Privacy Policy
Lastrev02272015
1
Navia Benefit Solutions Privacy Policy
Contents
I. Introduction ............................................................................................................................................... 3
II. Responsibilities as Business Associate ...................................................................................................... 6
A. Privacy Official and Contact Person ...................................................................................................... 6
B. Workforce Training ............................................................................................................................... 6
C. Safeguards and Firewall ........................................................................................................................ 7
D. Privacy Notice ....................................................................................................................................... 7
E. Complaints ............................................................................................................................................ 8
F. Sanctions for Violations of Privacy Policy ............................................................................................. 8
G. Mitigation of Inadvertent Disclosures of Protected Health Information ............................................. 9
H. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy ....................................................... 9
I. Plan Document ....................................................................................................................................... 9
J. Documentation .................................................................................................................................... 10
III. Policies on Use and Disclosure of Protected Health Information .......................................................... 11
A. Use and Disclosure Defined ................................................................................................................ 11
B. Workforce Must Comply With Plan's Policy and Procedures ............................................................. 11
C. Permitted Uses and Disclosures for Plan Administration Purposes ................................................... 11
D. Permitted Uses and Disclosures: Payment and Health Care Operations ........................................... 12
E. No Disclosure of Protected Health Information for Non-Health Plan Purposes................................. 13
F. Mandatory Disclosures of Protected Health Information................................................................... 14
G. Other Permitted Disclosures of Protected Health Information ......................................................... 14
H. Disclosures of Protected Health Information Pursuant to an Authorization ..................................... 14
I. Complying With the "Minimum-Necessary" Standard ........................................................................ 15
J. Disclosures of Protected Health Information to Business Associates ................................................. 16
K. Disclosures of De-Identified Information............................................................................................ 17
L. Breach Notification Requirements ...................................................................................................... 17
IV. Policies on Individual Rights .................................................................................................................. 17
A. Access to Protected Health Information and Requests for Amendment ........................................... 17
B. Accounting .......................................................................................................................................... 18
C. Requests for Alternative Communication Means or Locations .......................................................... 19
D. Requests for Restrictions on Use and Disclosure of Protected Health Information .......................... 19
Appendix A to Privacy Policy: Workforce Member Confidentiality Agreement ......................................... 20
Appendix B to Privacy Policy: Reportable Breach Notification Policy ........................................................ 21
Security Response Plan ............................................................................................................................... 34
Appendix C Miscellaneous Policy Standards............................................................................................... 37
HIPAA Privacy Policy for Self-funded Plans
I. Introduction
Navia administers its own self-funded group health plan and self-funded group health plans for its
employer clients.
For purposes of this Privacy Policy, Plans listed above are referred to collectively and singularly as the
"Plan".
Members of Navia's workforce have access to protected health information of participants in Plans
administered by Navia and in Navia's own benefit plans, for administrative functions performed by Navia
and other purposes permitted by the HIPAA privacy rules.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing
regulations restrict Navia's ability to use and disclose protected health information.
Protected Health Information. Protected health information means information that is
created or received by Navia and relates to the past, present, or future physical or
mental health or condition of a participant; the provision of health care to a
participant; or the past, present, or future payment for the provision of health care to
a participant; and that identifies the participant or for which there is a reasonable
basis to believe the information can be used to identify the participant. Protected
health information includes information of persons living or deceased.
For purposes of this Policy, protected health information does not include the following, referred to in
this Policy as "Exempt Information". This information must be received by Navia in its role as an
employer. If the following information is received by Navia in its role as a third-party administrator,
then it may be PHI as defined by HIPAA:
1. summary health information, as defined by HIPAA's privacy rules, that is disclosed to Navia solely
for purposes of obtaining premium bids, or modifying, amending, or terminating the Plan;
2. enrollment and disenrollment information concerning the Plan that does not include any substantial
clinical information;
3. protected health information disclosed to Navia under a signed authorization that meets the
requirements of the HIPAA privacy rules;
4. health information related to a person who has been deceased for more than 50 years;
5. information disclosed to Navia by an individual for functions that Navia performs in its role as an
employer and not as sponsor of the Plan or in providing administrative services to the Plan;
6. information disclosed directly to Navia for functions that Navia performs in its role as a claims
administrator of the Plan or in providing administrative services to the Plan;
7. fraudulent claims or documentation submitted by individuals where the provider has no record
of the patient or of the services or products rendered or purchased, or where the services, values, or
other relevant information on the documentation has been altered.
Navia also sponsors and/or administers other benefits such as health savings accounts and
transportation plans, which are not subject to this Privacy Policy. This Privacy Policy will govern the
circumstances, if any, that Plan protected health information may be shared with plan sponsors, covered
entities, providers, benefit advisors, vendors, other business associates and sub-business associates, and
others as required or permitted by law.
Navia shall comply with HIPAA's requirements for the privacy of protected health information. To that
end, all members of Navia’s workforce who have access to protected health information must comply
with this Privacy Policy. For purposes of this Policy and Navia’s more detailed Privacy Use and Disclosure
Procedures, Navia’s workforce includes individuals who would be considered part of the workforce
under HIPAA, such as employees, volunteers, contractors, trainees, leased employees and other persons
whose work performance is under the direct control of Navia, whether or not they are paid by Navia.
The term "workforce member" includes all of these types of workers.
No third-party rights (including but not limited to rights of Plan participants, beneficiaries, or covered
dependents, subcontractors, employers and agents) are intended to be created by this Policy. Navia
reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To
the extent this Policy establishes requirements and obligations above and beyond those required by
HIPAA, the Policy shall be aspirational and shall not be binding upon Navia. This Policy does not address
requirements under other federal laws or under state laws. To the extent this Policy is in conflict with
the HIPAA privacy rules, the HIPAA privacy rules shall govern.
II. Responsibilities as Business Associate
A. Privacy Official and Contact Person
Tina Davis will be the Contact Person for Navia. The Contact Person will be responsible for the
development and implementation of Navia’s policies and procedures relating to privacy of protected
health information as the laws apply to Navia, including but not limited to this Privacy Policy and the
Navia's Privacy Use and Disclosure Procedures. The Contact Person will also serve as the contact for
Navia employees and Plan participants who have questions, concerns, or complaints about the privacy
of their protected health information.
Each Plan administered by Navia must designate a Privacy Official. The Privacy Official will be
responsible for the development and implementation of policies and procedures relating to privacy of
Navia's protected health information as the laws apply to the Employer and the Employer’s plan,
including but not limited to adopting and managing a Privacy Policy and Navia's Privacy Use and
Disclosure Procedures. The Privacy Official will also serve as the contact for our client’s employees who
have questions, concerns, or complaints about the privacy of their protected health information.
The Privacy Official is responsible for ensuring that their Plan complies with all provisions of the HIPAA
privacy rules, including the requirement that Navia have a HIPAA-compliant Business Associate Contract
in place. The Privacy Official shall also be responsible for monitoring compliance by all Business
Associates with the HIPAA privacy rules and the terms of their Business Associate Contracts. Tina Davis
will be the Privacy Official for Navia's Plans (Navia's Flexible Benefit Plan and Health Reimbursement
Arrangement).
B. Workforce Training
It is Navia’s policy to train all members of its workforce who have access to protected health information
for familiarity and compliance with Navia's Policy and its Privacy Use and Disclosure Procedures. The
Contact Person is charged with developing training schedules and programs so that all workforce
members receive the necessary and appropriate training to permit them to carry out their job functions
in compliance with HIPAA. Workforce training will be updated as necessary to reflect any changes in
policies or procedures and to ensure that workforce members are appropriately aware of their
obligations.
C. Safeguards and Firewall
Navia will establish internal administrative, technical, and physical safeguards to prevent Plan
protected health information from intentionally or unintentionally being used or disclosed in violation of
HIPAA's requirements. Administrative safeguards include implementing procedures for use and
disclosure of protected health information. See Navia's Privacy Use and Disclosure Procedures. Technical
safeguards include limiting access to information by creating computer firewalls. Physical safeguards
include locking doors or filing cabinets. The fact that Navia will establish the above safeguards does not
relieve employers from adopting their own policies, procedures and safeguards as the law applies to
plan sponsors and their respective plans.
Firewalls will ensure that only Navia’s authorized workforce members will have access to protected
health information, that they will have access to only the minimum amount of protected health
information necessary for the administrative functions they perform, and that they will not further use
or disclose protected health information in violation of HIPAA's privacy rules.
D. Privacy Notice
Each employer Plan shall develop and distribute their own privacy notice and policy and Navia may
provide a boilerplate policy attached to our boilerplate summary plan description for the employer to
review and amend. The Privacy Official of each Plan is responsible for developing and maintaining a
notice of Navia's privacy practices that complies with the HIPAA privacy rules and describes:
• the uses and disclosures of protected health information that may be made by Navia;
• the rights of individuals under HIPAA privacy rules;
• Navia's legal duties with respect to the protected health information; and
• other information as required by the HIPAA privacy rules.
The privacy notice will inform participants that the employer will have access to protected health
information in connection with its plan administrative functions. The privacy notice will also provide a
description of Navia's complaint procedures, the name and telephone number of the employer’s contact
person for further information, and the effective date of the notice. The effective date will not be earlier
than the date the notice is published.
The notice of privacy practices may be placed on the employer’s Plan website or otherwise made
available or distributed. The notice also will be individually delivered by the employer:
• at the time of an individual's enrollment in the Plan;
• to a person requesting the notice; and
• to participants within 60 days after a material change to the notice. However, if the employer posts
its notice on a Plan specific website and there is a material change to the notice, the employer will
prominently post the change or the revised notice on its website by the effective date of the change,
and provide the change or information about the change and how to obtain the revised notice, in its
next annual mailing to individuals; such annual mailing will likely be facilitated through the
distribution of Navia documents.
Navia or employer will also provide notice of availability of the privacy notice (or a copy of the privacy
notice) at least once every three years in compliance with the HIPAA privacy regulations.
E. Complaints
Tina Davis will be Navia’s contact person for receiving complaints; however, each employer must
designate a Privacy Official to receive complaints.
The Privacy Official is responsible for creating a process for individuals to lodge complaints about Navia's
privacy procedures and for creating a system for handling such complaints.
F. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing protected health information in violation of HIPAA or this HIPAA Privacy
Policy will be imposed in accordance with Navia’s confidentiality agreement and at the discretion of
Navia, up to and including termination of employment. In the event PHI is disclosed the individual(s)
causing the disclosure will be formally written up and a record of such report will be retained in their
employment records. Navia retains the discretion to terminate employment, based upon the
circumstances, due to a single violation or multiple violations of the policies.
All Navia’s workforce members with access to protected health information of Navia must sign the
Confidentiality Agreement.
G. Mitigation of Inadvertent Disclosures of Protected Health Information
Navia shall mitigate, to the extent possible, any harmful effects that become known to it from a use or
disclosure of an individual's protected health information in violation of HIPAA or the policies and
procedures set forth in this Policy. As a result, if a Navia workforce member becomes aware of an
unauthorized use or disclosure of protected health information, either by a workforce member, a
sub-business Associate or the employer client, the workforce member must immediately contact the
Contact Person so that appropriate steps to mitigate harm to the participant can be taken.
H. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No workforce member may intimidate, threaten, coerce, discriminate against, or take other retaliatory
action against individuals for exercising their rights, filing a complaint, participating in an investigation,
or opposing any improper practice under HIPAA. No individual shall be required to waive his or her
privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility under Navia.
I. Plan Document
The plan document shall include provisions to describe the permitted and required uses by, and
disclosures to, the employer's workforce of protected health information for plan administrative or other
permitted purposes. Specifically, the plan document shall require the employer to:
• not use or further disclose protected health information other than as permitted by the plan
documents or as required by law;
• ensure that any agents to whom it provides protected health information agree to the same
restrictions and conditions that apply to Navia;
• not use or disclose protected health information for employment-related actions or for any other
benefit or employee benefit plan of Navia;
• report to the Privacy Official any use or disclosure of the information that is inconsistent with the
permitted uses or disclosures;
• make protected health information available to Plan participants, consider their amendments, and,
upon request, provide them with an accounting of protected health information disclosures in
accordance with the HIPAA privacy rules;
• make Navia's internal practices and records relating to the use and disclosure of protected health
information received from Navia available to the Department of Health and Human Services (HHS)
upon request; and
• if feasible, return or destroy all protected health information received from Navia that Navia still
maintains in any form and retain no copies of such information when no longer needed for the
purpose for which disclosure was made, except that, if such return or destruction is not feasible,
limit further uses and disclosures to those purposes that make the return or destruction of the
information infeasible.
The plan document must also require the employer to (1) certify to the Privacy Official that the plan
documents have been amended to include the above restrictions and that the employer agrees to those
restrictions; and (2) provide adequate firewalls in compliance with the HIPAA privacy rules.
J. Documentation
Navia's privacy policies and procedures shall be documented and maintained for at least six years from
the date last in effect. Policies and procedures must be changed as necessary or appropriate to comply
with changes in the law, standards, requirements and implementation specifications (including changes
and modifications in regulations), and Navia's practices and processes. Any changes to policies or
procedures must be promptly documented.
Navia shall document certain events and actions (including authorizations, requests for information,
sanctions, and complaints) relating to an individual's privacy rights. Navia shall also document the dates,
content, and attendance of workforce members at training sessions.
The documentation of any policies and procedures, actions, activities, and designations may be
maintained in either written or electronic form. Navia will maintain such documentation for at least six
years.
III. Policies on Use and Disclosure of Protected Health Information
A. Use and Disclosure Defined
Navia will use and disclose protected health information only as permitted under HIPAA. The terms
"use" and "disclosure" are defined as follows:
• Use. The sharing, employment, application, utilization, examination, or analysis of protected health
information by any Company workforce member working within the [benefits department] of Navia,
or by a Business Associate of Navia.
• Disclosure. The release, transfer, provision of access to, or divulging in any other manner of
protected health information to persons who are not Company workforce members working within
the [benefits department] of Navia, or to a person or entity who is not a Business Associate of Navia.
B. Workforce Must Comply With Plan's Policy and Procedures
All members of Navia’s workforce who have access to Plan protected health information must comply
with this Policy and with Navia's Privacy Use and Disclosure Procedures, which are set forth in a separate
document. [Ed. Note: Some smaller companies may wish to expand the scope of this paragraph to all
workforce members.]
C. Permitted Uses and Disclosures for Plan Administration Purposes
Navia may disclose Exempt Information to Navia. Exempt Information is not governed by this Policy, and
Navia may use and disclose it for any lawful purpose.
Navia may disclose protected health information to the following Company workforce members to
perform Plan administrative functions ("workforce members with access"):
• [describe workforce members by name, title, or department (e.g. "Mr. John Doe," "members of
appeals committee," "payroll manager," "all members of employee benefits department")] [Ed.
Note: It is usually preferable to designate the individuals by title or department rather than by
name, to avoid having to revise the document each time an employee with access is terminated,
transferred, or hired. However, in the event of a reorganization of Company functions that includes
title changes, be sure to reflect any relevant title changes here.]
Workforce members with access may disclose protected health information to other workforce
members with access for plan administrative functions (but the protected health information disclosed
must be limited to the minimum amount necessary to perform Navia administrative function).
Workforce members with access may not disclose protected health information to workforce members
(other than workforce members with access) unless a valid, signed authorization is in place or the
disclosure otherwise is in compliance with this Policy and Navia's Privacy Use and Disclosure Procedures.
Workforce members with access must take all appropriate steps to ensure that the protected health
information is not disclosed, available, or used for employment purposes. For purposes of this Policy,
"plan administrative functions" include the payment and health care operation activities described in
section III.D of this Policy.
D. Permitted Uses and Disclosures: Payment and Health Care Operations
Protected health information may be disclosed for Navia's own payment purposes, and protected health
information may be disclosed to another Business Associate for the payment purposes of that Business
Associate.
Payment. Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill
Navia's responsibility for provision of benefits, or to obtain or provide reimbursement for health care.
Payment also includes:
• eligibility and coverage determinations including coordination of benefits and adjudication or
subrogation of health benefit claims;
• risk-adjusting based on enrollee status and demographic characteristics;
• billing, claims management, collection activities, obtaining payment under a contract for
reinsurance (including stop-loss insurance and excess loss insurance) and related health care data
processing; and
• any other payment activity permitted by the HIPAA privacy regulations.
Protected health information may be disclosed for purposes of Navia's own health care operations.
Protected health information may be disclosed to another Business Associate for purposes of the other
Business Associate's quality assessment and improvement, case management, or health care fraud and
abuse detection programs, if the other Business Associate has (or had) a relationship with the
participant and the protected health information requested pertains to that relationship.
Health Care Operations. Health care operations means any of the following activities:
• conducting quality assessment and improvement activities;
• reviewing health plan performance;
• underwriting and premium rating;
• conducting or arranging for medical review, legal services, and auditing functions;
• business planning and development;
• business management and general administrative activities; and
• other health care operations permitted by the HIPAA privacy regulations.
E. No Disclosure of Protected Health Information for Non-Health Plan Purposes
Protected health information may not be used or disclosed for the payment or operations of Navia’s
"non-health" benefits (e.g., disability, workers' compensation, life insurance), unless the participant has
provided an authorization for such use or disclosure (as discussed in "Disclosures Pursuant to an
Authorization") or such use or disclosure is required or allowed by applicable state law and all applicable
requirements under HIPAA are met.
F. Mandatory Disclosures of Protected Health Information
A participant's protected health information must be disclosed, in accordance with Plan's Privacy Use
and Disclosure Procedures, in the following situations:
• The disclosure is to the individual who is the subject of the information (see the policy for "Access to
Protected Information and Request for Amendment" that follows);
• The disclosure is required by law; or
• The disclosure is made to HHS for purposes of enforcing HIPAA.
G. Other Permitted Disclosures of Protected Health Information
Protected health information may be disclosed in the following situations without a participant's
authorization, when specific requirements are satisfied. Navia's Privacy Use and Disclosure Procedures
describe specific requirements that must be met before these types of disclosures may be made. The
requirements include prior approval of Navia's Privacy Official. Permitted are disclosures:
• about victims of abuse, neglect, or domestic violence;
• to a health care provider for treatment purposes;
• for judicial and administrative proceedings;
• for law-enforcement purposes;
• for public health activities;
• for health oversight activities;
• about decedents;
• for cadaveric organ-, eye-, or tissue-donation purposes;
• for certain limited research purposes;
• to avert a serious threat to health or safety;
• for specialized government functions; and
• that relate to workers' compensation programs.
H. Disclosures of Protected Health Information Pursuant to an Authorization
Protected health information may be disclosed for any purpose if an authorization that satisfies all of
HIPAA's requirements for a valid authorization is provided by the participant. All uses and disclosures
made pursuant to a signed authorization must be consistent with the terms and conditions of the
authorization.
I. Complying With the "Minimum-Necessary" Standard
HIPAA requires that when protected health information is used, disclosed, or requested, the amount
disclosed generally must be limited to the "minimum necessary" to accomplish the purpose of the use,
disclosure, or request.
The "minimum-necessary" standard does not apply to any of the following:
• uses or disclosures made to the individual;
• uses or disclosures made pursuant to a valid authorization;
• disclosures made to HHS;
• uses or disclosures required by law; and
• uses or disclosures required to comply with HIPAA.
Minimum Necessary When Disclosing Protected Health Information. Navia, when disclosing protected
health information subject to the minimum-necessary standard, shall take reasonable and appropriate
steps to ensure that only the minimum amount of protected health information that is necessary for the
requestor is disclosed. More details on the requirements are found in Navia's Privacy Use and Disclosure
Procedures. All disclosures not discussed in Navia's Privacy Use and Disclosure Procedures must be
reviewed on an individual basis with the Privacy Official to ensure that the amount of information
disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting Protected Health Information. Navia, when requesting protected
health information subject to the minimum-necessary standard, shall take reasonable and appropriate
steps to ensure that only the minimum amount of protected health information necessary for Navia is
requested. More details on the requirements are found in Navia's Privacy Use and Disclosure
Procedures. All requests not discussed in Navia's Privacy Use and Disclosure Procedures must be
reviewed on an individual basis with the Privacy Official to ensure that the amount of information
requested is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary Regarding Pulling Files. To assist our team with complying with the minimum
necessary requirement and all requirements under our privacy policy and use and disclosure policy,
Navia has a policy of only accessing or downloading data that is absolutely necessary to accomplish the
task. Specifically, when accessing or pulling files, Navia employees shall only pull files related to a
specific company. It is best practice and our policy to only pull or query data related to a specific
company. If cross-company data must be aggregated, pulled, queried, or otherwise handled, this should
be the EXCEPTION. When providing files outside of Navia, employees must check the contents for
employee counts, spot check, check tabs, and take any other steps to ensure that only the data that is
necessary to allow the recipient to accomplish their task is provided.
Minimum Necessary regarding participant banking information. Full bank account information is
restricted from view in Navia360.
J. Disclosures of Protected Health Information to Business Associates
Workforce members may disclose protected health information to Navia's Business Associates and allow
Navia's Business Associates to create, receive, maintain, or transmit protected health information on its
behalf. However, prior to doing so, Navia must first obtain assurances from the Business Associate, in
the form of a business associate contract, that it will appropriately safeguard the information. Before
sharing protected health information with outside consultants or contractors who meet the definition of
a "Business Associate," workforce members must contact the Privacy Official and verify that a Business
Associate contract is in place.
A Business Associate is an entity that:
• creates, receives, maintains, or transmits protected health information on behalf of Navia (including
for claims processing or administration, data analysis, underwriting, etc.); or
• provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or
financial services to or for Navia, where the performance of such services involves giving the service
provider access to protected health information.
K. Disclosures of De-Identified Information
Navia may freely use and disclose information that has been "de-identified" in accordance with the
HIPAA privacy regulations. De-identified information is health information that does not identify an
individual and with respect to which there is no reasonable basis to believe that the information can be
used to identify an individual.
L. Breach Notification Requirements
Navia will comply with the Reportable Breach Notification Policy set forth in Appendix B of this Policy.
IV. Policies on Individual Rights
A. Access to Protected Health Information and Requests for Amendment
HIPAA gives participants the right to access and obtain copies of their protected health information that
Navia (or its Business Associates) maintains in designated record sets. HIPAA also provides that
participants may ask to have their protected health information amended. Navia will provide access to
protected health information, and it will consider requests for amendment that are submitted in writing
by participants.
A Designated Record Set is a group of records maintained by or for Navia that includes:
• the enrollment, payment, and claims adjudication record of an individual maintained by or for Navia; or
• other protected health information used, in whole or in part, by or for Navia to make coverage decisions about an individual.
If information in one or more designated record sets is maintained electronically, and an individual
requests an electronic copy of such information, Navia will provide the individual with access to the
requested information in the electronic form and format requested by the individual, if it is readily
producible in such form and format; if the requested information is not readily producible in such form
and format, the requested information will be produced in a readable electronic form and format as
agreed by Navia and the individual. If Navia and the individual are unable to agree on the form and
format, Navia will provide a paper copy of the information to the individual.
B. Accounting
An individual has the right to obtain an accounting of certain disclosures of his or her own protected
health information. This right to an accounting extends to disclosures made in the last six years, other
than disclosures:
• to carry out treatment, payment, or health care operations;
• to individuals about their own protected health information;
• incident to an otherwise permitted use or disclosure;
• pursuant to an authorization;
• to persons involved in the individual's care or payment for the individual's care or for certain other notification purposes;
• to correctional institutions or law enforcement when the disclosure was permitted without authorization;
• as part of a limited data set;
• for specific national security or law-enforcement purposes; or
• disclosures that occurred prior to the compliance date.
Navia shall respond to an accounting request within 60 days. If Navia is unable to provide the accounting
within 60 days, it may extend the period by 30 days, provided that it gives the participant notice
(including the reason for the delay and the date the information will be provided) within the original
60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief
description of the information disclosed, and a brief statement of the purpose of the disclosure (or a
copy of the written request for disclosure, if any). If a brief purpose statement is included in the
accounting, it must be sufficient to reasonably inform the individual of the basis of the disclosure.
The first accounting in any 12-month period shall be provided free of charge. The Privacy Official may
impose reasonable production and mailing costs for subsequent accountings.
C. Requests for Alternative Communication Means or Locations
Participants may ask to receive communications regarding their protected health information by
alternative means or at alternative locations. For example, participants may ask to be called only at work
rather than at home. Navia may, but need not, honor such requests. The decision to honor such a
request shall be made by the Privacy Official.
However, Navia must accommodate such a request if the participant clearly states that the disclosure of
all or part of the information could endanger the participant. The Privacy Official has responsibility for
administering requests for confidential communications.
D. Requests for Restrictions on Use and Disclosure of Protected Health
Information
A participant may request restrictions on the use and disclosure of the participant's protected health
information. Navia may, but need not, honor such requests. However, Navia will comply with a
restriction request if (1) except as otherwise required by law, the disclosure is to a health plan for
purposes of carrying out payment or health care operations (and is not for purposes of carrying out
treatment); and (2) the protected health information pertains solely to a health care item or service for
which the health care provider involved has been paid in full by the individual or another person, other
than Navia. The decision to honor restriction requests shall be made by the Privacy Official.
Appendix A to Privacy Policy: Workforce Member Confidentiality Agreement
I, _____, have read and understand the Privacy Policy of Navia’s Plan, for the protection of the privacy of
protected health information, as mandated by the Health Insurance Portability and Accountability Act of
1996 (HIPAA). In addition, I acknowledge that I have received training in Navia's policies concerning
protected health information use, disclosure, storage, and destruction as required by HIPAA.
In consideration of my employment or compensation by Navia, I hereby agree that I will not at any
time, either during my employment or association with Navia or the Plan or after my employment or
association ends, use, access, or disclose protected health information to any person or entity, internally
or externally, except as is required and permitted in the course of my duties and responsibilities with
Navia, as set forth in Navia's privacy policies and procedures or as permitted under HIPAA. I understand
that this obligation extends to any protected health information that I may acquire during the course of
my employment or association with Navia, whether in oral, written, or electronic form and
regardless of the manner in which access was obtained.
I understand and acknowledge my responsibility to apply Navia's policies and procedures during the
course of my employment or association. I also understand that any unauthorized use or disclosure of
protected health information will result in disciplinary action, up to and including the termination of
employment or association with Navia and the imposition of civil penalties and criminal penalties under
applicable federal and state law, as well as disciplinary sanctions as appropriate.
I understand that this obligation will survive the termination of my employment or end of my
association with Navia, regardless of the reason for such termination.
Version II
I, ___________________, acknowledge that I have received training in the policies concerning PHI use,
disclosure, storage, and destruction as required by HIPAA. In consideration of my employment or
compensation by Navia, I hereby agree that I will not at any time—either during my employment or
association with Navia or after my employment or association ends—use, access, or disclose PHI to any
person or entity, internally or externally, except as is required and permitted in the course of my duties
and responsibilities with Navia, as set forth in Navia’s privacy policies and procedures or as permitted
under HIPAA.
I understand that this obligation extends to any PHI that I may acquire during the course of my
employment or association with Navia, whether in oral, written or electronic form and regardless of the
manner in which access was obtained. I understand and acknowledge my responsibility to apply Navia’s
policies and procedures during the course of my employment or association.
I also understand that any unauthorized use or disclosure of PHI will result in disciplinary action, up to
and including the termination of employment. I understand that this obligation will survive the
termination of my employment or end of my association with Navia, regardless of the reason for such
termination.
Signed: _____________ Date: _________
Appendix B to Privacy Policy: Reportable Breach Notification Policy
I. Introduction
This Reportable Breach Notification Policy is intended to comply with the final HITECH regulations at 45
CFR §164.400 et seq. for breaches occurring on or after September 23, 2013 ("Breach Regulations").
Under the Breach Regulations, if a Reportable Breach of unsecured protected health information has
occurred, Navia must comply with certain notice requirements with respect to the affected individuals,
HHS, and, in certain instances, the media (depending on the business associate agreement).
II. Identifying a Reportable Breach
The first step is to determine whether a Reportable Breach has occurred. If a Reportable Breach has not
occurred, the notice requirements do not apply.
The Privacy Official is responsible for reviewing the circumstances of possible breaches brought to his or
her attention and determining whether a Reportable Breach has occurred in accordance with this
Reportable Breach Notification Policy and the Breach Regulations. All sub-Business Associates and all
Navia workforce members are required to report to the Privacy Official any incidents involving possible
breaches.
Acquisition, access, use, or disclosure of unsecured protected health information in a manner not
permitted under the privacy rules is presumed to be a Reportable Breach, unless the Privacy Official
determines that there is a low probability that the privacy or security of the protected health
information has been or will be compromised.
The Privacy Official's determination of whether a Reportable Breach has occurred must include the
following considerations:
• Was there a violation of the HIPAA Privacy Rules? There must be an impermissible use or disclosure resulting from or in connection with a violation of the HIPAA Privacy Rules by Navia or a Business Associate of Navia. If not, then the notice requirements do not apply.
• Was protected health information involved? If not, then the notice requirements do not apply.
• Was the protected health information secured? For electronic protected health information to be "secured," it must have been encrypted to NIST standards or destroyed. For paper protected health information to be "secured," it must have been destroyed. If yes, then the notice requirements do not apply.
• Was there unauthorized access, use, acquisition, or disclosure of protected health information? The violation of the HIPAA Privacy Rules must have involved one of these. If it did not, then the notice requirements do not apply.
• Is there a low probability that privacy or security was compromised? If the Privacy Official determines that there is only a low probability of compromise, then the notice requirements do not apply. [For breaches discovered on or after September 23, 2009 and before September 23, 2013, the "significant risk of harm" standard applies.]
To determine whether there is only a low probability that the privacy or security of the protected health
information was compromised, the Privacy Official must perform a risk assessment that considers at
least the following factors:
• The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. For example, did the disclosure involve financial information, such as credit card numbers, Social Security numbers, or other information that increases the risk of identity theft or financial fraud? Did the disclosure involve clinical information, such as a treatment plan, diagnosis, medication, medical history, or test results, that could be used in a manner adverse to the individual or otherwise to further the unauthorized recipient's own interests?
• The unauthorized person who used the protected health information or to whom the disclosure was made. For example, does the unauthorized recipient of the protected health information have obligations to protect the privacy and security of the protected health information, such as another entity subject to the HIPAA privacy and security rules or an entity required to comply with the Privacy Act of 1974 or the Federal Information Security Management Act of 2002, and would those obligations lower the probability that the recipient would use or further disclose the protected health information inappropriately? Was the protected health information impermissibly used within Navia or a Business Associate, or was it disclosed outside Navia and its Business Associates? Did Navia receive written or oral confirmation from the recipient that the information was destroyed and not further disclosed?
• Whether the protected health information was actually acquired or viewed. If there was only an opportunity to view the information, but the Privacy Official determines that the information was not, in fact, viewed, there may be a lower (or no) probability of compromise. For example, if a laptop computer was lost or stolen and subsequently recovered, and the Privacy Official is able to determine (based on a forensic examination of the computer) that none of the information was actually viewed, there may be no probability of compromise.
• The extent to which the risk to the protected health information has been mitigated. For example, if Navia can obtain satisfactory assurances (in the form of a confidentiality agreement or similar documentation) from the unauthorized recipient that the information will not be further used or disclosed or will be destroyed, the probability that the privacy or security of the information has been compromised may be lowered. The identity of the recipient (e.g., another Business Associate) may be relevant in determining what assurances are satisfactory.
• Upon a suspected Breach caused by Navia, an employer, a broker, or an employer's TPA (incorrect file upload, incorrect employee entered into a company, employer/broker provides an erroneous file, etc.), review all of the following communications, databases, reports, and information to ensure that the information involved in the error has been fully corrected/scrubbed.
The expectation is that all data is secured the day the use or disclosure is discovered. Secured means the information is not available to anyone outside of Navia (employer- and employee-facing) until further notice. If you are unable to secure/scrub the data by the end of the day, notify the Privacy Official and your manager so that others can assist.
• Determine whether immediate suspension of access to data is necessary; if so, restrict all access.
• Determine the date the error was made and email 1) your manager, 2) the Privacy Official, and 3) the individual that caused the error (if any). Provide as many details as you can about how the error was discovered.
• Conduct an employer login query: "M:\Programs\Queries\Navia.com\Logins by User.sql"
• Request an employee log-in report from Development covering the time from when the error was made until the data was scrubbed (including online and phone application).
• Check all document downloads in the Company Documents Tab during the time in question.
• If the duration of time the information was available was short (hours to a couple of days), request a log of pages visited by HR from Development.
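The login, download, and page-view review in the steps above is what establishes whether anyone outside Navia actually saw or took the mis-uploaded data during the exposure window, which is what the "actually acquired or viewed" and "extent mitigated" factors of the risk assessment turn on. The following is an added Python example, not Navia's own "Logins by User.sql" query or Development's log-in report (neither of which is reproduced on this page). It assumes a simple pipe-delimited activity log with the fields shown in the constructed sample, and reduces it to a per-user summary of who from the affected employer logged in, viewed pages, or downloaded files between the time the error was made and the time the data was scrubbed; the field names, roles, and sample records are illustrative assumptions.

```python
"""Exposure-window access review for a suspected mis-upload.

Added example, not Navia's own tooling. It assumes an activity log in the
(assumed) format  ts|user|role|company|action|detail  where role is one of
employer_hr / employee / navia_staff and action is login / download / page_view.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str       # assumed values: employer_hr, employee, navia_staff
    company: str
    action: str     # assumed values: login, download, page_view
    detail: str = ""  # file name for downloads, path for page views


def parse_log(lines):
    """Parse pipe-delimited activity lines; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, company, action, detail = (line.split("|", 5) + [""])[:6]
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, company, action, detail))
    return events


def review_exposure(events, company, error_made, scrubbed):
    """Return accesses to `company` by non-Navia users within [error_made, scrubbed].

    Navia staff are excluded: they are the people doing the cleanup, not
    potential unauthorized recipients. Sorted by time for the incident report.
    """
    hits = [e for e in events
            if e.company == company
            and e.role != "navia_staff"
            and error_made <= e.ts <= scrubbed]
    return sorted(hits, key=lambda e: e.ts)


def summarize(hits):
    """Group hits per user. A download means a copy may now exist outside Navia
    (the employer should be asked to destroy it); a login or page view only
    shows that viewing was possible or that specific pages were seen."""
    summary = {}
    for e in hits:
        s = summary.setdefault(e.user, {"role": e.role, "logins": 0, "pages": 0, "downloads": []})
        if e.action == "login":
            s["logins"] += 1
        elif e.action == "page_view":
            s["pages"] += 1
        elif e.action == "download":
            s["downloads"].append(e.detail)
    return summary


# Constructed sample log (not real Navia data). ACME is the company whose
# file was uploaded with another employer's participants in it.
SAMPLE_LOG = """
# ts|user|role|company|action|detail
2015-02-10T09:05:00|jsmith|employer_hr|ACME|login|
2015-02-10T09:07:30|jsmith|employer_hr|ACME|download|YTD_report_2015-02-10.xlsx
2015-02-10T11:20:00|agarcia|navia_staff|ACME|login|
2015-02-11T08:00:00|bchen|employer_hr|GLOBEX|login|
2015-02-11T14:30:00|pjones|employee|ACME|login|
2015-02-11T14:31:10|pjones|employee|ACME|page_view|/account/claims
2015-02-13T10:00:00|jsmith|employer_hr|ACME|login|
"""
ERROR_MADE = datetime(2015, 2, 10, 9, 0)   # time the bad file went live (assumed)
SCRUBBED = datetime(2015, 2, 12, 17, 0)    # time the data was secured (assumed)


def run_review():
    """Run the review over the sample and return the per-user summary."""
    events = parse_log(SAMPLE_LOG.splitlines())
    return summarize(review_exposure(events, "ACME", ERROR_MADE, SCRUBBED))


if __name__ == "__main__":
    for user, s in run_review().items():
        print(f"{user} ({s['role']}): logins={s['logins']} pages={s['pages']} downloads={s['downloads']}")
```

On the sample, the Navia staff login, the GLOBEX login, and the ACME login after the scrub time all drop out; what remains is one HR user who downloaded a YTD report (a copy to request destruction of) and one employee who viewed a claims page. Those two facts are exactly what the Privacy Official needs for the "actually acquired or viewed" and mitigation factors.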
ER Facing Information
• Review and remove all participant information from all benefits (FSA, Day Care FSA, HSA, HRA, GoNavia, COBRA, and Retiree Administration). This requires correcting documents in Doc Lib. (Updating any spreadsheets in the Doc Lib means removing the bad data and recalculating the spreadsheet totals, both column totals and participant counts.) The Doc Lib address is: \\FILE4SVR\DocLib
• YTD reports
• Disbursement reports
• EDR: check for any pending EDRs created for the employer that have not yet been submitted to us. If EDRs have already been submitted with the bad data on them, Development will need to be notified so that they can scrub the EDR history.
• Check for shared documents that may have been uploaded and make sure that they are expired so that they are no longer accessible.
• Payroll deduction report (GoNavia)
• GoNavia export files
• This may require recalculating the participant count, contribution amounts, or other totals listed on the reports.
• Determine whether any administration fees need to be refunded.
• Determine whether any funding corrections need to be made (for both the incorrect company and the correct company).
• We may need to request that the employer destroy any downloaded reports and communicate the name of the individual to ensure.
EE Facing Information
• Review all communications that could have been sent out during the time in question.
• Welcome emails: FSA, HRA, HSA, GoNavia, COBRA
• PEST statements
• End of the year reminder emails
• Claims notifications
• Denials
• Reimbursement notifications
• Debit card related emails
• Review all account information
• Review debit card activity (all correspondence)
• Term debit card (and any dependent issued cards)
• Reissue debit card
• Adjust all debit card activity out of the wrong account and into the correct account.
• Correct and enter all correct data in the correct company.
• Review all paid claims (direct deposits and hard copy checks)
• Review all denials
• Review phone application activity
• Check for pending claims in the phone application (need Megan's help)
• Check for pending claims online (need Megan's help)
• Check for mailed/emailed/faxed claims a few days later (won't have metadata to search)
Other general corrective measures
• Mark the employee as "Do Not Use"
• Zero out the election and record a termination date equal to the eligibility date.
• Remove email and date of birth from the incorrect account (use a dummy SSN), click "apply", then save to send the information to Alegeus.
• Insert a "dummy" SSN in the Emp ID and SSN fields.
• Click "apply" to ensure that the data update is sent over to Alegeus.
• Click Save.
Wrap up
• Keep track of all the corrections made and use that information to fill out the incident
report.
• If communications, debit card, or online activity has been generated, CSR team will need
to be notified so that any corrections may be communicated to the participant.
• Once all steps of clean up have been taken and the form has been filled out return it to
the Privacy Officer.
• Upon a suspected Breach caused by external factors (compromise, worm, hacker), see the "SECURITY RESPONSE PLAN".
If the Privacy Official determines that there is only a low probability that the privacy or security of the
information was compromised, the incident will be documented in writing, and no notice will be sent.
However, as a courtesy, notice may be provided to the employer and, if the employer agrees, to the
employee. On the other hand, if the Privacy Official is not able to determine that there is only a low
probability that the privacy or security of the information was compromised, Navia will provide
notifications in the following order:
- Notice to the employer/client with a specific description of the occurrence.
- Notice to the affected individual upon approval of the communication by the employer.
- Notice to HHS, media, and other agencies (consumer credit, FBI, etc.) by the client with Navia's assistance.
If an exception applies, then a Reportable Breach has not occurred, and the notice requirements are not
applicable.
• Exception 1: A Reportable Breach does not occur if the breach involved an unintentional access, use, or acquisition of protected health information by a workforce member or Business Associate, if the unauthorized access, use, acquisition, or disclosure (a) was in good faith; (b) was within the scope of authority of the workforce member or Business Associate; and (c) does not involve further use or disclosure in violation of the HIPAA privacy rules. For example, the exception might apply if an employee providing administrative services to Navia were to access the claim file of a participant whose name is similar to the name of the intended participant; but if the same employee intentionally looks up protected health information of his neighbor, the exception does not apply.
• Exception 2: A Reportable Breach has not occurred if the breach involved an inadvertent disclosure from one person authorized by Navia to have access to protected health information to another person at Navia or the same Business Associate who is also authorized to have access to the protected health information, provided that there is no further use or disclosure in violation of the HIPAA privacy rules. For example, the exception might apply if an employee providing administrative services to Navia inadvertently emailed protected health information to the wrong co-worker; but if the same employee emailed the information to an unrelated third party, the exception likely does not apply.
• Exception 3: A Reportable Breach has not occurred if the breach involved a disclosure where there is a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the protected health information. For example, the exception may apply to an EOB mailed to the wrong person and returned to Navia unopened, or if a report containing protected health information is handed to the wrong person but is immediately retrieved before the person can read it. However, the exception does not apply if an EOB was mailed to the wrong person and the unintended recipient opened the envelope before realizing the mistake.
III. If a Reportable Breach Has Occurred: Notice Timing and Responsibilities
If the Privacy Official determines that a Reportable Breach has occurred, the Privacy Official will
determine (in accordance with the Breach Regulations) the date the breach was discovered in order to
determine the time periods for giving notice of the Reportable Breach. Navia has reasonable systems
and procedures in place to discover the existence of possible breaches, and workforce members are
trained to notify the Privacy Official or other responsible person immediately so Navia can act within the
applicable time periods.
The Privacy Official [and if applicable, the employer] is responsible for the content of notices and for the
timely delivery of notices in accordance with the Breach Regulations. However, the Privacy Official will
work with the employer to ensure that any communications are reviewed and approved by the
employer.
The Breach Regulations may require a breach to be treated as discovered on a date that is earlier than
the date Navia had actual knowledge of the breach. The Privacy Official will determine the date of
discovery as the earlier of (1) the date that a workforce member (other than a workforce member who
committed the breach) knows of the events giving rise to the breach; and (2) the date that a workforce
member or agent of Navia, such as a Business Associate (other than the person who committed the
breach), would have known of the events giving rise to the breach by exercising reasonable diligence.
Except as otherwise specified in the notice sections that follow, notices must be given "without
unreasonable delay" and in no event later than 60 calendar days after the discovery date of the breach.
Accordingly, the investigation of a possible breach, to determine whether it is a Reportable Breach and
the individuals who are affected, must be undertaken in a timely manner that does not impede the
notice deadline.
There is an exception to the timing requirements if a law-enforcement official asks Navia to delay giving
notices. If a law enforcement official states that a notification, notice, or posting would impede a
criminal investigation or cause damage to national security, Navia shall:
- If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
- If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
Navia will review employer’s business associate agreement to determine whether the parties have
negotiated a shorter timeframe for reporting breaches to the employer.
IV. Business Associates
If a sub-Business Associate commits or identifies a possible Reportable Breach relating to Plan
participants, the sub-Business Associate must give notice to Navia. Navia may agree to be responsible
for providing the required notices of a Reportable Breach to individuals. The employer is responsible for
reporting to HHS and (if necessary) the media; Navia may assist in that process.
Unless otherwise required under the Breach Regulations, the discovery date for purposes of Navia's
notice obligations is the date that Navia receives notice from the Business Associate.
In its Business Associate contracts, Navia will require Business Associates to:
• report incidents involving breaches or possible breaches to the Privacy Official in a timely manner;
• provide to Navia any and all information requested by Navia regarding the breach or possible breach, including, but not limited to, the information required to be included in notices (as described below); and
• establish and maintain procedures and policies to comply with the Breach Regulations, including workforce training.
V. Notice to Individuals
Notice to the affected individual(s) is always required in the event of a Reportable Breach. Notice will be
given without unreasonable delay and in no event later than 60 calendar days after the date of
discovery (as determined above) unless some other earlier date is determined by contract.
A. Content of Notice to Individuals
Notices to individuals will be written in plain language and contain all of the following, in accordance
with the Breach Regulations:
• A brief description of the incident.
• If known, the date of the Reportable Breach and the Discovery Date.
• A description of the types of unsecured protected health information involved in the Reportable Breach (for example, full name, Social Security numbers, address, diagnosis, date of birth, account number, disability code, or other). (Ed. Note: It is not required, and probably not appropriate, to include the unsecured information itself in the notice. That is, Navia might say that Social Security numbers or credit card numbers were included in an unauthorized disclosure, but it does not have to include the Social Security or credit card numbers themselves in the notice.)
• The steps individuals should take to protect themselves (such as contacting credit card companies and credit monitoring services).
• A description of what Navia is doing to investigate the Reportable Breach, such as filing a police report or reviewing security logs or tapes.
• A description of what Navia is doing to mitigate harm to individuals.
• A description of what measures Navia is taking to protect against further breaches (such as sanctions imposed on workforce members involved in the Reportable Breach, encryption, and installation of new firewalls).
• Contact information for individuals to learn more about the Reportable Breach or ask other questions, which must include at least one of the following: toll-free phone number, email address, website, or postal address.
B. Types of Notice to Individuals
Navia will deliver individual notices using the following methods, depending on the circumstances of the
breach and Navia's contact information for affected individuals.
Actual Notice will be given in all cases, unless Navia has insufficient or out-of-date addresses for the
affected individuals. Actual written notice:
• will be sent via mail to the last known address of the individual(s);
• may be sent via email instead, if the individual has agreed to receive electronic notices;
• will be sent to the parent on behalf of a minor child or the parent of an adult child for benefit or tax purposes; and
• will be sent to the next-of-kin or personal representative of a deceased person, if Navia knows the individual is deceased and has the address of the next-of-kin or personal representative.
Substitute Notice will be given if Navia has insufficient or out-of-date addresses for the affected
individuals.
• If addresses of fewer than ten living affected individuals are insufficient or out-of-date, substitute notice may be given by telephone, an alternate written notice, or other means.
• If addresses of ten or more living affected individuals are insufficient or out-of-date, substitute notice must be given via either website or media:
  - Substitute notice via website: conspicuous posting on the home page of the website of Navia or the Plan Sponsor for 90 days, including a toll-free number that remains active for at least 90 days where individuals can learn whether their unsecured information may have been included in the breach. Contents of the notice can be provided directly on the website or via hyperlink.
  - Substitute notice via media: conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside, including a toll-free number that remains active for at least 90 days where individuals can learn whether their unsecured information may have been included in the breach. It may be necessary to give the substitute notice in both local media outlet(s) and statewide media outlet(s), and in more than one state.
• Substitute Notice is not required if the individual is deceased and Navia has insufficient or out-of-date information that precludes written notice to the next-of-kin or personal representative of the individual.
Urgent Notice may be given, in addition to other required notice, in circumstances where imminent
misuse of unsecured protected health information may occur. Urgent notice must be given by telephone
or other appropriate means.
• Example: Urgent notice is given to an individual by telephone. Navia must also send an individual notice via first-class mail.
VI. Notice to HHS
Notice of all Reportable Breaches will be given to HHS by the client unless the employer and Navia
agree otherwise. The time and manner of the notice depend on the number of individuals affected. The
Privacy Official may work with the employer on both types of notice to HHS.
Immediate Notice to HHS. If the Reportable Breach involves 500 or more affected individuals, regardless
of where the individuals reside, notice will be given to HHS without unreasonable delay, and in no event
later than 60 calendar days after the date of discovery (as determined above). Notice will be given in the
manner directed on the HHS website.
Annual Report to HHS. The Privacy Official will report Breaches that involve fewer than 500 affected
individuals to the employer, which reports them to HHS. The reports are due within 60 days after the end
of the calendar year. The reports will be submitted as directed on the HHS website.
VII. Notice to Media (Press Release)
Notice to media (generally in the form of a press release) will be given if a Reportable Breach affects
more than 500 residents of any one state or jurisdiction. For example:
• If a Reportable Breach affects 600 individuals who are residents of Oregon, notice to media is
required.
• If a Reportable Breach affects 450 individuals who are residents of Oregon and 60 individuals who
are residents of Idaho, notice to media is not required.
If notice to media is required, the employer will give notice to prominent media outlets serving the state
or jurisdiction. For example:
• If a Reportable Breach involves residents of one city, the prominent media outlet would be the city's
newspaper or TV station.
• If a Reportable Breach involves residents of various parts of the state, the prominent media outlet
would be a statewide newspaper or TV station.
• If a Reportable Breach affects 600 individuals who are residents of Oregon, and 510 individuals
who are residents of Washington, notice to media in both states is required.
If notice to media is required, it will be given without unreasonable delay, and in no event more than 60
calendar days after the date of discovery (as determined above). The content requirements for a notice
to media are the same as the requirements for a notice to individuals.
VII. Reporting to Law Enforcement (California)
Sacramento Valley Hi-Tech Crimes Task Force
Telephone: 916-874-3002
www.sachitechcops.org
Southern California High Tech Task Force
Telephone: 562-347-2601
Northern California Computer Crimes Task Force
Telephone: 707-253-4500
www.nc3tf.org
Rapid Enforcement Allied Computer Team (REACT)
Telephone: 408-494-7186
http://reacttf.org
Computer and Technology Crime High-Tech Response Team (CATCH)
Telephone: 619-531-3660
http://www.catchteam.org/
FBI
Local Office: http://www.fbi.gov/contact/fo/fo.htm
National Computer Crime Squad
Telephone: 202-324-9164
E-mail: nccs@fbi.gov
www.emergency.com/fbi-nccs.htm
U.S. Secret Service
Local Office: www.treas.gov/usss/index.shtml
Cyber Threat/Network Incident Report: www.treas.gov/usss/net_intrusion_forms.shtml
Procedures for Prior to Becoming a Computer Crime Victim and After a Violation Has Occurred--Guidance from the FBI National Computer Crime Squad
www.emergency.com/fbi-nccs.htm
• Consider complete shut down while internal assessment is made.
• Place a login banner to ensure that unauthorized users are warned that they may be subject to
monitoring.
• Ensure audit trails are turned on.
• Consider keystroke level monitoring if adequate banner is displayed.
• Request trap and tracing from your local telephone company.
• Consider installing caller identification.
• Make backups of damaged or altered files.
• Maintain old backups to show the status of the original.
• Designate one person to secure potential evidence.
• Evidence can consist of tape backups and printouts. These should be initialed by the person obtaining the evidence. Evidence should be retained in a locked cabinet with access limited.
• Keep a record of resources used to reestablish the system and locate the perpetrator.
Be prepared to provide the following information when reporting a computer crime:
· Name and address of the reporting agency.
· Name, address, e-mail address, and phone number(s) of the reporting person.
· Name, address, e-mail address, and phone number(s) of the Information Security Officer (ISO).
· Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate ISO, system administrator, etc.).
· Description of the incident.
· Date and time the incident occurred.
· Date and time the incident was discovered.
· Make/model of the affected computer(s).
· IP address of the affected computer(s).
· Assigned name of the affected computer(s).
· Operating System of the affected computer(s).
· Location of the affected computer(s).
Security Response Plan
This section of the policy discusses the steps taken during an incident response plan. The person who
discovers the incident will call FPS Owners, IT or legal. Once notice has been provided to one of the below named individuals they will contact the others on the list.
1) Matt Aitken cell (206) 295-0523, work (425) 452-3456
2) Hilarie Aitken cell (206) 390-6809, work (425) 452-3506
3) James Aitken cell (425) 503-7511, work (425) 452-3502
4) Tina Davis cell (206) 351-6207, work (425) 452-3510
IT will determine the following:
• Does the incident affect critical business operations?
• What is the severity of the potential impact?
• Name of system being targeted, along with operating system, IP address, and location.
• IP address and any information about the origin of the attack.
• Are there any ancillary systems, processes, website, access points, or links that may be affected?
Review the website, vendor, and subcontractor log for a complete list.
Contacted members of the response team will meet or discuss the situation and determine a response
strategy.
• Is the incident real or perceived?
• Is the incident still in progress? If so, shall we halt/stop/cease certain operations?
• What data or property is threatened and how critical is it?
• What is the impact on the business should the attack succeed? Minimal, serious, or critical?
• What system or systems are targeted, where are they located physically and on the network?
• Is the incident inside the trusted network?
• Is the response urgent?
• Can the incident be quickly contained?
• Will the response alert the attacker and do we care?
• What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
The incident will be categorized into the highest applicable level of one of the following categories:
• Category one - A threat to public safety or life.
• Category two - A threat to sensitive data.
• Category three - A threat to computer systems.
• Category four - A disruption of services.
Team members will establish and follow one of the following procedures basing their response on the
incident assessment:
• Worm response procedure
• Virus response procedure
• System failure procedure
• Active intrusion response procedure - Is critical data at risk?
• Inactive intrusion response procedure
• System abuse procedure
• Property theft response procedure
• Website denial of service response procedure
• Database or file denial of service response procedure
• Spyware response procedure
The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for
the incident.
Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs,
reviewing intrusion detection logs, and interviewing individuals to determine how the incident was
caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization.
Team members will recommend changes to prevent the occurrence from happening again or infecting
other systems. Upon management approval, the changes will be implemented.
Team members will restore the affected system(s) to the uninfected state. They may do any or all of
the following:
• Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
• Make users change passwords if passwords may have been sniffed.
• Be sure the system has been hardened by turning off or uninstalling unused services.
• Be sure the system is fully patched.
• Be sure real time virus protection and intrusion detection is running.
• Be sure the system is logging the correct events and to the proper level.
Documentation—the following shall be documented:
• How the incident was discovered.
• The category of the incident.
• How the incident occurred, whether through email, firewall, etc.
• Where the attack came from, such as IP addresses and other related information about the attacker.
• What the response plan was.
• What was done in response?
• Whether the response was effective.
• Was notice required to be made to individuals, employers, brokers, subcontractors, or other
service providers? If so see breach notification procedures.
Evidence Preservation—make copies of logs, email, and other communication. Keep lists of witnesses.
Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal.
Notify proper external agencies—review privacy policy for list of contacts (e.g. credit monitoring agencies, FBI, other law enforcement).
Assess damage and cost—assess the damage to the organization and estimate both the damage cost
and the cost of the containment efforts.
Review response and update policies—plan and take preventative steps so the intrusion can't happen again.
Consider whether an additional policy could have prevented the intrusion.
Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
• Was the incident response appropriate? How could it be improved?
• Was every appropriate party informed in a timely manner?
• Were the incident-response procedures detailed and did they cover the entire situation? How
can they be improved?
• Have changes been made to prevent a re-infection? Have all systems been patched, systems
locked down, passwords changed, anti-virus updated, email policies set, etc.?
• Have changes been made to prevent a new and similar infection?
• Should any security policies be updated?
• What lessons have been learned from this experience?
• Review Breach notice requirements.
Appendix C Miscellaneous Policy Standards
I. Introduction
This section of the Privacy Policy relates to specific actions or duties that are subject to modification or
improvement.
II. Procedures for Ad-Hoc Query and Report Requests (Development Team)
External Queries – ad-hoc query requests from other internal users to provide a list of data based on specified criteria that will be shared externally. Output is typically Excel or a text file.
• Query should have a standard comment header
  o Author, Date, Description
• Query should be unit tested by spot checking results and looking at total row count
• Query is code reviewed and executed by another person on the team
• Query is checked into SVN, with a name that describes the purpose of the query
M drive queries – requests to create a query that will be executed by other users via a Sql Client
• Same as above
• It is better to modify an existing report than to create new ad-hoc queries. Most reports are
easy to modify to add a data column or filter. This should be considered before creating a new
query
Data update queries – requests to update production data, including updates we may need to make to
resolve a bug or functional issue
• Same as above
• One-off data fixes do not need to be saved to SVN
• Updates must be done inside a transaction with rollback if there is an error or expected row
count doesn’t match (see next page)
• Data updates that will be repeated should be encapsulated into a sproc, all sprocs are checked
into SVN
SVN folder structure
• DB
  o Navia
    - DBMods – schema changes related to a bug or enhancement
  o Projects
    - ProjectName – schema changes and conversion scripts related to a project
• Queries
  o Daily Queries – Run daily or weekly by the dev team to look for inconsistent data
  o Data Updates – Data update queries
  o External Queries - Query request where data will be shared externally
  o Mdrive – Queries run by internal users in Sql Query Analyzer
  o Utilities – Dev infrastructure scripts
USE NAVIA
-- A RUN-TIME ERROR IN THE STATEMENT BELOW ABORTS THE BATCH AND ROLLS BACK THE OPEN TRANSACTION
SET XACT_ABORT ON
DECLARE @EXPECTEDROWCOUNT INT
-- SET THE NUMBER OF ROWS EXPECTED TO BE AFFECTED BY THE INSERT/UPDATE/DELETE STATEMENT HERE
SET @EXPECTEDROWCOUNT = 0
BEGIN TRAN txn
-- PASTE INSERT/UPDATE/DELETE STATEMENT HERE
-- @@ROWCOUNT MUST BE READ BY THE VERY NEXT STATEMENT; ANY STATEMENT IN BETWEEN RESETS IT
IF @@ROWCOUNT <> @EXPECTEDROWCOUNT
    GOTO errLabel
GOTO doneLabel
errLabel:
BEGIN
    ROLLBACK TRAN txn
    PRINT 'Rolled back'
    RETURN
END
doneLabel:
COMMIT TRAN txn
PRINT 'Done'
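The same guarded-update procedure as the template above, carried out end to end in Python against an in-memory SQLite table (an added example, not Navia's template or code): the statement commits only when the affected-row count equals the expected count, and a mismatch or a database error rolls back. The Participant table, its rows and the function names are constructed for this example.

```python
import sqlite3
from typing import Sequence, Tuple


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not from the policy): a small participant table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Participant (Id INTEGER PRIMARY KEY, EmployerId INTEGER, Status TEXT)"
    )
    conn.executemany(
        "INSERT INTO Participant VALUES (?, ?, ?)",
        [(1, 10, "Active"), (2, 10, "Active"), (3, 20, "Active")],
    )
    conn.commit()
    return conn


def guarded_update(
    conn: sqlite3.Connection, sql: str, params: Sequence, expected_rowcount: int
) -> Tuple[bool, int]:
    """Run one INSERT/UPDATE/DELETE inside a transaction and commit only when the
    affected-row count equals expected_rowcount; otherwise roll back.
    Returns (committed, affected_rows). A database error also rolls back."""
    cur = conn.cursor()
    try:
        # sqlite3 opens a transaction implicitly before the first DML statement,
        # which plays the role of BEGIN TRAN in the T-SQL template.
        cur.execute(sql, params)
        affected = cur.rowcount          # same role as @@ROWCOUNT: read it immediately
        if affected != expected_rowcount:
            conn.rollback()              # the errLabel branch of the template
            return False, affected
        conn.commit()                    # the doneLabel branch of the template
        return True, affected
    except sqlite3.Error:
        conn.rollback()                  # "rollback if there is an error"
        raise


def count_status(conn: sqlite3.Connection, status: str) -> int:
    """Helper for checking what actually landed in the table."""
    row = conn.execute(
        "SELECT COUNT(*) FROM Participant WHERE Status = ?", (status,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_sample_db()
    # Expected 2 rows for employer 10: commits.
    print(guarded_update(db, "UPDATE Participant SET Status = 'Terminated' "
                             "WHERE EmployerId = ?", (10,), 2))
    # Expected 1 row but 1 is affected by employer 20: commits; expecting 5 would roll back.
    print(guarded_update(db, "UPDATE Participant SET Status = 'Terminated' "
                             "WHERE EmployerId = ?", (20,), 5))
    print(count_status(db, "Terminated"))
```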
III. Policy Regarding Change Files—Navia360 Bundled Information Functionality
and Tracking
Employees shall bundle the original file and the change file and upload them into Navia360.
This eliminates the need to email the files and retains the critical ability to gather all necessary information in one area for auditing purposes. New upload capabilities have been added to the Company
Correspondence tab. If the Upload Email button is clicked and the browser window is cancelled, an
email form will open up with From and To lines defaulted to the current user’s email address. Documents can be dragged and dropped onto this form as attachments and saved. This will allow users to
save multiple files in a single package in the Correspondence tab without having to consolidate them all
via Outlook. Allowed file types include pdf, doc, docx, csv, xls, xlsx, zip, txt, msg, jpg, jpeg, bmp, gif, tif,
png, html, edi, and pgp.
IV. File Share Policy
Sharing data with the employer is essential to accurately administer employee benefits. Our policy at
Navia is to upload files to a secure site and not email files. Files may be emailed only as an exception to the
rule of uploading files. Once files are uploaded, they become available within an hour (allowing time to pull back
data), and the files drop off the site after a specified timeframe.
The following details this process:
Under the Company Documents tab you will find a document type called Shared File. If this doc type is
selected, the expiry date field auto-populates 10 days from today. Shared file documents become available on the employer portal one hour after they are added, but checking the Override Delay box will
make them available immediately. You may only override the delay if the circumstances necessitate the
override. Any notes entered into the Notes field will also be available online. Note that if you add the
document using the Quick Add feature, you will have to reopen the document record to complete the
upload process.
If you check the Override Delay box or update the expiration date, a pop-up will appear.
A new menu item has been added to the Tools and Resources menu on the employer portal.
Clicking it opens the File Sharer page, where any non-expired Shared File documents are available.
Clicking the little icon next to the document name will download the document. Each time a document
is downloaded, that download is tracked in the database. Download history for each Shared File document can be found by clicking the View Downloads button on the Document form in Navia360.
Once a document’s expiration date passes, the document will no longer be available on the ER portal,
though it will still be available in Navia360. If no Shared File documents are available, the ER portal page
renders as below.
Internal File Sharing
When sharing files internally (among Navia employees) files are not attached to email but placed in the
employee Drop Box. Employee A then emails a link to the file contained in their drop box to Employee
B. The file is processed accordingly. This link is not accessible to any recipient outside of Navia and
prevents accidental disclosures.
V. Remote Access Policy
VPN is provided to IT, the Development Team, management as needed, and other employees as needed
to accomplish a particular task. Use of the tools is monitored and logged. ID & authentication requirements are found in the Password Policy below and employees must sign a VPN Agreement (see below).
Remote access terminates after 10 minutes of inactivity. Except as indicated in the preceding sentences,
no Navia employee has the capability to access our network remotely.
VPN Agreement
Navia’s VPN POLICY
Approved employees may utilize the benefits of VPNs. In order to access the VPN you agree as follows:
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not
allowed access to FPS internal networks.
2. VPN use is to be controlled using either a one-time password authentication such as a token device
or a public/private key system with a strong pass phrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC
over the VPN tunnel: all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by FPS IT.
6. All computers connected to FPS internal networks via VPN or any other technology must use the
most up-to-date anti-virus software that is FPS approved; this includes personal computers.
7. VPN users will be automatically disconnected from FPS’s network after 10 minutes of inactivity.
The user must then logon again to reconnect to the network. Pings or other artificial network
processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. All computers used to access the VPN must be either personal computers reviewed by IT or computers issued by FPS. Users of computers that are not FPS owned equipment must configure the
equipment to comply with FPS's VPN and Network policies.
10. By using VPN technology with personal equipment, users must understand that their machines are
a de facto extension of FPS's network, and as such are subject to the same rules and regulations
that apply to FPS-owned equipment.
11. VPN access may be permitted on a temporary or full-time basis depending on the duties of the
employee and needs of FPS.
12. If you are permitted administrative rights due to access, control, your role at FPS, or otherwise, then
you agree not to adjust or disable any security features enabled or implemented by FPS IT.
13. All computers used to access the VPN must be encrypted.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including
termination of employment.
Employee Name: _________________________________________
Signature:
__________________________________________
Date:
__________________________________________
VI. Password Policy
Navia employees: Passwords expire every 90 days. Employees cannot replicate last 15 passwords.
Complexity Requirements are: at least 8 characters, at least 3 of the 4 following groups [uppercase,
lowercase, numeric character, and special character]. Upon termination of a Navia employee, their Navia360 username is deactivated within one month of the date of termination by the former employee’s
department head. Note that the Navia360 username cannot be used outside of the office, because access to the Admin site is limited to internal use and a few special IP addresses only (company laptops
and Development VPN primarily). Upon termination the following is conducted by the client support
manager:
• Remove access to systems:
o Navia360, Wealthcare Admin, Wired Commute, FTP, Benaissance
• Phones
o Review all voice mail
o IT disables the extension and resets the password
• Computer
o Password reset by IT and computer is wiped.
• Email
o OOO set prior to departure
o redirect emails to designated contact
o review and clear all old email
o Disable email after 2 weeks.
• Immediately collect FPS badge/FOB
• IT disables remote access to Outlook
Clients and Brokers: Upon notice of employer termination (termination of contact at employer), that
employer’s Navia.com username is deactivated immediately and all communications to that employer
contact cease. The accounting team terminates the online access of a client contact for terminated clients (clients that terminate services with Navia but contact is still employed with employer). Under this
procedure any client contact is completely restricted from online access. Specifically, the accounting
team deactivates online access for client contacts 90 days after the end of the claims run-out period of a
terminated plan. Additionally, the accounting team deactivates online access for any client contact upon receipt of notice of termination of employment. Complexity Requirements are: at least 8 characters,
at least 3 of the 4 following groups [uppercase, lowercase, number, and alpha-numeric punctuation].
If an employer contact is also enrolled as a participant, they may use the same username and password
to access both the employer and employee portals. This can be done during the employer portal registration process.
Plan years are available on the employer portal for management from the moment of creation (in
Pending status) until 90 days after the posted claim runout period.
Participants: Participants are restricted from accessing plan level information for all expired plans. Plans
are expired 90 days after the end of the claims run-out period. Complexity Requirements are: at least 8
characters, at least 3 of the 4 following groups [uppercase, lowercase, number, and alpha-numeric
punctuation]. Participants do not have access to online accounts for terminated plans (clients no longer
using our services).
Username Requirements
Usernames must be unique amongst all Navia360 and Navia.com employer and employee usernames.
Password Requirements
All Navia.com passwords must be at least six characters in length and contain at least three of the following:
• One uppercase letter
• One lowercase letter
• One number
• One special character
Failed Logins
Both Navia360 and Navia.com employee and employer usernames may be locked out after five (5) failed
login attempts.
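The employee rule stated earlier in this policy (at least 8 characters, 3 of the 4 character groups, no reuse of the last 15 passwords), the Navia.com rule (at least six characters, 3 of the 4 groups) and the five-attempt lockout, implemented as one added Python example that is not Navia's code. It assumes that "special character" means any character that is not a letter or digit, keeps password history as salted PBKDF2 hashes rather than plaintext, and the Account class and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds taken from the policy text.
EMPLOYEE_MIN_LENGTH = 8        # Navia employee passwords
EMPLOYEE_HISTORY_DEPTH = 15    # employees cannot reuse their last 15 passwords
NAVIA_COM_MIN_LENGTH = 6       # Navia.com employee/employer passwords
REQUIRED_GROUPS = 3            # at least 3 of the 4 character groups
LOCKOUT_THRESHOLD = 5          # lock the username after five failed logins

HistoryEntry = Tuple[bytes, bytes]   # (salt, PBKDF2 digest) of a previous password


def character_groups(password: str) -> int:
    """Return how many of the four groups (upper, lower, digit, special) appear.
    Assumption: a 'special character' is anything that is not a letter or digit."""
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_special = any(not c.isalnum() for c in password)
    return sum([has_upper, has_lower, has_digit, has_special])


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256. History is kept in this form, never as plaintext,
    which is still enough to test a candidate against old passwords."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def is_reused(password: str, history: List[HistoryEntry], depth: int) -> bool:
    """True if the candidate equals any of the most recent `depth` stored passwords."""
    recent = history[-depth:] if depth > 0 else []
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in recent
    )


def validate_new_password(
    password: str,
    history: List[HistoryEntry],
    min_length: int = EMPLOYEE_MIN_LENGTH,
    history_depth: int = EMPLOYEE_HISTORY_DEPTH,
) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_groups(password) < REQUIRED_GROUPS:
        problems.append(f"uses fewer than {REQUIRED_GROUPS} of the 4 character groups")
    if is_reused(password, history, history_depth):
        problems.append(f"matches one of the last {history_depth} passwords")
    return problems


@dataclass
class Account:
    """Constructed stand-in for a Navia360 or Navia.com username record."""
    username: str
    failed_logins: int = 0
    locked: bool = False
    history: List[HistoryEntry] = field(default_factory=list)

    def change_password(self, new_password: str,
                        min_length: int = EMPLOYEE_MIN_LENGTH,
                        history_depth: int = EMPLOYEE_HISTORY_DEPTH) -> List[str]:
        """Apply the policy; on success record the hash and trim history to history_depth."""
        problems = validate_new_password(new_password, self.history, min_length, history_depth)
        if not problems:
            self.history.append(hash_password(new_password))
            if history_depth > 0:
                self.history = self.history[-history_depth:]
        return problems

    def record_failed_login(self) -> bool:
        """Count a failed attempt; returns True once the username is locked out."""
        self.failed_logins += 1
        if self.failed_logins >= LOCKOUT_THRESHOLD:
            self.locked = True
        return self.locked

    def record_successful_login(self) -> None:
        """A successful login (only possible while not locked) clears the counter."""
        self.failed_logins = 0
```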
Forgot Password
If an employee or employer user initiates a forgot password request through Navia.com, their password
is reset with a temporary password and a setting on their account is updated so that the next time the
participant successfully logs in, they will be required to reset their password. The username and password are emailed to the participant’s current email address in separate email messages.
Employers resetting their password must enter a company code and email address. If there are two
contacts within the same company that share an email address, they will not be able to reset their
password online and will be advised to contact customer service.
Participants are required to enter their email address and date of birth. If a match cannot be found, they
will be advised to contact customer service.
If the participant forgets their username or password (or both) we will guide them to the website and
aid them in clicking on “Help” below the login section, and clicking “Forgot Username and/or Password”.
They should receive a temporary password and their username via email. If the participant fails to receive
an email with the temporary password and username, after checking their spam/junk folder, then we
can set a temporary password for them only after verifying their identity fully.
If the participant cannot access the email address associated with the account we must first verify their
identity (see Verifying Identity rules).
• After verifying their identity, we email them with the following template:
Please confirm the below information:
Old email:
Name:
Employer:
Month and day of birth:
Home zip code:
Once we receive a reply from the new email address we update the email in the participants account.
The CSR then updates the email address on file so the participant can use the “Forgot
Username/Password” link to get this information sent to an accessible email address.
The employee should also send any changes to their employer to ensure the employer does not override
their data. If the participant can access the email on file, they would complete step 1.
If the participant would like their username changed, the CSR must contact a supervisor, who then contacts
development. Navia employees do not change participant usernames unless there is a special circumstance such as divorce or marriage.
Account Creation and Maintenance
The creation of Navia360 usernames is permission-based (supervisors and Development only). Employees may change their own Navia360 passwords while logged in, but if they are locked out due to failed
logins, only those with the aforementioned permissions may reset the password. Usernames may only
be updated by a member of Development.
Navia.com employee and employer usernames may only be created via online registration. Only users
with the Change Password permission in Navia360 may update passwords for employers and employees, though any user may reset the login fail count, update the username, or change the username status (Active, Deleted, or Disabled) for an employee or employer.
Navia360 – Unique username and password. Application only available from within network (after
signing into the desktop).
Alegeus Monitor - Unique username and password. Application only available from within network (after signing into the desktop). Passwords do not expire. Password requirements are:
• 8-13 characters
• Must contain at least 3 of the following:
  o Upper case
  o Lower case
  o Numeric character
  o Special character
Wired Commute - Single sign on via the Participant portal, see password requirements below
Person to person communications (call in) require verification using our Identification Verification Policy.
Banking – Password + key fob. You must login with a company ID, user name, and a password that requires at least 8 characters (at least 1 letter and 1 number) to get general access to the site. This password is changed every 60 days. Anything that prompts changes (adding a user, changing user access,
uploading debit files or check issue reports) also requires a 4 digit unique pin number plus a key fob
number from an individually assigned fob (this number changes every 60 seconds).
VPN – Access is provided to the development team and IT. It is also provided to management as needed
and others as needed for a limited duration (duration to complete the particular task). Password and
key fob required. The Password requirements are the same as desktop passwords.
FPS Laptop Computers/tablets - Password protected + key fob. Password requirements are:
• 8-13 characters long
• Contain at least 3 of the following character types:
  o Uppercase letter
  o Lowercase letter
  o Numeric character
  o Special character
• Passwords do not expire
VI. Physical Security Policy
All doors locked after normal business hours (between 6 pm – 6 am). 1st level entry requires photo
badge. 2nd level entry requires FPS issued fob. Fob logs are maintained and monitored by IT.
One to two persons at the front desk at all times during normal business hours.
All visitors must sign in at the front desk.
All visitors are accompanied by a Navia employee while in the back office area.
Screening and background checks for all new employees
a. Washington courts (public records files).
b. Background check conducted by Almond Associates and completed before 1st day of
employment
c. All employees go through HIPAA training and sign confidentiality agreement before access to systems is permitted.
d. Server room secured by additional physical security controls [two locked doors, entry
logged]
No PHI left in plain view after normal business hours unless a supervisor is present. Secure access to monitor displays and printers.
Hard copy mailed claims and documents retained onsite in a locked filing cabinet in a locked storage room
for 30 days until destroyed. All documents are scanned and retained in soft copy for 8 years. All documents containing PHI are shredded by an offsite shred service.
Flash drives or other data download devices are prohibited onsite and FPS desktop drives disabled.
All key fob owners are tracked by IT. IT immediately deactivates terminated employee fob.
Employee computers are locked at all times while the employee is away from their work space. Unlocked computers are reported to the HIPAA Privacy Officer and locked immediately. A penalty
may be imposed on an employee who leaves a computer unlocked. Employees working after hours are not
permitted unless a supervisor is present.
Mail containing PHI sent to employers is marked “confidential” and sent only to the designated contact.
Electronic data is provided to plan sponsors by a secure method (file upload or FTP), including but not limited to a password protected or secure FTP site.
US Mail containing PHI:
e. Scanned on same day as received
f. Soft copy stored for 8 years
g. Hard copies stored for 30 days in secure storage room then shred
Secure destruction of hardware and equipment. Desktops are electronically wiped to the DoD 5220.22-M data destruction standard. Server drives are wiped and then physically shredded. We have a
policy of not saving or downloading PHI on laptops, tablets, or other mobile devices.