We have reviewed the Standards for Privacy of Individually Identifiable Health Information promulgated by the Department of Health and Human Services (HHS) pursuant to HIPAA and HITECH and comply with these regulations for impacted products.
Please note that the majority of our products are exempt from HIPAA mandates. For example, Long Term Disability, Short Term Disability, Life, Supplemental Disability, Accident and Critical Illness coverages are excluded from the HIPAA privacy regulations. However, certain products are covered including long term care, expense-based cancer, hospital confinement, dental, vision, or intensive care policies, certain medical coverages, and other health plans pursuant to the Health Insurance Portability and Accountability Act ("HIPAA").
For Long Term Care and other covered products under the HIPAA privacy regulations, we have implemented compliance, amending service provider (business associate) agreements, developing and distributing privacy notices, to covered policyholders, and developing and revising Policies and Procedures. We are also using HIPAA compliant authorizations during our underwriting and claims processes to facilitate collection of health information from health care providers who are covered by HIPAA.
Unum is continually evaluating and enhancing our Enterprise Security Framework. This framework helps ensure the availability, integrity and accuracy of company assets, customer data, and personally identifiable information. The framework provides the foundation that enables secure access to company assets by employees, customers and business partners anytime from anywhere. Components include, but are not limited to:
- security policies, procedures and guidelines
- security awareness and training
- risk assessment and management
- data classification
- security monitoring and reporting
- incident response/management
- security consulting
- security auditing
- implementation/utilization of the security tools of the trade
Unum uses the Information Security Standard ISO 17799/27001 as well as regulatory requirements from HIPAA and GLB in the development and improvement of our Security Framework.
Electronic data interchange
Federal regulations adopted under HIPAA establish "Standard Transactions and Code Sets" for the sharing of certain data by electronic means. These standards for data elements, code sets and formats are to be used by covered entities when those entities use EDI to conduct certain transactions ("covered transactions") for insurance products that are covered by HIPAA ("covered products"). Covered Entities include certain insurers to the extent their insurance products are Covered Products. "Covered Transactions" are certain HHS defined transfers, via electronic media, of information to carry out financial or administrative activities related to covered products.
We have undertaken an extensive review and inventory of products and data transfers to verify those within the scope of the HIPAA Rules. We have developed policies and procedures so that Unum is capable of conducting Covered Transactions with respect to our covered products using the mandated Standard Transactions and Code Sets.