Plans will adhere to the terms of the Authorization.

Effective as of the date determined by the Secretary, the Plans will not accept any Authorization that permits the Plans to use or disclose PHI that is Genetic Information for Underwriting Purposes.

The Plans will document and retain any signed Authorizations and will provide the Individual with a copy of the signed Authorization.

PROCEDURES:
The Plans do not need to obtain an Authorization from the Individual to:
- Use or disclose PHI for the Plans' Payment or Health Care Operations;
- Disclose PHI to a Health Care Provider for the Individual's Treatment;
- Disclose PHI to another Covered Entity or a Health Care Provider for that entity's Payment activities;
- Disclose PHI to another Covered Entity for that entity's Health Care Operations if both entities have or had a relationship with the Individual whose PHI is being requested, the PHI pertains to the current or former relationship, and the purpose of the Disclosure is for:
  - A Health Care Operations activity for which the Privacy Rule states an Authorization is not required; or
  - Detection of Health Care fraud and abuse or compliance with Health Care fraud and abuse laws; and
- Use or disclose PHI as specifically permitted by the Privacy Rule pursuant to an exception.

When an Authorization is needed, the Individual is provided with a copy of the Authorization form and asked to sign it. Signing an Authorization form is voluntary and the Individual may refuse to sign it. A copy of the signed Authorization must be provided to the Individual. The Individual may revoke the Authorization, in writing, at any time. The permissions granted in the Authorization should not be acted upon if the Authorization has been revoked or if it has expired. The Authorization will be documented and retained for a period of six (6) years after it was created or expired, whichever date is later.

Most Uses and Disclosures requiring an Authorization will be handled by the Plans' third party administrators. These will include all Uses and Disclosures not identified in Parts I or II of Section 8.1, such as the Disclosure of PHI to another Covered Entity for Health Care Operations purposes where that Covered Entity does not have a relationship with that Individual or it is not for one of the purposes listed in Section 8.1.

The most likely instance in which an employee within the firewall may need an Authorization is when a participant wishes to name a personal representative (such as an employee's Manager, Union Representative or an Executive's Administrative Assistant). Any Authorizations will be filed and retained on-site for six (6) years at a central location within the Visa Human Resources Department, including copies of any Authorizations obtained at the local level. Employees within the firewall will honor revocations made in writing. Authorizations acquired by Business Associates will need to be revoked via the Business Associate and not by the Plans.

When the need for an authorization arises, the Plan or Plans will get a signed authorization from the Individual whose PHI is going to be used or disclosed. As a reminder, authorization forms are not required when disclosing PHI for workers' compensation claims, but are required for disclosing PHI for STD and LTD claims. Only the Plan's or Plans' standard authorization form should be used. The Individual disclosing the PHI must make sure that the authorization is not defective.

A signed copy of all authorization and revocation forms must be sent to Visa's Benefits Department. The Benefits Department retains copies of all signed forms. When the Benefits Department receives a request for a revocation of an authorization, it first must research to see if the revocation can be honored. Then the Benefits Department will respond in writing to the Individual stating if the authorization has been revoked and, if not, the reason why. Copies of this letter are retained with the signed revocation request form. The Benefits Department is also responsible for contacting the person/entity listed as the person receiving the PHI on the initial authorization form and informing him or her of the revocation.

Effective as of the date determined by the Secretary, the Plans will not accept any Authorization received by the Plans that permits the Plans to use or disclose PHI that is Genetic Information for Underwriting Purposes.

A sample copy of the Plans' Authorization Form is attached as Appendix B.

2.1 Authorization for Uses and Disclosures of PHI
29 Business Associates

TOPIC: Business Associates and Contracts
SUBJECT: Contracting issues to assure that Business Associates comply with the Plans' HIPAA policies and procedures.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans' Business Associates are required to provide satisfactory assurances that they will safeguard and maintain the Confidentiality, Integrity and Availability of the PHI of the Plans' Individuals and only use and disclose PHI for the purposes for which it was provided and in accordance with the HIPAA Rules. The Plans will amend existing and new business associate agreements to comply with changes applicable to business associates effective February 17, 2010.

PROCEDURES:
Existing and new relationships with the Plans' service providers have been reviewed to determine if the relationship requires the Use and/or Disclosure of PHI and thus, whether the entity is a Business Associate. A current listing of Business Associates has been compiled and is attached to these Policies and Procedures as Appendix C. This listing will be reviewed periodically to determine whether any updates to the listing are required.

Business Associates are required to sign a written contract that provides satisfactory assurances that they will adhere to the Plans' HIPAA practices. The Plans require Business Associates to determine the Minimum Necessary type and amount of PHI required to perform the services under the agreement and to represent to the Plans that it has requested the Minimum Necessary PHI for the stated purpose. The Plans rely on the professional judgment of Business Associates to determine the type and amount of PHI necessary for their purposes.

The Privacy Officer, Security Officer, or a designee, will monitor the return or destruction of PHI used, created or obtained by the Business Associate upon termination of the contract (or the extension of protection if not returned or destroyed).

The Privacy Officer, Security Officer, or a designee, will ensure that any complaints regarding privacy violations by Business Associates are reviewed. If the Privacy Officer or Security Officer is aware of a pattern or practice that is a material violation of the Business Associate's duties with regard to privacy, the Privacy Officer, Security Officer, or a designee, will take reasonable steps to end the violation. If such steps are unsuccessful, the Privacy Officer or Security Officer will determine, in consultation with the Plans, whether termination of the agreement is feasible. If not, the Privacy Officer or Security Officer will report the violation to the Secretary.

A copy of Visa's current Business Associate Inventory, including the current status of contracts, is attached as Appendix C. A copy of Visa's Business Associate Agreement is attached as Appendix D. If and when any new vendors are engaged, template Business Associate language will be worked into any new agreements or contracts.

3.1 Business Associates and Contracts
31 The Firewall

TOPIC: Disclosure of PHI to Plan Sponsor
SUBJECT: Requirements concerning when and how the Plans may disclose PHI to the Plan sponsor.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans do not disclose PHI to the Plan sponsor, except in the manner and for the purposes specifically permitted under the Privacy Rule. The Plan sponsor is required to certify that Plan documents have been amended before Disclosure may occur. The Plans only disclose PHI to the Plan sponsor if one of the following applies:
- The Plans receive written Authorization from an Individual to disclose PHI to the Plan sponsor;
- The Plans disclose information to the Plan sponsor on whether an Individual is participating in the Plans;
- The Plans provide the Plan sponsor with PHI in the form of Summary Health Information for the purpose of obtaining premium bids from Health Insurance Issuers;
- The Plans provide the Plan sponsor with PHI in the form of Summary Health Information for the purpose of assessing, modifying, amending or terminating the Health Plans; or
- The Plans receive certification from the Plan sponsor that the Plan documents have been modified as required by the Privacy Rule, and the Uses and Disclosures of PHI by the Plan sponsor will be restricted to Plan Administration Functions performed by the Plan sponsor on behalf of the Plans in accordance with the Plan document.

The Plans will require certification from the Plan sponsor that the Plan sponsor will not use PHI for any employment-related decisions and that Plan documents have been amended as required before disclosing PHI to the Plan sponsor. The Plans have included a separate Statement in the Plans' Notice of Privacy Practices informing Individuals that PHI may be disclosed to the Plan sponsor. The Plans will only disclose the Minimum Necessary amount and type of PHI to the Plan sponsor.

PROCEDURES:
The Group Health Plan does not disclose PHI to the plan sponsor, except in the manner and for the purposes specifically permitted under the HIPAA privacy regulations. The plan sponsor is required to certify that plan documents have been amended before disclosure may occur.

Individual
The Group Health Plan and the plan sponsor at all times will comply with the HIPAA privacy regulations and will ensure the adequate separation (the "Firewall") between the Group Health Plan and the plan sponsor.

Employees within the Firewall
Effective February 17, 2010, the following Individuals/positions are within the firewall:

Title
- Global Head of
- Head of Total Rewards
- Benefits Analyst/Program Manager
- Senior Business Leader - Benefits
- Benefits Manager
- Leave and Disability Program Manager

The access to, use and disclosure of PHI by the Individuals named above is restricted to the following category or categories of PHI required to carry out their duties and job responsibilities.

Categories of PHI:
- Information regarding eligibility, enrollment, disenrollment and change in status in the Group Health Plans
- Information relating to claims filed
- Information relating to adjudication of claims appeals

PHI may not be used or disclosed for any employment-related decisions, such as hiring, promotion or termination, and PHI may not be used for any employment-related decisions, such as leave of absence, drug testing and compliance with the Americans with Disabilities Act, without proper authorization from the employee. Please refer to Section 1.7 of the Policies and Procedures, which discusses the sanctions for failure to comply with the Visa Group Health Plan Policies and Procedures or the HIPAA privacy regulations.

Business Associates
The Plans' Business Associates have been contacted and provided with a copy of the Plans' Certification to Business Associates. This certification has been signed by the Plans to ensure that PHI is only disclosed by Business Associates to the appropriate Individuals/positions within the firewall and is disclosed only to the extent necessary for those Individuals/positions to carry out their proper Plan functions.

4.1 Disclosure of PHI to Plan Sponsor
TOPIC: Granting Levels of Access to PHI
SUBJECT: Process to identify those persons or classes of persons in the Plans' Workforce who need access to PHI to carry out their duties. This includes the category or categories of PHI to which access is needed and any conditions appropriate to such access. This includes the technical Security Measures to protect information and to control Individual access to information.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will identify persons or classes of persons within the Plans who need access to PHI to carry out their duties. For each person or class of persons identified, the Plans will determine the category/categories of PHI to which access is needed. The Plans will make a reasonable effort to limit the access of such persons or classes to PHI based on Minimum Necessary requirements and the need-to-know principle.

For all Disclosures that are made on a Routine and recurring basis, the Plans will follow the Plans' policies and procedures to limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the Disclosures. For all other Disclosures, the Plans will develop criteria designed to limit the PHI disclosed to the information reasonably necessary to accomplish the purpose, and will review requests for Disclosure on an Individual basis in accordance with such criteria.

The Plans will maintain Administrative, Physical and Technical Security Measures to protect PHI and to control Individual access to information, including both access and authorization controls. The Plans will have formal, documented termination procedures and instructions that include appropriate Security Measures for the termination of an internal/external user's access.

PROCEDURES:
The Privacy Officer, Security Officer, or a designee, will determine which Individuals or classes of Individuals can access PHI as part of their job functions, and identify the categories of PHI to which these access rights apply. The Privacy Officer, Security Officer, and/or a designee will review requests for non-routine Disclosures on an Individual basis, using set criteria.

The need for an extensive screening process will be based on an assessment of risk, cost, benefit, and feasibility as well as other protective measures already in place. Effective screening processes will be applied to allow a range of implementation, from minimal procedures to more stringent procedures commensurate with the sensitivity of the data to be accessed and the magnitude of harm or loss that could be caused by an Individual.

Persons or entities will be removed from access lists when they are terminated or no longer need access to PHI. User accounts will be removed from access when they no longer have a need to know the information to which they have access. This procedure includes eradicating an Individual's or entity's access privileges through removal from access lists within 24 business hours of Visa's notification by taking one or more of the following actions (as appropriate for the Individual situation):
- Changing locks;
- Removal from access lists;
- Removal of user account(s); and/or
- Turning in of keys, tokens or cards that allow access.

4.2 Granting Levels of Access to PHI
Individual Rights

5.1 Individual's Right to Access PHI

TOPIC: Individual's Rights to Access PHI
SUBJECT: Process for assuring that members have the right of access to their PHI.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans have implemented policies and procedures to ensure Individuals' Privacy rights as required by and specified in the Privacy Rule. Individuals have the right to request to inspect or obtain a copy of their PHI in the Designated Record Set. Individuals in the Plans have the right to:
- Receive a paper copy of the Plans' Notice of Privacy Practices ("Notice"), even if the Individual has agreed previously to receive the Notice electronically;
- Request restrictions on the Uses and Disclosures of PHI;
- Request to receive confidential communication by an alternative means or at an alternative location if appropriate cause is shown;
- Access documents in the Designated Record Set for inspection and/or copying;
- Request to amend documents in the Designated Record Set that are inaccurate or incomplete; and
- Obtain an accounting of certain Disclosures of their PHI.

Effective February 17, 2010, an Individual may:
(1) To the extent that a Plan uses or maintains an electronic health record with respect to the PHI of such Individual:
- Obtain a copy of such electronic health record in electronic format; and
- Direct a Plan to transmit the Individual's electronic health records directly to an entity or person designated by the Individual, provided that any such direction is clear, conspicuous, and specific.
Individuals may be charged a fee for requests to access electronic health records, but such fee will be limited to the cost of labor involved in responding to the request.
(2) Request that a Plan restrict the Disclosure of the PHI of the Individual and, notwithstanding the right of a Plan to otherwise not agree with the request to restrict the Disclosure, a Plan must comply with the requested restriction if:
- Except as otherwise Required by Law, the Disclosure is to a Health Plan for purposes of carrying out Payment or Health Care Operations (and is not for purposes of carrying out Treatment); and
- The PHI pertains solely to a health care item or service for which the Health Care Provider involved has been paid out of pocket in full.

The Plans adhere to policies and procedures developed and implemented to ensure Individual privacy rights. The Plans provide plan sponsor Workforce members who perform Plan Administration Functions with periodic Training regarding Individuals' rights with respect to their PHI.

PROCEDURES:
The Plans will require and inform Individuals that requests for access to PHI, including requests for a copy of an electronic record or transmission of such records, or for restriction of Disclosure of PHI must be made in writing. This will include requests received via telephone calls to the contact number provided in the Notice. Such callers will be directed to submit their requests in writing to the contact address provided on the Notice.

When a request for access to or restriction of Disclosure of PHI is received, it will be acted upon according to the following timeframes:
- Within thirty (30) days if the requested information is maintained and accessible on site (i.e., information lodged and maintained with Visa's Human Resources Department); or
- Within sixty (60) days if the requested information is maintained offsite.

The Privacy Officer, or a designee, will triage all such requests for access to or restriction of Disclosure of PHI and either:
- Respond directly to the Individual if the PHI is maintained on-site at Visa's Human Resources Department, and/or
- Refer the request out to the appropriate contact at the local worksite, who will respond directly to the Individual regarding any PHI maintained at that level.

If the request is granted, the Plans will inform the Individual and provide the access or restriction requested within the timeframes above. The timeframes stated above may be extended one time for no more than thirty (30) days. If the extension is necessary, the Plans will provide the Individual, within the timeframes above, a written statement that specifies the reason(s) for the delay and the date by which the Individual may expect to receive a decision on the request to access the PHI for inspection and/or copying or on the request for restriction of Disclosure of PHI.

The Plans will document the records that comprise the Designated Record Set that is subject to access or restriction requests and maintain such records for a period of six (6) years from the date they were created or were last in effect, whichever is later. The Plans will maintain the titles of the persons/offices responsible for receiving and processing access or restriction requests for a period of six (6) years.

When the Plans deny a request for access or restriction of Disclosure (in whole or in part):
- The Individual is given a statement written in plain language that includes:
  - The reasons for the denial decision;
  - If applicable, the Individual's right to a review of the decision with an explanation of how to exercise this right; and
  - A description of how the Individual may file a complaint with the Plans and the Secretary, including the title and telephone number of a Plan contact person.
- To the extent possible, the Plan will grant access to other PHI for which there are no grounds to deny access.
- If the denial is reviewable and the Individual requests such a review, the Plan will designate a licensed Health Care professional, not involved in the original denial decision, to serve as a reviewing official. Upon receipt of a review request, the Plan will promptly refer the denial to the reviewing official for reevaluation. The Plan will provide written notice to the Individual of the reviewing official's determination.
- If the Plans deny access or restriction of Disclosure because they do not maintain the PHI requested but know where the requested PHI is maintained, the Plans will inform the Individual of where to direct the request.

When a request for access is accepted (in whole or in part):
- The Individual is notified of the decision and may choose to inspect the PHI, copy it, or both, in the form or format requested.
- In lieu of providing access, the Plans may provide a summary of the requested PHI for an additional charge if the Individual agrees to the summary and to the additional fee.
- The Plans and the Individual will arrange a mutually convenient time and place for the Individual to inspect and/or obtain a copy of the requested PHI.
- The Plans will mail a copy of the requested PHI if the Individual prefers this method of obtaining a copy.

When the request to restrict the Disclosure of PHI is accepted (in whole or in part):
- The Plans will restrict the Disclosure of PHI as requested if:
  - Except as otherwise Required by Law, the Disclosure is to a Health Plan for purposes of carrying out Payment or Health Care Operations (and is not for purposes of carrying out Treatment); and
  - The PHI pertains solely to a health care item or service for which the Health Care Provider involved has been paid out of pocket in full.

Fees charged by the Plans for access to PHI:
- The Plans may charge a reasonable, cost-based fee for copying, including labor and supplies (for instance, paper, computer disks).
- The Plans may charge the cost of postage when the Individual requests that the information be mailed.
- No fee is charged for retrieving or handling the PHI or for processing the Individual's access request.
- The Plans may charge a nominal fee for preparing an explanation or summary of the requested PHI if the Individual is informed of and agrees to receive a summary of the PHI and is willing to pay the fee.
- Effective February 17, 2010, the Plans may charge a fee for requests to access electronic health records, but such fee will be limited to the cost of labor involved in responding to the request.
5.2 Individual Request to Amend PHI

TOPIC: Individual Request to Amend PHI
SUBJECT: Process for assuring an Individual's Rights to have the Plans Amend the Individual's PHI.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
Individuals have the right to request amendment of incorrect or incomplete PHI contained in a Designated Record Set. The Plans may deny an Individual's request for amendment if it is determined that the PHI or record is/was:
- Not created by Visa, unless the Individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
- Not available for inspection under the Individual's right to access; or
- Accurate and complete.

The Plans will document the titles of persons or offices responsible for receiving and processing these requests for amendments and retain the documentation. The Plans will require providers, insurers and Business Associates to agree to make any amendments to PHI in a designated record set that Visa directs or agrees to pursuant to this policy at the request of a covered entity or an Individual, in order to meet the requirements under this policy.

PROCEDURES:
The Plans will require and inform Individuals that requests for amendment of their PHI must be made in writing and must include a reason to support acceptance of the amendment. If the request for amendment is not received in writing, or if the written request does not include a reason in support of the request, the Plans will not act on the request.

When a request for amendment of PHI is received, it will be acted on within sixty (60) days. If necessary, this timeframe may be extended for thirty (30) days. The Individual requesting the amendment will be informed in writing of the reason(s) for the delay and the date by which action will be taken on the request. The extension notice will be provided within sixty (60) days of receipt of the original request.

The Plans will document the titles of the persons/offices responsible for receiving and processing requests for amendment and retain such documentation for a period of six (6) years.

When a request for amendment is denied:
- The Individual is given a notice written in plain language that:
  - Includes a permissible basis for denial. For example, that the information requested was not created by the Plans, is accurate and complete, is not part of the record, or may not legally be changed (e.g., information compiled in anticipation of a civil, criminal or administrative proceeding);
  - Informs the Individual of the right to submit a statement of disagreement, and how to file the statement;
  - States that if the Individual does not file a statement of disagreement, the Individual may request that the Plans provide the request for amendment and the denial in any future release of the disputed PHI; and
  - Includes a description of the procedure to file a complaint with the Plans or the Secretary.
- If the Individual chooses to write a statement of disagreement with the denial decision:
  - The Plans may write a rebuttal statement and will provide a copy to the Individual; and
  - The Plans will include the request for amendment, denial letter, statement of disagreement, and rebuttal (if any), with any future Disclosures of the disputed PHI.
- If the Individual does not choose to write a statement of disagreement with the denial decision, the Plans are not required to include the request for amendment and denial decision letter with future Disclosures of the disputed PHI unless requested by the Individual.

When a request for amendment is accepted (in whole or in part):
- The Plans will identify the record(s) that are the subject of the amendment request and will append the amendment to the record(s).
- The Plans will inform the Individual that the Individual's request for amendment has been accepted and request the identification of, and permission to contact, other Individuals or Health Care entities that need to be informed of the amendment(s).
- The Plans will make reasonable efforts to provide the amendment within a reasonable time to the persons/entities identified by the Individual as well as to persons and Business Associates who the Plans know have the disputed PHI and may rely on it to the Individual's detriment.

Receipt of notification of amendment from other Covered Entities:
When the Plans receive notification from another Covered Entity that an Individual's PHI has been amended:
- The Plans will ensure that the amendment is appended to all applicable records of the Individual; and
- The Plans will inform the Plans' Business Associates that may use or rely on the Individual's PHI of the amendment and require them to make the necessary corrections.
TOPIC: Individuals' Rights to Request Privacy Protection for PHI
SUBJECT: Process for assuring that Individuals' rights to request privacy protection for PHI are met.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
Individuals have the right to request restrictions on how their PHI is used and/or disclosed for Treatment, Payment and Health Care Operations. An Individual may request confidential communications at any time. Visa will protect member rights to request privacy protection for PHI. However, the Plans are not required to agree to a restriction. All requests must be in writing.

PROCEDURES:
Visa employees within the Firewall will only become involved in a request if the Plans maintain the PHI requested. If the Plans do not maintain the PHI, the Plan sponsor (Visa) will inform the Individual where to direct the request for access.

A covered entity or a Business Associate is not required to agree to a restriction. The provider, insurer or Business Associate will accommodate reasonable requests by Individuals to receive communications of PHI by alternative means or at alternative locations. When the provider, insurer or Business Associate does agree to such a restriction, it will not use or disclose PHI in violation of the restriction. The provider, insurer or Business Associate will not require an explanation from the Individual as to the basis for the request as a condition of providing communications on a confidential basis.

Restrictions may be terminated if:
- The Individual agrees to or requests the termination in writing;
- The Individual orally agrees to the termination and the oral agreement is documented; or
- The Individual is informed that his or her agreement to a restriction is terminated, except that the termination will only be effective with respect to PHI created or received after the Individual has been informed.

The provider, insurer or Business Associate will notify the appropriate covered entities or Business Associate(s) of any such restriction on the use or disclosure of PHI which the provider, insurer or Business Associate has agreed to in accordance with this policy, to the extent that such restriction may affect the provider's, insurer's or Business Associate's use or disclosure of PHI. The provider, insurer or Business Associate will maintain a copy of the written requests and a record of actions.

With respect to the right to request privacy protection, the following shall apply:
- Individuals will be informed of their right to request restrictions on the Use and Disclosure of their PHI in the Plans' Notice of Privacy Practices ("Notice").
- All requests by Individuals for restrictions on the Use and Disclosure of their PHI must be made in writing and forwarded to the Privacy Officer, Security Officer or designee for approval.
- Individuals who desire their PHI to be communicated in an alternative manner or location than the Plans would otherwise use will be required to specify the alternative location or other method of communication. The Individual will be required to clearly state that the restriction is necessary to prevent a Disclosure that could endanger the Individual.
- Workforce members or Business Associates who perform plan functions may not grant or deny an Individual's request for restrictions without prior authorization from the Privacy Officer or designee.

When a request for restriction(s) is accepted:
- The Individual will be informed of any potential consequences of the restriction, including that the Plans are not required to comply with the agreed upon restriction(s) in emergency Treatment situations when the restricted PHI may be needed for Treatment;
- The Plans will not refuse to accommodate such requests unless the request imposes an unreasonable administrative burden on the Plans or the Plans' Business Associates;
- The Plans will not use or disclose PHI inconsistent with the agreed restriction, nor will the Plans' Business Associates;
- The Use and/or Disclosure of PHI will be consistent with the status of the restriction in effect on the date it is used or disclosed; and
- Written documentation of the agreed-to restriction will be maintained for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.

When a request for restriction(s) is denied by the Plans:
- The Individual will be given the opportunity to discuss the Individual's privacy concerns, if desired; and
- Efforts will be made to assist the Individual in modifying the request for restrictions to accommodate the Individual's concerns and obtain acceptance by the Plans.
5.4 Complaint Process

TOPIC: Complaint Process
SUBJECT: A process for filing a complaint with the Plans when a person believes that the Plans, another Covered Entity or a Business Associate is not complying with the HIPAA requirements.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will have a means of receiving complaints concerning violations of the HIPAA privacy rules and Visa's privacy practices. Visa has designated the HIPAA Privacy Committee to receive complaints related to Visa's compliance with the HIPAA privacy regulations. The HIPAA Privacy Committee is responsible for providing further information about those areas covered under the Plans' Notice and for maintaining a record of complaints that are filed, as well as a brief explanation of their resolution, if any. Responding to complaints will be the responsibility of the Privacy Officer/Security Officer, or designees.

PROCEDURES:
Plan participant complaints related to the HIPAA privacy regulation shall be received by the HIPAA Privacy Committee and/or its designees. The Committee will be responsible for reviewing complaints and assuring consistency with health plan-wide privacy policies and procedures. Visa's complaint tracking procedures address violations by its Business Associates as well as any internal areas.

An Individual who wishes to file a complaint concerning a violation of the HIPAA privacy rules and Visa's privacy practices should file a written complaint with the Privacy Officer. A thorough, objective, complete and timely investigation of the complaint will be conducted, and at the conclusion of the investigation a written report outlining the results of the investigation will be prepared. If it is determined that the HIPAA privacy rules or Visa's privacy practices have been violated, Visa will take timely and effective remedial action commensurate with the severity of the offense, including disciplinary action, up to immediate termination of employment.

Inquiries regarding how to obtain Individual PHI that are received by the HIPAA Privacy Committee will be addressed through a standard response explaining how to obtain PHI from vendors.
5.5 Notice of Privacy Practices

TOPIC: Notice of Privacy Practices
SUBJECT: An Individual has a right to adequate notice of the Uses and Disclosures of PHI that may be made by the Plans, and of the Individual's rights and the Plans' legal duties with respect to PHI.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans' Privacy practices, designed to protect the Privacy, Use and Disclosure of PHI, are described and clearly delineated in the Plans' Notice of Privacy Practices ("Notice"), which was developed and is used in accordance with the Privacy Rule. The Plans will provide Individuals with a notice, written in plain language and including all of the elements required under the privacy regulations, of the uses and disclosures of PHI made by Visa, as well as of the Individual's rights and Visa's legal duties with respect to PHI. The Plans will promptly revise and distribute this notice whenever there is a material change to the uses or disclosures, the Individual's rights, the covered entity's legal duties, or other privacy practices stated in this notice.

The Plans will provide the notice to named enrolled Individuals under the Group Health Plan no later than the compliance date for the HIPAA privacy regulations (April 14, 2003), to new employees, or within 60 days of a material revision to the notice, but no less frequently than once every three years. To the extent that such limitation(s) may affect Business Associates' use or disclosure of PHI, the Plans will inform their Business Associates of any limitation(s) in the notice of privacy practices in accordance with this policy.

PROCEDURES:
Visa will deliver the initial privacy notice to Individuals via regular mail. Visa will provide Individuals the opportunity to agree to the electronic provision of the notice and may deliver subsequent notices via e-mail if the Individual agrees to electronic notifications and such agreement has not been withdrawn. The Individual will retain the right to obtain a paper copy of the notice from Visa upon request. If Visa knows that the transmission has failed, a paper copy of the notice will be provided to the Individual. However, a return receipt is not required. In addition, Visa will post its notice on its intranet Web site.

The Benefits Department is responsible for maintaining the privacy notice and for updating the privacy notice as necessary. The Benefits Department will seek approval for any changes to the privacy notice from the Privacy Officer or a designee or designees.

With respect to the Notice, the following shall apply:
- The Notice is distributed to all new Individuals upon hire.
- All Individuals receive a revised Notice within sixty (60) days of any material revision to the Notice.
- The Notice is provided to the named Individual or employee for the benefit of all dependents.
- The Notice is available to anyone who requests it.
- Individuals have the right to receive a paper copy of the Notice, even if they previously agreed to receive the Notice electronically.
- All current Individuals are notified at least once every three (3) years of the availability of the Notice and provided with instructions on how to obtain it. Beyond this requirement, the Plans will also distribute the Notice annually with open enrollment materials.
- The Notice is given to all Business Associates.
- The Notice is reviewed with all current Plan sponsor Workforce members who perform administration functions for the Plans during their initial Training and annually thereafter.
- The Notice is revised as needed to reflect any changes in the Plans' Privacy practices. Revisions to the policies and procedures are not implemented prior to the effective date of the revised Notice.
- When revisions to the Notice are necessary, all current Individuals, Workforce members who perform Health Plan functions and Business Associates receive a revised copy of the Notice.
- The Privacy Officer will retain copies of the original Notice and any subsequent revisions for a period of six (6) years from the date of its creation or when it was last in effect, whichever is later.

All Workforce members who perform Health Plan functions and Business Associates are required to adhere to the privacy practices as detailed in the Notice, the privacy policies and procedures, and Business Associate contracts. Violations of the Plans' privacy practices will result in disciplinary action up to and including termination of employment or contracts. (See also, Workforce Sanctions)
Minimum Necessary

6.1 Minimum Use of PHI

TOPIC: Minimum Use of PHI and ePHI
SUBJECT: The Plans will make reasonable efforts to ensure that the minimum amount of PHI necessary to accomplish the intended purpose of the Use or Disclosure is used or disclosed.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will develop criteria designed to limit the PHI and ePHI disclosed to the information reasonably necessary to accomplish the purpose for which the request is made, and will review requests for Disclosure on an individual basis in accordance with the criteria. The Plans will make reasonable efforts to limit PHI Disclosures to the Minimum Necessary to accomplish the intended purpose of the Use, Disclosure, or request. The Plans will reasonably safeguard PHI from any intentional or unintentional Use or Disclosure that is in violation of the HIPAA Rules, Standards, Implementation Specifications or other requirements.

The following situations are exceptions to the Plans' Minimum Necessary standards:
- Visa Disclosures or requests by a health provider for Treatment;
- Uses or Disclosures made pursuant to the Individual's Authorization;
- Uses and Disclosures made to the Individual to whom the PHI applies, as permitted or required by the HIPAA Rules;
- When the Secretary requests access to the information to ensure compliance or investigate a complaint;
- Uses or Disclosures that are Required by Law; or
- Uses or Disclosures that are required to comply with requirements of the HIPAA Rules.

Visa will limit requests by other covered entities for individually identifiable health information to what is reasonably necessary for the purpose intended. Visa will determine who has access to what PHI and will make every effort to ensure consistency. The Plans will make determinations of Minimum Necessary Use based on the types of people who are to have access to designated categories of information and the conditions, if any, of that access.

The Plans will take appropriate means for protecting the privacy of member information. For non-routine Disclosures, the Plans will develop reasonable criteria to limit the PHI disclosed to the Minimum Necessary to accomplish the purpose for which Disclosure is sought, and will implement procedures for review of Disclosures on an individual basis. Where Disclosures are made on a Routine and recurring basis, such as in on-going relationships between the Plans and Business Associates, individual review of each Routine Disclosure is not necessary. The Plans will develop and follow standard protocols to apply to such Routine and recurring Disclosures.

The following shall apply with respect to access to PHI or ePHI held by the Plans:
1. Access to PHI and/or ePHI is granted consistent with the Group Health Plan's determination of the minimum amount required by members of the workforce to perform their jobs.
2. Documentation is maintained regarding authorized access privileges.
3. Reviews of access rights are conducted at regular intervals to ensure continued appropriateness of levels of access. The Senior Business Leader of Benefits for Visa is responsible for approving access to systems and applications based on business needs and job descriptions.
4. Access is modified or revoked when a user's job function or access needs change.
5. Access privileges are immediately revoked when a user is no longer employed by Visa or when the user's job function no longer includes duties associated with the Group Health Plan. Special care is taken in deactivating access when employment is terminated.
6. Workforce members limit the exchange of ePHI via e-mail. Archival of e-mails containing ePHI is permissible, but discouraged. E-mails containing ePHI should be deleted following the disposition of the issues to which they relate. If, however, the information must be retained beyond the disposition of the issue(s), the information should be stored in secured electronic folders with limited access.
7. Members of the workforce using laptops or remote dial-in systems must use caution when accessing ePHI from remote locations or from any system outside of the benefits team's secure work area.

Effective February 17, 2010, the Plans will limit, to the extent practicable, any Use or Disclosure of PHI, or request for PHI, to the Limited Data Set.

PROCEDURES:
For every type of routine and permissible use and disclosure of PHI, Visa's employees within the Firewall will only provide the minimum information reasonably necessary to achieve the purpose of the type of disclosure. What is reasonable to comply with the minimum necessary policy will vary with the circumstances. Visa will use discretion to determine what is minimally necessary in each situation. When it is practical, the Plans may use selective copying or disclosure of relevant portions of a record.

Self-correcting procedure: If an employee within the Firewall receives PHI and believes that he or she is receiving more information than necessary, the employee must notify the individual providing the information and request that the data be limited to only what is necessary to achieve the purpose of the type of disclosure.

The Plans will implement procedures and standard protocols to limit the Use and Disclosure of PHI to the minimum information reasonably necessary to achieve the purpose of that type of Use or Disclosure. The Plans will determine who needs to have access to PHI and identify the categories of PHI to which access is needed and the conditions appropriate to such access. For every type of Routine and permissible Use or Disclosure of PHI, the Plans will consider the minimum information reasonably necessary to achieve the purpose of that type of Use or Disclosure and will make every effort to ensure consistency.

What is reasonable to comply with the Minimum Use of PHI Policy will vary based on the circumstances. The Plans will use discretion to determine the Minimum Necessary PHI for each situation. For example, the claims appeals committee may have access to PHI as part of the claims appeal process. The Plans shall limit the amount of information needed to adjudicate the claims and the number of individuals who need to view the information. The name and/or social security number of a claimant may be removed from the information provided to the Committee Members in order to protect the identity of the claimant whose information is being reviewed on appeal.
Training

7.1 Training Workforce Regarding Protection of Health Information

TOPIC: Training Workforce Regarding Protection of Health Information
SUBJECT: Process for Training the Plans' Workforce on the Plans' HIPAA policies and procedures with respect to PHI as required by the HIPAA Rules.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will train the Workforce on the Plans' HIPAA policies and procedures with respect to PHI as required under the HIPAA Rules, as necessary and appropriate for the Workforce to carry out its job functions within the Plans. Training will be provided to each Workforce member on the HIPAA Rules that are applicable to each member's work. Training initially was provided for then-current members of the Workforce by April 14, 2003. Training will be provided to each appropriate member of the workforce who is inside the Firewall on requirements that are applicable to his or her job. Each new hire who will be inside the Firewall will receive training within four weeks of joining Visa. The training is designed to address the types of issues the employee will confront in performing his or her duties as well as to address general privacy issues. When there is a material change in the policies and/or procedures required by the privacy regulations, each member of the workforce whose function is affected by the change will be trained within four weeks after the change becomes effective.

PROCEDURES:
The Privacy Officer, Security Officer or designee or designees will determine the method to train and to document the training program for appropriate staff. This may include memos, notices, self-learning packets, policies and procedures, written orientation packets, face-to-face training, etc. The appropriate information can be presented at departmental meetings, training meetings, one-on-one training or by self-teaching using the methods listed.

The person responsible for the training sessions will provide a list of who has received the training, the trainer's name, and the date of training. Visa will document the training in written or electronic form and maintain such documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later. The Privacy Officer, or his designee or designees, will maintain and periodically review the training records. A copy of the training completion record will be placed in the employee's file.

Training will be provided to each Workforce member on the HIPAA Rules that are applicable to each member's work. This will include all employees behind the Firewall. (See also, Disclosure of PHI to Plan Sponsor, Section 4.1). Members of the Workforce at the time the HIPAA Privacy Rule became effective received initial training before April 14, 2003. Additionally, as of April 21, 2005, the Plans implemented a Security awareness and training program for all members of the Workforce. Training was provided to each Workforce member on the portions of the HIPAA Security Rule that are applicable to the member's work. Then-current members of the Workforce received Security training before April 21, 2005. Training will be provided prior to February 17, 2010 to each Workforce member on the changes to the Plans' HIPAA policies and procedures, generally effective February 17, 2010, based on changes to the HIPAA Rules, including those for Breach notification for Unsecured PHI.

Ongoing Training will be conducted periodically, or within a reasonable time whenever there is a material change to the HIPAA Rules or to the Plans' HIPAA policies and procedures. The delivery method for such on-going Training may vary or be revised as the circumstances allow. New employees entering into roles/functions within the Firewall will be logged in and trained within thirty (30) days from the date they begin working with PHI as part of their designated job function.
Uses and Disclosures

TOPIC: Uses and Disclosures of Protected Health Information (PHI)
SUBJECT: Process to identify the permitted Uses and Disclosures of the Plans' PHI.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT: Visa will not use or disclose PHI except as permitted or required by the HIPAA Rules or by this policy.

I. Routine Uses and Disclosures of PHI

The Plans may:
- Use or disclose PHI to carry out their own Payment or Health Care Operations functions.
- Disclose PHI to the Individual to whom the PHI applies.
- Disclose PHI to another Covered Entity for the Payment activities of the entity that receives the information.
- Disclose PHI for the Treatment activities of a Health Care Provider.
- Disclose PHI to another Covered Entity for the Health Care Operations activities of the entity that receives the information, if both entities have or had a relationship with the Individual who is the subject of the PHI being requested and the Disclosure is for purposes of quality assessment and improvement, case management, care coordination, contacting Individuals regarding Treatment alternatives, reviewing Health Plan performance, detecting Health Care fraud and abuse, or any other purpose permitted by applicable regulations.

II. Non-Routine Uses and Disclosures of PHI

The Plans will log all requests for non-routine permissible Disclosures of PHI, both internal and external. An Authorization or an opportunity to agree or object will not be required for the following categories of Use or Disclosure of PHI:

(a) Required by Law. The Plans may use or disclose PHI to the extent that such Use or Disclosure is Required by Law and the Use or Disclosure complies with and is limited to the relevant requirements of such law.

(b) Public Health Activities.
The Plans may disclose PHI for public health activities to the following:
- A Public Health Authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including the reporting of disease, injury, or vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or an official of a foreign government agency that is acting in collaboration with a Public Health Authority.

8.1 Uses and Disclosures of PHI
- A Public Health Authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
- A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purposes of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity.
- A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, where the law authorizes notification as necessary in the conduct of a public health intervention or investigation.

(c) Victims of abuse, neglect or domestic violence. The Plans may disclose PHI about an Individual whom the Plans reasonably believe to be a victim of abuse, neglect or domestic violence to a government authority. The Plans will disclose PHI regarding such an Individual when the Disclosure is Required by Law, when the Individual agrees to the Disclosure, or when the Disclosure is authorized by statute or regulation.

(d) Health oversight activities. The Plans may disclose PHI to a health oversight agency for oversight activities authorized by law for appropriate oversight of the Health Care system; government benefit programs for which Health Information is relevant to beneficiary eligibility; government regulatory programs for which Health Information is necessary for determining compliance with program standards; or entities subject to civil rights law for which Health Information is necessary in determining compliance.

(e) Judicial and administrative proceedings.
The Plans may disclose PHI in the course of any judicial or administrative proceeding (1) in response to an order of a court or administrative tribunal, provided that only the PHI expressly authorized by the order is disclosed; or (2) in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, if the Plans receive satisfactory assurances as provided for in the regulation. The Plans will prohibit the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding and will require the return of the PHI, including all copies made, at the end of the litigation or proceeding.

(f) Law enforcement purposes. The Plans may disclose PHI to a Law Enforcement Official for the following purposes:
- When the subject of the Disclosure is an Individual who is or is suspected to be a victim of a crime, abuse, or other harm.
- The reporting of certain types of wounds or other physical injuries.
- In response to a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
- In response to an administrative subpoena or summons, or a civil or authorized investigative demand, when the information sought is relevant to a legitimate law enforcement inquiry. The request must be specific and limited in scope to the extent reasonably practicable for the purpose for which the information is sought.
- Limited information for identification and location purposes, disclosed for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.
- About an Individual who has died, for the purpose of alerting law enforcement to the death of the Individual if the Plans suspect that the death resulted from criminal conduct.
- Pursuant to the Plans' good faith belief that the Disclosure constitutes evidence of criminal conduct that occurred on the Plans' or Plan Sponsor's premises.

(g) To avert a serious threat to health or safety. The Plans may use or disclose PHI based on a good faith belief that the Use or Disclosure is necessary to prevent or lessen a serious and imminent threat, including to the target of the threat, or is necessary for law enforcement authorities to identify or apprehend an Individual under specified circumstances.

(h) Specialized government functions. Subject to certain conditions, the Plans may disclose PHI for certain military and veterans' activities, national security and intelligence activities, and to correctional institutions, as specified in applicable regulations.

(i) Workers' Compensation. The Plans may disclose PHI to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness.

III. Uses and Disclosures for which an Authorization is required

Except as listed in Sections I and II of this policy, the Plans will not use or disclose PHI without first securing the Individual's written Authorization. When the Plans receive a request for PHI, the Plans will adhere to the terms of the Authorization, to the extent an Authorization was necessary to permit the Disclosure.

IV. Personal Representatives

If a person has the authority under applicable law to act on behalf of an Individual who is an adult or an emancipated minor in making decisions related to PHI, the Plans will treat such person as a personal representative with respect to that PHI.
If a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an Individual who is an unemancipated minor in making decisions related to PHI, the Plans will treat such person as the personal representative of the unemancipated minor. The Plans will, consistent with State or other applicable law, provide a right of access to the PHI of an unemancipated minor to the parent, guardian, or other person acting in loco parentis as the personal representative of the unemancipated minor, to the unemancipated minor, or to both.

V. Access to Records

The Plans will permit access by the Secretary, during normal business hours, to the Plans' books, records, accounts and other sources of information, including PHI, that are pertinent to ascertaining compliance with the Privacy requirements. If such information is in the exclusive possession of another person, institution or entity that fails or refuses to furnish the information, the Plans will certify and set forth the efforts they made to obtain the information.
VI. Other Requirements Relating to the Uses and Disclosures of PHI

For Payment Purposes: Notwithstanding anything contained in this Manual to the contrary, effective as of the date determined by the Secretary, the Plans shall not use or disclose PHI that is Genetic Information for Underwriting Purposes.

For Health Care Operations Purposes: Notwithstanding anything contained in this Manual to the contrary, effective as of the date determined by the Secretary, if the Plans receive PHI for the purpose of premium rating or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and such health insurance or health benefits are not placed with the Plans, the Plans may use or disclose such PHI only for that purpose or as may be Required by Law, subject to the prohibition against using or disclosing PHI that is Genetic Information for Underwriting Purposes.

PROCEDURES:

The Plans will use or disclose PHI, or any category of PHI, only to the extent and for the purposes described in this Manual. Effective as of the date determined by the Secretary, the Plans will not use or disclose PHI that is Genetic Information for Underwriting Purposes.

The Plans will catalog/list the Routine permitted Uses and Disclosures approved by the Privacy Officer or the designated committee. The catalog will include the specific type of information (demographic, Health Information), the purpose, the mode, and the category of recipients to whom the information is being given. Each item will be identified as a Use and/or a Disclosure.

The Plans will log all non-routine Disclosures and will maintain all written Authorizations submitted by Individuals in a secure, designated location within Visa's Human Resources Department.
The log will include the specific type of information disclosed (i.e., demographic, Health Information), the purpose, the mode, and the category of recipients to whom the information is being given. For example, if the Plans were to receive a valid judicial Request for the Production of Documents relating to claims files they hold, the Plans might enter the following information into the Plans' log:

Individual / Subject of the PHI: John Doe
Date: 4/15/03
Specific PHI Disclosed: File relating to claims appeal number XXX
Purpose: Judicial request pursuant to discovery process in civil case (MA District Court, docket # )
Mode: Copy of claim file delivered via courier
Recipients to Whom PHI was Disclosed: Jane Smith, Attorney, 123 Main St., Worcester, MA

The Privacy Officer, or a designee, will be responsible for maintaining and updating the log of Disclosures of PHI. Updates will be made as new Disclosures or changes in Disclosures occur within the Plans. The Privacy Officer, or a designee, will be responsible for scheduling and overseeing a quarterly review to evaluate the current documented lists. Any revisions to the inventory at the local level will be reviewed for approval by the Privacy Officer or a designee.
TOPIC: Accounting (Logging) of PHI Disclosures
SUBJECT: Process for logging and providing an accounting of all requests for Uses and Disclosures of PHI to the extent required by applicable regulations.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

POLICY STATEMENT: The Plans will develop and maintain a log that provides for a written accounting of Disclosures of PHI. This will support an Individual's right to receive an accounting of Disclosures of PHI made by the Plans for a period of up to six (6) years prior to the date on which the accounting is requested, except that an accounting will not be given for the following Disclosures:
(a) To carry out Treatment, Payment and Health Care Operations;
(b) To Individuals of PHI about themselves;
(c) For national security or intelligence purposes;
(d) To correctional institutions or Law Enforcement Officials;
(e) That occurred prior to April 14, 2003;
(f) Those made pursuant to the Individual's Authorization; or
(g) Those that are incidental to a permitted or required Use or Disclosure.

An Individual may request an accounting of Disclosures for a period of less than six (6) years from the date of the request.

The Plans will temporarily suspend an Individual's right to receive an accounting of Disclosures to a health oversight agency or Law Enforcement Official for the time specified by such agency or official, if the agency or official provides the Plans with a written statement that such an accounting to the Individual would be likely to impede the agency's activities and specifies the time for which a suspension is required.

The first accounting to an Individual in any 12-month period will be provided without charge. The Plans will impose a reasonable, cost-based fee for each subsequent request for an accounting by the same Individual within the 12-month period.
The Plans will inform the Individual in advance of the fee and provide the Individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

The Plans will require the Plans' Business Associates to agree to maintain a log, in a database, of the following elements regarding Disclosures of PHI for which an accounting may be required:
- The date of the Disclosure;

8.2 Accounting of Disclosures of PHI
- The name of the entity or person who received the PHI and, if known, the address of the entity or person;
- A brief description of the PHI disclosed;
- A brief statement of the purpose of the Disclosure that reasonably informs the Individual of the basis of the Disclosure; and
- The frequency or number of the Disclosures made, including the date of the last such Disclosure during the accounting period.

Upon termination of the Business Associate Agreement, the Plans will require that the Business Associate maintain all logs that contain the accounting of PHI Disclosures or transfer them to a third party designated by the Plans.

To the extent that the Plans use or maintain an electronic health record of PHI, an Individual will have the right to receive an accounting of electronic Disclosures from the Plans if the information was used for Payment, Treatment or Health Care Operations ("TPO") during the past three (3) years. This Individual right applies to:
- TPO Disclosures on or after January 1, 2014, for electronic health records held as of January 1, 2009; and
- TPO Disclosures made after the later of January 1, 2011 or the date the Plan acquires the electronic health record, for electronic health records acquired after January 1, 2009.

PROCEDURES:

Visa Employees Within the Firewall

Visa employees will not take requests for accounting but will steer Individuals to the appropriate providers, insurers or Business Associates, who will contact Visa employees within the Firewall only if they do not have access to the information required.

Providers, Insurers and Business Associates

Requests for accounting will be handled by the provider, insurer or Business Associate holding the information.
The accounting will provide the Individual with a written account of all applicable Disclosures of PHI that occurred during the six (6) years prior to the date of the request for an accounting (or a shorter period at the request of the Individual), including Disclosures to or by Business Associates of the Plans, and will include for each Disclosure:
- The date of the Disclosure;
- The name of the entity or person who received the PHI and, if known, the address of the entity or person;
- A brief description of the PHI disclosed; and
- A brief statement of the purpose of the Disclosure that reasonably informs the Individual of the basis for the Disclosure.

If, during the period covered by the accounting, the Plans have made multiple Disclosures of PHI to the same person or entity for a single purpose, the Plans will provide the following additional information:
- The frequency, periodicity, or number of the Disclosures made during the accounting period; and
- The date of the last Disclosure during the accounting period.

The provider, insurer or Business Associate will respond to the Individual's request for an accounting no later than 60 days after receipt of that request. If the provider, insurer or Business Associate is unable to provide the accounting within 60 days, it may extend the time to provide the accounting by no more than 30 days, and will provide the Individual with a written statement of the reason for the delay and the date by which it will provide the accounting. Only one such extension is permitted.

The provider, insurer or Business Associate will document and retain the information supplied according to this policy, the written accounting that is provided to the Individual, and the title(s) of the person(s) responsible for receiving and processing requests for an accounting by Individuals.

In response to a request for an accounting of electronic Disclosures from the Plans where the information was used for Payment, Treatment or Health Care Operations ("TPO"), the provider, insurer or Business Associate will elect to provide either:
(1) an accounting of such Disclosures made by the Plans and by any Business Associate acting on behalf of the Plans; or
(2) an accounting of such Disclosures made by the Plans together with a list of all Business Associates acting on behalf of the Plans, including contact information for such associates (such as mailing address, phone, and e-mail address).
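The accounting rules above are mechanical enough to encode: a lookback of at most six years that never reaches before April 14, 2003 and may be shortened at the Individual's request, the excluded Disclosure categories, the collapsing of repeated Disclosures to one recipient for one purpose into a single entry carrying a frequency and a last-Disclosure date, the 60-day response deadline with one 30-day extension, and the free first accounting in any 12-month period. The Python below is an added example written for this page; it is not the Plans' or any Business Associate's logging system. The record fields, the category labels, and the sample log entries are assumptions constructed for illustration, and only the rules come from this Section.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example; not the Plans' code. Category labels, field names and the
# sample log are assumptions made for illustration.

# Categories for which Section 8.2 says no accounting is given ((a)-(d), (f), (g)).
EXEMPT_CATEGORIES = {
    "TPO",                 # (a) Treatment, Payment, Health Care Operations
    "TO_INDIVIDUAL",       # (b) to the Individual about themselves
    "NATIONAL_SECURITY",   # (c) national security or intelligence
    "CORRECTIONAL_OR_LE",  # (d) correctional institutions / Law Enforcement Officials
    "AUTHORIZATION",       # (f) made pursuant to the Individual's Authorization
    "INCIDENTAL",          # (g) incidental to a permitted or required Use or Disclosure
}
# (e): nothing before the Privacy Rule compliance date is accountable.
PRIVACY_RULE_DATE = date(2003, 4, 14)


@dataclass(frozen=True)
class Disclosure:
    subject: str       # Individual whose PHI was disclosed
    on: date           # date of the Disclosure
    recipient: str     # name of the entity or person who received the PHI
    address: str       # address if known, otherwise ""
    description: str   # brief description of the PHI disclosed
    purpose: str       # brief statement of purpose, as it appears in the accounting
    category: str      # one of the labels above, or "OTHER" for an accountable Disclosure


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_period(request_date: date, years: int = 6) -> tuple:
    """Window the accounting must cover: up to six years back, never before
    April 14, 2003, and shorter when the Individual asks for fewer years."""
    if not 1 <= years <= 6:
        raise ValueError("an accounting covers between one and six years")
    start = max(years_before(request_date, years), PRIVACY_RULE_DATE)
    return start, request_date


def build_accounting(disclosures, subject: str, request_date: date, years: int = 6):
    """Accounting entries for `subject`. Repeated Disclosures to the same
    recipient for the same purpose collapse into one entry that carries the
    frequency and the date of the last Disclosure in the period."""
    start, end = accounting_period(request_date, years)
    groups = {}
    for d in sorted(disclosures, key=lambda x: x.on):
        if d.subject != subject or d.category in EXEMPT_CATEGORIES:
            continue
        if not start <= d.on <= end:
            continue
        key = (d.recipient, d.purpose)
        entry = groups.setdefault(key, {
            "date": d.on, "recipient": d.recipient, "address": d.address,
            "description": d.description, "purpose": d.purpose,
            "frequency": 0, "last_disclosure": d.on,
        })
        entry["frequency"] += 1
        entry["last_disclosure"] = d.on      # sorted input, so this is the latest
    return list(groups.values())


def response_deadline(received: date, extended: bool = False) -> date:
    """60 days to respond; the single permitted written extension adds at most 30."""
    return received + timedelta(days=60 + (30 if extended else 0))


def fee_may_be_charged(prior_requests, request_date: date) -> bool:
    """First accounting in any 12-month period is free; a later one may carry a
    reasonable, cost-based fee."""
    return any(years_before(request_date, 1) < p <= request_date for p in prior_requests)


# Constructed sample log (fictitious Individuals and recipients).
SAMPLE_LOG = [
    Disclosure("John Doe", date(2003, 4, 15), "Jane Smith, Attorney", "123 Main St., Worcester, MA",
               "Claims appeal file", "Judicial request, civil discovery", "OTHER"),
    Disclosure("John Doe", date(2005, 6, 1), "State Public Health Authority", "",
               "Immunization record", "Public health reporting", "OTHER"),
    Disclosure("John Doe", date(2005, 9, 1), "State Public Health Authority", "",
               "Immunization record", "Public health reporting", "OTHER"),
    Disclosure("John Doe", date(2006, 1, 10), "Acme Claims Processor", "",
               "Claim 4471", "Payment", "TPO"),          # exempt under (a)
    Disclosure("Mary Roe", date(2005, 7, 4), "State Public Health Authority", "",
               "Immunization record", "Public health reporting", "OTHER"),  # different subject
]

if __name__ == "__main__":
    for entry in build_accounting(SAMPLE_LOG, "John Doe", date(2009, 3, 1)):
        print(entry)
    print("deadline:", response_deadline(date(2010, 3, 1), extended=True))
```

Keeping the category on every record and applying the exemptions at accounting time, rather than leaving exempt Disclosures out of the log, lets the same log serve Section 8.1's record of non-routine Disclosures and the health-oversight suspension above, where an entry must be retained but withheld.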
Administrative Safeguards

TOPIC: Security Management Process
SUBJECT: Implement policies and procedures to prevent, detect, contain and correct Security violations.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT: The Plans will implement policies and procedures to prevent, detect, contain and correct Security violations. These policies will address the following HIPAA Implementation Specifications:
- Risk Analysis: an accurate and thorough assessment of the potential risks and vulnerabilities to the Confidentiality, Integrity, and Availability of the Plans' ePHI will be conducted.
- Risk Management: Security Measures sufficient to reduce the risks and vulnerabilities to the Plans' ePHI to a level that complies with the HIPAA Security Rule will be implemented.
- Sanctions: appropriate Sanctions against Workforce members who fail to comply with these policies and procedures will be applied.
- Information System Activity Review: records of Information System activity will be regularly reviewed.

PROCEDURES:

Risk Analysis

The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's Key Controls, Policies and Procedures (KCPP) and other administrative and information technology documents, together with any amendments or revisions thereto.

As part of the Plans' initial HIPAA Security Rule risk analysis, the Plans assessed the technical and non-technical components of the Plans' Security environment as they relate to ePHI, including hardware, software, system interfaces, data and information, and people. All Information Systems that house electronic PHI, including all hardware and software used to collect, store, process, or transmit electronic PHI, were identified. The functions, ownership and control of Information System elements were analyzed and verified as necessary.
The Plans also will review and make a reasoned, well-informed and good-faith determination to implement all applicable Standards and Implementation Specifications under the HIPAA Security Rule. 9.1 Security Management Process
A risk analysis summary was created to summarize the findings of the risk analysis. This summary will be maintained by the Security Officer for a period of not less than six (6) years from the date it was completed or last updated. The risk analysis summary will be reviewed periodically to assess the Plans' compliance with the Security Rule and will be updated as necessary. (See also Evaluation Policy, Section 1.8.)

Risk Management

Visa's risk management plan, the information security program, is documented in the Visa Business Continuity Management Online documents as well as the Enterprise Resiliency Program: Crisis Management Team and Emergency Operations Center Procedures Manual. The Plans have analyzed the data collected during the risk analysis and identified the risks and vulnerabilities of any ePHI stored, processed or transmitted by the Plans. The Plans will implement reasonable and appropriate Security Measures to reduce risks to the Confidentiality, Integrity and Availability of ePHI to a reasonable and appropriate level, taking into consideration the Plans' size, complexity, technical capabilities, risk analysis and the costs of Security Measures. All Security Measures implemented and/or adopted by the Plans will be documented, and the effectiveness of those Security Measures will be reviewed and audited as part of the Security Officer's periodic evaluations of the Plans' Security environment.

Sanctions

The Plans have established policies and procedures regarding disciplinary actions, which are communicated to all employees, agents, contractors and other persons under the Plans' direct control.
The Plans will make employees, agents, and contractors aware that violations may result in notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations, and will advise employees, agents, and contractors that civil or criminal penalties may apply for the misuse, disclosure or misappropriation of Health Information. These sanctions and guidelines may be supplemented by policies and sanctions for misconduct under the provisions of the Visa Employee Handbook.

Sanctions will be imposed on those Individuals who do not follow the outlined policies and procedures. This applies to all violations, not just repeat violations. These Sanctions will be supported, and may be supplemented, by Visa and may be required in all Business Associate agreements. Employees, agents, and contractors will be made aware of what actions are prohibited and punishable. Training will be provided and expectations made clear so that Individuals are not sanctioned for doing things they were not aware were wrong or inappropriate.

Employee Sanctions may include any of the following:
(a) Verbal warning;
(b) Re-training and/or education;
(c) Notice of disciplinary action placed in personnel files; and
(d) Other Sanctions, up to and including termination of employment.

Business Associate Sanctions may include any of the following:
(a) Verbal warning;
(b) Implementation of contract provisions that include contract penalties;
(c) Termination of contract; and
(d) Notification to HHS.

Specific Sanctions will be determined based on the nature of the violation, its severity and whether or not it was intentional. Sanctions will be applied uniformly across all job categories. All Sanctions will be documented, with documentation retained for a period of not less than six (6) years.

No Sanctions will be taken against Workforce members who, in good faith, lodge a complaint with any entity regarding a Security Rule violation or who refuse to follow a policy or procedure which they believe, in good faith, violates the Security Rule.

The Security Officer will be responsible for notifying the Plans about Workforce members who fail to comply with the Security policies. The Security Officer will assist with providing the information necessary to appropriately apply disciplinary action, including notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations. Please refer to Section 1.7 of this Manual for Privacy Sanction procedures.

Information System Activity Review

Records of Information System activity are reviewed on a regular basis to detect, correct, prevent, and contain Security violations. The Group Health Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document, together with any amendments or revisions thereto. The Security Officer or a designee, working in conjunction with Visa's information technology and information security staff, will be responsible for coordinating the Information System activity record review as it relates to the Plans' ePHI.
Information System activity will be reviewed periodically to detect or correct Security violations. The Plans maintain the following:
(a) Audit logs;
(b) Access reports;
(c) Security Incident logs;
(d) Paper-based logs; and
(e) Other internal Security controls and monitoring tools.

Workforce members will be informed that records of Information System activity may be reviewed and can be used to investigate the causes of reported or suspected Security Incidents or Security violations.
TOPIC: Assigned Security Responsibility
SUBJECT: Designation of a Security Officer.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT: The Plans have identified and designated a Security Officer who is responsible for the development and implementation of the Plans' Security policies and procedures. The Security Officer provides a central point of accountability within the Plans for Security-related issues. The Security Officer is responsible for developing and implementing the policies and procedures for the Plans and for compliance with the HIPAA Security Rule generally. The role of Security Officer may be an additional responsibility given to an existing employee of Visa.

PROCEDURES:

The Security Officer will be trained and responsible for reviewing the Plans' Security program. The Security Officer coordinates efforts across the Plans to identify key Security initiatives and standards, including virus protection, Security monitoring, intrusion detection, physical access control, and the Security of Health Information held by the Plans. The Security Officer's responsibilities are described in Appendix F: Role of the Privacy and Security Officer.

The Security Officer, or a designee, will be responsible for:
(a) Conducting or overseeing employee Training;
(b) Establishing employee Sanctions for failure to comply with the Security Rule;
(c) Maintaining compliance records;
(d) Monitoring the Plans' Security procedures and practices internally on a periodic basis and implementing changes as necessary; and
(e) Working with Visa's business units, legal counsel, and other related parties to assist in representing the Group Health Plans' information security interests with external parties (e.g., federal, state or local government bodies) who undertake to adopt or amend related security legislation, regulations, or standards.

Rick Leweke has been designated to serve as the HIPAA Security Officer for the Plans.
This designation has been communicated to the Plans Workforce. 9.2 Assigned Security Responsibility
TOPIC: Workforce Security
SUBJECT: Ensuring appropriate access to, and preventing inappropriate access to, ePHI.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT: The Plans' HIPAA policies and procedures are designed to ensure that all members of the Workforce have appropriate access to ePHI and to prevent those members of the Workforce who do not require access to ePHI from obtaining such access. These policies will address the following HIPAA Implementation Specifications:
- Authorization and/or Supervision (A): procedures for the authorization and/or supervision of Workforce members who work with ePHI or in locations where it may reasonably be anticipated to be accessed will be adopted.
- Workforce Clearance Procedures (A): procedures to determine that the access of a Workforce member to ePHI is appropriate will be implemented.
- Termination Procedures (A): procedures for terminating access to ePHI when the employment of a Workforce member ends will be implemented.

The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:

Authorization and/or Supervision (A)

Only those Workforce members who require access to ePHI to perform appropriate activities on behalf of the Plans will be permitted to have access to such information. The HIPAA Privacy Officer, the Security Officer, or a designee will determine which persons or classes of persons can access PHI and ePHI as part of their job functions, and will identify the categories of PHI and ePHI to which these access rights apply. The HIPAA Privacy Officer, the Security Officer, or a designee will review requests for non-routine Disclosures on an individual basis, using set criteria. The Plans maintain a listing of personnel who are authorized to access PHI and ePHI.
The following employees, classes of employees, or other persons under the control of the Plan Sponsor shall be given access to PHI: Benefits Personnel.

The need for a screening process will be based on an assessment of risk, cost, benefit, and feasibility, as well as other protective measures in place. Effective screening processes will be applied to allow a range of implementation, from minimal procedures to more stringent procedures commensurate with the sensitivity of the data to be accessed and the magnitude of harm or loss that could be caused by the Individual.

Workforce members who work with ePHI or in areas where it may reasonably be anticipated to be accessed will be appropriately trained and supervised. Non-Workforce members and others who work in areas where ePHI may be inadvertently or incidentally viewed or accessed will receive appropriate Training and instruction regarding such information. Please refer to Section 2 of this Manual for Privacy Authorization procedures.

The Plans have determined that the current corporate-wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Workforce Clearance Procedures (A)

The Plans perform Workforce clearance procedures in several ways:
(a) The Plans have implemented recruiting and hiring policies, procedures and practices on a corporate-wide basis;
(b) Background checks are conducted on prospective employees; and
(c) Reference checks and other appropriate mechanisms are also employed by the Plans.

The Plans have determined that the current corporate-wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Termination Procedures (A)

Upon termination of employment, access privileges to ePHI, to the Plans' Information Systems, and to work areas where ePHI may reasonably be anticipated to be accessed will be terminated. Termination of privileges and access will be effected immediately upon, and no later than 24 hours after, the termination of employment, or sooner if circumstances warrant (e.g., in the case of an employee terminated for cause). When access to ePHI is no longer needed for a Workforce member to perform the member's job, access privileges will be revoked or modified as needed. The listing of personnel who are authorized to access PHI and ePHI (maintained under Section 4.1 of the Plans' HIPAA Privacy Policies) will be updated to reflect this change.

The Plans have determined that the current corporate-wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

9.3 Workforce Security
9.4 Information Access Management

TOPIC: Information Access Management
SUBJECT: Ensuring that access to ePHI is authorized, established, maintained and modified based on the minimum amount necessary for a Workforce member to perform the member's job effectively.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans shall only allow for and authorize access to ePHI in a manner that is consistent with the requirements of the HIPAA Privacy Rule. Access to ePHI is therefore authorized, established, maintained and modified based on the minimum amount of information necessary for a Workforce member to perform the member's job effectively. These policies will include addressing the following HIPAA Implementation Specifications:

Access Authorization (A): policies and procedures for granting access to ePHI, for example, through a Workstation, Transaction, program, process or other mechanism will be implemented.
Access Establishment and Modification (A): policies and procedures that, based on the Plans' Access Authorization policies, establish, document, review, and/or modify a User's right of access to a Workstation, Transaction, program or process will be implemented.

The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:

Access Authorization (A)

Access to ePHI is granted in a manner that is consistent with the Plans' determination of the minimum amount of information required by a member of the Workforce to perform the member's job. The Plans' policy on the Minimum Use of PHI (and ePHI) is documented in Section 6.1. This includes procedures and standard protocols to limit the Use and Disclosure of PHI/ePHI to the minimum information reasonably necessary to achieve the purpose of that type of Use or Disclosure.

The Plans have determined who needs to have access to PHI/ePHI and have identified the categories of such information to which access is needed and the conditions appropriate to such access. For every type of Routine and permissible Use or Disclosure of PHI, the Plan will consider the minimum information reasonably necessary to achieve the purpose of that type of Use or Disclosure and will make every effort to ensure consistency. What is reasonable to comply with this policy will vary based on the circumstances. The Plan will use discretion to determine the Minimum Necessary information in each situation.

The Plans have determined that the current corporate wide policies, together with the Plans' established procedures (and any amendments or revisions thereto) that establish how an employee is granted access to information, are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plan will rely on current practices.

Access Establishment and Modification (A)

The Plan maintains documentation regarding authorized access privileges. Access is modified or revoked when a User's job function or access needs change. Reviews of access rights are conducted at regular intervals to ensure the continued appropriateness of levels of access. Access privileges are immediately revoked when a User is no longer employed by Visa or when the User's job function no longer includes duties associated with the Plan. Special care is taken in deactivating access when employment is terminated, as described under the Termination Procedures policy (See, Sec ).

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plan will rely on current practices.

Specific Procedures

1. The access to, use and disclosure of ePHI by Workforce members is restricted to the category or categories of ePHI required to carry out their duties and job responsibilities. The Security Officers, or their designee or designees, will determine if an individual's level of access to ePHI is permissible.
2. Decide how the person with the assigned security responsibility will consistently grant access to others within the organization.
3. Document which process will be used to select the basis for restricting access.
4. Choose between identity-based access (by name) or role-based access (by job or by other appropriate means).
5. Determine who should be authorized to access information systems.
6. Evaluate existing security measures related to access controls.
7. Coordinate with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authentication of users, and physical access controls.
9.5 Security Awareness and Training

TOPIC: Security Awareness and Training
SUBJECT: Security awareness and Training for members of the Workforce.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans have implemented a Security awareness and Training program for all members of their Workforce, including management. Training on the Plans' HIPAA policies and procedures will be conducted in an appropriate manner so as to enable the members of the Workforce to carry out their job function(s) within the Plan. Training will be provided to each appropriate member of the Workforce on the Privacy, Confidentiality and Security requirements that are applicable to their work. Training initially was provided for then-current members of the Workforce by April 21, Each new member of the Workforce will receive the Training within a reasonable period of time after joining the Plans' Workforce. When there is a material change in the privacy policies and/or procedures, each member of the Workforce whose function is affected by the change will be trained within a reasonable period of time after the change becomes effective. These policies will include addressing the following HIPAA Implementation Specifications:

Security Reminders (A): periodic Security updates will be implemented.
Protection from Malicious Software (A): procedures for guarding against, detecting, and reporting Malicious Software will be implemented.
Log-in Monitoring (A): procedures for monitoring log-in attempts and reporting discrepancies will be implemented.
Password Management (A): procedures for creating, changing and safeguarding Passwords will be adopted.

The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:
A formal Security Training program will be provided for all existing and new members of the Workforce regarding the Security and privacy of ePHI and the Plans' Information Systems. The Security Officer or designee will determine the method of Training and the documented orientation program used to train appropriate staff. This may include memos, e-mailed notices, self-learning packets, distribution of policies and procedures, presentation materials, or other methods. The information can be taught at departmental meetings, Training meetings, one-on-one Training or by self-teaching using the methods listed. The person responsible for the Training session will provide to the Security Officer a listing of who has received the Training, the trainer, the date of Training and copies of the information disseminated.
Prior to the compliance deadline, Training will be conducted via the delivery and review of printed material provided to all Plan employees within the firewall (see also Section 4.1 of the Plans' HIPAA Policies). A Training program will be delivered to such employees via facilitated sessions prior to the compliance date. On-going Training will be conducted periodically, or within a reasonable time whenever there is a material change to the HIPAA Security requirements or to the Plans' policies and procedures. The delivery method for such on-going Training may vary and/or be revised as the circumstances allow. New employees entering into roles/functions within the firewall will be logged in and trained within thirty (30) days from the date they begin working with ePHI or PHI as part of their designated job function. The Plan will document the Plans' Training in written or electronic form and maintain such documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.

Security Reminders (A)

Security reminders will be sent out periodically to members of the Workforce, including management, to promote and raise awareness of Security issues, both in general and as those concerns relate to ePHI.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Protection from Malicious Software (A)

All desktops, laptops and servers associated with Workforce members and ePHI include antivirus software with current virus definition files installed and programmed to conduct automatic virus scanning. Security updates and patches for computer operating systems and software are installed as needed to reduce known vulnerabilities. When a virus is suspected or detected, the Security Officer or designee will be notified as soon as possible. Workforce members are not allowed to proceed with virus eradication efforts without appropriate authorization and/or supervision from Visa's Information Technology Department. The infected machine, along with any other machines that may have been contaminated, must be isolated from the network, scanned and repaired by the appropriate technology support personnel.
Information on virus and Malicious Software protection is included in the Plans' Security Training program. Workforce members are instructed not to download software from the Internet or install software on desktops or laptops without prior authorization. Workforce members are instructed not to open attachments from unknown or untrustworthy sources. All attachments are scanned for the presence of viruses.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Log-in Monitoring (A)

Log-in attempts will be monitored beginning in the first quarter of 2005 by Visa's Information Security system. If an Individual attempts to log into the system using an incorrect User name or Password three (3) times, the Workstation and/or User account will be automatically locked out for a period of not less than thirty (30) minutes. Documentation of log-in violations will be retained according to the Plans' record retention guidelines.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Password Management (A)

Members of the Workforce must follow the Plans' established guidelines for creating, changing and safeguarding Passwords:

Creating Passwords:
(a) Workforce members must create unique Passwords for each network User account, e-mail account and for screensaver protection;
(b) Passwords must contain at least eight characters and should incorporate a mix of alpha (lower and upper case), numeric and non-alpha (complex) characters;
(c) Passwords should not be words that are found in a dictionary; and
(d) Passwords should be easy to remember, but should not be based on personal information, such as family names, pet names, birth dates or other information that may be easily guessed.

The more characters that are used in a Password, the more secure the Password will be. The following is an example of how to create a strong Password:
(a) Choose an eight character word or two unrelated words;
(b) Replace a letter with a number;
(c) Replace a letter with a special character; and
(d) Change one letter to uppercase.

Password becomes OR footrake becomes

Changing Passwords:
(a) Workforce members are required to change Passwords consistent with Visa's corporate standards, which require that such change be done at least once every thirty (30) days; and
(b) Any previously used Password may not be reused.

Safeguarding Passwords:
(a) Workforce members should not write down their Passwords and post them in a visible location or close to their Workstation;
(b) Passwords should not be stored in a public area or on PDAs (Personal Digital Assistants) without Encryption; and
(c) Passwords should not be shared with other Individuals, including co-workers, assistants, or systems administrators. The sharing of Passwords or use of group Passwords is not allowed.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.
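The Log-in Monitoring and Password Management procedures above, as an added example that is not part of the Plans' document or of Visa's systems: a small Python account controller that enforces the three-attempt lock-out of at least thirty minutes, keeps the log of log-in violations, and applies the Password creation and no-reuse rules. The user name, the word list and the personal details it checks against are assumptions constructed for the example.

```python
"""Added example (not the Plans' own procedure or Visa's system): an account controller
applying the Section 9.5 Log-in Monitoring and Password Management rules to constructed
sample data; the user name, word list and personal details are assumptions made here."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                 # "three (3) times"
LOCKOUT_PERIOD = timedelta(minutes=30)  # "not less than thirty (30) minutes"
MIN_LENGTH = 8                          # "at least eight characters"
DICTIONARY = {"password", "footrake", "welcome", "benefits"}  # constructed stand-in


def _digest(password: str, salt: bytes) -> bytes:
    # Slow salted hash so the reuse history never holds clear-text Passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)  # digests, current one last
    failed_attempts: int = 0
    locked_until: datetime | None = None


@dataclass
class AccountController:
    accounts: dict[str, Account] = field(default_factory=dict)
    violation_log: list[str] = field(default_factory=list)  # retained for review

    def _record(self, when: datetime, user: str, event: str) -> None:
        self.violation_log.append(f"{when.isoformat()} user={user} {event}")

    # Password Management, "Creating Passwords" rules (a) to (d).
    @staticmethod
    def policy_errors(password: str, personal_info: tuple[str, ...] = ()) -> list[str]:
        errors = []
        if len(password) < MIN_LENGTH:
            errors.append("fewer than eight characters")
        if not any(c.islower() for c in password):
            errors.append("no lower-case letter")
        if not any(c.isupper() for c in password):
            errors.append("no upper-case letter")
        if not any(c.isdigit() for c in password):
            errors.append("no numeric character")
        if all(c.isalnum() for c in password):
            errors.append("no non-alpha (complex) character")
        if password.lower() in DICTIONARY:
            errors.append("dictionary word")
        if any(len(i) >= 3 and i.lower() in password.lower() for i in personal_info):
            errors.append("contains personal information")
        return errors

    # Password Management, "Changing Passwords" rule (b): no reuse of an old Password.
    def set_password(self, user: str, password: str, personal_info: tuple[str, ...] = ()) -> list[str]:
        acct = self.accounts.setdefault(user, Account(user))
        errors = self.policy_errors(password, personal_info)
        candidate = _digest(password, acct.salt)
        if any(hmac.compare_digest(candidate, old) for old in acct.history):
            errors.append("previously used Password")
        if not errors:  # an empty list means the Password was accepted
            acct.history.append(candidate)
        return errors

    # Log-in Monitoring: three strikes, 30 minute lock-out, every violation logged.
    def login(self, user: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user)
        if acct is None or not acct.history:
            self._record(now, user, "unknown account or no Password set")
            return "denied"
        if acct.locked_until is not None:
            if now < acct.locked_until:  # a correct Password is refused as well
                self._record(now, user, "attempt during lock-out")
                return "locked"
            acct.locked_until, acct.failed_attempts = None, 0
        if hmac.compare_digest(_digest(password, acct.salt), acct.history[-1]):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        self._record(now, user, f"incorrect Password (attempt {acct.failed_attempts})")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_PERIOD
            self._record(now, user, f"account locked until {acct.locked_until.isoformat()}")
            return "locked"
        return "denied"


def run_scenario() -> tuple[list[str], list[str]]:
    # Constructed walk-through: three bad attempts, one try while locked, then success.
    ctl = AccountController()
    ctl.set_password("bperson", "Tr4ck-Hop9", personal_info=("Person",))
    t0 = datetime(2010, 2, 17, 9, 0)
    attempts = [("wrong", 0), ("wrong", 1), ("wrong", 2), ("Tr4ck-Hop9", 10), ("Tr4ck-Hop9", 32)]
    results = [ctl.login("bperson", pw, t0 + timedelta(minutes=m)) for pw, m in attempts]
    return results, ctl.violation_log
```

The scenario returns the outcome of each attempt together with the retained violation log; the fourth attempt is refused even though the Password is correct because the thirty-minute window has not elapsed.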
9.6 Security Incident Procedures

TOPIC: Security Incident Procedures
SUBJECT: Policies and procedures to address Security Incidents.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans maintain policies and procedures which are reasonably designed to address and identify all Security Incidents, including the attempted or successful unauthorized access, Use, Disclosure, modification, or destruction of information or interference with systems operations in an Information System. These policies will include the following HIPAA Implementation Specification:

Response and Reporting: The Plans will identify and respond to suspected or known Security Incidents; mitigate, to the extent practicable, harmful effects of known Security Incidents; and document Security Incidents and their outcomes.

The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:

Response and Reporting

Plan Workforce members are trained to report suspected or actual Security Incidents involving unauthorized access, Use, Disclosure, modification, or destruction of ePHI to the Security Officer as soon as practicable. This includes incidents such as denial of service attacks, malicious code, viruses and worms. Specific procedures for the operation, monitoring, and logging of Visa's corporate intrusion detection system, including virus and malicious code attacks, can be found in Visa's corporate standards in addition to any amendments or revisions thereto.

All known Security Incidents will be investigated and documented. An appropriate response to a Security Incident will be determined based on the nature and severity of the Security Incident. Responses may include, but are not limited to:
(a) the application of Sanctions against responsible personnel;
(b) the initiation of (additional) Security reminders;
(c) additional and/or updated Training on Security practices; and
(d) an evaluation of the adequacy of the Plans' existing Security Measures.

Any harm resulting from a Security Incident will be mitigated to the extent practicable. All known Security Incidents, together with the results of associated investigations, will be documented and the results maintained according to the Plans' record retention guidelines. Security Incidents involving an improper Disclosure of ePHI will be logged and maintained in conjunction with Sec. 8.2 of the Plans' HIPAA Privacy policies for a period of not less than six (6) years.
9.7 Contingency Plan

TOPIC: Contingency Plan
SUBJECT: Policies and Procedures for Responding to Systems Emergencies.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will establish, and implement as necessary, policies and procedures for responding to emergencies and other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damage systems containing ePHI. Such policies and/or business continuity plans are required for all critical business functions of the Plans. These policies will establish the elements involved with business resumption in the event of a disaster and will include the following HIPAA Implementation Specifications:

Data Backup Plan: procedures to create and maintain exact, retrievable copies of ePHI will be established and implemented.
Disaster Recovery Plan: procedures to restore any loss of data will be established.
Emergency Mode Operation Plan: procedures to enable continuation of critical business processes for the protection of the Security of ePHI while operating in emergency mode will be established (and implemented as needed).
Testing and Revision Procedures (A): procedures for periodic testing and revision of contingency plans will not be implemented.
Applications and Data Criticality Analysis (A): the relative criticality of specific applications and data in support of other contingency plan components will be assessed.

The Security Officer will provide support and direction for the implementation of the contingency plan as it may relate to ePHI. The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:

Data Backup Plan

Procedures have been adopted on a corporate wide basis to allow the Plans to retrieve and/or restore exact copies of data, including ePHI:
(a) Full backups of all data directories, files and software are performed over the weekend;
(b) Incremental backups of only the data that has changed since the last backup are typically performed daily;
(c) Month-end backups are taken from the last weekend of every month; and
(d) Database backups are typically created daily utilizing specialized software processes.

Where the Plans have not created the ePHI or do not otherwise maintain original ePHI, the data backup procedures may include recovering any lost or corrupted data from its original source, including but not limited to the Individual to whom the ePHI pertains.

Disaster Recovery Plan

Procedures have been established to allow for the restoration of any loss of data and/or ePHI. These procedures include the following and can be found in the Disaster Recovery Plan maintained by Visa.

Emergency Mode Operation Plan

Procedures have been established to allow the continuation of the Plans' critical business processes and to protect ePHI while operating in emergency mode. These procedures include the following and can be found in Visa's Business Continuity Plan.

Testing and Revision Procedures (A)

The Plans' contingency plan will be reviewed periodically and updated annually. The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Applications and Data Criticality Analysis (A)

The relative criticality of the Plans' applications and data is periodically reviewed by the Security Officer in conjunction with the assessment of other contingency plan components. The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plan will rely on current practices.
9.8 Evaluation

TOPIC: Evaluation
SUBJECT: Evaluating safeguards under the Security Rule and performing periodic technical and non-technical evaluations.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will evaluate the Plans' safeguards under the Security Rule and perform periodic technical and non-technical evaluations, based initially upon the standards implemented under the Security Rule, and subsequently in response to environmental or operational changes affecting the Security of ePHI, to establish the extent to which the Plans' policies and procedures meet the Security Rule's requirements.

PROCEDURES:
The Security Officer will coordinate the resources necessary to periodically evaluate the Plans' compliance with the Security Rule, as well as the overall Security environment of the Group Health Plans and the Plans' ePHI. Evaluations will be conducted whenever there are changes affecting the ePHI created, received, maintained or transmitted by the Plans, provided however that a periodic evaluation will be conducted at least once per year. Additional, ad hoc evaluations of the technical and non-technical components of the Plans' Security environment and the Plans' compliance with the requirements of the HIPAA Security Rule may be conducted by the Security Officer as deemed necessary and appropriate to ensure the adequacy of Security Measures and compliance with the Security Rule. Documentation of known Security Incidents may be reviewed periodically and included in the decision of whether to conduct an ad hoc evaluation. The results of any evaluations will be documented and retained for a period of at least six (6) years from the date the evaluation was conducted. Please refer to Section 1.10 of this Manual for Privacy audit procedures.
Physical Safeguards

Facility Access Controls

TOPIC: Facility Access Controls
SUBJECT: Limiting physical access to the Plans' electronic Information Systems and facilities.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans have implemented and maintain policies and procedures regarding Facility access controls to limit physical access to the company's facilities, work areas and electronic Information Systems, while ensuring that properly authorized access is allowed. These policies will include addressing the following HIPAA Implementation Specifications:

Contingency Operations (A): procedures to allow Facility access in support of restoration of lost data under the disaster recovery plan and emergency operation plan in the event of an emergency will be established and implemented as necessary.
Facility Security Plan (A): policies and procedures to safeguard the Facility and the equipment therein from unauthorized physical access, tampering and theft will be implemented.
Access Control and Validation Procedures (A): procedures to control and validate a person's access to facilities based upon their role or function, including visitor control, and control of access to software programs for testing and revision will be implemented.
Maintenance Records (A): policies and procedures to document repairs and modifications to the physical components of a Facility which are related to Security (for example, hardware, walls, doors and locks) will be implemented.

The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:

Contingency Operations (A)

Temporary authorization to access electronic Information Systems is granted to repair personnel or technicians during emergencies for the purpose of restoring lost data or repairing damaged equipment. Members of the Plans' Workforce are restricted from accessing ePHI during emergencies until data and/or damaged equipment is restored or repaired.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Facility Security Plan (A)

The Plans maintain a Facility Security plan to document the physical Security Measures used to prevent unauthorized access to the Plans' facilities and employee work areas and to prevent tampering with or the theft of their equipment.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Access Control and Validation Procedures (A)

Access to employees' work areas is controlled and validated through key card access to the Facility. Access to servers and other electronic equipment requires an additional level of Security, with access codes distributed on a limited basis. Visitors to the Facility must sign a log that records the time of arrival and departure. Visitors must be escorted as appropriate and, if working near or with ePHI, have appropriate authorization and/or supervision.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Maintenance Records (A)

All Facility repairs or modifications that are related to Security are documented.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.
Workstation Use

TOPIC: Workstation Use
SUBJECT: Specifying the proper functions, manner of use and physical attributes of Workstations.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans have implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical surroundings of a specific Workstation or class of Workstations that can access ePHI. The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:
Workforce members utilize Employer-owned and maintained Workstations in the course of normal business on behalf of the Plans. The functions that can be performed by Workforce members are determined by their role and based upon approved and authorized User access requests. Workstations are configured with the appropriate software and applications based upon these approved functions.

Only software packages approved by Visa's Information Technology Department may be installed on Employer computing systems or Workstations. The use of unapproved software is prohibited, as is the use of file sharing software or any hardware or software tools that could be employed to evaluate or compromise the Information Systems' Security.

Workforce members will not use profanity, obscenities or derogatory remarks in electronic communications. E-communications usage will be consistent with the standards of ethical and polite conduct as outlined in Visa's corporate standards of employee conduct. Websites and other areas containing sexually explicit, racist, violent, criminal or other offensive or inappropriate materials may not be accessed by Workforce members. Workforce members who receive unsolicited offensive materials from third parties will not respond to, forward or redistribute such materials either internally within the Plans or externally, unless it is to the Information Technology Department to assist in the investigation of a complaint. Such unsolicited materials should be deleted upon receipt.

Workstations and display screens should be positioned in such a manner that any ePHI displayed is not easily viewable by others. When display screens are located in cubicles or open areas within a Facility, privacy screens should be used to reduce or eliminate the possibility of peripheral viewing.

Training regarding acceptable uses of Workstations that contain or permit access to ePHI is provided to members of the Workforce. Additional Training may be provided on an as-needed basis to ensure Workforce members understand all procedures for compliance.
Workstation Security

TOPIC: Workstation Security
SUBJECT: Physical safeguards for all Workstations with access to ePHI to restrict access to authorized Users.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will implement Physical Safeguards for all Workstations that access ePHI in order to restrict access to authorized Users. The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:
All persons or classes of persons whose Workstations contain or permit access to ePHI have been identified. The Plans have taken reasonable precautions to confirm that such Workstations are physically safeguarded in a manner that maximizes Security and prevents unauthorized access. Workforce members are required to take reasonable steps to prevent unauthorized access to unattended Workstations, limit the ability of unauthorized persons to view sensitive information, and erase sensitive information as needed.

Additional care must be given to safeguarding portable electronic computing devices, such as laptops, Personal Digital Assistants (PDAs), and wireless devices. This additional level of care applies whether the portable device is located within or outside of the Plans' Facility. Portable devices must not be left unsecured and unattended. Whenever possible the portable device should be secured to the Workforce member's desk or workspace by means of a secure locking device. Any loss or theft of a portable electronic device containing ePHI must be reported immediately to the Security Officer and the Information Technology Department. Mitigation procedures such as those contained in Section 1.4 of the Plans' HIPAA Privacy Policies must be implemented promptly.

Members of the Workforce using laptops or remote dial-in systems are discouraged from downloading ePHI onto laptops or remote systems. Workforce members must use reasonable caution when accessing ePHI from remote locations or from any system outside of that Workforce member's secure work area. Additional Training may be provided on an as-needed basis to ensure Workforce members understand all procedures for compliance.
10.4 Device and Media Controls

TOPIC: Device and Media Controls
SUBJECT: Management of the receipt, removal and movement of hardware and Electronic Media that contain ePHI.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans have implemented policies to govern the receipt and removal of hardware and Electronic Media that contain ePHI into and out of their facilities, as well as the movement of these items within their facilities. These policies will include the following HIPAA Implementation Specifications:

Disposal: policies and procedures to address the final disposition of ePHI and/or the hardware or Electronic Media on which it is stored will be implemented.
Media Re-Use: procedures to remove ePHI from Electronic Media before the media are made available for reuse will be established.
Accountability (A): a record of the movements of hardware and Electronic Media and the person responsible for that record will be maintained.
Data Backup and Storage (A): exact, retrievable copies of ePHI will be created, when needed, prior to the movement of equipment.

The Plans specifically incorporate herein by reference the policies and procedures contained in Visa's KCPP document.

PROCEDURES:
Within the Plans, ePHI may be stored or maintained on hardware and Electronic Media such as storage devices (servers and hard disk drives), Workstations, laptops, diskettes, CDs, and other portable devices used to access e-mail (e.g., Blackberries or PDAs).

Disposal

Any ePHI that is stored on the hard drives of computers or other Electronic Media is removed and permanently erased by magnetically removing any and all information from the Media before the disposal of the hardware or Electronic Media.

Media Reuse

Any ePHI that is stored on the hard drives of computers or other Electronic Media is removed and permanently erased by magnetically removing any and all information from the Media before the reuse of the hardware or Electronic Media.

Accountability (A)

Records are maintained of the movement of hardware and Electronic Media that contain ePHI into, out of, or within the Facility, preferably to ensure that system activity can be traced to a specific user.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Data Backup and Storage (A)

An exact, retrievable copy of ePHI is created before moving equipment where the move may result in damage or the loss of data. Creation of the backup copy is the responsibility of the Workforce members who have been authorized to work with ePHI.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.
Technical Safeguards

11.1 Access Control

TOPIC: Access Control
SUBJECT: Technical Security measures for the Plans' electronic Information Systems.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
Technical Security measures, policies and procedures have been implemented for electronic Information Systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. These policies will include the following HIPAA Implementation Specifications:
Unique User Identification - a unique name and/or number for identifying and tracking User identity will be assigned.
Emergency Access Procedure - procedures for obtaining necessary ePHI during an emergency will be established and implemented as necessary.
Automatic Logoff (A) - electronic procedures that terminate an electronic session after a predetermined period of inactivity will be implemented.
Encryption and Decryption (A) - a mechanism to encrypt and decrypt ePHI will be implemented.

PROCEDURES:

Unique User Identification
All Workforce members are assigned unique User Identification names or numbers that enable Visa's Information System to identify, authenticate and track User identity. Access control lists containing the records of such unique User IDs are updated within 24 hours when access privileges are terminated or changed.

Emergency Access Procedure
Temporary access to the Plans' Information Systems and/or ePHI is provided in the event of emergencies. The Plans' contingency plan (see also the policies and procedures set forth under the Contingency Plan standard in the Administrative Safeguards section) sets forth the Plans' emergency access procedures.

Automatic Logoff (A)
The Plans have determined that the following automatic logoff/lock-out procedure is sufficient to meet the Plans' Security needs:
(a) Password-protected screen saver activated after thirty (30) minutes of inactivity.
The Plans have determined that the current corporate-wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Encryption and Decryption (A)
Alternative #1: The Plans have determined that Encryption and decryption generally are not required for the electronic maintenance of ePHI as it may be used by the Plans in their day-to-day activities. Access to such ePHI is restricted to those Workforce members who require it to perform their job functions. Numerous other safeguards are also in place to protect ePHI, as described in this Manual. At the present time, due to the limited risk of inappropriate Use or Disclosure of ePHI and the limited technological capability of the Plans to encrypt and decrypt ePHI in storage on their operating systems and storage platforms, the Plans have determined that their policy will not be to encrypt ePHI in storage. The alternate controls described in this Manual have been determined to be reasonable and appropriate to mitigate the risk to ePHI. The Security Officer may nevertheless authorize or mandate the use of Encryption and decryption on an as-needed basis, as may be appropriate given the nature of the information stored and the potential risks posed. The Plans have determined that the current corporate-wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.
Alternative #2: The Plans have determined that Encryption and decryption are required for the electronic maintenance of ePHI as it may be used by the Plans in their day-to-day activities and as it is stored. The Plans' policy is to encrypt all ePHI.
TOPIC: Audit Controls
SUBJECT: Recording and examining activity in Information Systems that contain or use ePHI.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans will implement hardware, software, and/or procedural mechanisms that record and examine activity in Information Systems that contain or use ePHI.

PROCEDURES:
The Plans are required to implement mechanisms that record and examine activity in Information Systems that contain or use ePHI. The Plans maintain the following audit controls:
(a) Audit logs;
(b) Access reports;
(c) Security Incident logs;
(d) Other internal Security controls and monitoring tools.
All activities that alter applications containing ePHI are tracked using one or more of the above audit controls. Additional change management procedures may be utilized when necessary. Additionally, changes to, or activities altering, ePHI in systems or applications (such as creates, reads, updates or deletes) may be reviewed or tracked by the Plans. Such activity records may consist of any of the following elements:
(a) The type of activity performed;
(b) The date and time of the access or alteration;
(c) The unique User ID of the person performing the activity; and/or
(d) The identifier of the record being accessed or altered.
TOPIC: Integrity
SUBJECT: Protecting ePHI from improper alteration or destruction.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
All ePHI maintained in the Plans' Information Systems is protected from improper alteration or destruction. The Plans have considered the risk and potential for improper alteration or destruction of ePHI maintained in their systems and have determined that the policies and procedures set forth herein are reasonable and sufficient to ensure the Integrity of the ePHI. These policies will include addressing the following HIPAA Implementation Specification:
Mechanism to Authenticate ePHI (A) - electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner will be implemented.

PROCEDURES:
All approved Users with the ability to alter or destroy data have been identified, as have scenarios that may result in modification of the ePHI by unauthorized sources (e.g., hackers, disgruntled employees, business competitors).

Mechanism to Authenticate ePHI (A)
The Plans' policies to protect ePHI from improper alteration or destruction include the following:
(a) Full backup of all data directories, files and software, performed over the weekend;
(b) Incremental backup of only the data that has changed since the last backup, typically performed daily;
(c) Month-end backups from the last weekend of every month;
(d) Database backups, typically created daily using specialized software processes;
(e) Manual audit controls, including quarterly access list review and periodic system and security reviews by internal audit.
TOPIC: Person or Entity Authentication
SUBJECT: Verifying that a person or entity seeking access to ePHI is the one claimed.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: February 17, 2010

POLICY STATEMENT:
The Plans have implemented reasonable procedures to verify that a person or entity seeking access to ePHI is the one claimed.

PROCEDURES:
Unique User IDs are assigned to all members of the Workforce. That User ID, in conjunction with an Individually selected Password, is required to log on to the Plans' Information Systems. Workforce members are required to follow the Plans' Password management policies and procedures (see also the Password Management policies and procedures set forth under the Security Awareness and Training standard in the Administrative Safeguards section) to create and safeguard their User ID and Passwords to prevent unauthorized access to the Plans' Information System. Workforce members may not share their logon ID or Password. Workforce members may not misrepresent themselves to the Plans' Information System by using another person's unique User ID.
TOPIC: Transmission Security
SUBJECT: Technical Security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communications network.
EFFECTIVE DATE: April 21, 2005
REVISION DATES: September 23, 2009

POLICY STATEMENT:
The Plans have implemented technical Security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. These policies will include addressing the following HIPAA Implementation Specifications:
Integrity Controls (A) - Security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of will be implemented.
Encryption (A) - a mechanism to encrypt ePHI whenever deemed appropriate will be implemented.

PROCEDURES:
ePHI has been classified by the Plans as high-risk information and should not be transmitted electronically unless reasonable methods have been taken to protect its Security. Only authorized Individuals may transmit ePHI. If ePHI is transmitted via e-mail, only the minimum amount of PHI needed to achieve the purpose of the communication may be transmitted. This should be determined in accordance with the Plans' Minimum Use of PHI policy contained in Section 6.1 of the Plans' HIPAA Privacy Policies. When transmitting PHI via e-mail, the following statement (or its equivalent) should be included:

"This message and all attachments transmitted with it are intended solely for the use of the addressee and may contain legally privileged and confidential information. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to this message and please delete it from your computer."

Integrity Controls (A)
Methods of enabling secure transmissions and data Integrity during transmission include the following:
(a) Digital Certificates to transmit data securely;
(b) Obtaining vendor transmissions through the vendor's secure website, which requires the benefits department employee to use a username and password.
Workforce members should limit the exchange of ePHI via e-mail. Archival storage of e-mails containing ePHI is permissible, but discouraged. E-mails containing ePHI should be deleted following the disposition of the issues to which they relate. If, however, the information must be retained beyond the disposition of the issue(s), it should be stored in secured folders with limited access.
The Plans have determined that the current corporate-wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Encryption (A)
Alternative #1: Although Encryption is not generally required for the electronic transmittal of ePHI that may be used by the Plans, if the Security Officer determines that Encryption is required in a given circumstance, an Encryption method will be coordinated with the recipient of communications containing PHI. The Plans have determined that the current corporate-wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.
Alternative #2: Encryption is required for the electronic transmittal of ePHI that may be used by the Plans. An Encryption method will be coordinated with the recipient of communications containing PHI.
Appendix A

TOPIC: Breach of Unsecured PHI
SUBJECT: Notification to Individuals, the Media and the Secretary.
EFFECTIVE DATE: September 23, 2009
REVISION DATES:

POLICY STATEMENT:
The Plans have established policies and procedures to provide notification following the discovery of a Breach of Unsecured PHI to, as applicable, affected Individuals, the media and the Secretary.

Notification to Individuals. The Plans will, following the discovery of a Breach, notify each Individual whose Unsecured PHI has been, or is reasonably believed by the Plans to have been, accessed, acquired, used or disclosed as a result of such Breach.

Notification to the Media. For a Breach of Unsecured PHI involving more than 500 residents of a State or jurisdiction, the Plans will, following discovery of the Breach, notify prominent media outlets serving the State or jurisdiction.

Notification to the Secretary. The Plans will, following the discovery of a Breach of Unsecured PHI, notify the Secretary.

Discovery of Breach. A Breach will be treated as discovered by the Plans as of the first day on which such Breach is known to the Plans or, by exercising reasonable diligence, would have been known to the Plans. The Plans will be deemed to have knowledge of a Breach if such Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a Workforce member or agent of the Plans (determined in accordance with the federal common law of agency).

Risk Assessment. Following discovery of a potential Breach, the Plans will begin an investigation, conduct a risk assessment and, based on the results of the risk assessment, begin the applicable notification process.

Administrative Requirements. The Plans will comply with the administrative requirements applicable to this policy for Breach of Unsecured PHI with respect to: Training, Individuals' complaints to the Plans, Sanctions against Workforce members who fail to comply with the Plans' Breach of Unsecured PHI policies, refraining from intimidating or retaliatory acts, waiver of rights, implementation of policies and procedures, and changes to the Plans' policies and procedures.

PROCEDURES:

Breach Investigation
The Plans will name an Individual to act as the investigator of the Breach (e.g., the Privacy Officer or Security Officer). The investigator will be responsible for the management of the Breach investigation, completion of a risk assessment, and coordinating with others, as appropriate. All documentation related to the Breach investigation, including the risk assessment, will be retained for a minimum of six (6) years.

Risk Assessment
To determine whether an impermissible Use or Disclosure of PHI constitutes a Breach and requires notification to an affected Individual or the Secretary, the Plans will perform a risk assessment to determine whether there is a significant risk of harm to the Individual as a result of the impermissible Use or Disclosure. The Plans will document the risk assessment, noting the outcome of the risk assessment process. The Plans have the burden of proof for demonstrating that the required notification to the affected Individual or the Secretary was made or that the Use or Disclosure did not constitute a Breach. The risk assessment will be fact specific, and the Plans will consider a number or combination of factors, such as: (1) who impermissibly used the information, or to whom it was impermissibly disclosed; (2) the type and amount of PHI involved; and (3) the potential for significant risk of financial, reputational, or other harm.

Notification

Notification to Individuals. The Plans will provide the notification to an Individual whose Unsecured PHI has been the subject of a Breach without unreasonable delay and in no case later than sixty (60) days after discovery of the Breach.

Content of Notification. The notification will include, to the extent possible:
a. A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known;
b. A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
c. Any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
d. A brief description of what the Plans are doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches; and
e. Contact procedures for Individuals to ask questions or learn additional information, which will include a toll-free telephone number, an e-mail address, Web site, or postal address.
The notification will be written in plain language.

Method of Notification. The notification will be provided in the following form:

Written notice. The Plans will provide written notification by first-class mail to the Individual at the last known address of the Individual or, if the Individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available. If the Plans know the Individual is deceased and have the address of the next of kin or personal representative of the Individual, the Plans will provide the written notification by first-class mail to either the next of kin or personal representative of the Individual. The notification may be provided in one or more mailings as information is available.

Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the Individual as described above, a substitute form of notice reasonably calculated to reach the Individual will be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the Individual. In the case in which there is insufficient or out-of-date contact information for fewer than ten (10) Individuals, such substitute notice may be provided by an alternative form of written notice, telephone, or other means. In the case in which there is insufficient or out-of-date contact information for ten (10) or more Individuals, such substitute notice will:
(a) Be in the form of either a conspicuous posting for a period of ninety (90) days on the home page of the Web site of the Plans, or conspicuous notice in major print or broadcast media in geographic areas where the Individuals affected by the Breach likely reside; and
(b) Include a toll-free phone number that remains active for at least ninety (90) days where an Individual can learn whether the Individual's Unsecured PHI may be included in the Breach.

Additional Notice in Urgent Situations. In any case deemed by the Plans to require urgency because of possible imminent misuse of Unsecured PHI, the Plans may provide information to Individuals by telephone or other means, as appropriate, in addition to the notices described above.

Notification to the Media.
For a Breach of Unsecured PHI involving more than 500 residents of a State or jurisdiction, the Plans will, upon discovery of the Breach, notify prominent media outlets serving the State or jurisdiction. The Plans will provide the notification without unreasonable delay and in no case later than sixty (60) days after discovery of the Breach. The content of the notification to the media will meet the requirements described above for Notification to Individuals.

Notification to the Secretary. The Plans will, following the discovery of a Breach of Unsecured PHI, notify the Secretary. For Breaches of Unsecured PHI involving 500 or more Individuals, the Plans will, subject to the exception noted below, provide this notification contemporaneously with the notice required to Individuals and in the manner specified on the HHS Web site.

Exception. If a Law Enforcement Official states to the Plans that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the Plans will: (a) if the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or (b) if the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than thirty (30) days from the date of the oral statement, unless a written statement is submitted during that time.

Maintenance of Breach Log
For Breaches of Unsecured PHI involving fewer than 500 Individuals, the Plans will maintain a log or other documentation of such Breaches and, not later than sixty (60) days after the end of each calendar year, provide notification to the Secretary of the Breaches occurring during the preceding calendar year, in the manner specified on the HHS Web site. The Plans will maintain a process to record or log all Breaches of Unsecured PHI. The following information will be logged for each Breach:
(1) A description of what happened, including the date of the Breach, the date of the discovery of the Breach, and the number of Individuals affected, if known.
(2) A description of the types of Unsecured PHI that were involved in the Breach (e.g., full name, Social Security number, date of birth, account number, home address).
(3) A description of the action taken with regard to notification of the affected Individuals or the Secretary regarding the Breach.

Administrative Requirements
The Plans will apply the same policies applicable to the Privacy Rule to this policy for Breach of Unsecured PHI with respect to: Training, Individuals' complaints to the Plans, Sanctions against Workforce members who fail to comply with the Plans' Breach of Unsecured PHI policies, refraining from intimidating or retaliatory acts, waiver of rights, implementation of policies and procedures, and changes to the Plans' policies and procedures.

Visa Breach Notification Log (blank template; a single row, Incident # 1, with the following columns):
Incident #
Number of Affected Individual(s)
Date of Discovery
Date of Breach
Brief Description of Breach, including description of Unsecured PHI and number of Individuals affected
Notification Date to Affected Individuals
Actions Taken
TOPIC: Definitions of HIPAA Terms
SUBJECT: HIPAA Terms and Definitions.
EFFECTIVE DATE: April 14, 2003
REVISION DATES: February 17, 2010

Access - The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to Access as used in regard to the HIPAA Security Rule, but not the HIPAA Privacy Rule.)

Administrative Safeguards - Administrative actions, and the policies and procedures, to manage the selection, development, implementation, and maintenance of Security measures to protect ePHI and to manage the conduct of the Covered Entity's Workforce in relation to the protection of that information.

Authentication - The corroboration that a person is the one claimed.

Authorization - The mechanism for obtaining permission for the Use and/or Disclosure of Health Information at any time other than at the time of enrollment.

Availability - The property that data or information is accessible and useable upon demand by an authorized person.

Breach - The acquisition, access, Use, or Disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the Security or Privacy of the PHI. For purposes of this definition, "compromises the security or privacy of the PHI" means poses a significant risk of financial, reputational, or other harm to the Individual to whom the PHI pertains. A Use or Disclosure of PHI that does not include the identifiers listed at 45 CFR (e)(2) (Limited Data Set), date of birth, and zip code does not compromise the Security or Privacy of the PHI. Breach excludes:
(1) Any unintentional acquisition, access or use of PHI by a Workforce member or person acting under the authority of a Covered Entity or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further Use or Disclosure in a manner not permitted under the Privacy Rule.
(2) Any inadvertent Disclosure by a person who is authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same Covered Entity or Business Associate, or Organized Health Care Arrangement in which the Covered Entity participates, where the information received as a result of such Disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
(3) A Disclosure of PHI where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.

Business Associate - A person or entity outside the Workforce of the Covered Entity who performs or assists in the performance of a function or activity involving the Use or Disclosure of Individually Identifiable Health Information or any other regulated function or activity, including but not limited to claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing. A Business Associate also may provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such Covered Entity, or to or for an Organized Health Care Arrangement in which the Covered Entity participates, where the provision of the service involves the Disclosure of Individually Identifiable Health Information from (a) the Covered Entity, (b) the Organized Health Care Arrangement, or (c) another Business Associate of the Covered Entity or Organized Health Care Arrangement, to the person or entity. A Covered Entity participating in an Organized Health Care Arrangement can become a Business Associate to the Organized Health Care Arrangement by providing the activities described above. The Covered Entity does not become a Business Associate of other Covered Entities participating in the Organized Health Care Arrangement. A Covered Entity may be a Business Associate of another Covered Entity.

Confidentiality - The property that data or information is not made available or disclosed to unauthorized persons or processes.

Covered Entity - A Health Plan, a Health Care Clearinghouse, or a Health Care Provider who transmits any Health Information in electronic form in connection with a standard or covered Transaction.

Covered Functions - Those functions of a Covered Entity the performance of which makes the entity a Health Plan, Health Care Provider, or Health Care Clearinghouse.
De-Identification of Information - Information from which the following identifiers have been removed or concealed:
(1) Names;
(2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
(3) All elements of dates (except year) for dates directly related to an Individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social Security numbers;
(8) Medical Record numbers;
(9) Health Plan beneficiary numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers and serial numbers;
(14) Web Universal Resource Locators (URLs);
(15) Internet Protocol (IP) address numbers;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic, or code that the Covered Entity has reason to believe may be available to an anticipated recipient of the information.

Designated Record Set - A group of Records maintained by or for a Group Health Plan, consisting of enrollment, Payment, claims adjudication, and case or medical management record systems; or used, in whole or in part, by or for the Covered Entity to make decisions about Individuals. Please also refer to the definition of Record.

Disclosure - The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Electronic Media - Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via Electronic Media, because the information being exchanged did not exist in electronic form before the Transaction.
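As an added example (not part of the Visa manual), the following Python applies the eighteen identifier rules listed under De-Identification of Information to a flat patient record: direct identifiers are dropped, geography below the State is dropped, the zip code is reduced to its initial three digits or to 000 depending on the population of the ZIP3 area, dates keep only their year, and ages over 89 collapse into a single 90+ category with the year of birth removed. The field names, the ZIP3 population table, the reference date for the age test and the sample record are constructed assumptions; a real implementation would use the current Bureau of the Census data the definition cites.

```python
"""Safe Harbor de-identification of a flat patient record.

Added example, not part of the Visa HIPAA manual. It applies the eighteen
identifier rules under "De-Identification of Information" to a dict.
The field names, the ZIP3 population table and the sample records are
constructed for illustration (assumptions); a real implementation would
read the current Census Bureau ZIP3 population data the definition cites.
"""
import re
from datetime import date

# Identifiers removed outright: names (1) and items (4)-(18).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "beneficiary_number", "account_number", "certificate_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
    "other_unique_code",
}
# Item (2): geographic subdivisions smaller than a State are removed;
# the State itself may stay and the zip code is generalized separately.
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "precinct"}
# Item (3): dates directly related to the Individual keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed ZIP3 -> population table (assumption, not real Census data).
ZIP3_POPULATION = {"941": 800_000, "036": 15_000}


def generalize_zip(zip_code, zip3_population, threshold=20_000):
    """Item (2): keep the initial three digits only when the combined ZIP3
    area has more than `threshold` people; otherwise emit "000". A zip that
    cannot be parsed or is absent from the table is also reduced to "000",
    which is the conservative choice."""
    m = re.match(r"\s*(\d{5})", str(zip_code))
    if not m:
        return "000"
    zip3 = m.group(1)[:3]
    return zip3 if zip3_population.get(zip3, 0) > threshold else "000"


def age_on(as_of, birth_iso):
    """Whole years between an ISO-8601 birth date and `as_of`."""
    born = date.fromisoformat(birth_iso)
    years = as_of.year - born.year
    if (as_of.month, as_of.day) < (born.month, born.day):
        years -= 1
    return years


def safe_harbor_deidentify(record, zip3_population=ZIP3_POPULATION,
                           as_of=date(2010, 2, 17)):
    """Return a new dict with Safe Harbor identifiers removed or generalized.
    `as_of` is the reference date for the over-89 test (assumption: the
    manual's revision date); the input record is left untouched."""
    over_89 = record.get("age", 0) > 89
    if "birth_date" in record and age_on(as_of, record["birth_date"]) > 89:
        over_89 = True

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif key in DATE_FIELDS:
            if key == "birth_date" and over_89:
                continue     # even the year would reveal an age over 89
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif key == "age":
            out["age"] = "90+" if over_89 else value  # aggregate ages > 89
        else:
            out[key] = value                          # e.g. state, diagnosis
    if over_89:
        out["age"] = "90+"      # birth year was dropped; keep only the category
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "ssn": "123-45-6789", "email": "jane@example.com",
    "street": "1 Main St", "city": "San Francisco", "county": "San Francisco",
    "state": "CA", "zip": "94103-1234",
    "birth_date": "1917-05-04", "admission_date": "2010-01-15",
    "age": 92, "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

Field-level removal like this only works on structured records; free-text fields (notes, comments) can carry any of the eighteen identifiers, and item (18), any other unique identifying code, is the one a mechanical filter cannot satisfy on its own, so a review step remains necessary before data is treated as de-identified.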
Electronic Protected Health Information (ePHI) - Protected Health Information that is transmitted by or maintained in Electronic Media.

Encryption - The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and such process or key has not been breached.

Facility - The physical premises and the interior and exterior of a building(s).

Family Member - With respect to an Individual, a Family Member is: (1) A dependent of the Individual; or (2) Any person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the Individual or of a dependent of the Individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents). First-degree relatives include parents, spouses, siblings, and children. Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces. Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins. Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

Genetic Information - (1) Subject to paragraphs (2) and (3) below, Genetic Information means, with respect to any Individual, information about: (i) such Individual's Genetic Tests; (ii) the Genetic Tests of Family Members of such Individual; (iii) the Manifestation of a disease or disorder in Family Members of such Individual; or (iv) any request for, or receipt of, Genetic Services, or participation in clinical research which includes Genetic Services, by such Individual or any Family Member of such Individual. (2) Any reference in this Manual to Genetic Information concerning an Individual or Family Member of an Individual will include the Genetic Information of: (i) a fetus carried by the Individual or Family Member who is a pregnant woman; and (ii) any embryo legally held by an Individual or Family Member utilizing an assisted reproductive technology. (3) Genetic Information excludes information about the sex or age of any Individual.

Genetic Services - Genetic Services means: (1) a Genetic Test; (2) Genetic Counseling (including obtaining, interpreting, or assessing Genetic Information); or (3) Genetic education.

Genetic Test - Genetic Test means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic Test does not include an analysis of proteins or metabolites that is directly related to a Manifested disease, disorder, or pathological condition.
Group Health Plan - An employee welfare benefit plan (as defined in the Employee Retirement Income Security Act of 1974), including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that: Has 50 or more participants, or Is administered by an entity other than Visa that established and maintains the plan.

Health Care - The provision of care, services, or supplies to a patient, including any: preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; and/or sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription.

Health Care Clearinghouse - A public or private entity that conducts either of the following:
Processes or facilitates the processing of Health Information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard Transaction; or Receives a standard Transaction from another entity and processes or facilitates the processing of Health Information into nonstandard format or nonstandard data content for the receiving entity.

Health Care Operations - Any of the following activities of the Covered Entity to the extent that the activities are related to Covered Functions:
Conducting quality assessment and improvement activities, including evaluating outcomes, and developing clinical guidelines;
Reviewing the competence or qualifications of Health Care professionals, evaluating practitioner and provider performance and Health Plan performance, conducting Training programs in which undergraduate and graduate students and trainees in all areas of Health Care learn under supervision to practice as Health Care Providers (e.g., residency programs, grand rounds, nursing practicums), and accreditation, certification, licensing, or credentialing activities;
Insurance rating and other insurance activities relating to the renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only when the Individuals are already enrolled in the Health Plan conducting such activities and only when the Use or Disclosure of such Protected Health Information relates to an existing contract of insurance (including the renewal of such a contract);
Conducting or arranging for medical review, legal services, and auditing services, including fraud and abuse detection and compliance programs;
Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, and development or improvement of methods of Payment or coverage policies; and
Business management and general administrative activities of the entity, including, but not limited to:
o Management activities relating to implementation of and compliance with HIPAA;
o Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that Protected Health Information is not disclosed to such policy holder, plan sponsor, or customer;
o Resolution of internal grievances;
o The sale, transfer, merger, or consolidation of all or part of the Covered Entity with another Covered Entity, or an entity that following such activity will become a Covered Entity, and due diligence related to such activity; and
o Consistent with the applicable requirements of creating de-identified Health Information or a Limited Data Set, and fundraising for the benefit of the Covered Entity.

Health Care Provider - A provider of medical or health services and any other person or organization that furnishes, bills, or is paid for Health Care in the normal course of business.

Health Information - Any information, including Genetic Information, whether oral or recorded in any form or medium, that is created or received by a Health Care Provider, Health Plan, Public
Health Authority, employer, life insurer, school or university, or Health Care Clearinghouse; and that relates to the past, present, or future physical or mental health or condition of an Individual, the provision of Health Care to an Individual, or the past, present, or future Payment for the provision of Health Care to an Individual.

Health Insurance Issuer - An insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State Law that regulates insurance. Such term does not include a Group Health Plan.

Health Maintenance Organization (HMO) - A federally qualified HMO, an organization recognized as an HMO under State Law, or a similar organization regulated for solvency under State Law in the same manner and to the same extent as such an HMO.

Health Plan - An Individual plan or Group Health Plan that provides, or pays the cost of, medical care. A Health Plan includes the following, singly or in combination: A Group Health Plan; A Health Insurance Issuer; An HMO; Part A or Part B of the Medicare program; The Medicaid program; The Voluntary Prescription Drug Benefit Program under Part D of Medicare; An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; The Health Care program for uniformed services; The veterans' Health Care program; The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); The Indian Health Service program under the Indian Health Care Improvement Act; The Federal Employees Health Benefits Program; An approved State child Health Plan, providing benefits for child health assistance; The Medicare Advantage Program under Part C; A high risk pool that is a mechanism established under State Law to provide health insurance coverage or comparable coverage to eligible Individuals; and Any other Individual or group plan, or combination of Individual or group plans, that provides or pays for the cost of medical care. A Health Plan excludes: Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits; and A government-funded program (other than one listed in the above paragraph of this definition) whose principal purpose is other than providing, or paying the cost of, Health Care; or whose principal activity is:
o The direct provision of Health Care to persons; or
o The making of grants to fund the direct provision of Health Care to persons.
HHS - The Department of Health and Human Services.

HIPAA - The Health Insurance Portability and Accountability Act of 1996, as amended, and any regulations promulgated thereunder, as may be amended and in effect from time to time.

HIPAA Rules - The applicable Privacy or Security regulations promulgated under HIPAA, as may be amended and in effect from time to time.

Implementation Specification - Specific requirements or instructions for implementing a standard.

Incident Report Procedures - The documented formal mechanism employed to document Security Incidents.

Individual - The person who is the subject of Protected Health Information.

Individually Identifiable Health Information - Information that is a subset of Health Information, including demographic information collected from an Individual, and: Is created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse; and Relates to the past, present, or future physical or mental health or condition of an Individual; the provision of Health Care to an Individual; or the past, present, or future Payment for the provision of Health Care to an Individual; and That identifies the Individual; or With respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
Individual Identifiers - Includes the following: name; address, including street address, city, county, zip code, and equivalent geocodes; names of relatives; names of employers; birth date; telephone numbers; fax numbers; electronic mail addresses; Social Security number; medical Record number; Health Plan beneficiary number; account number; certificate/license number; any vehicle or other device serial number; web universal resource locator (URL); internet protocol (IP) address number; finger or voice prints; photographic images; and any other unique identifying number, characteristic, or code that the Covered Entity has reason to believe may be available to an anticipated recipient of the information.

Information System - An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Integrity - The property that data or information have not been altered or destroyed in an unauthorized manner.

Law Enforcement Official - An officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
Investigate or conduct an official inquiry into a potential violation of law; or Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Limited Data Set - Protected Health Information that excludes the following direct identifiers of the Individual or of relatives, employers, or household members of the Individual: Names; Postal address information, other than town or city, State, and zip code; Telephone numbers; Fax numbers; Electronic mail addresses; Social Security numbers; Medical Record numbers; Health Plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers, including finger and voice prints; and Full face photographic images and any comparable images.

Malicious Software - Software, for example a virus, designed to damage or disrupt a system.

Manifestation or Manifested - Manifestation or Manifested means, with respect to a disease, disorder, or pathological condition, that an Individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a Health Care professional with appropriate training and expertise in the field of medicine involved. For purposes of this definition, a disease, disorder, or pathological condition is not Manifested if the diagnosis is based principally on Genetic Information.
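The identifier lists above (the de-identification identifiers, Individual Identifiers, and the Limited Data Set exclusions) are usually enforced in practice by a release filter that runs before a claims extract leaves the plan. The following Go program is an added example written for this page, not code from the Visa policy or from HHS; the field names of the claims record are assumptions that stand in for whatever schema a plan actually uses, and the sample record is constructed. It shows the one design point a reviewer should insist on: the filter is an allowlist that fails closed, so a column nobody has classified as either a direct identifier or a retainable field stops the release instead of leaking. It also makes visible why a Limited Data Set is still PHI: dates, city, State and zip code survive, which is exactly what the definition permits and why such a set may only go out under a data use agreement.

```go
package main

import (
	"fmt"
	"sort"
)

// identifierCategory maps each field of a hypothetical claims record to the
// Limited Data Set direct-identifier category it falls under. The field
// names are assumptions for this example; the categories are the ones the
// Limited Data Set definition lists.
var identifierCategory = map[string]string{
	"member_name":    "Names",
	"relative_name":  "Names",
	"employer_name":  "Names",
	"street_address": "Postal address information other than town or city, State, and zip code",
	"phone":          "Telephone numbers",
	"fax":            "Fax numbers",
	"email":          "Electronic mail addresses",
	"ssn":            "Social Security numbers",
	"mrn":            "Medical Record numbers",
	"beneficiary_id": "Health Plan beneficiary numbers",
	"account_number": "Account numbers",
	"license_number": "Certificate/license numbers",
	"license_plate":  "Vehicle identifiers and serial numbers",
	"device_serial":  "Device identifiers and serial numbers",
	"portal_url":     "Web Universal Resource Locators (URLs)",
	"ip_address":     "Internet Protocol (IP) address numbers",
	"fingerprint":    "Biometric identifiers",
	"photo":          "Full face photographic images",
}

// retainedFields is the allowlist of what a Limited Data Set may still
// carry: city/State/zip, dates, and clinical or financial content.
// Anything in neither map is unknown and is rejected, not passed through.
var retainedFields = map[string]bool{
	"city": true, "state": true, "zip": true,
	"dob": true, "admit_date": true, "discharge_date": true,
	"diagnosis_code": true, "procedure_code": true, "claim_amount": true,
}

// sampleClaim is a constructed record for the example; none of it is real.
var sampleClaim = map[string]string{
	"member_name": "J. Doe", "street_address": "1 Main St", "city": "Foster City",
	"state": "CA", "zip": "94404", "dob": "1970-01-02", "ssn": "000-00-0000",
	"mrn": "MRN-12345", "beneficiary_id": "BEN-98765", "phone": "555-0100",
	"email": "jdoe@example.com", "ip_address": "203.0.113.7",
	"admit_date": "2010-02-17", "discharge_date": "2010-02-19",
	"diagnosis_code": "E11.9", "claim_amount": "1234.50",
}

// LimitedDataSet returns a copy of rec with the direct identifiers removed
// and the sorted list of fields it dropped. It fails closed: a field that is
// neither a classified identifier nor an allowlisted retainable field yields
// an error, so a column added upstream cannot silently leave in a release.
func LimitedDataSet(rec map[string]string) (map[string]string, []string, error) {
	out := make(map[string]string, len(rec))
	var dropped []string
	for k, v := range rec {
		switch {
		case identifierCategory[k] != "":
			dropped = append(dropped, k)
		case retainedFields[k]:
			out[k] = v
		default:
			return nil, nil, fmt.Errorf("unclassified field %q: classify it before release", k)
		}
	}
	sort.Strings(dropped)
	return out, dropped, nil
}

func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	out, dropped, err := LimitedDataSet(sampleClaim)
	if err != nil {
		fmt.Println("refusing release:", err)
		return
	}
	fmt.Println("dropped:", dropped)
	for _, k := range sortedKeys(out) {
		fmt.Printf("%-15s %s\n", k, out[k])
	}
}
```

Running it drops the eight identifier fields of the sample record and releases the remaining eight; adding a field such as `spouse_nickname` to the input makes the function return an error rather than a record, which is the behaviour a release job should have.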
Minimum Necessary - The minimum amount of Health Information necessary to accomplish the intended purpose of the Use or Disclosure is used or disclosed, except in the following situations: Disclosures to or requests by a Health Care Provider for Treatment; When an Individual requests the Health Plan, Health Care Provider, or other Covered Entity to use or disclose his/her information under the Authorization procedure; When the Individual requests access to his/her own Protected Health Information in Designated Record Sets; When the Secretary requests access to the information to ensure compliance or investigate a complaint; When Required by Law or permitted (the instances set forth above in the section on permissible Disclosures); and When the information is provided by a Health Care Provider to the Health Plan pursuant to a request for compliance audit and related purposes.
More Stringent - In the context of a comparison of a provision of State Law and a standard, requirement, or Implementation Specification, a State Law that meets one or more of the following criteria:
With respect to a Use or Disclosure, the law prohibits or restricts a Use or Disclosure in circumstances under which such Use or Disclosure otherwise would be permitted, except if the Disclosure is:
o Required by the Secretary in connection with determining whether a Covered Entity is in compliance with this subchapter; or
o To the Individual who is the subject of the Individually Identifiable Health Information.
With respect to the rights of an Individual who is the subject of the Individually Identifiable Health Information regarding access to or amendment of Individually Identifiable Health Information, permits greater rights of access or amendment;
With respect to information to be provided to an Individual who is the subject of the Individually Identifiable Health Information about a Use, a Disclosure, rights, and remedies, provides the greater amount of information;
With respect to the form, substance, or the need for express legal permission from an Individual who is the subject of the Individually Identifiable Health Information, for Use or Disclosure of Individually Identifiable Health Information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission;
With respect to recordkeeping or requirements relating to accounting of Disclosures, provides for the retention or reporting of more detailed information or for a longer duration; and
With respect to any other matter, provides greater privacy protection for the Individual who is the subject of the Individually Identifiable Health Information.
Non-Routine Permissible Uses and Disclosures - Information disclosed for purposes other than Treatment, Payment, and Health Care Operations. The following are included in the definition of permissible Disclosure of Protected Health Information: public health activities; mandatory abuse reporting; oversight activities; judicial or administrative activities; Law Enforcement Officials reporting; medical examiners reporting; organ donations; research activities; avert-a-serious-threat activities; Treatment of special government-related classes; workers' compensation reporting; Secretary of the Department of Health and Human Services requests; and as otherwise Required by Law.

Organized Health Care Arrangement - An Organized Health Care Arrangement includes any of the following:
A clinically integrated care setting in which Individuals typically receive Health Care from more than one Health Care Provider;
An organized system of Health Care in which more than one Covered Entity participates, and in which the participating covered entities:
o Hold themselves out to the public as participating in a joint arrangement; and
o Participate in joint activities that include at least one of the following: Utilization review, in which Health Care decisions by participating covered entities are reviewed by other participating covered entities or
by a third party on their behalf; Quality assessment and improvement activities, in which Treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or Payment activities, if the financial risk for delivering Health Care is shared, in part or in whole, by participating covered entities through the joint arrangement and if Protected Health Information created or received by a Covered Entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
A Group Health Plan and a Health Insurance Issuer or HMO with respect to such Group Health Plan, but only with respect to Protected Health Information created or received by such Health Insurance Issuer or HMO that relates to Individuals who are or who have been participants or beneficiaries in such Group Health Plan;
A Group Health Plan and one or more other Group Health Plans each of which are maintained by the same plan sponsor; or
The Group Health Plans and Health Insurance Issuers or HMOs with respect to such Group Health Plans, but only with respect to Protected Health Information created or received by such Health Insurance Issuers or HMOs that relates to Individuals who are or have been participants or beneficiaries in any of such Group Health Plans.

Password - Confidential Authentication information composed of a string of characters.

Payment - Activities undertaken by a Health Plan (or by a Business Associate on behalf of a Health Plan) to determine its responsibilities for coverage under the Health Plan policy or contract, including the actual Payment under the policy or contract, or by a Health Care Provider (or by a Business Associate on behalf of a provider) to obtain reimbursement for the provision of Health Care.
Payment activities include, but are not limited to: Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims; Risk adjusting amounts due based on enrollee health status and demographic characteristics; Billing, claims management, collection activities, obtaining Payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related Health Care data processing; Review of Health Care services with respect to medical necessity, coverage under a Health Plan, appropriateness of care, or justification of charges; Utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services; and Disclosure to consumer reporting agencies of any of the following Protected Health Information relating to collection of premiums or reimbursement:
o Name and address;
o Date of birth;
o Social Security number;
o Payment history;
o Account number; and
o Name and address of the Health Care Provider and/or Health Plan.
Physical Safeguards - Physical measures, policies, and procedures to protect a Covered Entity's electronic Information Systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Plan Administration Functions - The administration functions performed by the plan sponsor of a Group Health Plan on behalf of the Group Health Plan, excluding functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.

Privacy or Privacy Rule - The HIPAA Rules governing the protection of Individually Identifiable Health Information.

Privacy Officer - The HIPAA Privacy Officer (or Privacy Official) is the person responsible for the development and implementation of the Plans' privacy policies and procedures.

Protected Health Information (PHI) - Individually Identifiable Health Information that is transmitted by Electronic Media, maintained in Electronic Media, or transmitted or maintained in any other form or medium, by a Covered Entity. PHI excludes Individually Identifiable Health Information in education records defined and covered by the Family Educational Rights and Privacy Act for students in primary and secondary education, and employment records held by a Covered Entity in its role as employer.

Providing an Accounting of Disclosures - Providing Individuals with an accounting of all Disclosures of their Protected Health Information, except for Disclosures for Treatment, Payment, and Health Care Operations, Disclosures pursuant to a valid Authorization, and certain Disclosures to health oversight or law enforcement agencies.

Providing Individuals Access to their Information and Records - Ensuring that Individuals have access to their own Protected Health Information, including access to such information in a Business Associate's Designated Record Set that is not a duplicate of the information held by the provider or plan.
Providing for Amendment or Correction of Records - Implementing an Individual's right to request amendment or correction of the Individual's Protected Health Information.

Public Health Authority - An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Reasonable Evidence of Identity - A written statement from the government agency, on the agency's letterhead, that the person or entity is acting under the agency's authority; or other evidence or documentation, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person or entity is acting on behalf of or under the agency's authority.
Reasonable Evidence of Authority - A written statement of the legal authority under which the information is requested (a request for Disclosure made by official legal process issued by a grand jury or a judicial or administrative body is presumed to constitute reasonable legal authority); or, where the request is made orally, an oral statement of such authority.

Record - Any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for a Covered Entity.

Relates to the Privacy of Individually Identifiable Health Information - With respect to a State Law, that the State Law has the specific purpose of protecting the privacy of Health Information or affects the privacy of Health Information in a direct, clear, and substantial way.

Requesting Restrictions on Uses and Disclosures - Individuals may exercise their right to inform their Health Care Provider of restrictions on the Uses or Disclosures of their Protected Health Information.

Required by Law - A mandate contained in law that compels an entity to make a Use or Disclosure of Protected Health Information and that is enforceable in a court of law. This includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to Health Care Providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if Payment is sought under a government program providing public benefits.

Routine - Protected Health Information disclosed for the purpose of Treatment, Payment, and Health Care Operations.
Sanctions - Sanctions against members of the Workforce who fail to comply with the Employer Group Health Plans' policies and procedures on Protected Health Information or with the privacy or Security requirements in connection with Protected Health Information held by the Health Plan or its Business Associates.

Secretary - The Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.

Security or Security Rule - The HIPAA Rules governing the Administrative, Physical, and Technical Safeguards applicable to electronic Protected Health Information.

Security Measures - The Administrative, Physical, and Technical Safeguards in an Information System.

Security Incident - The attempted or successful unauthorized access, Use, Disclosure, modification, or destruction of information, or interference with system operations, in an Information System.

Security Officer - The HIPAA Security Officer (or Security Official) is the person responsible for the development and implementation of the Plans' Security policies and procedures.

Standard - A rule, condition, or requirement: (1) describing the following information for
products, systems, services, or practices: (i) classification of components, (ii) specification of materials, performance, or operations, or (iii) delineation of procedures; or (2) with respect to the Privacy of Individually Identifiable Health Information.

State - The 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam.

State Law - A constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

Summary Health Information - Information that may be Individually Identifiable Health Information, and: That summarizes the claims history, claims expenses, or type of claims experienced by Individuals for whom a plan sponsor has provided health benefits under a Group Health Plan; and From which the information has been de-identified (see De-identification), except that the geographic information need only be aggregated to the level of a five-digit zip code.

Technical Safeguards - The technology and the policy and procedures for its use that protect ePHI and control access to it.

Training - Training persons in the Workforce who are likely to obtain access to Protected Health Information or electronic Protected Health Information on the Health Plans' policies and procedures, required under the HIPAA Privacy and Security regulations, that are relevant to their activities.

Transaction - The transmission of information between two parties to carry out financial or administrative activities related to Health Care. A Transaction would mean any of the following:
Health claims or equivalent encounter information. This Transaction could be used to submit Health Care claim billing information, encounter information, or both, from Health Care Providers to payers, either directly or via intermediary billers and claims clearinghouses;
Health Care Payment and remittance advice.
This Transaction could be used by a Health Plan to make a Payment to a financial institution for a Health Care Provider (sending Payment only), to send an explanation of benefits remittance advice directly to a Health Care Provider (sending data only), or to make Payment and send an explanation of benefits remittance advice to a Health Care Provider via a financial institution (sending both Payment and data);
Coordination of benefits. This Transaction could be used to transmit Health Care claims and billing Payment information between payers with different Payment responsibilities where coordination of benefits is required, or between payers and regulatory agencies to monitor the furnishing, billing, and/or Payment of Health Care services within a specific Health Care/insurance industry segment;
Health claims status. This Transaction could be used by Health Care Providers and recipients of Health Care products or services (or their authorized agents) to request the status of a Health Care claim or encounter from a Health Plan;
Enrollment and disenrollment in a Health Plan. This Transaction could be used to
establish communication between the sponsor of a health benefit and the payer. It provides enrollment data, such as subscriber and dependents, employer information, and primary care Health Care Provider information. A sponsor would be the backer of the coverage, benefit, or product. A sponsor could be an employer, union, government agency, association, or insurance company. The Health Plan would refer to an entity that pays claims, administers the insurance product or benefit, or both;
Eligibility for a Health Plan. This Transaction could be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber's policy. It also could be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and payers) to information receivers (such as physicians, hospitals, third party administrators, and government agencies);
Health Plan premium Payments. This Transaction could be used by, for example, employers, employees, unions, and associations to make and keep track of Payments of Health Plan premiums to their health insurers. This Transaction could also be used by a Health Care Provider, acting as liaison for the beneficiary, to make Payment to a health insurer for coinsurance, co-payments, and deductibles;
Referral certification and Authorization. This Transaction could be used to transmit Health Care service referral information between Health Care Providers, Health Care Providers furnishing services, and payers. It could also be used to obtain Authorization for certain Health Care services from a Health Plan;
First report of injury. This Transaction could be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements;
Health claims attachments.
This Transaction could be used to transmit Health Care service information, such as subscriber, patient, demographic, diagnosis, or Treatment data, for the purpose of a request for review, certification, notification, or reporting the outcome of a Health Care services review; and
Other Transactions as the Secretary may prescribe by regulation. The Secretary may adopt Standards, and data elements for those Standards, for other financial and administrative Transactions deemed appropriate by the Secretary. These Transactions would be consistent with the goals of improving the operation of the Health Care system and reducing administrative costs.

Treatment - The provision, coordination, or management of Health Care and related services by one or more Health Care Providers, including the coordination or management of Health Care by a Health Care Provider with a third party; consultation between Health Care Providers relating to a patient; or the referral of a patient for Health Care from one Health Care Provider to another.

Underwriting Purposes - (1) Except as provided in paragraph (2) of this definition, Underwriting Purposes means:
i. Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the Plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
107 Appendix A ii. iii. iv. The computation of premium or contribution amounts under the Plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program; The application of any pre-existing condition exclusion under the Plan, coverage, or policy; and Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. (2) Underwriting Purposes does not include determinations of medical appropriateness where an Individual seeks a benefit under the Plan, coverage or policy. Unsecured PHI - PHI that is not rendered unusable, unreadable, or indecipherable to authorized Individuals through the use of technology or methodology specified by the Secretary in the guidance issued under Section 13402(h)(2) of Pub.L on the HHS website. Unsecured PHI includes information in any form or medium, including electronic, paper or oral form. PHI is rendered unusable, unreadable, or indecipherable to authorized Individuals if one or more of the following applies: (1) Electronic PHI has been encrypted as specified in the Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard. a. 
Valid encryption processes for data at rest (i.e., data that resides in databases, file systems, flash drives, memory, and any other structured storage systems) are consistent with NIST Special Publication , Guide to Storage Encryption Technologies for End User Devices. b. Valid encryption processes for data in motion (i.e., data that is moving through a network, including wireless transmission, whether by or structured electronic interchange) are those which comply, as appropriate, with NIST Special Publications , Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; , Guide to IPsec VPNs; or , Guide to SSL VPNs, or others which are Federal Information Processing Standards FIPS) validated. (2) The media on which the PHI is stored or recorded have been destroyed in on of the following ways: a. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction. b. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication , Guidelines for Media Sanitization, such that the PHI cannot be retrieved. Appendix A Definitions of HIPPA Terms
108 Appendix A Use - The sharing, employment, application, utilization, examination or analysis of Individually Identifiable Health Information within an entity that holds the information. User A person or entity with authorized access. Workforce - The employees, volunteers, trainees and other persons under the direct control of a Covered Entity, including persons providing labor on an unpaid basis. Workstation An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and Electronic Media stored in its immediate environment. Appendix A Definitions of HIPPA Terms
Appendix B HIPAA Authorization Form

Authorization for Use or Disclosure of Protected Health Information ("PHI") for Purposes Requested by the Visa Group Health Plans (referred to herein as "Plans")

I, ______________________, hereby authorize the Plans to (check those that apply):

[ ] Use the following PHI, and/or
[ ] Disclose the following PHI to [Name of entity to receive information]:

[Specifically describe the information to be used or disclosed, including, but not limited to, meaningful descriptors such as date(s) and type(s) of information provided, level of detail to be released, origin of information, etc.]

This PHI is being used or disclosed for the following purposes: [List specific purposes here.]

This Authorization shall be in force and effect until [specify (1) date or (2) event that relates to the participant or the purpose of the Use or Disclosure], at which time this Authorization to use or disclose this PHI expires.

I understand that I have the right to revoke this Authorization, in writing, at any time by sending such written notification to [INSERT NAME AND ADDRESS OF CONTACT PERSON]. I understand that a revocation is not effective to the extent that the Plans have relied on the Use or Disclosure of the PHI.

I understand that information used or disclosed pursuant to this Authorization may be subject to redisclosure by the recipient and may no longer be protected by federal or State Law.

[Employer] will not condition my Treatment, Payment, enrollment in the Plans or eligibility for benefits on whether I provide Authorization for the requested Use or Disclosure. I understand that I have the right to refuse to sign this Authorization.

______________________________________________   ______________
Signature of Participant or Authorized Personal Representative   Date

______________________________________________
Name of Participant or Authorized Personal Representative

______________________________________________
Description of Authorized Personal Representative's Authority

The Plans will not accept any Authorization that permits the Plans to use or disclose PHI that is Genetic Information for Underwriting Purposes.

Appendix B Sample Authorization Form
Appendix C Business Associate Contract Status Log

Business Associate | Service Performed | Contract Status and Comments | Contact Information (Name, address, phone, email) | Date Mailed | Date Completed

Appendix C Business Associate Inventory
Appendix D AMENDED BUSINESS ASSOCIATE AGREEMENT BETWEEN Visa AND [Name of Business Associate] AS OF [Insert Date]

This Agreement is entered into by and between the Visa [Health/Dental/Vision] [identify plan type] Plan ("Covered Entity") and ______________________ ("Business Associate") to set forth the terms and conditions under which Protected Health Information ("PHI"), as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and Regulations enacted hereunder, created or received by Business Associate on behalf of Covered Entity may be used or disclosed. This Agreement amends and supersedes the prior Business Associate Agreement in effect as of 200_ between Covered Entity and Business Associate.

This Agreement shall commence on (Date) and the obligations herein shall continue in effect so long as Business Associate uses, discloses, creates or otherwise possesses any protected health information created or received on behalf of Covered Entity and until all protected health information created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity pursuant to Paragraph 28 herein.

Business Associate acknowledges the provisions herein are set forth pursuant to the requirements of the regulations promulgated by the Secretary of the Department of Health & Human Services ("Secretary") pursuant to the Health Insurance Portability and Accountability Act of 1996 (Pub. L. ), and promulgated in the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E (the "Privacy Rules") and the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR part 164, subpart C and subpart D (the "Security Rules"). Business Associate further acknowledges that it is, or may be deemed to be, a Business Associate of Plan, as the term is defined under the Privacy Rules.

The terms used in this Amendment, but not otherwise defined, shall have the same meanings as those terms in 45 CFR , and PHI shall have the same meaning as it has in 45 CFR Section of the Privacy Rules, limited to the information created or received by Business Associate from or on behalf of Plan. The PHI subject to this Amendment shall be that pertaining to any Individual (as that term is defined in 45 CFR Section of the Privacy Rules, including a person who qualifies as a personal representative in accordance with 45 CFR Section (g)) who has made application to be or is covered under Plan and whose PHI is subject to the Privacy Rules. References to the Privacy Rules or the Security Rules shall mean as enacted and shall include any later amendments, deletions or revisions.

Plan and Business Associate agree that the following additions, changes and/or modifications shall be effective with respect to all applicable Agreement(s) between Plan and Business Associate, shall apply notwithstanding conflicting provisions of said Agreement(s), and shall supplement and govern Uses and Disclosures of Protected Health Information ("PHI") as defined in the Privacy Rules.

A. OBLIGATIONS OF BUSINESS ASSOCIATE

1. Business Associate shall use or disclose PHI only as set forth in, and in accordance with, this Amendment or as Required by Law. Business Associate shall not use or disclose PHI in any other manner, or for any other purpose.

2. Business Associate agrees that it may use and disclose PHI only if such Use or Disclosure complies with Section (e) of the Privacy Rules.

Appendix D Business Associate Agreement and Certification
3. Business Associate acknowledges that it is obligated to comply with the standards set forth in Sections (e) and (e) of the Privacy Rules in the same manner that such Sections apply to the Plan.

4. Business Associate hereby represents that any PHI it shall seek from Plan shall be the Minimum Necessary, as defined by the Privacy Rules, for Business Associate's stated purposes under the Agreement(s) and acknowledges that Plan shall rely upon such representation with respect to any request by Business Associate for PHI. Business Associate shall not use or disclose PHI in a manner that would violate the requirements of the Privacy Rules if such Use or Disclosure were made by Plan, except that:

a) Business Associate may use or disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate, provided that (i) the Disclosure is Required by Law; or (ii) Business Associate obtains reasonable assurance from any third person to whom the PHI is disclosed that such PHI will remain confidential and will be used or further disclosed only as Required by Law or for the reasons it was disclosed to the third person, and that the third person will notify Business Associate of any instances of which it is aware in which the Confidentiality of the PHI has been breached;

b) Business Associate may use or disclose PHI to provide data aggregation services relating to the Health Care operations (as defined in the Privacy Rules) of Plan if such services are provided for in the Agreement(s) between Plan and Business Associate.

5. Business Associate shall:

a) Use appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this Agreement or as Required by Law; and

b) Implement and maintain administrative, physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the electronic Protected Health Information ("ePHI") that it creates, receives, maintains, or transmits on the behalf of Plan; such safeguards are to be consistent with the safeguards described in the Security Rules at Sections through ; and

c) Upon the request of Plan, from time to time, provide information to Plan about such safeguards.

6. Business Associate shall report to Plan, in writing and within fourteen (14) days of Business Associate's becoming aware of:

a) Any Use or Disclosure of PHI or ePHI not provided for by this Agreement or otherwise Required by Law, or

b) Any Security Incident, as that term is defined in Section of the Security Rules.

7. Business Associate shall ensure that any agents, including any subcontractors, to whom it provides PHI received from, or created or received by Business Associate on behalf of Plan agree to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI. Business Associate shall further ensure that any such agent or subcontractor to whom Business Associate provides any such ePHI agrees in writing to implement reasonable and appropriate safeguards to protect such information; such safeguards are to be consistent with the safeguards described in the Security Rules at Sections through .

8. Business Associate shall, within ten (10) days after a request and in the manner designated by Plan or an Individual, provide PHI relating to an Individual that is created or received under an applicable Agreement(s) and contained in a Designated Record Set, to Plan or the Individual, in accordance with Section of the Privacy Rules, as amended, including with respect to access to and transmission of PHI that is used or maintained as an electronic health record.

9. Business Associate shall, within ten (10) days after a request and in the manner designated by Plan or an Individual, make PHI available for amendment or correction by Plan or the Individual and shall incorporate any amendments or corrections to PHI in Business Associate's Designated Record Sets in accordance with Section of the Privacy Rules, when Plan or the Individual notifies Business Associate of the amendments or corrections.

10. Business Associate shall, within ten (10) days after a request and in the manner designated by Plan or an Individual, restrict Disclosures of PHI in accordance with Section of the Privacy Rules, as amended, when Plan or the Individual notifies Business Associate of the request.

11. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for Plan or Business Associate to respond to a request by an Individual for an accounting of Disclosures in accordance with Section of the Privacy Rules, as amended.
At a minimum, Business Associate shall document the date of the Disclosure, the name of the entity or person who received the PHI, the address of such entity or person (if known by Business Associate), a brief description of the PHI disclosed, and a brief Statement of the purpose of the Disclosure that reasonably describes the basis for the Disclosure.

12. Business Associate agrees to provide to Plan or an Individual, within fifteen (15) days after a request and in the manner designated by Plan or the Individual, information collected in accordance with Section A (11) of this Amendment during the six years preceding the date of the request, or three years with respect to a request for an accounting of Treatment, Payment or Health Care Operations (except for Disclosures occurring before the Effective Date), or during a shorter period specified in the request, to permit Plan or Business Associate to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with Section of the Privacy Rules, as amended.

13. Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from Plan, or PHI created or received by the Business Associate on behalf of Plan, available to Plan (or, at the request of Plan, to the Secretary) in a time and manner designated by Plan or the Secretary, to permit the Secretary to determine Plan's compliance with the Privacy Rules.

14. Business Associate shall, at termination of the Agreement(s), if feasible, return or destroy all PHI received from Plan, or created or received by the Business Associate on behalf of Plan, that Business Associate still maintains in any form and retain no copies of such PHI or, if such return or destruction is not feasible, extend the protections of the Agreement(s), including without limitation the provisions of this Amendment, to the PHI and limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible.

15. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI in violation of the requirements of this Amendment.

16. In accordance with Section of the Security Rules, Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify the Plan of such Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or other agent of Business Associate (determined in accordance with the federal common law of agency). Except as provided in the paragraph below, Business Associate shall provide the notification without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach. The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the Breach. Business Associate shall provide Plan with any other available information that Plan is required to include in its notification to the Individual, such information to be provided at the time that Business Associate notifies Plan of the Breach or promptly thereafter as information becomes available.
If a Law Enforcement Official states to Business Associate that a notification, notice, or posting required under subpart D of the Security Rules would impede a criminal investigation or cause damage to national security, Business Associate shall: (a) if the statement is in writing and specifies the time for which a delay is required, delay such notification, notice or posting for the time period specified by the official; or (b) if the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than thirty (30) days from the date of the oral statement, unless a written statement as described in (a) above is submitted during that time.

17. Business Associate acknowledges that the Disclosure of PHI may cause irreparable injury to Plan and damages that may be difficult to ascertain. Therefore, Plan shall, upon a Disclosure or threatened Disclosure of any PHI, be entitled to injunctive relief to protect and recover the PHI, and Business Associate shall not object to the entry of an injunction or other equitable relief against Business Associate on the basis of an adequate remedy at law, lack of irreparable harm, or any other reason. This provision shall not in any way limit such other remedies as may be available to Plan at law or in equity.

18. Business Associate, at its own expense, shall indemnify and hold harmless Plan, its subsidiaries, affiliates, successors, and assignees, and their directors, officers, employees and agents, and defend any action brought against same with respect to any claim, demand, cause of action, debt, loss, or liability, including without limitation attorneys' fees and costs, to the extent based upon a claim that any action or omission by Business Associate or its employee, agent, subcontractor, or representative breaches any of Business Associate's obligations, representations or warranties under this Amendment. This provision shall not in any way limit any other indemnification that may be provided for in the Agreement(s).
19. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual.

B. OBLIGATIONS OF PLAN

1. Plan shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with the Privacy Rules, to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI. Plan may meet this obligation by providing Business Associate with a copy of the Notice of Privacy Practices Plan produces in accordance with the Privacy Rules.

2. Plan shall provide Business Associate with any changes in, or revocation of, permission by Individuals to use or disclose PHI, to the extent that such changes affect Business Associate's permitted Uses or Disclosures.

3. Plan shall notify Business Associate of any restriction to the Use or Disclosure of PHI Plan agrees to in accordance with the Privacy Rules, to the extent that such restriction may affect Business Associate's Use or Disclosure of PHI.

4. Plan shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rules if done by Plan.

C. TERM AND TERMINATION

1. Term. The term of this Amendment shall be effective as of the Effective Date of this Amendment and shall terminate when all of the PHI provided by Plan to Business Associate, or created or received by Business Associate on behalf of Plan, is destroyed or returned to Plan, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this section.

2. Termination for Cause. Upon Plan's knowledge of a material breach by Business Associate, Plan shall:

a) Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate the Agreement(s) if Business Associate does not cure the breach or end the violation within the time specified by Plan; or

b) Immediately terminate the Agreement(s) if Business Associate has breached a material term of this Amendment and cure is not possible; or

c) If neither termination nor cure is feasible, report the violation to the Secretary.

Business Associate shall have the same obligations as the Plan with respect to a material breach by Plan as provided in this Section C (2).

3. Effect of Termination.

(a) Except as provided in paragraph (b) of this Section, upon termination of the Agreement(s) for any reason, Business Associate shall return or destroy all PHI received from Plan, or created or received by Business Associate on behalf of Plan. This provision also shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.

(b) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Plan notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction is infeasible, Business Associate shall extend the protections of this Amendment to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI.

D. MISCELLANEOUS

1. Regulatory References. A reference in this Amendment to a section in the Privacy Rules means the section as in effect, including any amendment that has become effective.

2. Amendment. This Amendment may be amended at any time and for any reason by a written instrument executed by both Parties. The Parties agree to take such action as is necessary to amend this Amendment and/or the Agreement(s) from time to time as is necessary for Plan to comply with the requirements of the Privacy Rules and the Health Insurance Portability and Accountability Act of 1996, Public Law .

3. Survival. The obligations of Business Associate under the Disclosure accounting provision in Section A (12) and the indemnity provision in Section A (18) of this Amendment, and the respective rights and obligations of Business Associate under the termination provision in Section C (3) of this Amendment, shall survive the termination of this Amendment and/or the Agreement(s).

4. Interpretation. Any ambiguity in this Amendment shall be resolved in favor of a meaning that permits Plan to comply with the Privacy Rules. The terms and conditions of this Amendment shall override and control any conflicting terms and conditions in any agreement between Plan and Business Associate related to the privacy and Security of PHI.

5. Effect on Agreement(s). The terms and conditions of this Amendment shall override and control any conflicting terms and conditions in any Agreement(s) concerning the privacy and Security of PHI. Except as amended herein, all terms and conditions of the Agreement(s) between the Parties shall remain in full force and effect in accordance with such Agreement(s).

Agreed to and Accepted by:

Visa Inc.

______________________________   DATE __________
On Behalf of the Plan

Business Associate

NAME __________________________   DATE __________
Visa Certification to <<Business Associate>>

Visa Group Health Plan ("Plan") acknowledges and agrees that the federal Privacy Rules (promulgated at 45 CFR Parts 160 and 164) allow the Plan to permit <<Business Associate>> to disclose or provide access to Protected Health Information ("PHI", as therein defined), other than Summary Health Information (also as therein defined), to [Employer Name] (the "Plan Sponsor") only after the Plan Sponsor has amended its Plan documents to provide for the permitted and required Uses and Disclosures of PHI, and that the federal Privacy Rules require the Plan Sponsor to provide a certification to the Plan that certain required provisions have been incorporated into the Plan documents before the Plan may disclose, either directly or through a Business Associate such as <<Business Associate>>, any PHI to the Plan Sponsor. The Plan hereby represents that Plan documents have been so amended and that the Plans have received such certification from the Plan Sponsor.

The Plan acknowledges and agrees that the federal Privacy Rules allow the Plan to permit <<Business Associate>> to disclose or provide access to PHI, other than Summary Health Information, to only those employees or other persons (including third parties) under the control of the Plan Sponsor who are described by position in the Plan documents as the persons who are given access to PHI solely to carry out the Plan Administration Functions that the Plan Sponsor performs for the Plan. Accordingly, to the extent <<Business Associate>> needs to disclose or provide access to PHI to the Plan Sponsor or any employee or other person under the control of the Plan Sponsor, <<Business Associate>> shall make such Disclosure of or provide such access to PHI only as follows:

To any employee or other person under the control of the Plan Sponsor upon such person's written request on behalf of the Plan Sponsor for the purpose of obtaining premium bids for the provision of health insurance, HMO or stop-loss coverage for the Plan or modifying, amending or terminating the Plan;

To only the following employees or other persons (including third parties) identified in the Plan documents and under the control of the Plan Sponsor solely for the purpose of carrying out the Plan Administration Functions that the Plan Sponsor performs for the Plan:

[List such person(s) by name and position, currently:
Add Name, Title, Location
Add Name, Title, Location
Add Name, Title, Location
Add Name, Title, Location
Add Name, Title, Location
Add Name, Title, Location
Add Name, Title, Location]

Notwithstanding anything herein to the contrary, effective as of the date determined by the Secretary, the <<Business Associate>> shall not disclose to the Plan Sponsor PHI that is Genetic Information for Underwriting Purposes.

It is acknowledged and agreed that the federal Privacy Rules require the Plan to maintain policies and procedures to ensure that any PHI that it uses, requests or discloses be no more than the Minimum Necessary to accomplish the intended purpose. Accordingly, the Plan hereby agrees and represents that any requests that it makes for PHI to be disclosed to it or to the Plan Sponsor will be for no more than the minimum amount necessary for their intended purpose.

Acknowledged and agreed to by:

NAME __________________________   DATE __________
On behalf of the Visa Group Health Plan
119 Appendix E SAMPLE NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. "We" refers to the Visa Group Health Plans also referred to as Plans. "You" or "yours" refers to Individual participants in the Plans. If you are covered by an insured health option under the Plans you will receive a separate notice from the insurer or HMO. Use and Disclosure of Protected Health Information We are required by federal law to protect the privacy of your Individual Health Information (referred to in this notice as "Protected Health Information"). We are also required to provide you with this notice regarding our policies and procedures regarding your Protected Health Information, and to abide by the terms of this notice, as it may be updated from time to time. Under applicable law, we are permitted to make certain types of Uses and Disclosures of your Protected Health Information, without your Authorization, for Treatment, Payment, and Health Care operations purposes. For Treatment purposes, such Use and Disclosure may take place in providing, coordinating, or managing Health Care and its related services by one or more of your providers, such as when your primary care physician consults with a specialist regarding your condition. For Payment purposes, such Use and Disclosure may take place to determine responsibility for coverage and benefits, such as when we confer with other Health Plans to resolve a coordination of benefits issue. We also may Use your Protected Health Information for other Payment-related purposes, such as to assist in making plan eligibility and coverage determinations, or for utilization review activities. For Health Care operations purposes, such Use and Disclosure may take place in a number of ways involving plan administration, including for quality assessment and improvement, vendor review, and underwriting activities. 
Your information could be used, for example, to assist in the evaluation of one or more vendors who support us, or we may contact you to provide reminders or information about Treatment alternatives or other health-related benefits and services available under the Plans. We may disclose your Protected Health Information to the plan sponsor in connection with these activities. If you are covered under an insured Health Plan, the insurer also may disclose Protected Health Information to the plan sponsor in connection with Payment, Treatment or Health Care operations. Appendix E Notice of Privacy Practices
120 Appendix E The Plans are prohibited from using or disclosing, and will not use or disclose, your information that contains genetic information for underwriting purposes. In addition, we may use or disclose your Protected Health Information without your Authorization under conditions specified in federal regulations, including: as Required by Law, provided the Use or Disclosure complies with and is limited to the relevant requirements of such law, for public health activities, Disclosures to an appropriate government authority regarding victims of abuse or neglect, to a health oversight agency for oversight activities authorized by law, in connection with judicial and administrative proceedings, to a Law Enforcement Official for law enforcement purposes, to a coroner or medical examiner, to cadaveric organ, eye or tissue donation programs, for research purposes, as long as certain privacy-related standards are satisfied, to avert a serious threat to health or safety, for specialized government functions (e.g., military and veterans activities, national Security and intelligence, federal protective services, medical suitability determinations, correctional institutions and other law enforcement custodial situations), and for workers compensation or other similar programs established by law that provide benefits for work-related injuries or illness without regard to fault. We may disclose to one of your family members, to a relative, to a close personal friend, or to any other person identified by you, Protected Health Information that is directly relevant to the person's involvement with your care or Payment related to your care. In addition, we may use or disclose the Protected Health Information to notify a member of your family, your personal representative, another person responsible for your care, or certain disaster relief agencies of your location, general condition, or death. 
If you are incapacitated, there is an emergency, or you otherwise do not have the opportunity to agree to or object to this Use or Disclosure, we will do what in our judgment is in your best interest regarding such Disclosure and will disclose only the information that is directly relevant to the person's involvement with your Health Care and is otherwise permitted by State Law.

Other Uses and Disclosures will be made only with your written Authorization, and you may revoke your Authorization in writing at any time.

You may ask us to restrict Uses and Disclosures of your Protected Health Information to carry out Treatment, Payment, or Health Care operations, or to restrict Uses and Disclosures to family members, relatives, friends, or other persons identified by you who are involved in your care or Payment for your care. However, we are not required to agree to your request. You may exercise this right by contacting the Individual or office identified at the end of this notice. They will provide you with additional information.
You have the right to request the following with respect to your Protected Health Information: (i) inspection and copying; (ii) amendment; (iii) an accounting of certain Disclosures of this information by us (except as explained in the next paragraph, you are not entitled to an accounting of Disclosures made for Payment, Treatment or Health Care operations, or Disclosures made pursuant to your written Authorization); (iv) to the extent that we maintain an electronic record with respect to your information, a copy of that record in electronic format, for which you may be charged a fee; (v) the right to restrict Disclosures for Payment or Health Care Operations (but not for carrying out Treatment) where you have paid the health care provider in full; and (vi) the right to receive a paper copy of this notice upon request, even if you agreed to receive the notice electronically.

To the extent that the Plans use or maintain an electronic health record of PHI, an Individual will have the right to receive an accounting of electronic Disclosures from the Plans if the information was used for Payment, Treatment or Health Care Operations ("TPO") during the past three (3) years. This Individual right applies to: TPO Disclosures on or after January 1, 2014 for electronic records held as of January 1, 2009, and TPO Disclosures made after the later of January 1, 2011 or the date the Plan or Plans acquire the electronic health record, for electronic health records acquired after January 1,

You have the right to request in writing that you receive your Protected Health Information by alternative means or at an alternative location regarding communications that your Health Plan initiates.

We reserve the right to change the terms of this notice and to make the new notice provisions effective for all Protected Health Information we maintain. If we change this notice you will receive a new notice by mail or by distribution to active employees in the workplace.
If you believe that your privacy rights have been violated, you may complain to us in writing at the location described below under Contacting Us or to the Secretary of the Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, DC. You will not be retaliated against for filing a complaint.

Contacting Us

You may exercise the rights described in this notice by contacting the office identified below. They will provide you with additional information. The contact is:

[Name]
[Title and Address]

The effective date of this notice is [INSERT DATE].
Appendix F ROLES OF THE PRIVACY AND SECURITY OFFICERS

Each employer must designate a Privacy Officer and a Security Officer (who may be one and the same person) responsible for the development and implementation of the policies and procedures required by the HIPAA Privacy and Security Regulations.

The Privacy Officer ensures a central point of accountability for the group health plans for privacy-related issues. The Privacy Officer is charged with developing and implementing the policies and procedures for the group health plans, as required throughout the regulations and for compliance with the regulations generally. Likewise, the Security Officer ensures a central point of accountability within for HIPAA security issues. The Security Officer is responsible for developing and implementing the HIPAA security policies and procedures in compliance with the HIPAA Security Regulations.

The designated Privacy/Security Officer is available to answer employee questions throughout the employee's employment. The Privacy/Security Officer role is usually an additional responsibility given to an existing employee.

RESPONSIBILITIES OF THE PRIVACY OFFICER:

The Privacy Officer will:
Possess some level of expertise in Federal and State health care statutes, regulations and Federal health care program requirements;
Be independent of the specific functional areas examined;
Have access to existing audit resources, relevant personnel and all relevant areas of operation;
Present written evaluative reports on HIPAA compliance activities to the Plan Administrator, Board of Directors, and members of any designated HIPAA Committee on an annual basis or more frequently if needed; and
Specifically identify areas where corrective actions are needed.

The Privacy Officer is responsible for auditing the group health plans' privacy procedures and practices internally on a periodic basis.
RESPONSIBILITIES OF THE SECURITY OFFICER:

The Security Officer, or a designee or designees, is trained and able to review and explain the security policies and procedures. The Security Officer, or a designee or designees, will:
Be responsible for the overall implementation and maintenance of the security policies and procedures;
Cooperate with government agencies on security compliance reviews/investigations;
Maintain a written record of any action, activity, or assessment that is required to be documented under the Security Regulations;

Appendix F Roles of the Privacy and Security Officers
Ensure retention of all required documentation for six years from the date of its creation or the date when it was last in effect, whichever is later;
Ensure that documentation is made available to those responsible for implementing the procedures to which the documentation pertains;
Review documentation periodically, and update as needed;
Ensure that appropriate Individuals have received HIPAA security training and that new hires are trained within a reasonable amount of time;
Establish employee sanctions for failure to comply with security policies and procedures;
Monitor compliance with the HIPAA Security Regulations on an ongoing basis;
Monitor ongoing compliance of all Business Associate agreements; and
Promote awareness of the HIPAA Security Regulations.

The Information Security Office usually works closely with the Security Officer to ensure the confidentiality, integrity and availability of ePHI.
