
Privacy Policy

Last Updated: June 27, 2023

1.0 Objective

This privacy policy sets out how Vee protects all personally identifiable information of our clientele that is entrusted to and handled within Vee, as well as the personal data of its employees.

Vee recognizes and supports the need for reasonable protections regarding the privacy of personal data entrusted to us by our clientele. For this reason, the company has developed and adopted these general guiding Principles. Individual locations should consider adopting regional implementation policies to put these Principles into practice.

All company employees whose responsibilities include the collection, processing or storage of client data are expected to be vigilant and assist in the protection of that data by adherence to these Principles and reporting any deviations.

In following these Principles, Vee complies with the applicable laws and regulations protecting the privacy of personal data in the jurisdictions in which the company operates, as well as with HIPAA and GLB.

2.0 Scope

  1. These Principles apply to all personal data entrusted to us by our client that is collected, maintained, processed, and returned by the company as part of an actual client relationship. The Company will review and amend these Principles from time to time, should it become necessary to do so.
  2. These Principles also apply to all personal data of its employees and consultants collected by Vee.

"Personal data" means data about an individual that is personally identifiable.

3.0 Responsibility

All Employees of Vee are involved in the processing of personally identifiable information.

4.0 Procedure

4.1 Notice

4.1.1 Notice Principle:

The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Vee informs its clients/stakeholders of the purposes for which personal information is collected, used, retained, and disclosed, including:

  • The type of data Vee collects,
  • The purposes for which Vee collects and discloses personal data,
  • The circumstances under which Vee discloses personal data, including the types of potential recipients
  • That Vee employs privacy and information safeguards; and
  • The circumstances under which individuals may access and correct their personal data.

Vee provides periodic general notice regarding routine information practices. In addition, Vee communicates these Principles and any implementing policies and procedures through normal communication channels via HR Portal and email.

4.1.2 Communication to clients and stakeholders

Notice is provided to all clientele regarding our commitment to the following privacy policies by sharing the details listed below:

  1. Purpose for collecting personal information
  2. Choice and consent
  3. Collection
  4. Use, retention, and disposal
  5. Access
  6. Disclosure to third parties
  7. Security for privacy
  8. Quality
  9. Monitoring and enforcement

4.1.3 Provision of Notice:
Notice about the Vee privacy policies and procedures is provided to the clients:

  • Prior to project initiation
  • As and when there are changes in Vee privacy policies and procedures
  • Prior to changes in the work order in case personal information may be used for new purposes not previously identified.

4.1.4 Entities and Activities Covered
An objective description of Vee and the activities covered by the privacy policies and procedures is included in the entity’s privacy notice:
For Clients: Privacy Memorandum
For Employees: Privacy Notice and Consent

4.2 Choice and Consent

Vee describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4.2.1 Communication to clients and employees

Clients are informed about:

  • Vee accesses personal data for medical claims-related business purposes. Where consent of the clients for the collection, use, or disclosure of personal data is required by law (HIPAA) or contract, Vee will comply with that law or contract. Implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
  • In the event that a client expresses a concern about the collection, use or disclosure of personal data, Vee will respond to the client’s concern consistent with applicable law (HIPAA).
  • Vee will abide by the HIPAA law [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] and maintains the Business Associate Agreement (BAA) with its clients to assure that electronically maintained protected health information is used for the purposes for which it was engaged, and will safeguard the information from misuse.
  • Vee has designated a CPO to develop and implement the policies and procedures of the entity and review them periodically to incorporate latest standards.
  • There is a disciplinary procedure in place to take appropriate action against members of its workforce who fail to comply with the privacy policy HIPAA Privacy Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E.
  • All the policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must be documented and reviewed periodically for appropriateness and currency. At each department level, implementation of this policy and set of standards must be evident and must address any additional information systems functionality in that department. The latest revised policies should be uploaded to the HR portal and must be read and acknowledged by the employees.
  • Vee trains all members of its workforce on all the policies and procedures with respect to protected health information, as required by HIPAA § 164.530 (Administrative requirements), to safeguard electronically maintained PHI from misuse and to use client data for its intended purposes only.
  • Vee provides training to all its employees on all Security Policies, Code of Conduct (FWA), and HIPAA Privacy rules to ensure reasonable safeguards for individuals’ health information.
  • All new members of the workforce are trained through induction or awareness sessions, and the entire workforce is retrained through refresher training programs periodically.
  • All employees are educated in how to safeguard client data while accessing, handling and transmitting it.
  • Non-Disclosure of personally identifiable information of clients to third parties & clients
  • To avoid using patients’ names/ PHI details in public areas either through oral or written communication.
  • Printer or e-Fax access is restricted to users based on their operational requirement. Permitted users are responsible for shredding hard copies using shredder machines.
  • Not allowing users to save client data in local drives.
  • Restricted internet services to block file transfer options.
  • No use or disclosure of PHI unless permitted or required by the Privacy Rule
  • Required Disclosures:
    • To the individual who is the subject of the PHI.
    • To the Secretary of HHS in order to determine compliance
    • To the individual or personal representative
    • For treatment, payment and health care operations (TPO)
  • Vee will not retaliate against any company/individual for expressing a concern about the collection, use, or disclosure of his or her personal data, or for exercising a legal right to refuse to provide information.

Employees are also informed about:

  • Storage of their personal information
  • Disclosure of their personal information to third parties & clients
  • Use, retention, and disposal of their personal information.
  • Access to and updating of their personal information
  • Security of their personal information.

4.2.2 Consent for Online Data Transfers to or From an Individual’s Computer or Other Similar Electronic Devices

4.2.3 Consent is obtained from the client before data containing personal information is transferred to or from an individual’s computer or other similar device.
Privacy Memorandum

4.2.4 Consent is obtained from employees as a disclaimer through the HR portal.

4.3 Collection Principle:

Collection Limited to Identified Purpose

Vee collects personal information only for the purposes identified in the Privacy Notice and Consent, for relevant and appropriate purposes only, in a reasonable and lawful manner. The collection and use of client personal data in the business context is essential to the operation of the company, and particularly to the operation functions. Examples of the purposes for which the company collects and uses client personal data include medical billing, medical coding, insurance processing, logistic processing, and financial and accounting processing. The client is the only source of the information needed to carry out the knowledge processing, and the data is provided to us through reliable and secure resources with appropriate acknowledgments.

Collection by Fair and Lawful Means

Methods of collecting personal information are reviewed by the Chief Privacy Officer before they are implemented to confirm that personal information is obtained:

  • Fairly, without intimidation or deception,
  • Lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.

4.4 Use, Retention, and Disposal Principle:

Vee limits the use of personal information to the purposes identified in the notice and for which our client has provided implicit or explicit consent. Vee does not retain any personal information, as all the information is processed on the client’s system and databases, unless and until the client requires us to do so. In such circumstances, the data is retained only for as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter the information is appropriately disposed of.

Vee regularly and systematically destroys, erases, or makes anonymous personal information of its employees that is no longer required to fulfill the identified purposes or as required by laws and regulations.

Reference 1: IMS-PLC-ORG-05-12-Confidential Information Policy
Reference 2: IMS-PLC-ORG-05-13-Data Classification Policy

4.5 Access

Vee does not maintain any personal data; authenticated, non-editable data is provided by the client.

Disclosure to Third Parties:

Communication to employees

  • Specific instructions or requirements for handling personal information are communicated to employees to whom personal information is disclosed.
  • Vee places substantial importance on protecting the confidentiality of personal data and seeks the cooperation of all employees in furthering this goal.
  • To the extent feasible, Vee restricts access to personal data to those employees, agents, or contractors of Vee, who have a legitimate business need for such access.
  • Vee requires agents and contractors to whom the company discloses personal data for servicing to commit to protecting the privacy and security of the data and to refrain from any uses or further disclosures not authorized by the company.
  • Vee will not disclose personal data to unaffiliated third parties.
  • In addition, under certain exceptional circumstances, the company may, as permitted by law, disclose other personal data without prior notice.
  • Vee will not make onward transfers of PII data for commercial gain.

IMS-PLC-ORG-05-11- Acceptable Usage Policy
IMS-PLC-ORG-05-10-Information Security Policy

4.6 Disclosure to Third Parties

Disclosure of Personal Information

Personal information is disclosed to employees only for the purposes described in the notice, and for which the client has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.

Protection of Personal Information

Personal information is disclosed only to employees who have signed non-disclosure agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.

Misuse of Personal Information by a Third Party

Vee will take remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.

4.7 Security: 

Information Security Program

Vee's Information Security Program
A security program has been

  • developed,
  • documented,
  • approved, and
  • implemented

that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas insofar as they relate to the security of personal information.

Reference: IMS MANUAL

Logical Access Controls

Logical access to personal information is restricted by procedures that address the following matters, where Vee commits to:

  1. Authorizing and registering employees
  2. Identifying and authenticating employees
  3. Making changes and updating access profiles
  4. Granting privileges and permissions for access to IT infrastructure components and personal information
  5. Preventing individuals from accessing anything other than their own personal or sensitive information
  6. Limiting access to personal information to only authorized internal personnel based upon their assigned roles and responsibilities
  7. Distributing output only to authorized internal personnel
  8. Restricting logical access to offline storage, backup data, systems, and media
  9. Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls)
  10. Preventing the introduction of viruses, malicious code, and unauthorized software

Reference: IMS-PLC-ORG-05-14-Access Control Policy

Physical Access Controls

Physical access is restricted to personal information in any form (including the components of the entity’s system(s) that contain or protect personal information).
Reference: IMS-PLC-ORG-05-14-Access Control Policy

Environmental Safeguards

Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards.

Transmitted Personal Information

Vee ensures that personal information is protected when transmitted by mail or other physical means. Personal information collected and transmitted over the Internet, over public and other nonsecure networks, and over wireless networks is protected by deploying industry standard encryption technology for transferring and receiving personal information.
Reference: IMS-PLC-ORG-05-03-Cryptographic Control Policy

Personal Information on Portable Media

Vee does not store any PII on portable media.

Testing Security Safeguards

Vee carries out tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information.

4.8 Quality Principle

The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

Communication to clients
Clients are notified that they are responsible for providing the entity with accurate and complete personal information for processing claims.

Reference: Privacy Draft Notice.doc

4.9 Monitoring and Enforcement

Compliance: 

Vee maintains an active program to ensure compliance with these Principles, as well as with applicable law or contractual agreements on handling of personal data. The Chief Privacy Officer is responsible for implementing and overseeing the administration of these Principles. All Vee employees whose responsibilities include the collection, processing or storage of personal data are required to adhere to these Principles and implementing policy. Failure to do so may be grounds for discipline up to and including termination.

Roles and responsibilities of compliance team

  • Overseeing the Vee employee privacy education and training programs;
  • Overseeing the resolution of privacy inquiries and complaints;
  • Overseeing periodic assessments of the company’s internal practices to ensure that they conform to these Principles;
  • Working with the company’s legal consultants to ensure the company’s ongoing compliance with applicable privacy laws;
  • Overseeing the response to questions regarding these Principles and any implementing policies;
  • Overseeing the investigation of complaints regarding possible violations of these Principles; and
  • Otherwise administering the implementation and enforcement of these Principles and other human resources privacy matters.

Procedure Compliance measures

  • Educating all the company employees as to the purpose and application of these Principles;
  • Training human resources employees and others with significant access to personal data on proper procedures for the processing of personal data;
  • Requiring agents and contractors with significant access to personal data to make contractual commitments to safeguard the data and use it appropriately;
  • Holding employees accountable for violation of these Principles and implementing policies, with sanctions, including the possibility of termination of employment; and
  • Holding agents and contractors accountable for violation of their contractual commitments, with sanctions, including the possibility of termination of contracts.

Complaint Resolution:

Any employee who has a concern about the collection, use or disclosure of the individual’s personal data is encouraged to use the Vee internal Alternative Dispute Resolution program or other internal means of resolving disputes, Open house/Open Forum meeting conducted in frequently.

Incident Management

An Escalation Matrix is established through which all employees of Vee can report a security incident leading to a breach through the appropriate channel and record the incident, to avoid similar breaches in future.

4.3 Risk Assessment

A risk assessment is reviewed yearly to establish a risk baseline and to identify new or changed risks to personal information. Respective controls are accordingly introduced to reduce the respective risks.

4.4 Communication to Internal Personnel

Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the Vee internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.

4.5 Review and Approval

Vee Privacy policies, procedures, client contract, and changes to them, are reviewed and approved by management periodically.

4.6 Consistency of Privacy Policies and Procedures with Laws and Regulations

Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.

4.7 Privacy Breach Notification Policy

It is the policy of Vee that all employees will access and use, and should not disclose, PII, and that all employees shall be vigilant with respect to guarding PII. However, in the event that a potential breach of unsecured PII occurs, the following procedures shall be followed.

DISCOVERY

  1. A breach of PII will be deemed "discovered" as of the first day Vee knows of the breach or, by exercising reasonable diligence, would or should have known about the breach.
  2. If a potential breach is discovered, it is very time sensitive and must be immediately reported.

INTERNAL REPORTING

  1. If a potential breach of PII has occurred, immediately notify the Privacy Officer.
  2. Provide all the available information you have regarding the potential breach, including names, dates, and the nature of the PII potentially breached, the manner of the disclosure (fax, email, mail, verbal), all employees involved, the recipient, all other persons with knowledge, and any associated written or electronic documentation that may exist.
  3. Notification and associated documentation may itself contain PII and should only be given to the Privacy Officer.
  4. Do not discuss the potential breach with anyone else, and do not attempt to conduct an investigation. These tasks will be performed by the Privacy Officer.
  5. This reporting can be done through the HR Portal by individual employees.

INVESTIGATION

  1. Upon receipt of notification of a potential breach the Privacy Officer will promptly conduct an investigation.
  2. The investigation shall include interviewing employees involved, collecting written documentation, and completing all appropriate documentation.
  3. The Privacy Officer shall retain all documentation related to potential breach investigations for a minimum of six years.
  4. Any privacy incidents raised in the HR Portal will be investigated by the Privacy Officer.

RISK ASSESSMENT AND RECOMMENDATION

After the investigation is complete, the Privacy Officer will perform a Risk Assessment. The purpose of the Risk Assessment is to determine if a use or disclosure of PII constitutes a breach and requires further notification to the Covered Entity. The Privacy Officer shall appropriately document the Risk Assessment and make a recommendation, whether notification to the Covered Entity of the potential breach would be prudent.

A "reasoned judgment" standard will be applied to the Risk Assessment, which shall be fact specific and shall include consideration of the following factors:

  • Did the disclosure involve Unsecured PII in the first place?
  • Who impermissibly used or disclosed the Unsecured PII?
  • To whom was the information impermissibly disclosed?
  • Was it returned before it could have been accessed for an improper purpose?
  • What type of Unsecured PII is involved and in what quantity?
  • Was the disclosure made for any improper purpose?
  • Is there the potential for significant risk of financial, reputational, or other harm to the individual whose PII was disclosed?
  • Was immediate action taken to mitigate any potential harm?
  • Do any of the specific breach exceptions apply?

FINAL DETERMINATION BY THE PRIVACY OFFICER

The Vee Privacy Officer shall have final authority to determine whether a breach of unsecured PII occurred and what, if any, further action is warranted.

NOTIFICATION TO COVERED ENTITY/BUSINESS ASSOCIATE

In the event that the Privacy Officer determines that notice to the Covered Entity/Business Associate is warranted, the Chairperson shall promptly prepare and transmit a CE/BA Notice.

  1. Content - The CE/BA Notice shall include:
    1. Identification of each individual whose Unsecured PII is believed to have been breached, the date of the disclosure, the facts and circumstances surrounding the disclosure, and all associated documentation.
    2. The CE/BA Notice shall include all other available information known to Vee that the Covered Entity/Business Associate will be required to include in its own Notice to the individual(s).
    3. If additional information regarding the breach is later discovered by Vee, that information will be promptly provided to the Covered Entity/Business Associate.
    4. The CE/BA Notice shall be sent first class mail, return receipt requested, and the receipt and a copy of the CE/BA Notice shall be kept with related documentation.
    5. Upon receipt of the CE/BA Notice from Vee, it is the obligation of the Covered Entity/Business Associate to notify affected individuals, HHS, and/or the media unless otherwise specifically agreed upon by contract.
  2. Timing of Notification - Vee shall notify the Covered Entity/Business Associate “without unreasonable delay” but no later than 3 days after discovery of the breach. The Vee Services Agreement provides that Vee is an independent contractor; therefore the Covered Entity’s/Business Associate’s time to provide the requisite notice begins to run on the date that Vee notifies the CE/BA of the breach.
    1. Unjustified Delay - If it appears to the Privacy Officer that the investigation will not be completed within a reasonable time, the Covered Entity/Business Associate will be notified before completion of the investigation.
    2. Law Enforcement Delay - A delay in notification is permissible if a law enforcement official states that a breach notification would impede a criminal investigation or cause damage to national security.
      1. In that event, the law enforcement statement must be in writing and must specify the length of the delay required.
      2. If the request for a delay in notification is oral, Vee must document the statement and request written confirmation within a day. If no written request for a delay is received within that time, Vee must send notification of the breach to the Covered Entity/Business Associate.

 

DOCUMENTATION

All phases of the process must be documented in detail on a case-specific basis, in a manner sufficient to demonstrate that all appropriate steps were completed. All supporting documentation associated with the potential breach shall be kept on file for a period of 6 years.

[Figure: privacy policy documentation flow chart]

 

4.8 Infrastructure and Systems Management

Vee ensures potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification and management of the following:

  • Infrastructure
  • Systems
  • Applications
  • Websites
  • Procedures
  • Products and services
  • Databases and information repositories
  • Mobile computing and other similar electronic devices

The use of personal information in process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity’s privacy policies and procedures.

4.9 Personal Information Identification and Classification

Vee ensures that the types of personal information and sensitive personal information, and the related processes, systems, and third parties involved in the handling of such information, are identified. Such information is covered by the Vee privacy and related security policies and procedures.
Reference: IMS-PLC-ORG-05-13-Data Classification Policy

4.10 Qualifications of Internal Personnel

Vee establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training.

4.11 Privacy Awareness and Training

Vee provides a privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities.

 

5.0 Records

4.12 Training Records

4.13 Notice Communication Records

4.14 Notice Acknowledgement Records

4.15 Incident Report Records

4.16 Disciplinary Action Records