Last Updated: June 02, 2020
All company employees whose responsibilities include the collection, processing or storage of client data are expected to be vigilant and assist in the protection of that data by adherence to these Principles and reporting any deviations. In following these Principles, Vee Technologies complies with the applicable laws and regulations protecting the privacy of personal data in the jurisdictions in which the company operates alongside HIPAA and GLB.
- These Principles apply to all personal data entrusted to us by our client that is collected, maintained, processed and returned by the company as part of an actual client relationship. The Company will review and amend these Principles from time to time, should it become necessary to do so.
- This principle applied to all Personal data collected by Vee Technologies of its employees and consultants.
“Personal data” means data about an individual that is personally identifiable.
All Employees of Vee Technologies involved in the processing of personally identifiable information.
4.1.1 Notice Principle:
The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Vee Technologies informs its clients/stake holders the purposes for which personal information is collected, used retained and disclosed
- The type of data Vee Technologies collects,
- The purposes for which Vee Technologies collects and discloses personal data,
- The circumstances under which Vee Technologies discloses personal data, including the types of potential recipients
- That Vee Technologies employs privacy and information safeguards; and
- The circumstances under which individuals may access and correct their personal data.
Vee Technologies provides periodic general notice regarding routine information practices. In addition, Vee Technologies communicates these Principles and any implementing policies and procedures through normal communication channels via HR Portal and email.
4.1.2 Communication to clients and stake holder
Notice is provided to all clientele regarding our commitment to the following privacy policies by share the below listed details:
a. Purpose for collecting personal information
b. Choice and consent
d. Use, retention, and disposal
f. Disclosure to third parties
g. Security for privacy
i. Monitoring and enforcement
4.1.3 Provision of Notice:
Notice is provided to the clients about the Vee Technologies privacy policies and procedures.
- Prior to project initiation
- as and when there are changes in Vee Technologies privacy policies and procedures
- Prior to changes in the work order in case personal information may be used for new purposes not previously identified.
4.1.4 Entities and Activities Covered
An objective description of the Vee technologies and activities covered by the privacy policies and procedures is included in the entity’s privacy notice
For Clients: Privacy Memorandum
For Employee’s: Privacy Notice and Consent
4.2 Choice and Consent
Vee Technologies describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4.2.1 Communication to clients and employees
Clients are informed about
Vee Technologies accesses personal data for medical claims-related business purposes. Where consent of the clients for the collection, use, or disclosure of personal data is required by law (HIPAA) or contract, Vee Technologies will comply with these law or contract.
That implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise
- In the event that a client expresses a concern about the collection, use or disclosure of personal data, Vee Technologies will respond to the clients concern consistent with applicable law. (HIPAA)
- Vee Technologies will abide to the HIPAA law [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] and maintains the Business Associate Agreement (BAA) with its clients to assure that the Electronically maintained protected health information are used for the purposes for which it was engaged and will safeguard the information from misuse.
- All the policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must be documented and reviewed periodically for appropriateness and currency. At each department level implementation of this policy and set of standard must be evident and addressing any additional information systems functionality in such department. The latest revised policies should be uploaded in HR portal and same has to be read and acknowledged by the employees.
- Vee Technologies trains all members of its workforce on all the policies and procedures with respect to protected health information required by (HIPAA) § 164.530 Administrative requirements to safeguard the Electronically maintained PHI information from misuse and use client data for its intended purposes only.
- Vee Technologies provides the training to all its employees on all Security Policies, Code of conduct (FWA), HIPAA Privacy rules to ensure reasonable safeguards for individuals’ health information.
- All the new members of the workforce are trained through Induction or awareness session and entire workforce is re-trained on refresher training programs periodically.
- All the employees are educated on how to safeguard client data while accessing, handling and transmitting.
- Non Disclosure of personally identifiable information of clients to third parties & clients
- To avoid using patients’ names/ PHI details in public areas either through oral or written communication.
- Printer or e-Fax access are restricted to users based on their operational requirement. Permitted users are responsible to shred the hard copies through shredder machines.
- Not allowing users to save client data in local drives.
- Restricted internet services to block file transfer options.
- No use or disclosure of PHI unless permitted or required by the Privacy Rule
- Required Disclosures:
– To the individual who is the subject of the PHI.
– To the Secretary of HHS in order to determine compliance
– To the individual or personal representative
– For treatment, payment and health care operations (TPO)
- Vee Technologies will not retaliate against any company/individual for expressing a concern about the collection, use, or disclosure of his or her personal data, or for exercising a legal right to refuse to provide information.
Employees are also informed about:
- Storage of their personal information
- Disclosure of their personal information to third parties & clients
- Use, retention, and disposal of their personal information.
- Access and update their personal information
- Security of their personal information.
4.2.2 Consent for Online Data Transfers To or From an Individual’s Computer or Other Similar Electronic Devices
4.2.3 Consent is obtained from client before Data containing personal information is transferred to or from an individual’s computer or other similar device.
4.2.4 Consent is obtained from employees as a disclaimer through HR portal.
4.3 Collection Principle:
4.3.1 Collection Limited to Identified Purpose
Vee Technologies collects personal information only for the purposes identified in the Privacy Notice and Consent for relevant and appropriate purposes only in a reasonable and lawful manner. The collection and use of client personal data in the business context is essential to the operation of the company, and particularly to the operation functions. Examples of the purposes for which the company collects and uses client personal data include Medical Billing, Medical coding, insurance processing, logistic processing, financial and accounting processing the client is the only source to provide information to carry out the knowledge processing, the Data is provided to use through reliable and secure resources with appropriate acknowledgments
4.3.2 Collection by Fair and Lawful Means
Methods of collecting personal information are reviewed by Chief Privacy Officer before they are implemented to confirm that personal information is obtained
- fairly, without intimidation or deception,
- Lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.
4.4 Use, Retention, and Disposal Principle:
Vee Technologies limits the use of personal information to the purposes identified in the notice and for which our Client has provided implicit or explicit consent. Vee Technologies does not retain any personal information as all the information is processed on the clients system and data bases unless and until the client requires us to do so, in such circumstances the data is retained for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately the information is appropriately dispossessed.
Vee Technologies regularly and systematically destroys, erases, or makes anonymous personal information of their employee’s which are no longer required to fulfill the identified purposes or as required by laws and regulations.
Reference: 1 SP- 82-Confidential Information Policy
Reference: 2 SP-821- Data Classification Policy
Vee Technologies does not maintain any personal data, Authenticated non editable data is provided by the client
Disclosure to Third Parties:
- Communication to employees
Specific instructions or requirements for handling personal information are communicated to employees to whom personal information is disclosed.
Vee Technologies places substantial importance on protecting the confidentiality of personal data and seeks the cooperation of all employees in furthering this goal.
To the extent feasible, Vee Technologies restricts access to personal data to those employees, agents, or contractors of Vee Technologies, who have a legitimate business need for such access.
- Vee Technologies requires agents and contractors to whom the company discloses personal data for servicing to commit to protecting the privacy and security of the data and to refrain from any uses or further disclosures or not authorized by the company.
- Vee Technologies will not disclose personal data to unaffiliated third parties
- In addition, under certain exceptional circumstances, the company may, as permitted by law, disclose other personal data without prior notice.
- Vee Technologies will not make onward transfers of PII data for commercial gain,
SP-112-Acceptable Usage Policy
SP-52-Information Security Policy
4.6 Disclosure to Third Parties
4.6.1 Disclosure of Personal Information
Personal information is disclosed to employees only for the purposes described in the notice, and for which the client has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.
4.6.2 Protection of Personal Information
Personal information is disclosed only to employees who have Signed Non-disclosure agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
4.6.3 Misuse of Personal Information by a Third Party
Vee technologies will take remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
4.7.1 Information Security Program
Vee Technologies Information Security Program
A security program has been
- approved, and
That includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas1 insofar as they relate to the security of personal information
Reference: ISMS MANUAL
4.7.2 Logical Access Controls
Logical access to personal information is restricted by procedures that address the following matters:
Where Vee Technologies commits to
a. Authorizing and registering employees
b. Identifying and authenticating employees
c. Making changes and updating access profiles
d. Granting privileges and permissions for access to IT infrastructure components and personal information
e. Preventing individuals from accessing anything other than their own personal or sensitive information
f. Limiting access to personal information to only authorized internal personnel based upon their assigned roles and responsibilities
g. Distributing output only to authorized internal personnel
h. Restricting logical access to offline storage, backup data, systems, and media
i. Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls)
j. Preventing the introduction of viruses, malicious code, and unauthorized software
Reference : SP-911-Access Control Policy
4.7.3 Physical Access Controls
Physical access is restricted to personal information in any form (including the components of the entity’s system(s) that contain or protect personal information).
Reference : SP-911- Access Control Policy
4.7.4 Environmental Safeguards
Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards
Reference: SSP-172- Redundancies
4.7.5 Transmitted Personal Information
Vee Technologies ensures that personal information is protected when transmitted by mail or other physical means. Personal information collected and transmitted over the Internet, over public and other nonsecure networks, and wireless networks is protected by deploying industry standard encryption technology for transferring and receiving personal information
Reference: SP-101-Cryptographic Control Policy
4.7.6 Personal Information on Portable Media
Vee Technologies does not store any PII on portable media.
4.7.7 Testing Security Safeguards
Vee technologies carry out Tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information
4.8 Quality Principle
The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Communication to clients
Clients are notified that they are responsible for providing the entity with accurate and complete personal information, for processing claims
Reference: Privacy Notice Draft.doc
4.9 Monitoring and Enforcement
Vee Technologies maintains an active program to ensure compliance with these Principles, as well as with applicable law or contractual agreements on handling of personal data. Chief Privacy Officer is responsible for implementing and overseeing the administration of these Principles. All Vee Technologies employees whose responsibilities include the collection, processing or storage of personal data are required to adhere to these Principles and implementing policy. Failure to do so may be grounds for discipline up to and including termination.
4.9.2 Roles and responsibilities of compliance team
- Overseeing the Vee Technologies employee privacy education and training programs;
- Overseeing the resolution of privacy inquiries and complaints;
- Overseeing periodic assessments of the company’s internal practices to ensure that they conform to these Principles;
- Working with the company’s legal consultants to ensure the company’s ongoing compliance with applicable privacy laws;
- Overseeing the response to questions regarding these Principles and any implementing policies;
- Overseeing the investigation of complaints regarding possible violations of these Principles; and
- Otherwise administering the implementation and enforcement of these Principles and other human resources privacy matters.
4.9.3 Procedure Compliance measures
- Educating all the company employees as to the purpose and application of these Principles;
- Training human resources employees and others with significant access to personal data on proper procedures for the processing of personal data;
- Requiring agents and contractors with significant access to personal data to make contractual commitments to safeguard the data and use it appropriately;
- Holding employees accountable for violation of these Principles and implementing policies, with sanctions, including the possibility of termination of employment; and
- Holding agents and contractors accountable for violation of their contractual commitments, with sanctions, including the possibility of termination of contracts.
4.9.4 Compliant Resolution:
Any employee who has a concern about the collection, use or disclosure of the individual’s personal data is encouraged to use the Vee Technologies internal Alternative Dispute Resolution program or other internal means of resolving disputes, Open house/Open Forum meeting conducted once a month.
4.9.5 Incident Management
Escalation Matrix is established wherein all employees of Vee Technologies would be able to report a security incident leading to breach through appropriate channel and record the incidence to avoid similar kind of breach in future.
4.10 Risk Assessment
A risk assessment is reviewed yearly to establish a risk baseline to identify new or changed risks to personal information accordingly respective control are inducted to reduce the respective risks
Reference : ISMS-02- Risk Assessment methodology
4.11 Communication to Internal Personnel
Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the Vee technologies internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved
4.12 Review and Approval
Vee Technologies Privacy policies, procedures, client contract, and changes to them, are reviewed and approved by management periodically.
4. 13 Consistency of Privacy Policies and Procedures with Laws and Regulations
Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.
4.14 Privacy Breach Notification Policy
As a policy of Vee Technologies that all employees will access, use and should not disclose PII, and that all employees shall be vigilant with respect to guarding PII. However, in the event that a potential breach of unsecured PII occurs, the following procedures shall be followed
- A breach of PII will be deemed “discovered” as of the first day Vee Technologies knows of the breach or, by exercising reasonable diligence, would or should have known about the breach.
- If a potential breach is discovered, it is very time sensitive and must be immediately reported
4.14.2 INTERNAL REPORTING
- If a potential breach of PII has occurred, it should be immediately notify the Privacy Officer.
- Provide all the available information you have regarding the potential breach, including names, dates, and the nature of the PII potentially breached, the manner of the disclosure (fax, email, mail, verbal), all employees involved, the recipient, all other persons with knowledge, and any associated written or electronic documentation that may exist.
- Notification and associated documentation may itself contain PII and should only be given to the Privacy Officer.
- Do not discuss the potential breach with anyone else, and do not attempt to conduct an investigation. These tasks will be performed by the Privacy Officer.
- This reporting can be done through the HR Portal by individual employees.
- Upon receipt of notification of a potential breach the Privacy Officer will promptly conduct an investigation.
- The investigation shall include interviewing employees involved, collecting written documentation, and completing all appropriate documentation.
- The Privacy Officer shall retain all documentation related to potential breach investigations for a minimum of six years.
- Whatever the privacy incidents raised in the HR Portal will be investigated by the Privacy Officer.
4.14.4 RISK ASSESSMENT AND RECOMMENDATION
After the investigation is complete, the Privacy Officer will perform a Risk Assessment.
The purpose of the Risk Assessment is to determine if a use or disclosure of PII constitutes a breach and requires further notification to the Covered Entity. The Privacy Officer shall appropriately document the Risk Assessment and make a recommendation,
whether notification to the Covered Entity of the potential breach would be prudent.
A “reasoned judgment” standard will be applied to the Risk Assessment, which shall be fact specific and shall include consideration of the following factors:
- Did the disclosure involve Unsecured PII in the first place?
- Who impermissibly used or disclosed the Unsecured PII?
- To whom was the information impermissibly disclosed?
- Was it returned before it could have been accessed for an improper purpose?
- What type of Unsecured PII is involved and in what quantity?
- Was the disclosure made for any improper purpose?
- Is there the potential for significant risk of financial, reputational, or other
- Harm to the individual whose PII was disclosed?
- Was immediate action taken to mitigate any potential harm?
- Do any of the specific breach exceptions apply?
4.14.5 FINAL DETERMINATION BY THE PRIVACY OFFICER
The Vee Technologies Privacy Officer shall have final authority to determine whether a breach of unsecured PII occurred and what, if any, further action is warranted
4.14.6 NOTIFICATION TO COVERED ENTITY/BUSINESS ASSOCIATE
In the event that the Privacy Officer determines that notice to the Covered Entity/Business
Associate is warranted, the Chairperson shall promptly prepare and transmit a CE/BA Notice.
- Content - The CE/BA Notice shall include:
- Identification of each individual whose Unsecured PII is believed to have been breached, the date of the disclosure, the facts and circumstances surrounding the disclosure, and all associated documentation.
- The CE/BA Notice shall include all other available information known to Vee Technologies that the Covered Entity/Business Associate will be required to include in its own Notice to the individual(s)
- If additional information regarding the breach is later discovered by Vee Technologies, that information will be promptly provided to the Covered Entity/Business Associate.
- The CE/BA Notice shall be sent first class mail, return receipt requested, and the receipt and a copy of the CE/BA Notice shall be kept with related documentation.
- Upon receipt of the CE/BA Notice from Vee Technologies, it is the obligation of the Covered Entity/Business Associate to notify affected individuals, HHS, and/or the media unless otherwise specifically agreed upon by contract
- Timing of Notification - Vee Technologies shall notify the Covered Entity/Business Associate “without unreasonable delay” but no later than 3 days after discovery of the breach. The Vee Technologies Services Agreement provides that Vee Technologies is an independent contractor; therefore the Covered Entity’s/Business Associate’s time to provide the requisite notice begins to run on the date that Vee Technologies notifies the CE/BA of the breach.
- Unjustified Delay - If it appears to the Privacy Officer that the investigation will not be completed within a reason able time, the Covered Entity/Business Associate will be notified before completion of the investigation.
- Law Enforcement Delay - A delay in notification is permissible if a law enforcement official states that a breach notification would impede a criminal investigation or cause damage to national security.
- In that event, the law enforcement statement must be in writing and must specify the length of the delay required.
- If the request for a delay in notification is oral, Vee Technologies must document the statement and request written confirmation within a day. If no written request for a delay is received within that time, Vee Technologies must send notification of the breach to the Covered Entity/Business Associate.
All phases of the process must be documented in detail on a case-specific basis, in a manner sufficient to demonstrate that all appropriate steps were completed. All supporting documentation associated with the potential breach shall be kept on file for a period of 6 years.
4.15 Infrastructure and Systems Management
Vee Technologies ensures potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification and management of the following:
• Products and services
• Data bases and information repositories
• Mobile computing and other similar electronic devices
The use of personal information in process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity’s privacy policies and procedures.
4.16 Personal Information Identification and Classification
Vee Technologies ensures identifying the types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Such information is covered by the Vee Technologies privacy and related security policies and procedures.
Reference: SP-821-Data Classification Policy
4.17 Qualifications of Internal Personnel
Vee Technologies establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training
Reference: SSP-7-HR Operating Procedure
4.18 Privacy Awareness and Training
Vee Technologies A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.
Reference: SSP-7- HR Operating Procedure