Secured by GoDaddy
- Read our HIPAA Notice of Privacy Practices
NOTICE OF PRIVACY PRACTICE
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THE PRIVACY OF YOUR HEALTH INFORMATION IS IMPORTANT TO US.
OUR LEGAL DUTY
We respect your right to privacy and function to ensure your confidentiality by following federal and state laws concerning protected health information. This Notice describes the manner and means by which Visionworks demonstrates the appropriate privacy measures. We are required by applicable federal and state law to maintain the privacy of your protected health information. "Protected Health Information" (PHI) is your individually identifiable health information, including demographic information, collected from you or created or received by a health care provider, a health plan, your employer, or a healthcare clearinghouse that relates to: (i) your past, present, or future physical or mental health or condition; (ii) the provision of health care to you; or (iii) the past, present, or future payment for the provision of health care to you. We are also required to give you this Notice about our privacy practices, our legal duties, and your rights concerning your protected health information. We are also required to notify you following a breach of unsecured PHI. We must follow the privacy practices that are described in this Notice while it is in effect. This Notice takes effect September 23, 2013, and will remain in effect until we replace it.
We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. We reserve the right to make the changes in our privacy practices and the new terms of our Notice effective for all health information that we maintain, including health information we created or received before we made the changes. In the event we make a material change in our privacy practices, we will change this Notice and provide it to you.
You may request a copy of our Notice at any time. For more information about our privacy practices, or for additional copies of this Notice, please contact us using the information listed at the end of this Notice.
USES AND DISCLOSURES OF HEALTH INFORMATION
In order to administer our benefit programs effectively, we collect, use and disclose PHI for certain of our activities, including payment and health care operations. We may use and disclose PHI about you for treatment, payment, and healthcare operations. For example:
Treatment: We may use or disclose your PHI to an optician, ophthalmologist or other health care provider providing treatment to you for: (a) the provision, coordination, or management of health care and related services by health care providers; (b) consultation between health care providers relating to a patient; (c) the referral of a patient for health care from one health care provider to another, or (d) recall information. For example, we may disclose your PHI outside our Retail Dispensary for treatment purposes if we refer you to another Retail Dispensary for a prescription for glasses or contacts to be filled or when we phone you to let you know your glasses or contact lenses are ready to be picked up. Sometimes we may ask for copies of your PHI from another professional that you may have seen before us. We also may disclose your PHI to others who may help in your care, such as your spouse, children or parents.
Payment: We use and disclose your PHI to obtain payment for services we provide to you. This may include: (a) billing and collection activities and related data processing; (b) actions by a health plan or insurer to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under its health plan or insurance agreement, determinations of eligibility or coverage, adjudication or subrogation of health benefit claims; (c) medical necessity and appropriateness of care reviews, utilization review activities; and (d) disclosure to consumer reporting agencies of information relating to collection of premiums or reimbursement.
Online Credit Card Payment and Payment Information
Visionworkscontacts.com does not capture or store your credit card information. The transactional ordering process utilizes a payment gateway (CyberSource) wherein Secure Acceptance accepts payments from the web and mobile browsers without payment data entering the Visionworkscontacts.com system. Payments are accepted using Point-to-Point Encryption (P2PE) and Payment Tokenization thus avoiding the storing of payment data. Payment Authorization Tokens are held until Payment Settlement which occurs at time of order shipment. Returns and any applicable credits are handled by contacting Customer Service at 855-589-7910.
We protect your password information using technical and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration of passwords. Some of the safeguards we use are strong password validation, temporary password reset procedures, and encryption of passwords when stored.
Passwords must be a minimum of 8 characters in length, contain a mix of upper case, lower case, at least one numeric and at least one special character.
If more than six failed login attempts are made to an account, a password lockout threshold is reached and the account will be locked for twenty (20) minutes. After the twenty (20) minutes, the account is reset and the failed attempts are cleared. During the lockout period you will NOT be able to login or reset your password.
Password reset requires user account validation wherein an email is sent, to the email address on file, with a temporary password. The temporary password is valid for a set period of time during which a user must login to their account and reset their password.
User Password Management:
- Users should never share their passwords with anyone else
- Users should never share their passwords with any outside parties, including those claiming to be representatives of a business with a legitimate need to access user information
- Users should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information
- Users must refrain from writing passwords down and keeping them accessible
- Users should not use password managers or other tools to help store and remember passwords
Health Care Operations: We use and disclose your PHI in connection with our health care operations. Health care operations include things such as quality assessment and improvement activities, reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, conducting training programs, accreditation, certification, licensing or credentialing activities.
Your Authorization: Other uses and disclosures of PHI not covered by this Notice or applicable laws will be made only with your written permission. In addition to our use of your health information for treatment, payment or health care operations, you may give us written authorization to use your PHI or to disclose it to anyone for any purpose. If you give us an authorization, you may revoke it in writing at any time. Your revocation will not affect any use or disclosures permitted by your authorization while it was in effect. Unless you give us a written authorization, we cannot use or disclose your PHI for any reason except those described in this Notice.
Marketing Health Products or Services: We may use or disclose your PHI for marketing purposes without your permission in certain situations, such as when we discuss products or services with you face to face or to provide you with an inexpensive promotional gift related to the product or service. We also may contact you to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you where permitted by law. For other types of marketing activities we will obtain your written permission before using or disclosing your PHI.
To You, Your Family and Friends: We must disclose your PHI to you, as described in the Patient Rights section of this Notice. We may disclose your protected health information to a family member, friend or other person to the extent necessary to help with your health care or with payment for your health care, but only if you agree that we may do so or, if you are not able to agree, if it is necessary in our professional judgment.
Persons Involved in Care: We may use or disclose PHI to notify, or assist in the notification of (including identifying or locating) a family member, your personal representative or another person responsible for your care, of your location, your general condition, or death. If you are present, then prior to use or disclosure of your PHI, we will provide you with an opportunity to object to such uses or disclosures. In the event of your incapacity or emergency circumstances, we will disclose PHI based on a determination using our professional judgment disclosing only protected health information that is directly relevant to the person's involvement in your health care. We will also use our professional judgment and our experience with common practice to make reasonable inferences of your best interest in allowing a person to pick up filled prescriptions, medical supplies, x rays, or other similar forms of PHI.
Appointment Reminders and Treatment Alternatives: We may use or disclose your PHI to provide you with appointment reminders (such as voicemail messages, postcards, or letters) or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
Legal Obligations and Public Policy Disclosures: We may use and/or disclose your PHI as permitted or required by federal, state or local law, in the following situations:
- To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplants.
- Your PHI may be released if a work force member or business associate believes in good faith that there has been unlawful conduct or violation of professional or clinical standards which are potentially dangerous to one or more patients, workers or the public.
- To military authorities if you are a member of the armed forces (of either the United States or a foreign government).
- To workers' compensation or similar programs to the extent authorized by and necessary to comply with laws relating to workers compensation or other similar programs established by law.
- To public health or legal authorities for public health activities. For example to report births and deaths, or for the prevention or control of disease, injury, or disability, or, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.
- In response to a court or administrative order, subpoena, discovery request, or other lawful process, but only if efforts have been made to tell you about the request.
- To law enforcement if asked to do so (1) to identify or locate a suspect, fugitive, material witness or missing person; (2) regarding the victim of a crime if, under certain limited circumstances, we are unable to obtain the person's agreement; (3) regarding a death we believe may be the result of criminal conduct; (4) regarding criminal conduct at our facilities; or (5) in emergency circumstances to report information regarding a crime.
- We may disclose PHI to a medical examiner or coroner to identify a dead person or to identify the cause of death. If necessary, we will share PHI with funeral directors.
- We may use and disclose your PHI when necessary to reduce or prevent a serious threat to your health and safety or another individual or the public. Under these circumstances, we will only disclose your PHI to the person or organization able to help prevent the threat.
- We may disclose your PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
- We may disclose to the FDA health information related to known adverse events with respect to food, supplements, pharmaceuticals, product defects or information to enable product recalls, repairs or replacements.
- We may disclose your PHI to authorized federal officials for intelligence, counter-intelligence and other national security activities authorized by law.
- We may disclose your PHI to a health oversight agency for purposes of 1) monitoring the health care system, 2) determining benefit eligibility for Medicare, Medicaid and other government benefit programs, and 3) monitoring compliance with government regulations and civil rights laws.
- We may disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your PHI if we believe that you have been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws. To the correctional institution or law enforcement official if you are an inmate of a correctional institution or under the custody of a law enforcement official.
Access, Inspect and copy: You have the right to review or get copies of your PHI, with limited exceptions. You may request that we provide copies in a format other than photocopies. We will use the format you request unless we cannot practicably do so. You must make a request in writing to obtain access to your protected PHI. You may obtain a form to request access by using the contact information listed at the end of this Notice. You may also request access by sending us a letter to the address at the end of this Notice. If you prefer, we will prepare a summary or an explanation of your PHI for a fee.
We may deny your request to inspect and copy your PHI in certain limited circumstances. If you are denied access to your information, you may request that the denial be reviewed. A licensed health care professional chosen by us will review your request and the denial. The person performing this review will not be the same one who denied your initial request. Under certain conditions, our denial will not be reviewable. If this event occurs, we will inform you in our denial that the decision is not reviewable.
Disclosure Accounting: You have the right to receive a list of instances in which we or our business associates disclosed your PHI for purposes, other than treatment, payment, health care operations, where you have provided an authorization and certain other activities, for the last 6 years. If you request this accounting more than once in a 12 month period, we may charge you a reasonable, cost based fee for responding to these additional requests.
Restriction: You have the right to request that we place additional restrictions on our use or disclosure of your protected PHI. Any agreement we may make to a request for additional restrictions must be in writing signed by a person authorized to make such an agreement on our behalf. You may terminate this restriction if you submit the termination in writing, or if we inform you that we are terminating the restriction. Any termination will apply only to PHI created or received after receipt of the termination.
In your written request tell us: (1) the information whose disclosure you want to limit; and (2) how you want to limit our use and/or disclosure of the information. In the event that products or services were paid out of pocket in full, at your request, we will not share information about those services with a health plan for purposes of payment or health care operations. "Health plan" means an organization that pays for your medical care.
Alternative Communication: You have the right to request in writing that we communicate with you about your PHI by alternative means or to alternative locations. Your request must specify the alternative means or location, and provide satisfactory explanation how payments will be handled under the alternative means or location you request.
Although you may initiate your request verbally, you must make your request in writing. We must reasonably honor your request. However, the request must allow us to communicate and serve you effectively.
Amendment: You have the right to request that we amend your PHI. Your request must be in writing, and it must explain why the information should be amended. We may deny your request under certain circumstances.
If you disagree with our decision, you may submit your written statement of disagreement to be appended to the information you wanted amended. If we accept your request to amend the information, we will make reasonable efforts to inform others, including people you name, of the amendment and to include the changes in any future disclosures of that information.
Electronic Notice: If you receive this Notice on our Web site or by electronic mail (e mail), you are entitled to receive this Notice in written form.
QUESTIONS AND COMPLAINTS
If you want more information about our privacy practices or have questions or concerns, please contact us.
If you are concerned that we may have violated your privacy rights, or you disagree with a decision we made about access to your PHI or in response to a request you made to amend or restrict the use or disclosure of your protected health information or to have us communicate with you by alternative means or at alternative locations, you may complain to us using the contact information listed at the end of this Notice. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.
We support your right to the privacy of your protected health information. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.Visionworks Privacy Office
175 E. Houston Street
San Antonio, TX 78205
1. INFORMATION WE COLLECT
Visionworks does not collect personal information unless you voluntarily provide it to us. We do, however, collect certain types of information and ask for personal information in certain circumstances, such as when you set up a User Account, use the Frame Finder™ service, request custom alerts and notifications regarding particular products and product categories, indicate your favorite products, and search for products on the Site. The following sections describe the type of information we collect and how we collect it.
- Information You Give Us. All users may visit the public areas of the Site without disclosing any personal information about themselves. However, in order to use certain Site Features, you may be asked for, or you may choose to provide, certain personally identifiable information ("PII"), such as your name, email address, mailing address, phone number and similar information. We will not collect PII from you while you use the Site Features unless you voluntarily provide it to us or authorize us to collect such information. When you complete a registration form to create a User Account, we require you to provide us with relevant PII.
- Log Information. Our servers automatically track certain information about you as you use our Site. This information may include the URL that you just came from, which URL you go to next, what browser you are using, and your IP address. Our site logs do generate certain kinds of non-identifying site usage data, such as the number of hits and visits to our Site. This information is used for internal purposes by technical support staff to provide better services to the public and may also be provided to others, but the statistics contain no personal information and cannot be used to gather such information.
- Favorites and Custom Alerts. You may choose to submit information pertaining to your areas of interest, including the designation of certain categories of content as "favorites" or the like. Similarly, you may choose to sign-up for customized alerts and notifications pertaining to certain products or product categories featured on the Site. This information is used to personalize the Site Features and tailor the Site to your particular preferences.
- User Content. You may choose to submit content to the Site (hereinafter, "User Content"), including personal photographs for use in connection with the Frame Finder™ service. This User Content will be used to facilitate delivery of the Site Features.
- Usage Activity. When you use the Site Features we may track your usage history, including search history and the particular content you viewed. This usage history will be used for your convenience, so that you can easily access past searches and content of interest.
2. SHARING OF INFORMATION
We may use personal information that you provide to us to personalize your profile information, maintain, customize and add new resources and services, and allow communication and interaction between you and Visionworks, and between Visionworks and its operating personnel. In addition, we will share the personal information we collect from you under the following circumstances:
- Direct Communication. We may send emails or regular mail to you in connection with your transaction or business relationship with us. If you sign up on our online registration page, we may send email to you concerning special offers, promotions, and eye exam and contact lens replenishment reminders consistent with any email preferences selected by you on the registration page. You may also provide your address information for inclusion on our email or regular mail lists in person at one of our stores. Visionworks or one of Visionworks' affiliated service providers may contact you by phone, email, or regular mail in connection with the provision of goods or services to you or in response to an inquiry from you. If you do not wish to receive special offers or promotional mailings, you may be removed from our email or regular mail lists through the use of any of the "Control of Your Information & Opt-Out Methods" listed below.
- Reputable Marketers. Some of the information we collect may be shared with other reputable marketers to bring you offers of interest, and, if personally identifiable information is collected in connection with a joint promotion, it may be provided to that joint promoter for marketing and research purposes. If you prefer that we do not share your name and address with other reputable marketers, you may contact us using the "Control of Your Information & Opt-Out Methods" listed below and request that your name be marked as "do not share."
- Asset Transfers. If we become involved in a merger, acquisition or other transaction involving the sale of some or all of Visionworks' assets, user information, including personal information collected from you through your use of the Site Features, could be included in the transferred assets. Visitors to the Site will be notified via a prominent notice on the Site for thirty (30) days prior to a change of ownership or control of user information held by us.
In addition, we may share with third parties user information in the form of aggregated non-personal information. This non-identifying information may include, for example, the patterns, trends, preferences, and other collective characteristics of our users. Disclosure of this information serves to help us and our marketing partners evaluate and tailor our communications, advertisements, services and general business practices to the needs of users of the Site Features.
3. CONTROL OF YOUR INFORMATION & OPT-OUT METHODS
You may request us to correct, update or delete any of the information we have collected from you by sending an email to us at CustomerService@VisionworksContacts.com and we will attempt to fulfill your request. We may choose not to fulfill any request that we determine is unreasonable, unduly burdensome or impractical or that constitutes a threat to the privacy or rights of others. You may also request to be removed from any of our email lists by clicking on an unsubscribe link where provided on our emails and following the related instructions. Should you have any questions or concerns regarding personal information or privacy-related issues, please contact us by sending an email to CustomerService@VisionworksContacts.com.
The personal information that you provide to us is stored on servers, which are located in secured facilities with restricted access, and protected by protocols and procedures designed to ensure the security of such information. In addition, we restrict access to personal information to Visionworks employees, independent contractors and agents who need to know this information in order to develop, operate and maintain the Site Features. All Visionworks personnel who have access to this information are trained in the maintenance and security of such information. However, no server, computer or communications network or system, or data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we strive to protect user information, we cannot ensure or warrant the security of any information you transmit to us or through the use of any of the Site Features and you acknowledge and agree that you provide such information and engage in such transmissions at your own risk. Once we receive a transmission from you, we will endeavor to maintain its security on our systems.
5. MINOR'S PRIVACY
The Site is not targeted towards, nor intended for use by, anyone under the age of 18. We do not market our products or services to children (although we do market some of our products and services for children to their parents), and we do not knowingly permit persons under the age of 18 to register or provide personally identifiable information on the Site. The provision of personally identifiable information by children on the Site is strictly prohibited. We encourage parents to supervise and participate in their children's Internet activities, and we urge children to exercise caution and consult their parents before providing any personally identifiable information on the Internet.
6. NOTIFICATION OF CHANGES
8. QUESTIONS? CONTACT US
9. TERMS OF SERVICE
(Updated August 27, 2013)
Download the HIPAA Privacy Notice pdf.
This notice describes how Medical information about you may be used and disclosed and how you can get access to this information.
Protecting Competitively Sensitive Information Policy
Download the Protecting Competitively Sensitive Information Policy pdf.
Note: To view the PDF documents, you will need Acrobat Reader from Adobe. Download Acrobat Read now.
- Read our Policy Protecting Competitively Sensitive Information
Visionworks of America, Inc. (“Visionworks”) adopts and is ultimately responsible and accountable for the administration and enforcement of this Policy Protecting Competitively Sensitive Information (CSI) in compliance with the Highmark Health Policy Protecting Competitively Sensitive Information for the Highmark Health System as defined in that policy and including all companies designated on Attachment A to this Policy. All Visionworks Personnel, including all directors, officers, other employees, trainees, volunteers, and independent contractors are subject to and shall strictly comply with this Policy.1
The Pennsylvania Insurance Department (“Department”) has raised the concern that the corporate affiliation of Highmark Inc. companies (as buyers of healthcare medical services), Allegheny Health Network companies (as sellers of healthcare medical services), and Highmark Health (as the parent company) could result in one or more of these entities obtaining or sharing information on the terms and conditions of rival contracts. The Department expressed concern that the result could be a reduction in competition, competitive innovation or pricing between the now affiliated companies and their rivals at one or more levels. To prevent such potential adverse competitive effects, the Department requires that the System develop, implement and strictly comply with Firewalls to restrict Highmark Inc. companies' knowledge of and ability to influence Allegheny Health Network companies' negotiations with rival insurers. Similarly, development, implementation and strict compliance with Firewalls is required to restrict Allegheny Health Network companies' influence on Highmark Inc. companies' negotiations with rival hospitals.
Accordingly, Visionworks has determined that the adoption of this Policy will serve to protect CSI against inappropriate access, use or disclosure, as required as a condition of the Department's Approving Determination and Order issued on May 29, 2013, Order No. ID-RC-13-06. This Policy is implemented and will be enforced in accordance with the Department's Approving Determination and Order. A copy of that Order may be found at http://www.portal.state.pa.us/portal/server/pt/community/industry_activity/9276/application_materials/1014652. This Policy sets forth the requirements and processes to safeguard against such inappropriate access, use or disclosure of CSI between and among companies within the System and their respective Personnel.
This Policy is not intended to replace Highmark Health Policy 132, titled “Information Use, Management and Disclosure,” but to supplement it, particularly with respect to the imposition of procedures to accomplish the objectives of that Policy. To the extent that there are inconsistencies between this Policy and Highmark Health Policy 132, the provisions of this Policy shall control and supersede the provisions of Highmark Health Policy 132.
1 Each adopting company will adjust this model policy only as necessary to reflect the organizational structure of that company.
- Competitively Sensitive Information (CSI) protected under this Policy includes the following categories of non-public information held by the System: Past, present and future reimbursement rates and rate schedules; contracts with providers; contracts with payers; any term or condition in a payer-provider agreement that could be used to gain an unfair commercial advantage over a competitor or supplier, including but not limited to discounts, reimbursement methodologies, and provisions relating to performance, pay for performance, pay for value, tiering of providers, cost data and methodologies including specific cost and member information and revenue, or discharge information specific to the payer or provider; contract negotiations or negotiating positions, including but not limited to offers, counteroffers, party positions, and thought processes; specific plans regarding future negotiations or dealings with payers or providers; and claims reimbursement data.
- Firewalls refer to safeguards that restrict unauthorized access, use and sharing of CSI. Firewalls segregate and protect CSI through procedures, training and behavioral guidelines and processes applicable to all System Personnel in their interactions with one another. Firewalls also include software-based and hardware-based tools and equipment to protect CSI and create additional barriers to unauthorized access. Firewalls prohibit the sharing of CSI in any form, whether oral, written, electronic or otherwise.
- Highmark Health is the parent entity of both Highmark Inc. and Allegheny Health Network.
- Highmark Inc. (Highmark) is a subsidiary of Highmark Health. Highmark Inc. and the companies it controls conduct the insurance business of the System. The Highmark Inc. companies identified in Attachment A are referred to in this Policy as “Highmark Inc. Companies.”
- Allegheny Health Network (AHN) is a subsidiary of Highmark Health. AHN and the companies it controls conduct the provider services of the System. The AHN companies identified in Attachment A are referred to in this Policy as “AHN Companies.”
- System is the collective reference to Highmark Health, Highmark Inc. and AHN.
- Personnel includes any director, officer, other employee, trainee, volunteer, independent contractor or consultant performing services on behalf of the System or any company within the System.
- Visionworks Personnel includes any director, officer, other employee, trainee, volunteer, independent contractor or consultant performing services on behalf of Visionworks.
- Director of Privacy is the individual responsible for privacy oversight for AHN or Highmark Inc. respectively and who is directly accountable to the Highmark Health Chief Privacy Officer.
- Senior Privacy Official is the Visionworks employee responsible for privacy oversight of the Visionworks.
IV. Roles and Responsibilities
- Visionworks' President and Board shall be ultimately accountable and responsible for the adoption, implementation, monitoring and strict enforcement of this Policy. The Audit Committee of the Board, or those performing the audit function, shall require periodic reports regarding compliance with this Policy and shall report that information to the full Board.
Subject to A above, the following shall be responsible for administration of this Policy:
- Director of Privacy, and/or Senior Privacy Official for Visionworks
- Senior Auditor and Compliance Officer, Visionworks [if applicable]
- Senior Legal Officer, Visionworks [if applicable]
- Senior Information Security Officer, Visionworks
V. Policy and Administration
All Visionworks Personnel must strictly observe the following Policy to protect against the inappropriate access, use or disclosure of CSI:
Visionworks Personnel who have access to, or are in possession of, any CSI of any Highmark Inc. Company shall not disclose such CSI to AHN or to any Personnel of an AHN Company.
Example: Mabel works as an account service manager in the National Accounts area of Highmark. In providing plan administration reports to her self-funded group accounts, Mabel regularly sees claims reimbursement and utilization reports for nonaffiliated providers who treat members of the group account. Mabel rides the bus everyday with Sandy who works in Physician Services for AHN and is responsible for assisting in the recruitment of new physicians into the network. During their ride to work one morning, Sandy asks Mabel if she could research a particular physician practice and share their utilization and reimbursement information with her so that she can determine if they are a good recruiting target. Mabel is prohibited from sharing any of the billing, claims reimbursement and utilization reports of Highmark Inc. nonaffiliated providers with Sandy because it is CSI.
Visionworks Personnel who have access to, or are in possession of, any CSI of any AHN Company shall not disclose such CSI to Highmark Inc. or to any Personnel of a Highmark Inc. Company;
Example: John is Associate Counsel at AHN and one of his responsibilities is to negotiate the terms and conditions of third party payer contracts. After a long and protracted series of negotiations, John successfully reaches a good deal for AHN physicians, and concludes the contract negotiation with Acme Health Insurer. That afternoon, John has lunch with his friend Ben who works at Highmark. John cannot discuss the negotiations, his thoughts and impressions, and the results of the negotiation with Ben because sharing the information would violate this Policy and compromise Competitively Sensitive Information.
- Visionworks Personnel who have access to, or are in possession of, any CSI of any Highmark Inc. Company shall not disclose such CSI to AHN or to any Personnel of an AHN Company.
- All Visionworks Personnel must take mandatory CSI Policy training and all newly-hired Visionworks Personnel must do so before performing any work. There will be no exceptions to this mandatory requirement. Visionworks shall provide periodic refresher training regarding the protection of CSI, at least annually, and supplemental training as necessary. CSI Policy training shall be developed, designed, facilitated and administered by the Highmark Health Chief Privacy Officer. At the completion of the mandatory training session and after each refresher training session, all Visionworks Personnel shall be required to certify completion of the program and comprehension of the materials presented.
All Visionworks Personnel must excuse themselves from participation in any activity where their participation would necessarily involve the improper access, use or disclosure of CSI. Any individual who comes in contact with CSI from either Highmark or AHN in the ordinary course of his or her function cannot use that CSI in performing any activity or service for the other company. If that activity requires sharing or reference to the CSI, the individual must excuse himself or herself from that activity.
Example: James is an executive of Highmark Health and also serves as a director of AHN. In his executive position and in the course of his job function he properly receives CSI from Highmark Inc. regarding recent rate negotiations with Hospital A, a competitor of AHN. At the next AHN board meeting, James must not disclose that CSI and must excuse himself from AHN board discussions or actions that would involve the use or disclosure of that CSI.
- All Visionworks Personnel are encouraged to contact the Highmark Health Chief Privacy Officer or Visionworks Director of Privacy or the Senior Privacy Official for Visionworks if they have any questions about their responsibilities or other matters pertaining to this Policy.
VI. Infrastructure and Physical Safeguards
Visionworks shall continue to observe current safeguards and adopt any additional safeguards sufficient to assure that access to CSI is properly controlled and protected. Such safeguards include:
- Role based access
- Control and Management of User IDs
- Separation of servers or data stored on servers as appropriate
- Monitoring systems for unauthorized access
- Other necessary technical controls to accomplish segregation of duties, businesses and roles.
- Visionworks shall continue to use security tools that include electronic interface with the Human Resources systems to provide information regarding the identity of authorized Visionworks Personnel in each business area, including updates on terminations, new hires, transfers and other position and organization changes.
- Strong PC/workstation controls shall continue to protect CSI from unauthorized access or transmission.
VII. Monitoring and Auditing
- The Highmark Health Privacy Department shall be responsible for monitoring the System, including Visionworks, to assure that CSI has not been inappropriately accessed, used or disclosed.
- Highmark Health’s Internal Audit Department shall develop and implement an audit plan to assure that proper controls are in place for the protection of CSI and that all policies and procedures are followed. Internal Audit shall conduct regular audits of the System, including Visionworks, to ensure compliance with this Policy. Audit findings and observations shall be reported to the Highmark Health Chief Privacy Officer for appropriate remediation and mitigation, and ultimately reported to the Highmark Health Audit Committee, which shall report to the full Highmark Health Board, and to the Audit Committee of the Visionworks Board or those performing the audit function, who shall report to the full Visionworks Board.
- All Visionworks Personnel shall certify annually that they have read and understood this Policy and that they are in full compliance with it. In addition, all Visionworks Personnel shall certify their responsibility to report actual or potential violations with the understanding that such reporting will not result in retribution or retaliation by any company or Personnel within the System. Highmark Health’s Internal Audit Department shall monitor these annual certifications to insure compliance with this Policy. All annual certifications will be reported to Highmark Health’s Chief Privacy Officer for inclusion in the annual report on System compliance.
- All Visionworks Personnel shall also affirmatively acknowledge that failure to report an actual or potential violation of this Policy may subject the individual to disciplinary action, up to and including termination.
VIII. Violations and Enforcement
- Violations of this Policy are subject to corrective action up to and including termination of employment or contractual arrangement, or removal from the Board, consistent with Highmark Health and Visionworks disciplinary procedures.
All Visionworks Personnel are required to immediately report violations or suspected violations of this Policy to the Visionworks Senior Privacy Official, who shall notify the appropriate Director of Privacy, who shall notify the Highmark Health Chief Privacy Officer. The Highmark Health Chief Privacy Officer, the appropriate Director of Privacy and the Visionworks Senior Privacy Official shall investigate and take appropriate remedial action including determining the cause(s) of any violation, mitigating the effects of the violation, taking corrective action to prevent future occurrences, and engaging Human Resource areas as necessary to determine appropriate sanctions.
Example: Tricia, a data analyst in the AHN provider financial operations area sits in the cubicle next to her colleague Glen. One afternoon Tricia overhears Glen talking on the phone to Helen who works as an analyst in Highmark Inc. Informatics. Glen thanks Helen for the report she generated and sent to him containing Highmark BCBS member-level data pertaining to specific cost and reimbursement rates for particular drugs and the associated prescribing provider information. Concerned that competitively sensitive information was compromised, Tricia contacts the Highmark Health Chief Privacy Officer.
- In any case in which any individual has violated or is suspected to have violated this Policy, the Visionworks Senior Privacy Official, the appropriate Director of Privacy and the Highmark Health Chief Privacy Officer shall notify Visionworks Human Resources and provide case-specific information to enable Visionworks Human Resources and Visionworks business unit management to administer appropriate disciplinary measures. In any case in which a director or executive officer of Visionworks has violated or is suspected to have violated this Policy, the Visionworks Senior Privacy Official shall notify the appropriate Director of Privacy, who shall notify the Highmark Health Chief Privacy Officer, who shall oversee the investigation. If a violation is found, the Board with appropriate authority shall discipline the director or officer as it deems appropriate. There is zero tolerance for intentional improper access, use or disclosure of CSI in violation of this Policy.
- Failure to report known or suspected violations of this Policy shall constitute a violation.
IX. Filing a Complaint
Complaints and reports may be made in any of the following ways:
- (1) directly to the Visionworks Senior Privacy Official or the Highmark Health Chief Privacy Officer,
- (2) by calling toll-free: 1-877-959-4160,
- (3) or by email to firstname.lastname@example.org.
- The Highmark Health Chief Privacy Officer shall have ultimate responsibility for the administrative enforcement of this Policy. The Highmark Health Chief Privacy Officer, the appropriate Director of Privacy and the Visionworks Senior Privacy Official shall promptly investigate and ensure that necessary and appropriate remedial action is taken in response to all reported violations. The remedial actions taken shall include determination of the cause(s) of the violation, mitigation, corrective action that is required to prevent future occurrences, and facilitating appropriate workforce sanctioning if applicable.
X. Policy Against Retaliation
Visionworks is committed to protecting all Personnel, health care providers with whom any Highmark Inc. company contracts, and members of the general public (collectively referred to as “Individuals”) from interference with making a good faith disclosure that this Policy has been violated, from retaliation for having made a good faith disclosure, or from retaliation for having refused a direction or order in conflict with this Policy. Visionworks encourages all Individuals to report good faith concerns about a potential violation of this Policy. No Individual or entity who in good faith reports a violation of this Policy, or who participates in the investigation of a reported violation of this Policy, will suffer harassment, retaliation, adverse employment or other adverse action as a result of the Individual’s report and/or participation. Any Visionworks Personnel who retaliates against someone who has reported a violation of this Policy in good faith, or who has participated in an investigation of a reported violation, is subject to discipline up to and including termination of employment or contractual arrangement or removal from the Board.
Example: Community Hospital A, in attempting to negotiate its provider contract with Highmark Inc. has evidence that Highmark Inc. knows the terms and conditions of Community Hospital A’s provider contract with other insurers. In the event that Community Hospital A files a complaint against Highmark Inc., Highmark Inc. may not take any negative action with respect to its relationship with Community Hospital A as a result of this complaint.
Example: Kathleen works at West Penn Hospital where as part of her duties, she gathers materials to assist the team that negotiates the hospital’s rates with insurers. As she is preparing information about the hospital’s recent experience providing services to subscribers of National Insurer, she finds an email from her supervisor to an employee of Highmark Inc. attaching West Penn’s current agreement with National Insurer. Kathleen reports her findings to the Highmark Health Chief Privacy Officer, which triggers an investigation and results in serious discipline of her supervisor. Neither the supervisor nor any other System Personnel may take any negative action toward Kathleen for complying with her obligations under this Policy.
XI. No Exceptions
There are no exceptions to this Policy regarding improper access, use or disclosure of CSI.
XII. HIPAA Compliance
Nothing in this Policy is intended to prohibit or otherwise prevent disclosure of information that may include competitively sensitive data elements if the disclosure is necessary, appropriate and required to comply with the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under HITECH, GINA and other modifications to the HIPAA Rules as set forth in 45 CFR Parts 160 and 164
Any amendments to this Policy are subject to approval by the Pennsylvania Insurance Department.
HIGHMARK INC. COMPANIES
United Concordia Companies, Inc.
- United Concordia Life and Health Insurance Company
- United Concordia Dental Plans of Pennsylvania, Inc.
Davis Vision, Inc.
- DavisVision IPA, Inc.
Visionworks of America, Inc.
- Visionworks, Inc.
- Visionworks Enterprises, Inc.
- Empire Vision Center, Inc.
- Visionworks of America, Inc.
- Highmark Select Resources, Inc.
- Keystone Health Plan West, Inc.
- HM Life Insurance Company
- HM Health Insurance Company
- Highmark Senior Health Company (pending receipt of Certificates of Authority)
- Highmark Coverage Advantage Inc. (pending receipt of Certificates of Authority)
- Highmark Benefits Group Inc. (pending receipt of Certificates of Authority)
- United Concordia Companies, Inc.
ALLEGHENY HEALTH NETWORK COMPANIES
- Promedix LLC
West Penn Allegheny Health System, Inc.
- Alle-Kiski Medical Center
Canonsburg General Hospital
- Canonsburg General Hospital Ambulance Service
- Allegheny Medical Practice Network
Allegheny Clinic (f/k/a Allegheny Specialty Practice Network)
Physician Landing Zone
- Lake Erie Medical Group PC
- Premier Medical Associates, PC
- Physician Landing Zone
- West Penn Allegheny Oncology Network
Jefferson Regional Medical Center
- Prime Medical Group PCG 1
- Primary Care Group 2, Inc.
- Primary Care Group 3, Inc.
- Primary Care Group 4, Inc.
- Primary Care Group 5, Inc.
- Primary Care Group 6, Inc.
- Primary Care Group 7, Inc.
- Primary Care Group 8, Inc.
- Primary Care Group 9, Inc.
- Primary Care Group 10, Inc.
- Primary Care Group 11, Inc.
- Primary Care Group 12, Inc.
- Family Practice Medical Associates South, Inc.
- JRMC-Diagnostic Services, LLC
- Jefferson Magnetic Resonance Imaging, LLC
- The Park Cardiothoracic and Vascular Institute
- Specialty Group Practice 1, Inc.
- Grandis, Rubin, Shanahan & Associates
- Steel Valley Orthopaedic and Sports Medicine
- Jefferson Hills Surgical Specialists
- JRMC Specialty Group Practice
- JRMC Physician Services Corporation
- Pittsburgh Bone, Joint & Spine, Inc.
Saint Vincent Health Center
- Regional Heart Network
Saint Vincent Health System
Clinical Services, Inc.
- Saint Vincent Rehab Solutions, LLC
- Saint Vincent Consultants in Cardiovascular Diseases, LLC
- Saint Vincent NWPA Surgery Center, Ltd.
- Saint Vincent Affiliated Physicians
- Saint Vincent Medical Education & Research Institute, Inc.
- Clinical Services, Inc.