Last Updated: June 27, 2023
This privacy policy sets out how Vee protects all personally identifiable information of our clientele that is entrusted to and handled within Vee, as well as the personal data of its employees.
Vee recognizes and supports the need for reasonable protections regarding the privacy of personal data entrusted to us by our clientele. For this reason, the company has developed and adopted these general guiding Principles. Individual locations should consider adopting regional implementation policies to put these Principles into practice.
All company employees whose responsibilities include the collection, processing or storage of client data are expected to be vigilant and assist in the protection of that data by adherence to these Principles and reporting any deviations.
In following these Principles, Vee complies with the applicable laws and regulations protecting the privacy of personal data in the jurisdictions in which the company operates, alongside HIPAA and GLB.
"Personal data" means data about an individual that is personally identifiable.
All Employees of Vee are involved in the processing of personally identifiable information.
4.1.1 Notice Principle:
The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Vee informs its clients/stakeholders of the purposes for which personal information is collected, used, retained and disclosed.
Vee provides periodic general notice regarding routine information practices. In addition, Vee communicates these Principles and any implementing policies and procedures through normal communication channels via HR Portal and email.
4.1.2 Communication to clients and stakeholders
Notice is provided to all clientele regarding our commitment to the following privacy policies by sharing the details listed below:
4.1.3 Provision of Notice:
Notice is provided to the clients about the Vee privacy policies and procedures.
4.1.4 Entities and Activities Covered
An objective description of Vee and the activities covered by the privacy policies and procedures is included in the entity’s privacy notice.
For Clients: Privacy Memorandum
For Employees: Privacy Notice and Consent
Vee describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4.2.1 Communication to clients and employees
Clients are informed about
Employees are also informed about:
4.2.2 Consent for Online Data Transfers to or From an Individual’s Computer or Other Similar Electronic Devices
4.2.3 Consent is obtained from the client before data containing personal information is transferred to or from an individual’s computer or other similar device.
Privacy Memorandum
4.2.4 Consent is obtained from employees as a disclaimer through HR portal.
Collection Limited to Identified Purpose
Vee collects personal information only for the purposes identified in the Privacy Notice and Consent, for relevant and appropriate purposes only, in a reasonable and lawful manner. The collection and use of client personal data in the business context is essential to the operation of the company, and particularly to the operation functions. Examples of the purposes for which the company collects and uses client personal data include medical billing, medical coding, insurance processing, logistic processing, and financial and accounting processing. The client is the only source of the information needed to carry out the knowledge processing; the data is provided to us through reliable and secure resources with appropriate acknowledgments.
Collection by Fair and Lawful Means
Methods of collecting personal information are reviewed by Chief Privacy Officer before they are implemented to confirm that personal information is obtained
Vee limits the use of personal information to the purposes identified in the notice and for which our client has provided implicit or explicit consent. Vee does not retain any personal information, as all the information is processed on the client’s system and databases, unless and until the client requires us to do so. In such circumstances, the data is retained only for as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter the information is appropriately disposed of.
Vee regularly and systematically destroys, erases, or makes anonymous personal information of its employees that is no longer required to fulfill the identified purposes or as required by laws and regulations.
Reference 1: IMS-PLC-ORG-05-12-Confidential Information Policy
Reference 2: IMS-PLC-ORG-05-13-Data Classification Policy
Vee does not maintain any personal data; authenticated, non-editable data is provided by the client.
Disclosure to Third Parties:
Communication to employees
IMS-PLC-ORG-05-11-Acceptable Usage Policy
IMS-PLC-ORG-05-10-Information Security Policy
Disclosure of Personal Information
Personal information is disclosed to employees only for the purposes described in the notice, and for which the client has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.
Protection of Personal Information
Personal information is disclosed only to employees who have signed non-disclosure agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
Misuse of Personal Information by a Third Party
Vee will take remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.
Information Security Program
Vee's Information Security Program
A security program has been
That includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas insofar as they relate to the security of personal information.
Reference: IMS MANUAL
Logical Access Controls
Logical access to personal information is restricted by procedures that address the following matters: Where Vee commits to
Reference: IMS-PLC-ORG-05-14-Access Control Policy
Physical Access Controls
Physical access is restricted to personal information in any form (including the components of the entity’s system(s) that contain or protect personal information).
Reference: IMS-PLC-ORG-05-14-Access Control Policy
Environmental Safeguards
Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards.
Transmitted Personal Information
Vee ensures that personal information is protected when transmitted by mail or other physical means.
Personal information collected and transmitted over the Internet, over public and other nonsecure networks, and wireless networks is protected by deploying industry-standard encryption technology for transferring and receiving personal information.
Reference: IMS-PLC-ORG-05-03-Cryptographic Control Policy
Personal Information on Portable Media
Vee does not store any PII on portable media,
Testing Security Safeguards
Vee carries out tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information.
The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Communication to clients
Clients are notified that they are responsible for providing the entity with accurate and complete personal information, for processing claims.
Reference: Privacy Draft Notice.doc
Compliance:
Vee maintains an active program to ensure compliance with these Principles, as well as with applicable law or contractual agreements on handling of personal data. The Chief Privacy Officer is responsible for implementing and overseeing the administration of these Principles. All Vee employees whose responsibilities include the collection, processing or storage of personal data are required to adhere to these Principles and implementing policy. Failure to do so may be grounds for discipline up to and including termination.
Roles and responsibilities of compliance team
Procedure Compliance measures
Complaint Resolution:
Any employee who has a concern about the collection, use or disclosure of the individual’s personal data is encouraged to use the Vee internal Alternative Dispute Resolution program or other internal means of resolving disputes, Open house/Open Forum meeting conducted in frequently.
Incident Management
An escalation matrix is established through which all employees of Vee can report a security incident leading to a breach through the appropriate channel and record the incident, to avoid similar breaches in future.
A risk assessment is reviewed yearly to establish a risk baseline and to identify new or changed risks to personal information; controls are introduced accordingly to reduce the respective risks.
Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the Vee internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.
Vee Privacy policies, procedures, client contract, and changes to them, are reviewed and approved by management periodically.
Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.
It is the policy of Vee that all employees will access and use, but should not disclose, PII, and that all employees shall be vigilant with respect to guarding PII. However, in the event that a potential breach of unsecured PII occurs, the following procedures shall be followed.
DISCOVERY
INTERNAL REPORTING
INVESTIGATION
RISK ASSESSMENT AND RECOMMENDATION
After the investigation is complete, the Privacy Officer will perform a Risk Assessment. The purpose of the Risk Assessment is to determine if a use or disclosure of PII constitutes a breach and requires further notification to the Covered Entity. The Privacy Officer shall appropriately document the Risk Assessment and make a recommendation as to whether notification to the Covered Entity of the potential breach would be prudent.
A "reasoned judgment" standard will be applied to the Risk Assessment, which shall be fact specific and shall include consideration of the following factors:
FINAL DETERMINATION BY THE PRIVACY OFFICER
The Vee Privacy Officer shall have final authority to determine whether a breach of unsecured PII occurred and what, if any, further action is warranted.
NOTIFICATION TO COVERED ENTITY/BUSINESS ASSOCIATE
In the event that the Privacy Officer determines that notice to the Covered Entity/Business Associate is warranted, the Chairperson shall promptly prepare and transmit a CE/BA Notice.
DOCUMENTATION
All phases of the process must be documented in detail on a case-specific basis, in a manner sufficient to demonstrate that all appropriate steps were completed. All supporting documentation associated with the potential breach shall be kept on file for a period of 6 years.
Vee ensures potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification and management of the following:
The use of personal information in process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity’s privacy policies and procedures.
Vee ensures that the types of personal information and sensitive personal information, and the related processes, systems, and third parties involved in the handling of such information, are identified. Such information is covered by the Vee privacy and related security policies and procedures.
Reference: IMS-PLC-ORG-05-13-Data Classification Policy
Vee establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training.
Vee provides a privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities.
4.12 Training Records
4.13 Notice Communication Records
4.14 Notice Acknowledgement Records
4.15 Incident Report Records
4.16 Disciplinary Action Records