
HIC, INC PRIVACY POLICY 1

Policy ID: HIC-P-1

Introduction
HIC, Inc. takes pride in delivering the best healthcare experience customers can receive
at a reasonable cost. In pursuit of this goal, HIC, Inc. handles many kinds of information to
deliver excellent care. This privacy policy outlines what information is collected, how it is
collected and handled, who has access to it, how it is protected, and how customers, staff, and
authorized affiliates may use and share data. HIC, Inc. handles the following types of data, each
of which is subject to various laws, regulations, and standards:

- Protected Health Information (PHI) and Electronic PHI (ePHI)
- Personally Identifiable Information (PII), including that of employees
- Corporate
- Credit Card and other payment information
- Public

Protected Health Information

Protected Health Information and Electronic Protected Health Information (collectively
referred to as PHI) are “any information about health status, provision of health care, or payment
for health care that is created or collected by a Covered Entity (or a Business Associate of a
Covered Entity), and can be linked to a specific individual”. This information may be in any
communicated form, including spoken, written, printed, or electronic form.

PHI data is regulated by the federal Health Insurance Portability and Accountability Act (HIPAA)
and California state laws. HIC, Inc. conforms to HIPAA’s Privacy Rule, which sets national
standards for protecting the confidentiality, integrity, and availability of PHI and its use.
Additionally, HIC, Inc. complies with all state laws related to PHI, including the California Data
Breach Notice (Senate Bill 1386), Patient Safety and Quality Improvement Act (PSQIA),
California Confidentiality of Medical Information Act, Patient Access to Health Records Act
(PAHRA), Insurance Information and Privacy Protection Act (IIPPA), and other specific-case state
laws.

HIC, Inc. may only grant or deny access to PHI data in accordance with Federal and State laws.
Only PHI-trained HIC, Inc. staff, contractors, and authorized affiliates performing business-
related activities have access to PHI data. HIC, Inc. will not disclose any PHI data to unauthorized
persons, except in the case of legal subpoenas and law enforcement requests. Customers may
authorize, in writing, persons of their choosing to access their own PHI data, request a copy of
their PHI data, or request corrections of inaccurate information in accordance with HIPAA.

Personally Identifiable Information

NIST Special Publication 800-122 defines PII as "any information about an individual
maintained by an agency, including (1) any information that can be used to distinguish or trace
an individual's identity, such as name, social security number, date and place of birth, mother's
maiden name, or biometric records; and (2) any other information that is linked or linkable to
an individual, such as medical, educational, financial, and employment information." HIC, Inc.
handles employee and customer PII and may only authorize access for employees and affiliates
performing business-related activities, in accordance with Federal and State laws. HIC, Inc.
will follow the same privacy policy specified in the PHI section above with regard to PII data.

Corporate Information
HIC, Inc. maintains both corporate information that is private and sensitive and
corporate data related to financial reports governed by the federal Sarbanes-Oxley Act. Only
corporate data required by federal and state laws may be shared, and it must be authorized for
release by senior managers (CEO, CFO, CIO). Only authorized personnel performing business
processes may view and handle sensitive corporate data. Employees of HIC, Inc., as well as
contractors and affiliates, have no rights to any corporate data. All information systems,
telephones, and voice over IP systems may be monitored, and computer usage and data
recorded, in accordance with state and federal laws. HIC, Inc. retains the right to use any
corporate data, provide corporate data to affiliates, and share corporate data in the pursuit of
business operations in compliance with federal and state laws.

Financial Information
The Gramm-Leach-Bliley Act (GLBA) financial privacy rule requires us to provide new
customers, and existing customers annually, a notice on the information we collect, where
information is shared, how it is used, and how it is protected. HIC, Inc. collects only the financial
information required to perform billing and payment operations for business purposes. HIC, Inc.
does not share information with any other organizations unless required by law. Consumers
have the right to opt out of any form of sharing that may be unrelated to business operations
by writing a letter requesting to be excluded to the finance department at HIC, Inc. We follow
leading practices to protect financial data and other Personally Identifiable Information (PII)
and employ a robust and evolving information security plan to address threats to our own and
our customers' data.

Credit Card Information


As a handler and processor of credit card data, HIC, Inc. complies with the latest revision
of the Payment Card Industry Data Security Standard (PCI-DSS). This standard requires strict
handling of any systems and information related to the handling and processing of credit cards.
HIC, Inc. does not share any credit card information unless required to process credit card
payments. All information is retained only as authorized by the cardholder, law enforcement, or
as long as is permitted by PCI-DSS standards in compliance with federal and state law.

Privacy Violations and Enforcement

HIC, Inc. must follow all privacy laws. However, we recognize the complexity of these
privacy laws. If incidents occur, or you have any questions or concerns about this policy, please
contact the Chief Data Officer (CDO) by emailing CDO-Questions@hic-inc.com. Any HIC, Inc.
employees who violate this privacy policy are encouraged to contact the CDO. Accidental violations
divulged in good faith may result in additional privacy training, written notices, or, in cases of
repeated offenses, termination of employment in accordance with HR policies. Any discovered
intentional violations of privacy law will be prosecuted to the full extent of the law.
