Consistent with the CVS Caremark Values of Integrity and Accountability, the company considers the protection and safeguarding of personal information, including the health and personal information of our customers, plan members and employees, a top priority. To provide for these protections and safeguards, the CVS Caremark Chief Privacy Officer provides leadership for the company’s Information Governance Framework that implements our corporate strategy across all business units and operations and that includes all activities related to the development and implementation of CVS Caremark’s privacy and information security programs. The company’s Information Governance Framework helps identify potential risks relevant to privacy and information security and assists in putting in place appropriate protections and safeguards to address those identified risks.
Information Security Program
In the past year, the company put in place new components for its information security program. To ensure our practices provide appropriate protections and safeguards for personal information, the company developed our Information Security Risk Assessment process, which identifies internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information. To supplement internal processes, an independent assessor reviews on a biennial basis how our practices operationalize the information security program. In addition, on an annual basis, the company employs a Qualified Security Assessor to review the sufficiency of any safeguards in place with regard to cardholder data under the Payment Card Industry Data Security Standard. Furthermore, the company maintains an enterprise-level team overseen by the Chief Privacy Officer to control identified risks, to manage the company’s investment in a security infrastructure, and to continuously improve the information security program, including enhancements for emerging cyber security issues.
In addition to our information security program, as part of our Information Governance Framework, the company maintains a privacy program to continuously improve our privacy practices. Key to improving processes is raising colleagues’ awareness of the importance of member and patient privacy. CVS Caremark uses its training and development program to deliver appropriate periodic training for all our colleagues, including a requirement that core privacy training be completed within thirty days of hiring. Furthermore, the Chief Privacy Officer oversees a full-time policy and investigations team that not only manages the review of and response to any potential privacy incident, but, for any actual incident, uses a protocol that involves processing, tracking, reviewing, making improvements and, when appropriate, retraining or developing a corrective action plan. The lessons learned are then incorporated into the existing training to help our colleagues better understand how to avoid future occurrences. In addition, the company conducts an annual assessment of its retail facilities, using an independent assessor to review a statistically significant sample of stores, to ensure implementation of necessary protections and safeguards, including requirements under the Health Insurance Portability and Accountability Act (HIPAA) for privacy and security.
Vendor Assessment Program
In order to ensure appropriate safeguards and protections for any confidential information, and in particular any personal information, CVS Caremark maintains a Vendor Assessment Program under which each vendor/supplier who collects, uses, stores, shares, processes, transmits or destroys confidential information on behalf of CVS Caremark must undergo an initial and recurring periodic assessment to determine whether or not the vendor/supplier operates in accordance with our Privacy and Information Security Policies and Procedures.
CVS Caremark’s various oversight committees have enhanced our privacy and information security programs by involving key senior leaders in the decision-making process to address identified risks and to implement appropriate protections and safeguards. The policy-level committees, which are cross-functional, meet periodically to review and assess relevant information regarding our practices for managing privacy and information security risk, and they make recommendations to enhance our existing practices that are then implemented through operational and information services groups.