We have reviewed the Standards for Privacy of Individually Identifiable Health Information promulgated by the Department of Health and Human Services (HHS) pursuant to HIPAA and HITECH and comply with these regulations for impacted products.
Please note that the majority of our products are exempt from HIPAA mandates. For example, Long Term Disability, Short Term Disability, Life, Supplemental Disability, Accident and Critical Illness coverages are excluded from the HIPAA privacy regulations. However, certain products are covered including Long Term Care and various "medical" plans such as Cancer Assist from VB portfolios or Dental policies (hereafter, "covered products").
For Long Term Care and other covered products under the HIPAA privacy regulations, we have implemented compliance, amending service provider (business associate) agreements, developing and distributing privacy notices, to covered policyholders, and developing and revising Policies and Procedures. We are also using HIPAA compliant authorizations during our underwriting and claims processes to facilitate collection of health information from health care providers who are covered by HIPAA.
We are continuously enhancing our Enterprise Security Framework. This provides us with a unified security framework that provides the direction to ensure the availability, integrity and accuracy of company assets, customer data, and personally identifiable information. The framework also provides the foundation that enables secure access to company assets by employees, customers and business partners anytime from anywhere. "Components include, but are not limited to:"
- Security policies, procedures and guidelines
- Security awareness and training
- Risk assessment and management
- Data classification
- Security monitoring and reporting
- Incident response/management
- Security consulting
- Security auditing
- Implementation/utilization of the security tools of the trade.
We use the Information Security Standards of the ISO 27002 as well as HIPAA security requirements as guides to the development of this framework. Our goal is to be in compliance with these standards by the compliance date.
Electronic data interchange
Federal regulations adopted under HIPAA establish "Standard Transactions and Code Sets" for the sharing of certain data by electronic means. These standards for data elements, code sets and formats are to be used by covered entities when those entities use EDI to conduct certain transactions ("covered transactions") for insurance products that are covered by HIPAA ("covered products"). Covered Entities include certain insurers to the extent their insurance products are Covered Products. "Covered Transactions" are certain HHS defined transfers, via electronic media, of information to carry out financial or administrative activities related to covered products.
We have undertaken an extensive review and inventory of products and data transfers to verify those within the scope of the HIPAA Rules. We have developed policies and procedures so that Unum is capable of conducting Covered Transactions with respect to our covered products using the mandated Standard Transactions and Code Sets.