Oscar Human Resources Policy (excerpt) and related Privacy and Security Policies

Posted 20-May-2018


Health Information.

Oscar shall obtain the prior written authorization from any candidate who is the subject of a security clearance. Upon request, Oscar shall provide the candidate with the name, address and telephone number of the consumer reporting agency retained by Oscar, together with a complete and accurate disclosure of the nature and scope of the investigation requested by Oscar as well as a written summary of the candidate’s rights under the Fair Credit Reporting Act. Before taking any adverse action with respect to a candidate based, in whole or in part, on information in a consumer report, Oscar shall provide the candidate with a copy of the report, along with a written description of his or her rights under applicable law. Candidates shall be afforded a reasonable time period to review the report for errors that might affect an adverse employment decision.

In the event Oscar denies employment based upon the findings of a consumer report, Oscar shall notify the candidate that the consumer reporting agency did not make the decision to take the adverse action, that Oscar is unable to explain the specific reasons for the decision, and that the candidate has the right to dispute the accuracy of the report. Oscar shall deny employment based solely on one or more past or pending convictions only in cases in which the relevant crime(s) involved fraud, mishandling of funds, dishonesty, theft, a breach of privacy or any other activity deemed by the Legal Department and Compliance Department to make the candidate unsuitable for handling Protected Health Information or carrying out requisite job functions. In no event shall Oscar inquire about or deny employment based upon a candidate’s prior arrest record if the arrest did not result in a conviction.

All materials relating to the pre-employment screening process shall be maintained in the employee’s personnel file.

Access Rights

In conjunction with the hiring process, the Chief Privacy Officer, to the extent deemed necessary, shall establish and maintain a record of the type of Protected Health Information to which each new employee requires access in order to perform his or her job functions. This determination shall be communicated to all appropriate personnel, including the Head of Information Technology and Head of Security.

Employee Training and Awareness

At the time of initial employment, all employees shall be provided information regarding Oscar’s privacy and security policies and procedures. As part of Oscar’s comprehensive privacy and security training program, these policies and procedures shall be reviewed with each new employee during an initial orientation, which shall take place within 30 days after the date of employment. Supervisory personnel shall be responsible for providing additional security training to new employees under their supervision that is tailored to the employee’s specific responsibilities.

Each employee shall be required to sign a written acknowledgement stating that he or she has reviewed Oscar’s pertinent privacy and security policies, participated in the privacy and security training program, and understands that failure to comply with the terms of such policies may result in disciplinary action. A copy of the signed acknowledgement shall be maintained in each new employee’s personnel file.

The Chief Privacy Officer shall ensure that all employees promptly receive updates and revisions to Oscar’s privacy and security policies and procedures. In addition, the Head of Security shall be responsible for providing employees with security reminders and other notices pertaining to Oscar’s privacy and security programs, such as descriptions of emerging threats, potentially relevant threat intelligence, vulnerabilities identified in the industry, and other pertinent matters.

Employee Evaluations and Sanctions

Oscar managers shall consider compliance with Oscar’s privacy and security policies as part of regular performance evaluations for all employees.

To ensure compliance with Oscar’s privacy and security policies, any breach of Protected Health Information by an employee shall be subject to the following disciplinary actions, which are based upon the nature of the breach:

Carelessness. This level of breach occurs when an employee unintentionally or carelessly accesses, reviews, discloses or fails to safeguard Protected Health Information. Examples include an employee’s failure to lock a workstation at the end of the day or leaving copies of Protected Health Information in a public area. Depending on the facts, disciplinary action for a first offense may include counseling, an oral warning or a written warning. Disciplinary action for subsequent offenses may include the aforementioned sanctions as well as suspension or termination.

Intentional Violation without Personal Gain or Malice. This level of breach occurs when an employee, for unauthorized purposes, intentionally accesses or discloses Protected Health Information, without any personal gain or malice. Examples include accessing Protected Health Information of friends or relatives out of genuine concern for the individual’s health or accessing another employee’s e-mail without authorization. Disciplinary sanction may include a written warning, suspension or termination.

Intentional Violation for Personal Gain or with Malice. This level of breach occurs when an employee accesses, reviews or discloses Protected Health Information for personal gain or with malicious intent. Examples include an employee’s use of information to compile a mailing list for personal commercial purposes, the sale of Protected Health Information to outside parties or the review of Protected Health Information for use in an adverse personal relationship (e.g., a divorce). Any employee who commits such a breach shall be subject to immediate termination and Oscar, as appropriate, may refer the matter to regulatory or law enforcement authorities.

In addition to the foregoing, the employee shall be required to repeat any pertinent portions of Oscar’s privacy and security training program as determined by the Director of People Operations and Strategy. Written documentation of all employee disciplinary actions shall be maintained in the employee’s personnel file.

Employee Departures

Oscar shall conduct an exit interview with each departing employee prior to the employee’s final working day. During the exit interview, the employee will be reminded of any applicable non-disclosure agreement in effect as well as the employee’s continuing responsibility to maintain the confidentiality of any Protected Health Information to which he or she may have had access during the course of employment. Any potential privacy or security threats that are identified during the exit interview shall be immediately reported to the Chief Privacy Officer and Head of Security, as applicable.

The Head of Information Technology and the Head of Security, or their designee(s), shall ensure that departing employees’ access privileges to Oscar’s Protected Health Information and other resources are immediately revoked. The following measures may be taken:

• The surrender of any keys, tokens, access cards and other devices that permit access to Oscar’s offices or internal systems.

• The removal of the employee’s name from all building or other access lists.

• The surrender of any identification cards or badges issued by Oscar to the employee.

• The removal of user accounts granting employee access to any components of internally or externally hosted systems.

• The termination of the employee’s passwords, authentication identification data and any other access codes and devices.

• Ensuring that any of Oscar’s equipment and other property in the possession of the employee is returned to Oscar.

• Taking any other precautions that may be necessary based upon the specific circumstances concerning the employee’s job functions or departure.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].

CONFIDENTIALITY ACKNOWLEDGEMENT

I have received a copy of Oscar’s Privacy and Security Policies. I have read these policies carefully and understand them.

I will familiarize myself with any updates or changes to Oscar’s privacy and security policies that are provided to me by Oscar. If there is any provision in any updates or changes that I do not understand, I will seek clarification from my supervisor or other appropriate Oscar personnel.

I understand that information regarding Oscar’s patients is confidential and I will maintain the confidentiality of such information. I further understand that the unauthorized use or disclosure of information regarding Oscar’s patients is inconsistent with Oscar’s policies as well as state and federal law.

I agree to comply with the terms of Oscar’s privacy and security policies. I understand that my failure to comply may result in disciplinary or legal action, including termination of my employment.

__________________________ Employee Name

__________________________ Employee Signature

__________________________ Date

“Payment” means activities intended to obtain payment of premiums, determine or fulfill Oscar's responsibility to provide coverage or benefits to enrollees or obtain or provide reimbursement for health care services. Examples of such activities include, but are not limited to, eligibility determinations, coordination of benefits, claims processing, obtaining payment from stop-loss insurers and utilization review.

“Protected Health Information” (PHI) means information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual, and identifies or could reasonably be used to identify the individual. Protected health information includes demographic information about individuals (such as name, address and social security number), even if unaccompanied by information about the individual’s health or medical treatment, if the demographic information was created in connection with the provision of or payment for health care services.

Terms of Policy

Disclosures Subject to an Accounting

Individuals may request an accounting of certain disclosures of their Protected Health Information made by Oscar or any of its Business Associates for the six year period immediately preceding the date of the request. All such requests must be made in writing on Oscar’s standard form and directed to the Chief Privacy Officer.

The accounting provided by Oscar must include all disclosures of PHI other than those for the following purposes:

· To carry out Payment or Health Care Operations;

· To the enrollee;

· Made pursuant to an authorization signed by the enrollee that complies with the requirements of the HIPAA privacy rule;

· To federal officials for national security or intelligence purposes;

· To a correctional institution or law enforcement official that has custody of an enrollee, upon a determination by Oscar’s Chief Privacy Officer that such disclosure is not subject to an accounting under the HIPAA privacy rules;

· To a health oversight or law enforcement agency if such agency notifies Oscar in writing that the provision of an accounting during a specified period would be reasonably likely to impede the agency's or official's activities; and

· That occurred prior to April 14, 2003.

Only disclosures to persons or entities outside of Oscar are subject to the accounting requirement. Internal use of Protected Health Information by Oscar employees or other workforce members is not treated as a disclosure.

Tracking Disclosures

Any employee who makes a disclosure of Protected Health Information that is subject to the accounting requirement must promptly complete Oscar’s “Disclosure Tracking Form.” The employee must forward the completed form to the Chief Privacy Officer, or his or her designee, who will be responsible for retaining all such forms for a period of six years. All Business Associates maintaining or accessing Protected Health Information for or on behalf of Oscar will be required to track disclosures in accordance with the terms of this policy. The contract manager responsible for overseeing Oscar’s relationship with the Business Associate shall ensure the Business Associate’s compliance with this requirement.

Provision of an Accounting

Any request for an accounting submitted by an Individual and received by an employee shall be promptly transmitted to the Chief Privacy Officer. The Chief Privacy Officer will be responsible for reviewing the Disclosure Tracking Forms, if any, covering disclosures of the Individual’s Protected Health Information by Oscar and preparing a response to the request. The Chief Privacy Officer will also request a list of disclosures subject to this policy from all Business Associates that may have had access to the Individual’s Protected Health Information. The Chief Privacy Officer will consult other employees as necessary to ensure that a complete list of Business Associates with access to Protected Health Information is available.

The accounting provided by the Chief Privacy Officer to Individuals will include the following information for each disclosure subject to the accounting requirement:

· The date of the disclosure;

· The name of the recipient of the information and, if known, the recipient's address;

· A brief description of the Protected Health Information disclosed; and

· A brief statement of the purpose of the disclosure.

In certain circumstances, if Oscar has made multiple disclosures of Protected Health Information, the accounting, in lieu of specifying the date of each disclosure, may state the frequency, schedule or number of disclosures and the dates of the first and last disclosures. The circumstances in which such a statement may be provided include multiple disclosures to (i) the U.S. Department of Health and Human Services in order to comply with HIPAA or (ii) other persons or entities to meet legal requirements, comply with government requests for information or satisfy other public interest purposes which have been determined by the Chief Privacy Officer to fall within 45 C.F.R. § 164.512.

Time Frame for Providing Accounting

The Chief Privacy Officer will ensure that a response to an Individual’s request for an accounting is made within 60 days.

Fees

Oscar will not charge Individuals a fee for the first accounting requested in any 12-month period. For additional requests, the Chief Privacy Officer will inform the enrollee in advance that the enrollee will be charged a fee to cover Oscar’s reasonable costs.

Record Retention

The Chief Privacy Officer will maintain documentation of all accountings requested by and provided to Individuals under this policy for a period of six years. The Chief Privacy Officer will carry out any other responsibilities imposed on Oscar under 45 C.F.R. § 164.528.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].

If an email containing PHI is sent outside of the organization and is not appropriately encrypted, this must be disclosed to the Chief Privacy Officer within 3 days of the disclosure; the individual should provide the Chief Privacy Officer with a completed disclosure form so that he/she can determine next steps.

Enforcement

This policy will be enforced by the Chief Privacy Officer. Employees who violate this policy will be subject to disciplinary action, up to and including termination.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].

Terms of Policy

Applicable Law

HIPAA permits Individuals to request amendments to their Protected Health Information maintained by Oscar or any of its Business Associates in a Designated Record Set.

Process for Handling Amendment Requests

Oscar may receive requests from Individuals or their personal representatives requesting amendments to their Protected Health Information. Any such request received by an employee shall be promptly transmitted to the Chief Privacy Officer. The Chief Privacy Officer will ensure that a response is provided to each Individual within 60 days of receipt of the request.

The Chief Privacy Officer shall determine whether any Protected Health Information should be amended. If the Chief Privacy Officer agrees to the amendment request, he or she must notify the Individual and append or link the amendment to the original record. The original record will not be deleted or modified.

If the Chief Privacy Officer denies the amendment request, he or she must send the Individual a written denial notice using Oscar’s standard form. The notice will advise the Individual that he or she has the right to submit a written statement of disagreement in response to the denial. The amendment request, the denial notice and the statement of disagreement, if any, must be appended or linked to the original record.

The Chief Privacy Officer may deny a request for an amendment if the relevant Protected Health Information (i) was not created by Oscar or one of its Business Associates, (ii) is not part of a Designated Record Set, (iii) would not be available for inspection and copying under this policy; or (iv) is accurate and complete. The reason for the denial will be specified in the denial notice.

Applicable Fees

Oscar will not charge Individuals any fees for responding to amendment requests under this policy.

Record Retention

The Chief Privacy Officer will maintain a copy of all correspondence related to amendment requests for six years. The Chief Privacy Officer will carry out any other responsibilities imposed on Oscar under 45 C.F.R. § 164.526.

Enforcement

This policy will be enforced by the Chief Privacy Officer. Employees who violate this policy will be subject to disciplinary action, up to and including termination.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].

“Unsecured Protected Health Information” means Protected Health Information that is not encrypted or otherwise secured in a manner that is consistent with guidance issued by the U.S. Department of Health and Human Services under Section 13402(h) of HITECH. Note: Redaction or password protection of information is not considered an effective means of securing Protected Health Information.

Procedure

Reporting Actual or Suspected Breaches

All employees, agents, contractors, interns and volunteers must immediately report actual or suspected Breaches to their immediate supervisor or the Chief Privacy Officer. Any supervisor receiving a report of an actual or suspected Breach must immediately forward the report to the Chief Privacy Officer. All employees must cooperate in any investigation of an actual or suspected Breach.

If the actual or suspected Breach includes computerized protected personal information,[1] the state-specific requirements set forth in Exhibits A-D may also apply, as well as CMS reporting requirements specific to federally facilitated exchanges, set forth in Exhibit E.

Business Associates of Oscar shall report all actual or suspected breaches in accordance with their business associate agreements. Oscar shall require additional follow-up by its Business Associates as necessary and appropriate and directed by the Chief Privacy Officer.

Determining Whether a Breach Occurred

After receiving a report of a suspected breach, the Chief Privacy Officer or his/her designee will investigate the circumstances surrounding the suspected Breach. The Chief Privacy Officer will involve the Chief Security Officer as necessary. To the extent that a suspected Breach involves a security incident, the Security Officer will be immediately informed and Oscar’s Security Incident Management Policy will be followed. During the investigation, the Privacy Officer or designee will, to the extent possible:

1. Determine whether there has been an impermissible access, use or disclosure of PHI;

2. Determine who impermissibly accessed, used or received PHI and to whom the PHI was potentially disclosed, if applicable;

3. Determine whether the PHI involved in the incident was Unsecured PHI;

4. Identify the type and amount of PHI involved; and

5. Determine what steps have been taken, or should be taken, to mitigate risk (obtaining the return of the PHI, reporting the incident to the police, etc.).

[1] Please refer to Exhibits A-D for state-specific, and Exhibit E for CMS-specific, definitions of protected personal information subject to additional security requirements.

The Chief Privacy Officer, in consultation with Legal Counsel as deemed appropriate, is responsible for determining whether a Breach has occurred. The Chief Privacy Officer will use best efforts to complete his or her review within ten business days of becoming aware of the potential Breach. In no event shall such review be completed more than 30 days after receipt of a report.

In determining whether there has been a Breach, the Chief Privacy Officer will assess the probability that the Protected Health Information has been compromised, using the HIPAA Risk Assessment Tool, attached as Exhibit F. A Breach is presumed to have occurred unless the assessment demonstrates that there is a low probability that the Protected Health Information has been compromised. The Chief Privacy Officer will consider all of the relevant factors relating to the incident, including but not limited to:

1. The nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the Protected Health Information or to whom the disclosure was made;

3. Whether there is evidence that the Protected Health Information was actually acquired or viewed; and

4. The extent to which the risk to the Protected Health Information has been mitigated.

If the Chief Privacy Officer determines that a Breach involving Unsecured Protected Health Information has occurred, the Chief Privacy Officer will take the steps set forth in this policy to ensure proper notification. If the Breach involved individually identifiable information but no Unsecured Protected Health Information, the Chief Privacy Officer will consult with Legal Counsel to determine what notification obligations, if any, Oscar has under breach notification laws other than HITECH.

In addition, if the actual or suspected Breach includes computerized protected personal information, the state-specific requirements regarding notification set forth in Exhibits A-D may also apply.

Notification to Individuals

If the Chief Privacy Officer determines there has been a Breach of Unsecured Protected Health Information, he or she will arrange for notification to individuals whose Unsecured Protected Health Information was subject to the Breach. Each affected individual shall be notified in the most expedient time possible and without unreasonable delay, and in no event, later than 60 days after discovery of the Breach by Oscar.

Form of Notice

The notice sent to affected individuals will include the following information:

• Identification of the individual whose Unsecured Protected Health Information has been or is reasonably believed to have been involved in the Breach;

• A brief description of what happened, including the date of the Breach and its date of discovery, if known;

• A description of the types of Unsecured Protected Health Information involved in the Breach (such as full name, social security number, date of birth, home address, account number, disability code);

• A description of the steps that individuals should take to protect themselves from potential harm resulting from the Breach (e.g. contacting state agencies, notifying credit card agencies, banks, consumer reporting agencies);

• A brief description of what Oscar is doing to investigate the Breach, to mitigate losses, and to protect against further incidents; and

• Oscar’s contact information, so that individuals can ask questions or learn additional information, including a toll-free number, e-mail address, website or postal address.

Delivery of Notice to Affected Individuals:

Oscar may notify affected individuals in any of the following ways:

• Written: Provide written notification by first class mail.

• Electronic: Provide notification by email, if the individual has previously requested that he or she receive notices from Oscar in this manner.

Note: Oscar must provide written or electronic notice, as set forth above, following the Breach, unless criteria for alternative notice (below) apply.

• Telephone: In addition to the written (or, if applicable, electronic notice), contact by telephone if there is a threat of imminent misuse of Unsecured Protected Health Information.

• Alternatives: If Oscar has outdated or insufficient contact information for an individual, it may use other methods to notify affected individuals.

o If there is outdated or insufficient contact information for ten or more individuals, the alternative method must include posting a notice on Oscar’s website, publishing a notice in a major newspaper or using local media to contact affected individuals.

o If one of these methods is used, Oscar will also provide a toll-free number where an individual may learn information on whether he or she is affected by the Breach.

• 500 or more Affected. Oscar will notify a media outlet that has a statewide audience if 500 or more individuals residing in any state are affected by the Breach.

If the actual or suspected breach includes computerized protected personal information, the additional requirements regarding the types of and requirements for notification set forth in Exhibits A-F will apply.

Notification of Government Agencies

Oscar will immediately notify HHS of any Breach of Unsecured Protected Health Information if 500 or more individuals are affected. For all Breaches of Unsecured Protected Health Information involving fewer than 500 people, the Chief Privacy Officer, or his/her designee, maintains a log of breaches that Oscar will report annually to HHS.

Cooperation With Law Enforcement

The Chief Privacy Officer shall delay providing any notices under this policy if a law enforcement official determines that such notice would impede a criminal investigation. The Chief Privacy Officer shall, in consultation with Legal Counsel, provide any notice required by this policy promptly after such official determines that providing the notice would not compromise the investigation.

Record Retention

Records of all actual or suspected Breaches, notifications and other documents pertaining to the investigation and response to actual or suspected Breaches shall be maintained by the Chief Privacy Officer for six years.

Enforcement

Compliance with this policy will be overseen by the Chief Privacy Officer in consultation with Legal Counsel. Employees who violate this policy will be subject to discipline, up to and including termination.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].

Reference

Health Information Technology for Economic and Clinical Health Act and its implementing regulations (45 CFR 164.400 – 164.414); HIPAA; September 28, 2010 CMS Medicare Part C and D Breach Notification Alert.

EXHIBIT A

California Electronic Data Security Breach Notification Requirements

A. Definitions

CA Breach Notification Law means California Civil Code § 1798.80 et seq., including California Civil Code § 1798.82.

Personal Information means either:

(a) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

1. Social security number;

2. Driver’s license number or California identification card number;

3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;

4. Medical information, meaning any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;

5. Health insurance information, meaning an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records;

6. Information or data collected through use or operation of an automated license plate recognition system; or

(b) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Personal Information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

Security Breach means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Information about California residents maintained by Oscar Health Plan of California.

B. Notification Requirements

1. Notice Contents. Notices to affected individuals will be compliant with California law if they meet the Form of Notice requirements set forth above in Section titled “Notification of Individuals” of the Security Breach Notification Policy.

2. Delivery of Notice. Oscar Health Plan of California may notify affected individuals through written or electronic notice, as set forth in the Security Breach Notification Policy, but if alternative notice is provided, all of the following requirements must be met:

• Alternative notice may be provided if Oscar Health Plan of California demonstrates that: the cost of providing notice would exceed $250,000; or the affected class of individuals exceeds 500,000; or Oscar Health Plan of California does not have sufficient contact information for affected individuals.

• Alternative notice must include all of the following:

o Email: When Oscar Health Plan of California has an email address for affected individuals;

o Website: Conspicuous posting on Oscar’s website, by providing a link to the notice on the home page or first significant page after entering the website that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link; and

o Media: Notification to major statewide media.

If a Security Breach involves a user name or email address, in combination with a password or security question and answer that would permit access to an online account, and:

• Where an online account, but none of the Personal Information set forth in Exhibit A, section A(a), above is involved, Oscar Health Plan of California may provide notification in electronic or other form that directs the individual whose Personal Information has been breached promptly to:

o Change his/her password and security question or answer, as applicable, or

o Take other steps appropriate to protect the online account with Oscar and all other online accounts for which the individual whose Personal Information has been breached uses the same user name or email address and password or security question or answer.

• Where the login credentials of an email account furnished by Oscar are involved:

Oscar will not notify affected individuals through email to the affected email address. Instead, it will provide notice on its website or via media, as set forth above, or by clear and conspicuous notice delivered to the individual online when the individual is connected to the online account from an Internet Protocol address or online location from which Oscar knows the individual customarily accesses the account.

3. Notice to the Attorney General. If the Breach involved more than 500 California residents, Oscar will submit a sample copy of the breach notification, excluding any personally identifiable information, to the California Attorney General. A copy of the California Data Security Breach Reporting Form can be found at: https://oag.ca.gov/ecrime/databreach/report-a-breach.

EXHIBIT B

New Jersey Electronic Data Security Breach Notification Requirements

A. Definitions

N.J. Breach Notification Law means New Jersey Statutes Annotated §§ 56:8-161 & 56:8-163.

Personal Information means information consisting of an individual’s first name or first initial and last name linked with any one or more of the following:

1. Social security number;

2. Driver’s license number or State identification card number; or

3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Dissociated data that, if linked, would constitute Personal Information is Personal Information if the means to link the dissociated data were accessed in connection with access to the dissociated data.

Personal Information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

Security Breach means an unauthorized access to electronic files, media or data containing Personal Information that compromises the security, confidentiality or integrity of Personal Information when access to the Personal Information has not been secured by encryption or by any other method or technology that renders the Personal Information unreadable or unusable.

Note: Disclosure of a Security Breach is not required if Oscar Insurance Corporation of New Jersey establishes that misuse of the information is not reasonably possible. Any such determination must be documented in writing, and retained for five years.

B. Notification Requirements

1. Notice Contents. Such notices to these state and consumer agencies must include a copy of the notifications sent to affected individuals, a description of when and how the notifications were sent and the approximate number of affected individuals.

2. Delivery of Notice. Oscar Insurance Corporation of New Jersey may notify affected individuals through written or electronic notice, as set forth in the Security Breach Notification Policy, but if alternative notice is provided, all of the following requirements must be met:

• Alternative notice may be provided if Oscar Insurance Corporation of New Jersey demonstrates that: the cost of providing notice would exceed $250,000; or the affected class of individuals exceeds 500,000; or Oscar does not have sufficient contact information for affected individuals.

• Alternative notice must include all of the following:

o Email: When Oscar has an email address for affected individuals;

o Website: Conspicuous posting on Oscar Corporation’s website; and

o Media: Notification to major statewide media.

3. Notice to Government Agencies.

• Oscar Insurance Corporation of New Jersey will also notify the New Jersey Department of Law and Public Safety, Division of State Police. Contact information for reporting a Security Breach can be found at: http://www.cyber.nj.gov/data-breach-notifications/.

• If more than 1,000 New Jersey residents are affected, Oscar Insurance Corporation of New Jersey will notify consumer reporting agencies.

EXHIBIT C

New York Electronic Data Security Breach Notification Requirements

A. Definitions

N.Y. Breach Notification Law means New York General Business Law § 899-aa.

Private Information means information consisting of an individual’s Protected Health Information in combination with any one or more of the following data elements about the individual, when either the applicable information is not encrypted or when it is encrypted and the encryption key has also been compromised:

1. Social security number;

2. Driver’s license number or non-driver identification card number; or

3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Private Information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

Security Breach means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Private Information about New York residents maintained by Oscar Insurance Corporation. In determining whether information has been acquired, or is reasonably believed to have been acquired by an unauthorized person, Oscar may consider the following factors, among others:

1. Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information;

2. Indications that the information has been downloaded or copied; or

3. Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

B. Notification Requirements

1. Notice Contents. Such notices to these state and consumer agencies must include a copy of the notifications sent to affected individuals, a description of when and how the notifications were sent and the approximate number of affected individuals.

2. Delivery of Notice. Oscar Insurance Corporation may notify affected individuals through written, electronic or telephonic notice, as set forth in the Security Breach Notification Policy, but if alternative notice is provided, all of the following requirements must be met:

• Alternative notice may be provided if Oscar Insurance Corporation demonstrates to the N.Y. State Attorney General that: the cost of providing notice would exceed $250,000; or the affected class of individuals exceeds 500,000; or Oscar does not have sufficient contact information for affected individuals.

• Alternative notice must include all of the following:

o Email: When Oscar has an email address for affected individuals;

o Website: Conspicuous posting on Oscar Corporation’s website; and

o Media: Notification to major statewide media.

3. Notice to Government Agencies.

• Oscar Insurance Corporation will also notify the N.Y. State Office of the Attorney General, the N.Y. Department of State’s Division of Consumer Protection, and the N.Y. State Division of State Police. Contact information for reporting a Security Breach can be found at: https://www.dos.ny.gov/consumerprotection/pdf/infosecbreach03.pdf. A copy of the New York State Breach Reporting Form can be found at: https://its.ny.gov/sites/default/files/documents/Business-Data-Breach-Form.pdf.

• If more than 5,000 New York residents are affected, Oscar Insurance Corporation will notify consumer reporting agencies.

EXHIBIT D

Additional Texas Electronic Data Security Breach Notification Requirements

A. Definitions

TX Breach Notification Law means Texas Business & Commerce Code §§ 512.002 & 521.053.

Sensitive Personal Information means:

(a) An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:

1. Social security number;

2. Driver’s license number or government-issued identification number; or

3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or

(b) Information that identifies an individual and relates to:

1. The physical or mental health or condition of the individual;

2. The provision of health care to the individual; or

3. Payment for the provision of health care to the individual.

Sensitive Personal Information does not include publicly available information which is lawfully made available to the public from the federal, state or local government.

Security Breach means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Sensitive Personal Information maintained by Oscar Insurance Company of Texas, including data that is encrypted if the person accessing the data has the key required to decrypt the data. If the individual whose Sensitive Personal Information is involved is a resident of California, New York or New Jersey (or another state that requires Oscar to provide notice to a person whose Sensitive Personal Information has been subject to a Security Breach), Oscar may provide notice either under that state’s law or pursuant to Texas requirements.

B. Notification Requirements

1. Notice Contents. Such notices to these consumer agencies must include a copy of the notifications sent to affected individuals, a description of when and how the notifications were sent and the approximate number of affected individuals.

2. Delivery of Notice. Oscar Insurance Company of Texas may notify affected individuals through written or electronic notice, as set forth in the Security Breach Notification Policy, but if alternative notice is provided, all of the following requirements must be met:

• Alternative notice may be provided if Oscar Insurance Company of Texas demonstrates that: the cost of providing notice would exceed $250,000; or the affected class of individuals exceeds 500,000; or Oscar does not have sufficient contact information for affected individuals.

• Alternative notice must include all of the following:

o Email: When Oscar has an email address for affected individuals;

o Website: Conspicuous posting of the notice on Oscar Corporation’s website; and

o Media: Notification to major statewide media.

3. Notice to Consumer Reporting Agencies. If more than 10,000 individuals are affected, Oscar Insurance Company of Texas will also notify consumer reporting agencies.

EXHIBIT E

CMS Electronic Data Security Breach Notification Requirement for Federally Facilitated Marketplace Plans

C. Definitions

QHP Privacy and Security Agreement means the Qualified Health Plan Certification Agreement and Privacy and Security Agreement between Qualified Health Plan Issuer [Oscar] and the Center for Medicare and Medicaid Services effective 9/21/2015 through December 31, 2016, as renewed annually thereafter.

Incident or Security Incident means the act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge or consent.

Personally Identifiable Information (PII) means information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information that is linked to a specific individual, such as date and place of birth, mother’s maiden name, etc.

D. Notice to CMS

1. Security Incidents, or Breaches of PII, associated with Oscar’s Federally Facilitated Marketplace plans must be reported within seventy-two (72) to ninety-six (96) hours after the discovery of the Incident to the CMS IT Service Desk via e-mail to [email protected], using the Computer Security Incident Report form specified by CMS, with a copy to Oscar’s CMS Account Manager.

2. Note: Under the terms of the Privacy and Security Agreement, notification to CMS by telephone at (410) 786-2580 or 1-800-562-1963, is also allowed; however, written notification by e-mail is preferred under Oscar Policy.

3. Reporting of unintentional disruptions to a system or data is not required where a Breach risk assessment conducted under this Policy, pursuant to HIPAA guidelines, concludes that the disruption does not pose a risk to PII, Oscar, and CMS. For example, a risk assessment may conclude it is not reasonable to report a failed attempt to access a system, as opposed to a pattern of activities.

4. Examples of incidents that should be considered for reporting to CMS include:

• A sudden unexpected increase in network traffic;

• An unexpected or abnormal increase in the number of bad or malformed packets;

• Systems rebooting for unknown reasons;

• Discovery of a virus or malware;

• Loss of equipment;

• Network scans by unknown sources;

• A large increase in internet requests that degrades or disables the QHP issuer’s system from communicating; and

• Unknown users being added, or known users’ privileges increasing without knowledge or approval.

5. The Chief Security Officer and Chief Privacy Officer shall coordinate to ensure appropriate reporting under this requirement.

Reference: CMS, “Frequently Asked Questions (FAQs) regarding Reporting Certain Incidents to the Centers for Medicare and Medicaid Services (CMS) under the 2015 Qualified Health Plan (QHP) Certification Agreement and Privacy and Security Agreement” (November 12, 2014).

Exhibit F

HIPAA RISK ASSESSMENT TOOL

Date:

Name of Risk Assessor:

Date of Incident:

Date of Discovery of Incident:

Brief Description of Incident:

I. The nature and extent of Protected Health Information involved, including types of identifiers and likelihood of re-identification.

A. Describe the member information involved.

B. Were direct patient identifiers of information included? (i.e. names or social security numbers of patients)

C. If no direct identifiers of information were provided, is there a likelihood that the PHI involved could be re-identified based on the context and the ability to link the PHI with other available information?

D. Is PHI that was involved sensitive in nature? If yes, please describe in further detail (e.g. a sensitive diagnosis such as substance abuse, behavioral health, HIV, sexually transmitted disease)

II. Unauthorized person who used the PHI or to whom the disclosure was made

E. Who accessed/used the information or to whom was the information disclosed?

F. Was the information disclosed to someone with obligations to protect the privacy of the PHI? (e.g. another covered entity, attorney) Please explain.

G. Was the PHI disclosed to someone with a reason to want to misuse the PHI? (e.g. to an employer or family member) Please explain.

III. Was the PHI actually acquired or viewed

Can you demonstrate that PHI was not accessed (i.e. a laptop was stolen but a forensic analysis shows that the PHI was not accessed)? Please explain.

IV. Extent to which the risk of the PHI has been mitigated

A. Have you received satisfactory assurances from the person who received the PHI that they destroyed the information and did not share the PHI? Please explain and attach written attestation if available.

B. Describe any other mitigating factors:

CONCLUSION (describe why the combination of these factors supports a finding that there was a low probability of compromise):


Terms of Policy

Applicable Law

Subject to certain limitations, HIPAA and applicable state law permit Individuals to obtain access to Protected Health Information about them maintained by Oscar or its Business Associates in a Designated Record Set.

Process for Handling Access Requests

Any requests from Individuals (a minor patient authorized by law to be able to consent to medical treatment may make such a request) or their personal representatives requesting access to Protected Health Information that are received by an employee shall be promptly transmitted to the Privacy Officer. The Privacy Officer shall determine whether access to Protected Health Information should be provided to an Individual.

Right to Access

Subject to the conditions and limitations set forth in this policy, any Individual may request that he or she be allowed to inspect and/or obtain a copy of any Protected Health Information about the enrollee maintained by or for Oscar in a Designated Record Set. Such requests may be made by the Individual or any other person who is qualified to act as the Individual's personal representative under state or federal law.

All requests for access must be made by the Individual in writing. Requests shall be received and processed by the Member Services Department, which shall seek the advice of the Medical Director and/or Chief Privacy Officer, as necessary and appropriate.

It shall be the Individual’s option as to whether access is provided by inspection and/or copying. Information must be provided in the format requested by the Individual (e.g., electronic or paper) if it is maintained in such format. Oscar may provide a summary or explanation of the requested information in lieu of providing access if agreed to by the Individual. In California, if the Individual agrees to receive the summary, Oscar must provide it within 10 working days of the request; however, if needed, Oscar may request up to 30 days to provide the summary.

Time Frames for Responding to Requests for Access

Under HIPAA, within 30 days of receiving a request for access to Protected Health Information, Oscar must either (i) notify the Individual that access has been granted and arrange for such access or (ii) issue a written denial notice.

If Oscar is unable to respond to a request within the time frames specified above, Oscar may extend the time for issuing a response by an additional 30 days if, within the generally applicable time frame, it notifies the Individual in writing of the reason for the delay and the date by which it will issue a response. Oscar may extend the time frame for responding only once with respect to each request.

In California, an Individual must be permitted to inspect his or her records within 5 business days of receiving the written request. If the California resident requests a copy of his or her record, the copy must be sent by Oscar Health Plan of California within fifteen days after receiving the written request.

For New Jersey residents, Oscar of New Jersey must permit the Individual to inspect and copy his or her Protected Health Information in person or obtain a copy of it by mail, whichever the Individual prefers, within 30 business days of receiving the written request.

Note: For New Jersey residents, in addition to providing the Protected Health Information to the Individual, Oscar Insurance Company of New Jersey may also provide a list of all persons to whom it has disclosed such information within the two years prior to the request for access, if that information is recorded. If such information is not recorded, then Oscar must inform the Individual of the names of those persons to whom it normally discloses such information.

Denial of Access

Oscar may deny access to Protected Health Information for any of the following reasons (the "Unreviewable Reasons"):

· The information consists of psychotherapy notes;

· The information was compiled in anticipation of or for use in a lawsuit or administrative proceeding;

· The information may not be disclosed to enrollees pursuant to the Clinical Laboratory Improvements Amendments of 1988 ("CLIA"); or

· The information requested was obtained from someone other than a health care provider under a promise of confidentiality and the release of the information would be reasonably likely to reveal the source of the information.

Oscar may also deny access to Protected Health Information on a case-by-case basis for any of the following reasons (the "Reviewable Reasons"):

· A licensed health care professional determines that providing access is reasonably likely to endanger the life or physical safety of the Individual or another person;

· The information requested makes reference to another person (other than a health care provider) and a licensed health care professional determines that providing access is reasonably likely to cause substantial harm to that person; or

· Access is requested by a personal representative of the Individual and a licensed health care professional determines that providing access is reasonably likely to cause substantial harm to the Individual or another person.

If Oscar does not maintain the information requested by an Individual and Oscar knows where such information is maintained, it will inform the Individual as to where to direct his or her request for access.

Appeal Rights

If Oscar denies access based on a Reviewable Reason, the Individual shall have the right to appeal the denial. Any such appeal shall be handled within a reasonable time period by a licensed health care professional who was not involved in the initial determination. Written notice of the appeal decision shall be promptly mailed to the Individual. Individuals shall have no right to appeal denials of access based on Unreviewable Reasons.

Fees

Oscar will charge Individuals requesting copies of Protected Health Information a reasonable fee¹ that covers the costs associated with copying (including supplies and labor), postage (if the information is mailed) and preparation of a summary or explanation of the information (if applicable and agreed to in advance by the Individual). Oscar will maintain a list of such charges that will be updated from time to time. No fees will be charged for the inspection of records at Oscar's offices.

Record Retention

Oscar will retain records of all correspondence and other documents related to requests made by Individuals for access to Protected Health Information for a period of six years from the date of the request.

Enforcement of Policy

This policy will be enforced by the Privacy Officer. Employees who violate this policy will be subject to disciplinary action, up to and including termination.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].

¹ In California, the copying fee may not exceed $0.25 per page, plus any additional reasonable clerical cost incurred in making the records available.

References: HIPAA; CA Health and Safety Code § 123100 et seq.; Tex. Ins. Code § 602.002; N.J. Stat. Ann. §§ 17:23A-1


Protected Health Information for the intended purpose.

Scope of Minimum Necessary Requirement

The obligation to use, disclose or request the minimum necessary Protected Health Information does not apply to:

• Uses and disclosures for purposes of providing medical treatment.

• Disclosures to the individual who is the subject of the Protected Health Information or to another individual authorized to act on the individual’s behalf.

• Uses or disclosures made pursuant to the written authorization of the individual or his or her personal representative.

• Disclosures to the Secretary of the U.S. Department of Health and Human Services or other uses or disclosures required for compliance with HIPAA.

• Uses or disclosures that are required by law.

Minimum Necessary Protocols and Criteria

The Privacy Officer will develop and maintain the following:

• A set of standard protocols that will be followed by employees in the department for requests, uses or disclosures of Protected Health Information that are subject to the minimum necessary requirement and are carried out on a routine and recurring basis. The protocols will specify the type of Protected Health Information that is required for each such request, use or disclosure.

• The Privacy Officer, in collaboration with Team Leads, will develop a set of criteria that will be applied on a case-by-case basis by employees in the department for requests, uses or disclosures of Protected Health Information that are subject to the minimum necessary requirement and are not carried out on a routine and recurring basis. The initial application of these criteria to a particular type of request, use or disclosure will be approved by the Manager.

The protocols and criteria developed by Managers under this policy will be subject to the review and approval of the Privacy Officer and will be modified as necessary to reflect changes in Oscar business processes or other business requirements. Managers will be responsible for ensuring that each employee within his or her department receives a copy of and is trained to apply all protocols and criteria applicable to the employee’s job function.


To the extent applicable, all protocols and criteria adopted under this policy will allow employees to automatically treat a request to Oscar for Protected Health Information as the minimum necessary for the intended purpose under the following circumstances:

• The Protected Health Information is requested by a public official in accordance with applicable law and the public official represents that the information requested is the minimum necessary.

• The Protected Health Information is requested by another health care provider or health plan that is covered by HIPAA and the party requesting the information represents that it is the minimum necessary.

• The Protected Health Information is requested by an employee or independent contractor of Oscar who is a professional (such as an attorney or accountant) for the purpose of providing professional services to Oscar and the professional represents that the information requested is the minimum necessary.

• The Protected Health Information is disclosed for research purposes pursuant to the approval of an Institutional Review Board or Privacy Board of another provider or covered entity and the researcher represents that the information requested is the minimum necessary for research purposes.

Employee Access Rights

Each Team Lead of an Oscar department that has access to Protected Health Information will prepare a schedule of all positions within the department and the types of Protected Health Information, if any, to which access is required for carrying out the duties of each position. Any conditions that an employee in a particular position must satisfy prior to obtaining access to Protected Health Information (e.g., approval of a supervisor) will be specified. The schedule will be subject to the review and approval of the Privacy Officer and will be modified as necessary to reflect changes in job functions and Oscar business processes. Copies will be provided to the Head of Technical Operations. Oscar will make reasonable efforts, consistent with Oscar’s business needs and available resources, to limit the access of employees to the Protected Health Information they require to perform their jobs, as set forth in the above-referenced schedules, through the implementation of administrative, physical and technical safeguards established under other Oscar policies.

Enforcement

This policy will be enforced by the Privacy Officer. Employees who violate this policy will be subject to disciplinary action, up to and including termination.

Questions and Further Guidance


If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].


Terms of Policy

Treatment, Payment and Health Care Operations

Under HIPAA, Protected Health Information may be used and disclosed without the Individual’s authorization for purposes of providing treatment, obtaining or making payment for health care services or carrying out certain health care operations such as quality improvement, auditing, legal review, business management and administration.

Employees shall consult with the Privacy Officer regarding any questions as to whether a requested use or disclosure of Protected Health Information is permitted under HIPAA. Moreover, employees must consult with the Privacy Officer prior to using or disclosing especially sensitive types of Protected Health Information without the Individual’s authorization so that the Privacy Officer may determine whether state or federal laws require greater privacy protection. Sensitive types of Protected Health Information include information relating to alcohol or substance abuse treatment, HIV/AIDS, mental illness, genetic testing or marker information, or family planning services.

Family Members and Friends

Oscar employees may disclose Protected Health Information about an Individual to any family members or friends of the Individual who are assisting with the Individual’s treatment or benefits if the Individual orally agrees to the disclosure; provided, however, that highly sensitive information, such as HIV or AIDS diagnosis or treatment information, mental health or substance abuse treatment, genetic testing or markers, or reproductive rights information may only be disclosed if the Individual provided express written consent for those disclosures. Further, note that a minor’s consent must be obtained if the minor is authorized by law to be able to consent to medical treatment. If the Individual does not have the capacity to provide his or her agreement (e.g., if the Individual is under anesthesia or receiving emergency treatment), employees may disclose Protected Health Information to a family member or friend if the employee determines, in his or her professional judgment, that the disclosure is in the Individual’s best interest. Employees are encouraged to consult with the Privacy Officer, if practicable, when making these determinations.

“Public Interest” Purposes

HIPAA permits Oscar to use and disclose Protected Health Information for certain public interest purposes without an Individual’s authorization. These public interest purposes include, among others, complying with a state or federal law mandating disclosure, permitting public health reporting or oversight of the health care system by government agencies, complying with court orders or subpoenas and cooperating with certain law enforcement investigations. Employees must obtain the approval of the Privacy Officer prior to using or disclosing Protected Health Information for any of these purposes. The Privacy Officer shall consult with Legal Counsel as appropriate to ensure that all such disclosures are made in compliance with HIPAA.


Individual Authorization

Oscar may use or disclose Protected Health Information for purposes not otherwise permitted by this policy with the written authorization of the Individual who is the subject of the information, or his or her personal representative. Oscar will obtain an authorization directly from an Individual on an authorization form, a copy of which may be obtained from the Privacy Officer.

All signed authorization forms must be retained in the Individual’s files for a period of six years. Individuals must be provided with a copy of the completed form. Prior to using or disclosing Protected Health Information based on an Individual’s authorization, employees must review the Individual’s file to confirm that the expiration date or event specified in the authorization has not passed and that the authorization has not been revoked.

Member Requests Relating to Protected Health Information

Individuals have certain rights under HIPAA with respect to their own Protected Health Information. Oscar will ensure these rights are satisfied in accordance with Oscar’s Accounting of Disclosures of Protected Health Information Policy, Member Access to Protected Health Information Policy and Member Amendment of Protected Health Information Policy.

Minimum Necessary

The use and disclosure of Protected Health Information must be carried out in accordance with Oscar’s Minimum Necessary Policy.

Business Associates

Oscar may share Protected Health Information with a Business Associate only if the Business Associate has entered into a Business Associate Agreement with Oscar. Legal Counsel shall develop a model agreement for this purpose. No employee may modify any provision of the model agreement without the approval of the Privacy Officer.

Privacy Violations by Business Associates

If an employee believes that a Business Associate has engaged in a pattern of activity or practice that violates the provisions of the applicable Business Associate Agreement or HIPAA, the employee shall immediately notify the Privacy Officer, who shall investigate the matter. If the Privacy Officer determines that such a violation has occurred, the Privacy Officer shall inform Legal Counsel. Legal Counsel shall be responsible for issuing a notice to the Business Associate requesting a cure of the violation. If no cure has occurred within a reasonable time period set forth in the notice, the Privacy Officer shall direct the termination of Oscar’s Business Associate Agreement with the Business Associate unless the Privacy Officer, in consultation with other appropriate employees, determines that such termination is infeasible.


Otherwise Permitted by Law

Oscar may disclose Protected Health Information as authorized or permitted by HIPAA or applicable state law.

Enforcement

This policy will be enforced by the Privacy Officer. Employees who violate this policy will be subject to disciplinary action, up to and including termination.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].

References: HIPAA, 42 CFR Part 2; N.Y. Pub. Health Law Article 27-F; N.Y. Pub. Health Law § 33.13; Tex. Occ. Code Ann. § 159.002; Tex. Health & Safety Code Ann. § 85.260; N.J. Stat. Ann. § 17-23A-13; N.J. Stat. Ann. §§ 26:5C-7; 25:5C-8; Cal. Civ. Code § 56.10.


these elements must be observed by employees:

• Confidential Documents must not be left unattended in any public area.

• Confidential Documents may not be transmitted by interoffice mail unless they are enclosed in a sealed envelope marked “Confidential.”

• All Confidential Documents must be placed in folders, drawers or face down on desks and workspaces when employees are not actively working on the Confidential Documents. At the end of each workday, all Confidential Documents must be cleared from employees’ desks.

• Employees must promptly retrieve Confidential Documents from printers, copiers and fax machines.

• Employees may not dispose of Confidential Documents in an unlocked waste receptacle.

• When mailing Confidential Documents, employees must take reasonable steps to ensure that they have the correct address. Confidential Documents should not be left unsealed in outgoing mail bins or trays.

• Prior to gaining access to Confidential Documents, all Employees must receive training in the use and disclosure of Protected Health Information and must affirm completion of Oscar’s HIPAA training. Record of the affirmation is maintained by the Compliance Department.

• When handling Confidential Documents, employees must comply with all other applicable policies of Oscar, including Oscar’s Policy for the Use and Disclosure of Protected Health Information.

Storage of Confidential Documents

All Confidential Documents that are maintained on-site shall be stored in locked file cabinets or rooms that shall remain locked when not in use. Only authorized employees shall have access to the keys or combinations to these cabinets and rooms.

If Oscar stores Confidential Documents off-site, employees involved in selecting off-site document storage companies or services on behalf of Oscar shall comply with the following requirements:


• Before any entity furnishes document storage services, Oscar must execute a written business associate agreement with such entity.

• The entity must be appropriately insured and each of its employees that will be handling Oscar’s documents must be bonded.

• The facility in which the documents will be stored must be secure and contain adequate fire and security systems as well as environmental controls.

• The storage facility must have a reliable system for indexing all of Oscar’s documents, as well as a system for the retrieval of documents in a manner and timeframe acceptable to Oscar.

• The entity must have a secure mechanism for transporting Confidential Documents from Oscar’s offices to the storage facility.

Document storage companies must provide Oscar with a written inventory of all Confidential Documents removed from Oscar’s facilities at the time such documents are collected for storage.

Destruction of Confidential Documents

Confidential Documents shall be disposed of in locked trash receptacles located within the facility. Confidential Documents that do not need to be retained shall be destroyed at the end of each workday. Confidential Documents that have been stored by Oscar shall be destroyed promptly when the retention period approved by Oscar has expired. Confidential Documents, including any surplus or draft copies, shall be destroyed only by shredding.

The destruction of Confidential Documents that have been stored by Oscar at the end of a specified retention period must be authorized by the Chief Security Officer. In addition to complying with the requirements for shredding other Confidential Documents, employees shredding Confidential Documents at the end of a retention period shall include a general description of such documents in the logbook.

Employees involved in the selection process of off-site document shredding services on behalf of Oscar shall comply with the following requirements:

• Before any entity provides document shredding services, Oscar must execute a written business associate agreement with such entity.

• The entity must be appropriately insured and each of its employees that will be handling Confidential Documents must be bonded.


To confirm that Confidential Documents have been destroyed by vendors providing shredding services, an authorized employee must witness the destruction of such documents or the shredding service must provide an executed certificate of destruction verifying that all materials provided by Oscar have been totally destroyed. The certificate of destruction or a written description of the date, time and nature of the documents destroyed signed by the witness, as applicable, shall be forwarded to the Chief Security Officer. The Chief Security Officer shall retain such information for at least two years.

Enforcement

Employees who do not comply with this policy will be subject to disciplinary action by Oscar. Depending upon the facts and circumstances of each case, Oscar may reprimand, suspend, dismiss or refer for criminal prosecution any employee who fails to comply with this policy.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].


• Full name

• DOB

• Oscar ID number

• Address on file

• Last four of SSN

For an outgoing call where an Oscar employee is calling the member, the Oscar employee should ask to speak with the individual to whom the information pertains. To confirm the person’s identity, the Oscar employee should confirm at least two of the following items:

• Oscar ID number

• Address on file

• DOB

• Last four of SSN

If the information above is confirmed and the individual requesting the information is not the individual to whom the information pertains, Oscar may only provide enrollment status, premium payments, and claim billed amounts. Additional authorization must be obtained from the member before Oscar can release further information. If the individual indicates that there is an authorization on file, the Oscar employee must locate the authorization before providing any additional information. Note that even with an authorization on file, certain conditions may not be discussed with the representative unless the authorization specifically notes that they may be shared. These conditions vary by state. Please see each state’s HIPAA Authorization Form for further guidance. These conditions include:

• Alcohol/substance abuse

• HIV/AIDS

• Mental health (excluding psychotherapy notes)

• Genetic Testing/Information

• Sexually Transmitted Diseases

• Reproductive Rights

Leaving Messages

When leaving a message for a member, the message should include the employee’s name, their affiliation with Oscar, the name of the individual they are trying to reach, Oscar’s phone number and a generic description stating the purpose for the call (such as the employee is returning the member’s call). The message should never include PHI, such as details about a claim, a condition, a test, or a prescription.


Providing Information to Dependent Children

Information about dependent children can be provided to parents or guardians covered under the same plan. For a child-only plan, PHI can be provided to the Responsible Adult listed on the child’s policy. However, there are some categories which are protected by law and cannot be discussed with a parent or guardian. These conditions vary by state. Please see each state’s HIPAA Authorization Form for further guidance. These categories are:

• Alcohol/substance abuse

• HIV/AIDS

• Mental health (excluding psychotherapy notes)

• Genetic Testing/Information

• Sexually Transmitted Diseases

• Reproductive Rights

The law encourages minors to seek care for the conditions mentioned above without parental notification or consent. It is up to the minor to share this information with his/her parent or guardian. If the dependent calls and is able to verify their information (in the manner set forth above), the information related to the above should be shared with the individual.

Family Members and Friends

Oscar employees may disclose Protected Health Information about an individual to the individual’s family member or friend who is assisting with the individual’s treatment or benefits if the individual orally agreed to the disclosure of the individual’s medical information. The verbal authorization terminates at the end of the call and must be documented internally. If the individual does not have the capacity to provide his or her consent (e.g., if the individual is under anesthesia or receiving emergency treatment), the employee may disclose Protected Health Information to a family member or friend if the employee determines, in his or her professional judgment, that the disclosure is in the individual’s best interest. However, information about an individual’s HIV or AIDS status should never be disclosed to a family member or friend. Information of this nature is specifically protected under NYS Article 27-F.

Employees are encouraged to consult with the Chief Privacy Officer, if practicable, when making determinations related to the above.

Individual Authorization

Oscar may use or disclose Protected Health Information for purposes not otherwise permitted by this policy with the written authorization of the individual who is the subject of the information, or the written authorization of his or her personal representative. Oscar will obtain an authorization directly from an individual on an authorization form. A copy of the HIPAA Authorization Form may be obtained from the Chief Privacy Officer. All signed HIPAA Authorization Forms must be retained in the individual’s file for a period of six years. Individuals must be provided with a copy of the completed HIPAA Authorization Form. Prior to using or disclosing Protected Health Information based on an individual’s authorization, employees must review the individual’s file to confirm that the expiration date or event specified in the authorization has not passed and that the authorization has not been revoked.

Minimum Necessary

The use and disclosure of Protected Health Information must be carried out in accordance with Oscar’s Minimum Necessary Policy.

Enforcement

This policy will be enforced by the Chief Privacy Officer. Employees who violate this policy will be subject to disciplinary action, up to and including termination.

Questions and Further Guidance

If you have any questions or need further guidance regarding any aspect of this Policy, please contact Compliance at [email protected].