Effective Date.

Senior Life Funding, Inc. along with all its divisions, affiliates and subsidiaries, (collectively referred to as the “Company”), hereby adopts the following information privacy and security policy and procedures (collectively referred to as the “Policy”) effective as of August 1, 2019, which supersedes and replaces any and all previous privacy and/or security policies. The Company reserves the right to change the terms of this Policy and to make any new provisions effective to all Nonpublic Personal Information, Personally Identifiable Information or Protected Health Information, as hereinafter defined, maintained by the Company, including that which was created, collected or maintained by the Company prior to the adoption of this Policy. In the event of the amendment or modification of this Policy, the Company shall issue a notice detailing the revised policies and procedures covering the use and disclosure of Nonpublic Personal Information, Personally Identifiable Information and Protected Health Information.

Financial Institution.

This Policy summarizes the Company’s comprehensive written information security program mandated by the Federal Trade Commission’s Safeguards Rule and the Gramm – Leach – Bliley Act (“GLBA”). In particular, this Policy describes the elements pursuant to which the Company intends to (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers. The Policy incorporates by reference the Company’s policies and procedures enumerated below and is in addition to any institutional policies and procedures that may be required pursuant to other federal and state laws and regulations, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The Company has determined to issue and abide by this Policy to satisfy the Company’s obligations as a Financial Institution under the GLBA, and a Business Associate of other Covered Entities in its role as an insurance broker under HIPAA, and the regulations promulgated thereunder now or in the future. Other applicable federal and state laws may further limit and restrict the Company’s use and disclosure of such information. The Company is required to comply with such laws, even if such use or disclosure would otherwise be permitted under this Policy.

Scope of Policy.

This Policy defines common security requirements for all Company personnel and systems that create, maintain, store, access, process or transmit electronic information. This Policy also applies to information resources owned by others, such as agents or contractors of the Company, in cases where the Company has a legal, contractual or fiduciary duty to protect said resources while in the Company custody. In the event of a conflict, the more restrictive measures will apply. This Policy covers the Company network system which is comprised of various hardware, software, communication equipment and other devices designed to assist the Company in the creation, receipt, storage, processing, and transmission of information. This definition includes equipment connected to any the Company domain, either hardwired or wirelessly, and includes all stand-alone equipment that is deployed by the Company at its office locations or at remote locations.

4956408 .1 4965842 .1

Definitions. For purposes of this Policy, the following terms shall be defined as follows:

  •   Nonpublic Personal Information and Personally Identifiable Information “Nonpublic Personal Information” shall have the same meaning as defined under Title V of the GLBA and shall include any personally identifiable information that is not available publicly. This includes any information that the Policyholder provides or that is obtained in connection with a transaction involving a product or service and any list of names and addresses that is derived from such information. “Personally Identifiable Information” shall have the same meaning as defined under the ACA. “Nonpublic Personal Information” and “Personally Identifiable Information” are referred to collectively in this Policy as “Nonpublic Personal Information.”
  •   Protected Health Information (or “PHI”). “Protected Health Information” shall have the same meaning as defined under HIPAA, as amended from time to time (referred to herein as “PHI”).
  •   Personally Identifiable Information. “Personally Identifiable Information” shall have the same meaning as defined under ACA, as amended from time to time.
  •   Policyholder. “Policyholder” shall include any “customer,” as defined under GLBA, who has obtained an insurance policy through the Company in the Company’s capacity as an insurance broker or third party administrator.
  •   User. As used herein, “user” shall mean any person authorized to access the Company’s information resources, which may include employees, owners, and contractors.
  2. Privacy and Security Officer. The current Privacy and Security Officer of the Company is: John Lane, Vice President of IT. He may be reached at: (972) 755-1582 ext. 205 or [email protected].
  3. Duties of the Privacy and Security Officer. Unless otherwise provided herein, the Privacy and Security Office shall be responsible for the development, organization, and maintenance of this Policy, and shall jointly carry out the duties and responsibilities set forth in this Policy and any additional responsibilities imposed by the GLBA and HIPAA not otherwise set forth herein.


The Privacy and Security Officer shall be responsible for the following:

4956408 .1 4965842 .1

  •   Identifying areas of concern within the Company and act as the first line of defense in enhancing the appropriate privacy security posture;
  •   Overseeing all ongoing activities related to the development, implementation, and maintenance of the Company’s policies and procedures in accordance with applicable federal and state laws.
  •   Addressing privacy and security issues as they arise and recommending and approving immediate remedial actions to be undertaken.
  •   Conducting training as necessary for all employees with access to PHI or Nonpublic Personal Information.
  •   Maintaining a log of security concerns or confidentiality issues, including an accounting of unauthorized disclosures of PHI, ePHI, and Nonpublic Personal Information. This log must be maintained on a routine basis, and must include the dates of an event, the actions taken to address the event, and recommendations for personnel actions, if appropriate.
  •   Maintaining a log of security enhancements and features that have been implemented to further protect all sensitive information and assets held by the Company.
  •   Respond to any requests for access, amendment, or accounting of disclosures by a Policyholder in accordance with the applicable Business Associate Agreement and Sections 164.524, 164.526, and 164.528 of HIPAA or other applicable law.
  •   Provide Policyholders a notice of the Company’s privacy practices, which may be distributed either electronically by sending the Privacy Notice to the Policyholder’s email address, or by mailing a paper copy of the Privacy Notice to the Policyholder’s current residence.
  •   Maintain an accounting of disclosures of a Policyholder’s PHI in accordance with HIPAA.
  •   Respond to and accommodate reasonable requests from Policyholders to receive communications of PHI and other Nonpublic Personal Information from the Company in a confidential manner, by alternative means or at alternative locations.
  •   Respond to and address any complaints received by the Company from an employee, a Policyholder, or a third party regarding the privacy or security of PHI or other Nonpublic Personal Information. The Privacy and Security Officer shall document all complaints received and their disposition, if any, and retain such documentation, whether in written or electronic form, for a period of six (6) years after the disposition of the complaint. See Section 13 of this Policy. 
  • Anti-Retaliation and Waiver.

The Company shall not retaliate in any way against any individual for filing a complaint with either the Company or the Secretary of Health and Human Services (“HHS”), or otherwise intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise of any right under this Policy, HIPAA or HITECH, for the participation in any process established by this Policy, HIPAA or HITECH, including the filing of complaint with Secretary of HHS or testifying, or for participation in an investigation, compliance review or hearing under HIPAA. The Company shall not require individuals to waive any right to file a complaint with the Secretary of HHS as a condition of the provision of treatment, payment, or enrollment in the Company or for eligibility for benefits thereunder.

Employee Training.

The Company shall train any and all employees who use, have access to, and/or may disclose PHI or other Nonpublic Personal Information in the course of their employment on the policies and procedures provided by this Policy, HIPAA, HITECH, ACA and GLBA to the extent necessary and appropriate to carry out the responsibilities of their employment and the administration of their duties. Further details regarding training are outlined in Section 22 of this Policy.

4956408 .1 4965842 .1

Employee Discipline.

Employees may be subject to discipline, up to and including termination, in accordance with any of the Company’s policies for any use or disclosure of PHI or other Nonpublic Personal Information in violation of this Policy, HIPAA, HITECH, ACA or GLBA. Any discipline taken against any employee for the violation of this Policy, HIPAA or HITECH shall be documented and retained by the Company, whether in written or electronic form, and maintained for a period of six (6) years following the discipline. Further details regarding employee discipline are contained in Section 20 of this Policy.


The Company has established appropriate administrative, technical, and physical safeguards to protect the privacy of PHI as well as other Nonpublic Personal Information from intentional or unintentional use or disclosure in violation of this Policy, HIPAA, HITECH, ACA and GLBA. It shall be the responsibility of each employee to carefully read, understand and adhere to the standards and obligations set forth in this Policy. Employees shall take appropriate safeguards to protect PHI and Nonpublic Personal Information, including, but not limited to, the following:

Administrative Safeguards

    •   Access to PHI or other Nonpublic Personal Information is limited to only those employees who need to know such information to carry out their duties on behalf of the Company. Employees who are given access to PHI and other Nonpublic Personal Information shall only access or use such information for appropriate business purposes within the scope of their job duties.
    •   Employees are expected to log off or lock their computers when they leave them unattended (such as when on breaks, at lunch, in a meeting or out of the office). The Company will implement controls to terminate computer sessions and/or lock computers after a predetermined time of inactivity (e.g., 30 minutes).

  • Physical Safeguards.

4956408 .1 4965842 .1

  •   Any paper files or documents containing PHI or Nonpublic Personal Information maintained shall be kept in a locked fireproof cabinet or locked room when not in use. Such information shall not be left accessible to others. These records shall be maintained in accordance with the Company’s record retention policy.
  •   Paper files or documents containing PHI or Nonpublic Personal Information that are no longer needed must be disposed of by shredding or placing them in a designated shredding bin.
  •   When transmitting PHI or Nonpublic Personal Information by electronic facsimile, use an approved fax transmittal sheet.
  •   Use care not to place computers or other electronic devices (including portable storage devices) containing PHI or Nonpublic Personal Information in places where the information may be reviewed by unauthorized individuals.

Employees shall keep mobile electronic communication devices (such as smart phones, etc.) with access to PHI or Nonpublic Personal Information in their possession or in a secured location at all times, and employees will not share passwords or other access information with others.

Technical Safeguards.

  •   The Company has implemented certain technical safeguards which are more fully

    described in this Policy.
  •   Electronic files or materials containing PHI or Nonpublic Personal Information that are no longer needed must be destroyed or securely deleted (including electronic back- ups).
  • Use and Disclosure Without Authorization.

To the fullest extent permitted by the law, the Company may use or disclose PHI or Nonpublic Personal Information without the authorization from any Policyholder or other individual for purposes of:

4956408 .1 4965842 .

  •   Obtaining premiums;
  •   Making determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and the adjudication or subrogation of health benefit claims;
  •   Adjusting risk adjusting amounts due based on Policyholder health status and demographic characteristics;
  •   Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
  •   Conducting utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
  •   Disclosure to consumer reporting agencies of certain PHI and other Nonpublic Personal Information relating to collection of premiums or reimbursement.
  •   Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract for life insurance and or life benefits, and ceding, securing, or replacing a contract life insurance
  •   Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
  •   Business planning and development;
  •   Business management and general administrative activities;
  •   Contacting Policyholders with appointment reminders, or other health-related benefits and services that may be of interest to the Policyholder;
  •   Complying with federal, state, or local law, or when disclosure is permitted or required for public health activities;
  •   Reporting incidents of abuse, neglect or domestic violence to the appropriate authorities or supervising governmental agencies for instances of child, elder or spousal abuse;
  •   Assisting in law enforcement activities including judicial or administrative proceedings;
  •   Research, in certain circumstances, and pursuant to certain limitations;
  •   Avoiding or averting a serious threat to the health or safety of a person or the public;
  •   Providing information to limited data set recipients pursuant to a data use agreement that includes certain safeguards and restrictions;
  •   Providing necessary information to vendors, in connection with services provided to the Company, pursuant to a Business Associate Agreement between the vendor and the Company; and
  •   Any purposes to which a Policyholder has not objected. In certain limited circumstances, the Company may use or disclose PHI after it has given a Policyholder an opportunity to object and the Policyholder did not object, including the use limited information about Policyholders to maintain an office directory, to notify family members or any other person identified by Policyholders regarding issues directly related to that person’s involvement with a Policyholder’s care or payment for that care, or in emergency circumstances.

    All other uses or disclosures of PHI and other Nonpublic Personal Information will be made only with the Policyholder’s written permission or authorization. Any permission and authorization which Policyholders have previously given may be revoked, in writing, at any time, consistent with the terms of the authorization.EMPLOYEE RESPONSIBILITIES a. Employee Requirements

The Company users are responsible for the privacy and security of all data which may come to them in whatever format. The Company is responsible for maintaining ongoing training programs to inform all users of these requirements.

Question Unrecognized Personnel – All visitors to the Company offices must sign in at the front desk. In addition, all visitors must wear a visitor/contractor badge. All other personnel must be employees of the Company. It is the responsibility of all personnel to take positive action to provide physical security. If you see an unrecognized person in a restricted the Company office location(s) without a visitor’s badge, you should challenge them as to their right to be there. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff.

4956408 .1 4965842 .1

Unattended Computers – Unattended computers should be locked by the user when leaving the work area. This feature is discussed with all employees during yearly security training. The Company policy states that all computers will have the automatic screen lock function set to automatically activate upon fifteen (15) minutes of inactivity. Employees are not allowed to take any action which would override this setting.

iii. Home Use of Company Assets – Only computer hardware and software owned by and installed by the Company is permitted to be connected to or installed on the Company equipment. Only software that has been approved for corporate use by the Company may be installed on the Company equipment. Computers or other equipment supplied by the Company are to be used solely for business purposes. All employees and contractors must read and understand the list of prohibited activities that are outlined below. Modifications or configuration changes are not permitted on computers supplied by the Company for home use.

  1. Retention of Ownership – All software programs and documentation generated or provided by employees, consultants, or contractors for the benefit of the Company are the property of the Company unless covered by a contractual agreement. Nothing contained herein applies to software purchased by the Company employees at their own expense.
  2. Compliance with Policy. All personnel must adhere to this Policy and take all reasonable steps to protect these laptops, mobile devices, the Company’s computer systems, data, software and documentation from misuse, loss, theft, unauthorized access and environmental hazards.
  3. Prohibited Activities
    Personnel are prohibited from certain activities, including but not limited to:

Attempting to break into an information resource or to bypass a security feature. This includes running password-cracking programs or sniffer programs, and attempting to circumvent file or other resource permissions.

Introducing, or attempting to introduce, computer viruses, Trojan horses, peer-to-peer (“P2P”) or other malicious code into an information system. [Exception: Authorized information system support personnel, or others authorized by the Company’s Privacy and Security Officer, may test the resiliency of a system. Such personnel may test for susceptibility to hardware or software failure, security against hacker attacks, and system infection.]

The willful, unauthorized access or inspection of confidential or sensitive information to which you have not been approved on a “need to know” basis is prohibited. The Company has access to personal information which is protected by GLBA and/or HIPAA regulations which stipulate a “need to know” before approval is granted to view the information. The purposeful attempt to look at or access information to which you have not been granted access by the appropriate approval procedure is strictly prohibited.

Installation of software onto a Company computer or device, unless approved in advance by the Privacy and Security Officer.

Violating or attempting to violate the terms of use or license agreement of any software product used by the Company is strictly prohibited.

4956408 .1 4965842 .1

Engaging in any activity for any purpose that is illegal or contrary to the policies, procedures or business interests of the Company is strictly prohibited.

Electronic Communication, E-mail, Internet Usage

All electronic communication systems and all messages generated on or handled by Company-owned equipment are considered the property of the Company – not the property of individual users. Consequently, this Policy applies to all the Company employees and contractors, and covers all electronic communications including, but not limited to, telephones, e-mail, voice mail, instant messaging, Internet, fax, personal computers, and servers.

The Company provided resources, such as individual computer workstations or laptops, computer systems, networks, e-mail, and Internet software and services are intended for business purposes. The Company reserves the right, at its discretion, to review any employee’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as the Company policies. Employees should structure all electronic communication with recognition of the fact that the content could be monitored, and that any electronic communication could be forwarded, intercepted, printed or stored by others.

Reporting Software Malfunctions.

Employees should inform the Privacy and Security Officer immediately any time software appears to be functioning incorrectly. The malfunction – whether accidental or deliberate – may pose an information security risk. If an employee suspects a computer virus or software malfunction, the employee shall take the following steps immediately:

Stop using the computer

Do not carry out any commands, including commands to <Save> data.

Do not close any of the computer’s windows or programs.

Do not turn off the computer or peripheral devices.

Write down any unusual behavior of the computer (screen messages, unexpected disk access, unusual responses to commands) and the time when they were first noticed.

Do not attempt to remove a suspected virus yourself.

The IT staff should monitor the resolution of the malfunction or incident, and report to the Privacy and Security Officer the result of the action with recommendations on action steps to avert future similar occurrences.

Report Security Incidents

It is the responsibility of each employee or contractor to report perceived security incidents on a continuous basis to the appropriate supervisor or security person. Users are to report all security incidents, perceived security incidents, or violations of the security policy immediately to the Privacy and Security Officer.

Reports of security incidents shall be escalated as quickly as possible. Each incident will be analyzed to determine if changes in the existing security structure are necessary. All reported incidents are logged and 10

4956408 .1 4965842 .1

the remedial action indicated. It is the responsibility of the Privacy and Security Officer to provide training on any procedural changes that may be required as a result of the investigation of an incident.

Security breaches shall be promptly investigated. If criminal action is suspected, the Privacy and Security Officer shall contact the appropriate law enforcement and investigative authorities immediately.

Breach Notification.

Upon receiving notice of a security incident or violation of this Policy, the Privacy and Security Officer shall assess and determine whether a “breach” of unsecured PHI, as defined in 45 CFR § 164.402, or Nonpublic Personal Information has occurred. In conducting such assessment, the Privacy and Security Officer shall consult with the Company’s legal counsel. If a “breach” has occurred, as defined in 45 CFR § 164.402, the Company (in its capacity as a Business Associate) shall notify the affected covered entity pursuant to the regulations promulgated under HIPAA unless the terms of the applicable business associate agreement are more stringent, in which case the Company shall comply with the notification requirements of the business associate agreement. See Section 22 of this Policy.

Transfer of Sensitive / Confidential Information

When confidential or sensitive information from one individual is received by another individual while conducting official business, the receiving individual shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing individual. All employees must recognize the sensitive nature of data maintained by the Company and hold all data in the strictest confidence. Any purposeful release of data to which an employee may have access is a violation of the Company policy and will result in personnel action, and may result in legal action.

Transferring Software and Files between Home and Work

Personal software shall not be used on the Company computers or networks. If a need for specific software exists, you must submit a request to the Privacy and Security Officer. Users shall not use the Company purchased software on home or on non-Company computers or equipment.

The Company proprietary data, including but not limited to PHI, IT Systems information, financial information or human resource data, shall not be placed on any computer that is not the property of the Company without written consent of the respective supervisor. It is crucial to the Company to protect all data and, in order to do that effectively we must control the systems in which it is contained. In the event that a supervisor receives a request to transfer the Company data to a non-Company Computer System, the supervisor or department head should notify the Privacy and Security Officer or appropriate personnel of the intentions and the need for such a transfer of data.

The Company Wide Area Network (“WAN”) is maintained with a wide range of security protections in place, which include features such as virus protection, e-mail file type restrictions, firewalls, anti-hacking hardware and software, etc. Since the Company does not control non-Company personal computers, the Company cannot be sure of the methods that may or may not be in place to protect the Company sensitive information, hence the need for this restriction.

Internet Considerations

4956408 .1 4965842 .1

Special precautions are required to block Internet (public) access to the Company information resources not intended for public access, and to protect confidential the Company information when it is to be transmitted over the Internet. Prior approval of the Privacy and Security Officer shall be obtained before:

  •   An Internet, or other external network connection, is established;
  •   Company information (including notices, memoranda, documentation and software) is made available on any Internet-accessible computer (e.g. web or ftp server) or device;
  •   Users may not install or download any software (applications, screen savers, etc.). If users have a need for additional software, the user is to contact their supervisor;
  •   Use shall be consistent with the goals of the Company. The network can be used to market services related to the Company, however use of the network for personal profit or gain is prohibited.
  •   Confidential or sensitive data – including credit card numbers, telephone calling card numbers, logon passwords, and other parameters that can be used to access goods or services – shall be encrypted before being transmitted through the Internet.
  •   The encryption software used, and the specific encryption keys (e.g. passwords, pass phrases), shall be escrowed with the Privacy and Security Officer or appropriate personnel, to ensure they are safely maintained/stored. The use of encryption software and keys, which have not been escrowed as prescribed above, is prohibited, and may make the user subject to disciplinary action

Individual users shall each have unique logon IDs and passwords. An access control system shall identify each user and prevent unauthorized users from entering or using information resources. Users shall be responsible for the use and misuse of their individual logon ID. Users shall never use another user’s logon information or credentials to access the Company’s information systems.


User IDs and passwords are required in order to gain access to all the Company’s networks and workstations. All passwords are restricted by a corporate-wide password policy to be of a “Strong” nature (i.e. minimum of 8 characters that contain a combination of upper and lower case letters, numbers, and special characters). This means that all passwords must conform to restrictions and limitations that are designed to make the password difficult to guess. Users are required to select a password in order to obtain access to any electronic information both at the server level and at the workstation level. The Privacy and Security Officer shall work with the IT staff to ensure that the Company’s information resources are configured to, whenever possible, prompt users to change their passwords on a regular basis and require that passwords are of a “Strong” nature. Passwords must be kept confidential and shall not be shared with anyone, written down on paper, or stored within a file or database on a workstation.

Confidentiality Agreement

4956408 .1 4965842 .1

Users of the Company information resources shall sign, as a condition for employment, the confidentiality agreement attached hereto as Appendix A. Temporary workers and third-party employees not already covered by a confidentiality agreement shall sign such a document prior to accessing the Company’s information resources. Confidentiality agreements shall be reviewed on a routine basis, and at such times as deemed appropriate by the Privacy Officer and Security Officer.

Access Control

Information resources are protected by the use of access control systems. Access control systems include both internal (i.e. passwords, encryption, access control lists, constrained user interfaces, etc.) and external (i.e. port protection devices, firewalls, host-based authentication, etc.). Access control shall be managed by the Privacy and Security Officer. Access control shall be based on the employee’s need for access to sensitive information and level of responsibility. The Security Officer shall coordinate with the IT staff to employ user-based access (access based on user name and password), context-based access (access based on the context of the transaction such as time of day or location of the user), and/or role-based access (each user is assigned a role and assigned needed privileges), as deemed appropriate by the Privacy and Security Officer. All users will be given access only to such client data they need to perform their assigned duties.

Rules for access to resources (including internal and external telecommunications and networks) have been established by the Privacy and Security Officer. Whenever the individual’s duties change, the Privacy and Security Officer shall ensure that the individual’s access are modified accordingly. If the individual no longer needs any access (for instance, upon termination of employment), all access should be terminated.

The Privacy and Security Officer shall maintain a log that tracks access rights. The Privacy and Security Officer shall review the list of active user accounts on a quarterly basis and verify that such list is accurate and complete. No less than semi-annually, the Privacy and Security Officer shall conduct entitlement reviews to ensure that all employees have the appropriate roles, access, and software necessary to perform their job functions effectively while being limited to the minimum necessary data to facilitate GLBA and HIPAA compliance and protect consumer data.

Managers and supervisors must notify the Privacy and Security Officer promptly upon departure of employees or contractors or upon transfer to a different position or department. If the employee’s termination is voluntary and employee provides notice, the employee’s supervisor shall promptly notify the Privacy and Security Officer of employee’s last scheduled work day so that their user account(s) can be configured to expire. The Privacy and Security Officer shall be responsible for managing user access on all Company-owned computer systems, and will be responsible for processing all system deletions, changes and modifications to user rights. The Privacy and Security Officer shall be responsible for insuring that all keys, ID badges, user accounts, and other access devices as well as the Company equipment and property is returned to the Company prior to the employee leaving the Company on their final day of employment.

All external personnel performing maintenance activities on the Company’s computer system will be appropriately supervised by authorized and knowledgeable persons.


Access to the Company information resources through modems or other dial-in devices / software, if available, shall be subject to authorization and authentication by an access control system. Direct inward

4956408 .1 4965842 .1

dialing without passing through the access control system is prohibited. Dial-up access privileges are granted only upon the approval of the Privacy and Security Officer or appropriate personnel.

Dial Out Connections

The Company provides a link to an Internet Service Provider. If a user has a specific need to link with an outside computer or network through a direct link, approval must be obtained from the Privacy and Security Officer or appropriate personnel. The appropriate personnel will ensure adequate security measures are in place.

Permanent Connections

The security of the Company systems can be jeopardized from third party locations if security practices and resources are inadequate. When there is a need to connect to a third party location, a risk analysis should be conducted. The risk analysis should consider the type of access required, the value of the information, the security measures employed by the third party, and the implications for the security of the Company systems. The Privacy and Security Officer or appropriate personnel should be involved in the process, design and approval.

  1. Emphasis on Security in Third Party Contracts

Access to the Company computer systems or corporate networks should not be granted until a review of the following concerns have been made, and appropriate restrictions or covenants included in a statement of work (“SOW”) with the party requesting access.

4956408 .1 4965842 .1

  •   A risk assessment of the additional liabilities that will attach to each of the parties to the agreement.
  •   The right to audit contractual responsibilities should be included in the agreement or SOW.
  •   Arrangements for reporting and investigating security incidents must be included in the agreement in order to meet the covenants of the HIPAA Business Associate Agreement.
  •   A description of each service to be made available.
  •   Each service, access, account, and/or permission made available should only be the
    minimum necessary for the third party to perform their contractual obligations.
  •   A detailed list of users that have access to the Company computer systems must be
    maintained and auditable.
  •   Dates and times when the service is to be available should be agreed upon in advance.
  •   Procedures regarding protection of information resources should be agreed upon in
    advance and a method of audit and enforcement implemented and approved by both
  •   The right to monitor and revoke user activity should be included in each agreement.
  •   Language on restrictions on copying and disclosing information should be included in
    all agreements.
  •   Responsibilities regarding hardware and software installation and maintenance should
    be understood and agreement upon in advance.
  •   Measures to ensure the return or destruction of programs and information at the end of
    the contract should be written into the agreement.
  •   If physical protection measures are necessary because of contract stipulations, these
    should be included in the agreement.
  •   Mechanisms should be in place to ensure that security measures are being followed by
    all parties to the agreement.

Because annual confidentiality training is required under the HIPAA regulation, a formal procedure should be established to ensure that the training takes place, that there is a method to determine who must take the training, who will administer the training, and the process to determine the content of the training established.

A detailed list of the security measures which will be undertaken by all parties to the agreement should be published in advance of the agreement.


A firewall is a dedicated piece of hardware or software running on a computer which allows or denies traffic passing through it, based on a set of rules. The Company’s network is protected from outside intrusion with firewalls. Regular security patches and upgrades will be applied, if and to the extent deemed necessary. Authority from the Privacy and Security Officer must be received before any employee or contractor is granted access to a Company router or firewall.


Antivirus Software Installation

Antivirus software is installed on all the Company computers and servers. Virus update patterns are updated daily on the Company servers and workstations. Virus update engines and data files are monitored by the IT staff who are responsible for keeping all virus patterns up to date. The IT staff are responsible for maintaining a record of virus patterns for all workstations and servers on the Company network. The IT staff are responsible for providing reports for auditing and emergency situations as requested by the Privacy and Security Officer.

The IT staff shall also perform virus checks on a regular basis to include: install and maintain up-to-date virus scanning software on all computer systems, respond to all virus incidents, make best efforts to destroy or contain any virus encountered or anticipated, and document any virus encountered.

Software Distribution

Only software approved by the Privacy and Security Officer will be used on internal computers and networks. All new software will be tested by appropriate personnel in order to ensure compatibility with currently installed software and network configuration. In addition, appropriate personnel must scan all software for viruses before installation. This includes shrink-wrapped software procured directly from commercial sources as well as shareware and freeware obtained from electronic bulletin boards, the Internet, or on disks (magnetic or CD-ROM and custom-developed software).

All data and program files that have been electronically transmitted to the Company computer or network from another location must be scanned for viruses immediately after being received. Users shall always remove any diskette, CD-ROM, DVD or USB device from the computer when not in use.

All software programs and documentation generated or provided by employees, consultants, or contractors for the benefit of the Company are the property of the Company unless covered by a contractual agreement. Nothing contained herein applies to software purchased by the Company employees at their own expense.


4956408 .1 4965842 .1


Encryption is the process of transforming information, using an algorithm, to make it unreadable to anyone other than those who have a specific “need to know.” Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.

Encryption Key

An encryption key specifies the particular transformation of plain text into cipher text, or vice versa during decryption. Sensitive data and files shall be encrypted before being transmitted through networks. When encrypted data are transferred between agencies, the agencies shall devise a mutually agreeable procedure for secure key management. The Company employs several methods of secure data transmission, including the use of Citrix Sharefile for encrypted secure file transfer and email attachments; Microsoft Office 365 Azure Secure e-mail encryption service and Dropbox for encrypted secure file transfer.

Any user desiring to transfer secure e-mail with a specific identified external user may request to exchange public keys with the external user by contacting the Privacy and Security Officer or appropriate personnel. Once verified, the certificate is installed on each recipient workstation, and the two may safely exchange secure e-mail.

File Transfer Protocol (FTP)

Files may be transferred to secure FTP sites through the use of appropriate security precautions. Requests

for any FTP transfers should be directed to the Privacy and Security Officer or appropriate personnel.


It is the policy of the Company to provide facility access in a secure manner for all of its locations. The Company strives to continuously upgrade and expand its security and to enhance protection of its assets and medical information that has been entrusted to it. The following list identifies measures that are in effect:

Entrance to each building during non-working hours is controlled by an alarm system which can be disabled by entering a security code. Each employee has their own security code. Attempted entrance without a proper security code will result in immediate notification to the police department.

The security code is changed on a periodic basis and eligible employees are notified by company e- mail or voice mail. Upon termination of employment with the Company, the terminated employee’s security code is deactivated.

The reception area is staffed at all times during the working hours of 8:30 AM to 5:00 PM.

Any unrecognized person in a restricted office location should be questioned as to their right to be in that location. All visitors must sign in at the front desk, wear a visitor badge (excluding customers), and be accompanied by a Company staff member. In certain situations, non-Company personnel who have signed the confidentiality agreement do not need to be accompanied at all times.


4956408 .1 4965842 .1

The Company considers telecommuting (i.e. working from a remote location) to be an acceptable work arrangement in certain circumstances. This Policy is applicable to all employees, agents, and contractors who work either permanently or only occasionally outside of the Company’s office(s). It applies to users who work from their home full time, to employees on temporary travel, to users who work from a remote office location, and to any user who connects to the Company’s network from a remote location.

While telecommuting can be an advantage for users and for the organization in general, it presents new risks in the areas of confidentiality and security of data. Workers linked to the Company’s network become an extension of the wide area network and present additional environments that must be protected against the danger of spreading Trojans, viruses, or other malware. This arrangement also exposes the corporate as well as consumer data to risks not present in the traditional work environment.

Required Equipment

Employees approved for telecommuting must understand that the Company will not provide all equipment necessary to ensure proper protection of information to which the employee may have access. However, the following lists define the equipment required:

The Company Provided:

You may only connect to Senior Life Funding using LogMeIn encrypted secure connection.

Employee Provided:

Broadband connection and fees,
Secure environment isolated from visitors and family,

Do not print at home. Do not take paper files home.

The Company shall keep an accounting of all electronic devices provided to staff, including the name of the staff member, type of electronic device and serial number of such electronic device. Electronic devices include, but are not limited to, iPads, cellular phones, laptops, etc.

Hardware Security Protections

Virus Protection: Home users must never stop the update process for Virus Protection. Virus Protection software is installed on all Company computers and laptops and is set to update the virus pattern on a daily basis. This update is critical to the security of all data, and must be allowed to complete.

VPN and Firewall Use: Established procedures must be rigidly followed when accessing the Company information of any type. The Company requires the use of LogMeIn encrypted secure connection only.

Security Locks: Use security cable locks for laptops at all times, even if at home or at the office. Cable locks have been demonstrated as effective in thwarting robberies.

Lock Screens: No matter what location, always lock the screen before walking away from the workstation. The data on the screen may be protected by HIPAA or may contain confidential information. Be sure the automatic lock feature has been set to automatically turn on after 15 minutes of inactivity.

4956408 .1 4965842 .1

Data Security Protection

Data Backup. Backup procedures have been established that encrypt the data being moved to an external media. Use only the established procedure – do not create one on your own. If there is not a backup procedure established, or if you have external media that is not encrypted, contact the Privacy and Security Officer and/or IT staff for assistance. Protect external media by keeping it in your possession when traveling.

Transferring Data to the Company. Transferring of data to the Company requires the use of an approved VPN connection to ensure the confidentiality and integrity of the data being transmitted. Do not circumvent established procedures, nor create your own method, when transferring data to the Company.

External System Access. If you require access to an external system, contact your supervisor. The Privacy and Security Officer or appropriate personnel will assist in establishing a secure method of access to the external system.

E-mail. Do not send any PHI or PII via e-mail unless it is encrypted. If you need assistance with this, contact the Privacy and Security Officer or appropriate personnel to ensure an approved encryption mechanism is used for transmission through e-mail.

Non- Company Networks. Extreme care must be taken when connecting Company equipment to a home or hotel network. Although the Company actively monitors its security status and maintains organization wide protection policies to protect the data within all contracts, the Company has no ability to monitor or control the security procedures on non-Company networks.

Protect Data in Your Possession. View or access only the information that you have a need to see to complete your work assignment. Regularly review the data you have stored to ensure that the amount of consumer level data is kept at a minimum and that old data is eliminated as soon as possible. Store electronic data only in encrypted work spaces. If your laptop has not been set up with an encrypted work space, contact the Privacy and Security Officer or appropriate personnel for assistance.

Hard Copy Reports or Work Papers. Never leave paper records around your work area. Lock all paper records in a file cabinet at night or when you leave your work area.

Data Entry When in a Public Location. Do not perform work tasks which require the use of sensitive or consumer information when you are in a public area (i.e. airports, airplanes, hotel lobbies). Computer screens can easily be viewed from beside or behind you.

Sending Data to Persons Outside the Company. All external transfer of data must be associated with an official contract, non-disclosure agreement, or appropriate Business Associate Agreement. Do not give or transfer any consumer information to anyone outside the Company without the written approval of the Privacy and Security Officer.


This Policy outlines the processes and procedures for acquiring wireless access privileges, utilizing wireless access, and ensuring the security of the Company laptops, tablets, iPads, and mobile devices.

4956408 .1 4965842 .1

Software Requirements – The following is a list of minimum software requirements for any Company laptop that is granted the privilege to use wireless access:

  •   Windows 10
  •   Antivirus software enabled
  •   Full Disk Encryption
  •   Appropriate LogMeIn Client, if Available
  •   Google Chrome updated to the latest version
    If your laptop does not have all of these software components, please notify the Privacy and Security Officer so these components can be installed.

    Training Requirements – Once you have gained approval for wireless access on your Company computer, you will be required to attend a usage and security training session to be provided by the Privacy and Security Officer or appropriate personnel. This training session will cover the basics of connecting to wireless networks, securing your computer when connected to a wireless network, and the proper method for disconnecting from wireless networks. This training will be conducted within a reasonable period of time once wireless access approval has been granted, and in most cases will include several individuals at once.
  • Use of Transportable Media
  1. Transportable media included within the scope of this Policy includes, but is not limited to, SD cards,

DVDs, CD-ROMs, flash drives, and USB key devices.

The purpose of this Section 12 is to guide employees, agents, and contractors of the Company in the proper use of transportable media when a legitimate business requirement exists to transfer data to and from Company networks. Every workstation or server that has been used by either the Company employees or contractors is presumed to have sensitive information stored on its hard drive. Therefore, procedures must be carefully followed when copying data to or from transportable media to protect sensitive Company data. Since transportable media, by their very design are easily lost, care and protection of these devices must be addressed. Since it is very likely that transportable media will be provided to a Company employee by an external source for the exchange of information, it is necessary that all employees have guidance in the appropriate use of media from other companies.

All users must be aware that sensitive data could potentially be lost or compromised when moved outside of Company networks. Transportable media received from an external source could potentially pose a threat to Company networks. Sensitive data includes all human resource data, financial data, PII, Nonpublic Personal Information, Company proprietary information, and PHI protected by HIPAA.

Rules governing the use of transportable media include:

  •   No sensitive data should ever be stored on transportable media unless the data is maintained in an encrypted format.
  •   All USB keys used to store Company data or sensitive data must be an encrypted USB key issued by the Security Officer or appropriate personnel. The use of a personal USB key is strictly prohibited.
  •   Users must never connect their transportable media to a workstation that is not issued by the Company.

    4956408 .1 4965842 .1
  •   Non-Company workstations and laptops may not have the same security protection standards required by the Company, and accordingly virus patterns could potentially be transferred from the non- Company device to the media and then back to the Company workstation. (Ex: Do not copy a work spreadsheet to your USB key and take it home to work on your home personal computer).
  •   Data may be exchanged between Company workstations/networks and workstations used within the Company. The very nature of data exchange requires that under certain situations data be exchanged in this manner. Examples of necessary data exchange include data provided to auditors via USB key during the course of the audit.
  •   Employees shall obtain prior written approval from the Privacy and Security Officer prior to connecting transferable media from other businesses or individuals into Company workstations or servers.
  •   Before initial use and before any sensitive data may be transferred to transportable media, the media must be sent to the Privacy and Security Officer or appropriate personnel to ensure appropriate and approved encryption is used. Copy sensitive data only to the encrypted space on the media. Non- sensitive data may be transferred to the non-encrypted space on the media.
  •   Report all loss of transportable media to your supervisor. It is important that the Security Officer is notified either directly from the employee or contractor or by the supervisor immediately.
  •   When an employee leaves the Company, all transportable media in their possession must be returned to the Privacy and Security Officer or appropriate personnel for data erasure.

    The Company utilizes an approved method of encrypted data to ensure that all data is converted to a format that cannot be decrypted. The Privacy and Security Officer or appropriate personnel can quickly establish an encrypted partition on your transportable media.

    All transportable media must be returned to the Privacy and Security Officer or appropriate personnel for data erasure when no longer in use. All Company laptops, workstations, and/or servers that are no longer in use must be wiped of data in a manner which conforms to the GLBA and HIPAA regulations. All transportable media must be wiped according to the same standards.

Unless otherwise provided herein, the Company shall maintain, in either written or electronic form, the following documents for a period of not less than six (6) years after the later of such document’s creation or last effective date:

  •   This Policy and all amendments thereto;
  •   The Notice of Privacy Practices and all subsequent privacy notices;
  •   Any communication, action, activity, or documentation required by this Policy, HIPAA or HITECH to be documented and maintained;
  •   Vendor contracts and business associate agreements; and 20

    4956408 .1 4965842 .1

All consent forms for the disclosure of PHI or Nonpublic Personal Information must be retained for ten (10) years.


It must be assumed that any external media in the possession of an employee is likely to contain either PHI, PII, or other sensitive information. Accordingly, external media (CD-ROMs, DVDs, diskettes, USB drives) should be disposed of in a method that ensures that there will be no loss of data and that the confidentiality and security of that data will not be compromised.

The following steps must be adhered to: 

It is the responsibility of each employee to identify media which should be shredded and to utilize this policy in its destruction.

External media should never be thrown in the trash.

When no longer needed all forms of external media are to be sent to the Security Officer or appropriate personnel for proper disposal.

The media will be secured until appropriate destruction methods are used based on NIST 800-88 guidelines.

Requirements Regarding Equipment

All equipment to be disposed of will be wiped of all data, and all settings and configurations will be reset to factory defaults. No other settings, configurations, software installation or options will be made. Asset tags and any other identifying logos or markings will be removed.


The Company shall track changes to networks, systems, and workstations, including software releases and software vulnerability patching, in information systems that contain electronic PHI by documenting and maintaining a list of such changes. Change tracking allows the IT staff to efficiently troubleshoot issues that arise due to an update, new implementation, reconfiguration, or other change to the system

  1. The IT staff or other designated Company employee who is updating, implementing, reconfiguring, or otherwise changing the system shall carefully log all changes made to the system. When changes are tracked within a system (i.e. Windows updates in the Add or Remove Programs component updates performed and logged by the vendor), they do not need to be logged on the change management tracking log. However, the employee implementing the change will ensure that the change tracking is available for review if necessary.
  2. The employee implementing the change will ensure that all necessary data backups are performed prior to the change.
  3. The employee implementing the change shall also be familiar with the rollback process in the event that the change causes an adverse effect within the system and needs to be removed.

4956408 .1 4965842 .1


The purpose of this Section 16 is to ensure that the Company implements hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain ePHI. Audit Controls are technical mechanisms that track and record computer activities. An audit trail determines if a security violation occurred by providing a chronological series of logged computer events that relate to an operating system, an application, or user activities.

The Privacy and Security Officer shall perform regular log checks that will include review of logins to the network, file accesses at the file level, and potential security incidents and breaches. Any unusual or irregular activity will be promptly investigated.

The Company is committed to routinely auditing users’ activities in order to continually assess potential risks and vulnerabilities to ePHI in its possession. As such, the Company will continually assess potential risks and vulnerabilities to ePHI in its possession and develop, implement, and maintain appropriate administrative, physical, and technical security measures in accordance with HIPAA.

See Section 17 entitled Information System Activity Review for the administrative safeguards for auditing system activities.

The Company’s Microsoft Server 2016 Essentials software enables event auditing on all computers that process, transmit, and/or store ePHI for purposes of generating audit logs. Each audit log include, at a minimum: user ID, login time and date, and scope of data being accessed for each attempted access. Audit trails shall be stored on a separate computer system to minimize the impact of such auditing on business operations and to minimize access to audit trails.

The Company shall utilize appropriate network-based and host-based intrusion detection systems. The IT staff shall be responsible for installing, maintaining, and updating such systems.


The purpose of this Section 17 is to establish the process for conducting, on a periodic basis, an operational review of system activity including, but not limited to, user accounts, system access, file access, security incidents, audit logs, and access reports. The Company shall conduct on a regular basis an internal review of records of system activity to minimize security violations.

  1. See Section 16 entitled Audit Controls for a description of the technical mechanisms that track and record activities on the Company’s information systems that contain or use ePHI or PII.
  2. The Privacy and Security Officer, or his/her designee, shall be responsible for conducting reviews of the Company’s information systems’ activities. Such person(s) shall have the appropriate technical skills with respect to the operating system and applications to access and interpret audit logs and related information appropriately.
  3. The Privacy and Security Officer shall develop a report format to capture the review findings. Such report shall include the reviewer’s name, date and time of performance, and significant findings describing events requiring additional action (e.g., additional investigation, employee training and/or discipline, program adjustments, modifications to safeguards). To the extent possible, such report shall be in a checklist format.

4956408 .1 4965842 .1

  1. Such reviews shall be conducted annually. Audits also shall be conducted if the Company has reason to suspect wrongdoing. In conducting these reviews, the Security Officer, or his/her designee, shall examine audit logs for security-significant events including, but not limited to, the following:
  • Logins – Scan successful and unsuccessful login attempts. Identify multiple failed login attempts, account lockouts, and unauthorized access.
  • File accesses – Scan successful and unsuccessful file access attempts. Identify multiple failed access attempts, unauthorized access, and unauthorized file creation, modification, or deletion.
  • Security incidents – Examine records from security devices or system audit logs for events that constitute system compromises, unsuccessful compromise attempts, malicious logic (e.g., viruses, worms), denial of service, or scanning/probing incidents.
  • User Accounts – Review of user accounts within all systems to ensure users that no longer have a business need for information systems no longer have such access to the information and/or system.

All significant findings shall be recorded using the report format referred to in this Section 17 and procedure. The IT staff shall forward all completed reports, as well as recommended actions to be taken in response to findings, to the Security Officer for review. The Security Officer shall be responsible for maintaining such reports. The Security Officer shall consider such reports and recommendations in determining whether to make changes to the Company’s administrative, physical, and technical safeguards. In the event a security incident is detected through such auditing, such matter shall be addressed pursuant to Section 5 entitled Employee Responsibilities (Report Security Incidents).


The purpose of this Section 18 is to protect the Company’s ePHI and PII from improper alteration or destruction. The Company shall implement and maintain appropriate electronic mechanisms to corroborate that ePHI and PII has not been altered or destroyed in an unauthorized manner.

  •   To the fullest extent possible, the Company shall utilize applications with built-in intelligence that automatically checks for human errors.
  •   The Company shall acquire appropriate network-based and host-based intrusion detection systems. The Privacy and Security Officer shall be responsible for installing, maintaining, and updating such systems.
  •   To prevent transmission errors as data passes from one computer to another, the Company will use encryption, as determined to be appropriate, to preserve the integrity of data.
  •   The Company will check for possible duplication of data in its computer systems to prevent poor data integration between different computer systems.
  •   To prevent programming or software bugs, the Company will test its information systems for accuracy and functionality before it starts to use them. The Company will update its systems when IT vendors release fixes to address known bugs or problems.
  •   The Company will install and regularly update antivirus software on all workstations to detect and prevent malicious code from altering or destroying data.

To prevent exposing magnetic media to a strong magnetic field, workforce members shall keep magnetic media away from strong magnetic fields and heat. For example, computers should not be left in automobiles during the summer months.


The purpose of this Section 19 is to establish and implement policies and procedures for responding to an emergency or other occurrence (e.g., fire, vandalism, system failure, natural disaster) that damages systems that contain ePHI or PII.

The Company is committed to maintaining formal practices for responding to an emergency or other occurrence that damages systems containing ePHI or PII. The Company shall continually assess potential risks and vulnerabilities to protect the information in its possession, and develop, implement, and maintain appropriate administrative, physical, and technical security measures in accordance with the GLBA, the HIPAA Security Rule, the ACA and other applicable law.

Data Backup Plan. The Company, under the direction of the Security Officer, shall implement a data backup plan to create and maintain retrievable exact copies of ePHI and PII. Such data backup plan shall include:

At the conclusion of each day, Monday through Friday, an incremental backup of all servers containing ePHI and PII shall be backed up. On Saturday, a full backup of all servers containing ePHI and PII shall be backed up. The backup media are taken each week off site by the IT staff or his/her designee to ensure the Company’s data is properly safeguarded. One month of backup data will be maintained at all times in a remote location. Backup media that is no longer in service will be disposed of in accordance with Section 13 entitled Disposal of External Media/Hardware.

The Privacy and Security Officer shall monitor storage and removal of backups and ensure all applicable access controls are enforced.

The Privacy and Security Officer shall test backup procedures on an annual basis to ensure that exact copies of ePHI and PII can be retrieved and made available. Such testing shall be documented by the Privacy and Security Officer. To the extent such testing indicates need for improvement in backup procedures, the Privacy and Security Officer shall identify and implement such improvements in a timely manner.

Disaster Recovery and Emergency Mode Operations Plan. The Privacy and Security Officer shall be responsible for developing and regularly updating the written disaster recovery and emergency mode operations plan for the purpose of:

Restoring or recovering any loss of ePHI or PII and/or systems necessary to make ePHI and PII available in a timely manner caused by fire, vandalism, terrorism, system failure, or other emergency; and

Continuing operations during such time information systems are unavailable. Such written plan shall have a sufficient level of detail and explanation that a person unfamiliar with the system can implement the plan in case of an emergency or disaster. Copies of the plan shall be maintained on-site and at the off-site locations at which backups are stored or other secure off-site location.

4956408 .1 4965842 .1

The disaster recovery and emergency mode operation plan shall include the following: (i) Current copies of the information systems inventory and network configuration developed and updated as part of the Company’s risk analysis; (ii) Current copy of the written backup procedures developed and updated pursuant to this Policy; (iii) Identification of an emergency response team; (iv) Procedures for responding to loss of electronic data including, but not limited to retrieval and loading of backup data or methods for recreating data should backup data be unavailable. The procedures should identify the order in which data is to be restored based on the criticality analysis performed as part of the Company’s risk analysis.

Members of such team shall be responsible for the following:

  •   Determining the impact of a disaster and/or system unavailability on the Company’s operations.
  •   In the event of a disaster, securing the site and providing ongoing physical security.
  •   Retrieving lost data.
  •   Identifying and implementing appropriate “work-arounds” during such time information systems are unavailable.
  •   Taking such steps necessary to restore operations.
  •   Maintain a list of all telephone numbers and/or e-mail addresses for all persons to be contacted in the event of a disaster, including the following: Members of the immediate response team, Facilities at which backup data is stored, Information systems vendors, and all current workforce members.

    The disaster recovery team shall meet on at least an annual basis to:

    Review the effectiveness of the plan in responding to any disaster or emergency experienced by the Company;

    In the absence of any such disaster or emergency, plan drills to test the effectiveness of the plan and evaluate the results of such drills; and

    Review the written disaster recovery and emergency mode operations plan and make appropriate changes to the plan. The Privacy and Security Officer shall be responsible for convening and maintaining minutes of such meetings. The Privacy and Security Officer also shall be responsible for revising the plan based on the recommendations of the disaster recovery team.

All workforce members shall receive appropriate training concerning this Policy. Such training shall be provided to all new employees upon hire and on an ongoing basis thereafter. Such training shall be repeated annually for all employees.

Privacy and Security Training Program

The Privacy and Security Officer shall have responsibility for the development and delivery of initial

privacy and security training. All workforce members shall receive such initial training addressing the 25

4956408 .1 4965842 .1

requirements of the HIPAA including the updates to HIPAA regulations found in the HITECH Act, and the ACA’s requirements for PII security. Training shall be provided to all new workforce members as part of the orientation process. Attendance and/or participation in such training shall be mandatory for all workforce members. The Privacy and Security Officers shall be responsible for maintaining appropriate documentation of all training activities.

The Privacy and Security Officer shall have responsibility for the development and delivery of ongoing security training provided to workforce members in response to environmental and operational changes impacting the security of ePHI and PII (e.g., addition of new hardware or software, and increased threats).

Privacy and Security Reminders

The Privacy and Security Officer shall generate and distribute to all workforce members routine privacy and security reminders on a regular basis. Periodic reminders shall address password security, malicious software, incident identification and response, and access control. The Privacy and Security Officer may provide such reminders through formal training and periodic informal reminders. The Privacy and Security Officer shall be responsible for maintaining appropriate documentation of all periodic privacy and security reminders. The Privacy and Security Officer shall generate and distribute special notices to all workforce members providing urgent updates, such as new threats, hazards, vulnerabilities, and/or countermeasures.

Protection from Malicious Software

As part of the aforementioned Training Program, the Privacy and Security Officer shall provide training concerning the prevention, detection, containment, and eradication of malicious software. Such training shall include the following:

Guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail,

The importance of updating anti-virus software and how to check a workstation or other device to determine if virus protection is current,

Instructions to never download files from unknown or suspicious sources,
Recognizing signs of a potential virus that could sneak past antivirus software or could

arrive prior to an update to anti-virus software,

The importance of backing up critical data on a regular basis and storing the data in a safe place,

Damage caused by viruses and worms, and

What to do if a virus or worm is detected. d. Password Management

As part of the aforementioned Training Program, the Privacy and Security Officer shall provide training concerning password management. Such training shall address the importance of confidential passwords in maintaining computer security, as well as the requirements relating to passwords set forth in Section 5 herein.

4956408 .1 4965842 .


The Company shall conduct an accurate and thorough risk analysis to serve as the basis for the Company’s compliance efforts with HIPAA and other applicable law. The Company shall re-assess the security risks to its ePHI and evaluate the effectiveness of its security measures and safeguards as necessary in light of changes to business practices and technological advancements.

The Privacy and Security Officer shall be responsible for coordinating the Company’s risk analysis. The Privacy and Security Officer shall identify appropriate persons within the organization to assist with the risk analysis.

The risk analysis shall proceed in the following manner:
i. Document the Company’s current information systems.

4956408 .1 4965842 .1

  • (a)  Update/develop information systems inventory. List the following information for all hardware (i.e., network devices, workstations, printers, scanners, mobile devices) and software (i.e., operating system, various applications, interfaces): date acquired, location, vendor, licenses, maintenance schedule, and function. Update/develop network diagram illustrating how organization’s information system network is configured.
  • (b)  Update/developfacilitylayoutshowinglocationofallinformationsystemsequipment, power sources, telephone jacks, and other telecommunications equipment, network access points, fire and burglary alarm equipment, and storage for hazardous materials.
  • (c)  Foreachapplicationidentified,identifyeachlicensee(i.e.,authorizeduser)byjobtitle and describe the manner in which authorization is granted.

(d) For each application identified:

  •   Describe the data associated with that application.
  •   Determine whether the data is created by the organization or received from a third
    party. If data is received from a third party, identify that party and the purpose and manner of receipt.
  •   Determine whether the data is maintained within the organization only or transmitted to third parties. If data is transmitted to a third party, identify that party and the purpose and manner of transmission.
  •   Define the criticality of the application and related data as high, medium, or low. Criticality is the degree of impact on the organization if the application and/or related data were unavailable for a period of time.
  •   Define the sensitivity of the data as high, medium, or low. Sensitivity is the nature of the data and the harm that could result from a breach of confidentiality or security incident.

4956408 .1 4965842 .1


For each application identified, identify the various security controls currently in place and locate any written policies and procedures relating to such controls.

Natural and environmental threats (e.g., tornados, water damage, fire and smoke damage, power outage, utility problems)

Human threats

o Accidental acts (e.g., input errors and omissions, faulty application programming or processing procedures, failure to update/upgrade software/security devices, lack of adequate financial and human resources to support necessary security controls)

o Inappropriate activities (e.g., inappropriate conduct, abuse of privileges or rights, workplace violence, waste of corporate assets, harassment)

o Illegal operations and intentional attacks (e.g., eavesdropping, snooping, fraud, theft, vandalism, sabotage, blackmail)

o External attacks (e.g., malicious cracking, scanning, demon dialing, virus introduction)

o IdentifyanddocumentvulnerabilitiesintheCompany’sinformationsystems. A vulnerability is a flaw or weakness in security policies and procedures, design, implementation, or controls that could be accidentally triggered or intentionally exploited, resulting in unauthorized access to ePHI or PII, modification of ePHI or PII, denial of service, or repudiation (i.e., the inability to identify the source and hold some person accountable for an action). To accomplish this task, conduct a self-analysis utilizing the standards and implementation specifications to identify vulnerabilities.

Determine and document probability and criticality of identified risks.

Assign probability level, i.e., likelihood of a security incident involving identified risk.

  •   “Very Likely” (3) is defined as having a probable chance of occurrence.
  •   “Likely” (2) is defined as having a significant chance of occurrence.
  •   “Not Likely” (1) is defined as a modest or insignificant chance of occurrence.

    Assign criticality level.

“High” (3) is defined as having a catastrophic impact on the medical practice including a significant number of medical records which may have been lost or compromised.

Identify and document threats to the confidentiality, integrity, and availability

(referred to as “threat agents”) of ePHI and PII created, received, maintained, or transmitted by the Company. Consider the following:

  •   “Medium” (2) is defined as having a significant impact including a moderate number of medical records within the practice which may have been lost or compromised.
  •   “Low” (1) is defined as a modest or insignificant impact including the loss or compromise of some medical records.

    Determine risk score for each identified risk. Multiply the probability score and criticality score. Those risks with a higher risk score require more immediate attention.

(g) Identify and document appropriate security measures and safeguards to address key vulnerabilities. To accomplish this task, review the vulnerabilities you have identified in relation to the standards and implementation specifications. Focus on those vulnerabilities with high risk scores, as well as specific security measures and safeguards required by GLBA and HIPAA.

(h) Develop and document an implementation strategy for critical security measures and safeguards

  •   Determine timeline for implementation.
  •   Determine costs of such measures and safeguards and secure funding.
  •   Assign responsibility for implementing specific measures and safeguards to appropriate person(s).
  •   Make necessary adjustments based on implementation experiences.
  •   Document actual completion dates.
  • Evaluate effectiveness of measures and safeguards following implementation and

make appropriate adjustments.

The Privacy and Security Officer shall be responsible for identifying appropriate times to conduct follow- up evaluations and coordinating such evaluations. The Privacy and Security Officer shall identify appropriate persons within the organization to assist with such evaluations. Such evaluations shall be conducted upon the occurrence of one or more of the following events: changes in the HIPAA Security Regulations or GLBA regulations regarding consumer privacy and security; new federal, state, or local laws or regulations affecting the security of ePHI or PII; changes in technology, environmental processes, or business processes that may affect security policies or procedures; or the occurrence of a serious security incident. Follow-up evaluations shall include the following:

Inspections, reviews, interviews, and analysis to assess adequacy of administrative and physical safeguards. Such evaluation shall include interviews to assess employee compliance; after-hours walk-through inspections to assess physical security, password protection (i.e., not posted), and workstation sessions terminated (i.e., employees logged out); review of latest security policies and procedures for correctness and completeness; and inspection and analysis of training, incident, and media logs for compliance.

4956408 .1 4965842 .1

Analysis to assess adequacy of controls within the network, operating systems and applications. As appropriate, the Company shall engage outside vendors to evaluate existing physical and technical security measures and make recommendations for improvement


It is the policy of the Company that all workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times. The Company will impose sanctions, as described below, on any individual who accesses, uses, or discloses personal information without proper authorization, in violation of this Policy.

The Company will take appropriate disciplinary action in accordance with this Policy or state, or federal confidentiality laws or regulations.

In the event that a workforce member violates this Policy and/or violates the ACA, GLBA, HIPAA or related state laws governing the protection of sensitive and patient identifiable information or consumer information, the workforce member may be subject to disciplinary action. Depending on the severity of the violation, any single act may result in disciplinary action up to and including termination of employment or contract with the Company


  1. This applies to all employees, agents, directors, officers, and other individuals working under contractual

agreements with the Company.

  1. Any staff members who believe that information has been used or disclosed in any way that compromises the security or privacy of that information, or any person who becomes aware of any unauthorized acquisition, access, use or disclosure of PHI or PII in the custody or control of the Company shall immediately inform their supervisor/manager, and the Privacy and Security Officer of such incident. Notification should occur immediately upon discovery of the potential breach or security incident or before the end of the work day on which the incident occurred. If other duties interfere, however, in no case should notification occur later than twenty-four (24) hours after discovery.
  2. The staff member shall:

    • Provide the Privacy and Security Officer with as much detail as possible, including the following information (if known): identity of individual whose information has been compromised, the type of information, and circumstances leading to or causing the use or disclosure.

    • Be responsive to requests for additional information from the Privacy and Security Officer.
  3. The Privacy and Security Officer will determine whether the Company is obligated to comply with certain notice procedures which may be set forth in a Business Associate Agreement to which the Company is a party. The Privacy and Security Officer shall comply with the terms of the applicable Business Associate Agreement as it relates to notice to the Covered Entity, notification required under HIPAA, and any other contractual term which may apply.

4956408 .1 4965842 .1


  1. The Company shall notify the affected Covered Entity pursuant to the regulations promulgated under HIPAA unless the terms of the applicable Business Associate Agreement are more stringent, in which case the Company shall comply with the notification requirements of the Business Associate Agreement.
  2. Subcontractors (or sub-business associates) must notify the Company if they incur or discover a Breach of unsecured PHI. Notices must be provided without reasonable delay and in no case later than sixty (60) days after discovery of the Breach. Subcontractors or sub-business associates must cooperate with the Company in investigating and mitigating the Breach.

Containing the Breach

The Privacy and Security Officer will work with individual or department(s) to immediately contain the breach. Examples include, but are not limited to: Stopping the unauthorized practice, Recovering the records, if possible, Shutting down the system that was breached, Mitigating the breach, if possible, Correcting weaknesses in security practices, Notifying the appropriate authorities including the local police department if the Breach involves, or may involve, any criminal activity, etc.

Investigating and Evaluating the Risks Associated with the Breach

  1. To determine what other steps are immediately necessary, the Privacy and Security Officer will investigate the circumstances of the Breach.

4956408 .1 4965842 .1

  • The Privacy and Security Officer, in collaboration with the Company’s legal counsel, will review the results of the investigation to determine root cause(es), evaluate risks, and develop a resolution plan.
  • The Privacy and Security Officer, in collaboration with the Company’s legal counsel, will consider several factors in determining the risks associated with the Breach, including but not limited to:
    1. Contractual obligations to third parties and/or customers
    2. Legal obligations – the Company’s legal counsel should complete a separate legal assessment of the potential breach and provide the results of the assessment to the Privacy and Security Officer and the rest of the breach response team
    3. Risk of identity theft or fraud because of the type of information lost such as social security number, banking information, identification numbers
    4. Risk of physical harm if the loss puts an individual at risk of stalking or harassment
    5. Risk of hurt, humiliation, or damage to reputation when the information includes medical or disciplinary records
    6. Number of individuals affected.


I understand and agree to maintain and safeguard the confidentiality of privileged information of the Company. Further, I understand that any unauthorized use or disclosure of information residing on the Company information resource system may result in disciplinary action, up to and including termination of employment, and may constitute a violation of federal or state law for which civil and criminal sanctions could apply.

______________________________________ Date Signature

______________________________________ Company/Firm

______________________________________ Date Signature of the Privacy and Security Officer

4956408 .1 4965842 .1

Senior Life Funding Privacy Policy Our commitment to privacy

This notice is being provided to you in accordance with the Securities and Exchange Commission rule regarding the privacy of consumer financial information (Regulation S-P).1 Please take the time to read and understand the privacy policies and procedures that we have implemented to safeguard your nonpublic personal identifiable information. We collect your personal information to offer you insurance and financial products and services. The type of information we collect and the extent to which it is used depends on the products and services we provide to you. For example, we may obtain information such as: business, geographic, and demographic information, names, addresses, phone numbers, email addresses, tax identification numbers, employee identification numbers, trust agreements, corporate documents, bank account numbers, loan numbers, obligation numbers, passwords for secured documents, driver’s license numbers, your financial and medical history, and other financial information. Senior Life Funding is committed to maintaining the confidentiality, integrity, and security of personal information about our current and prospective customers. In this policy personal information means “personally identifiable information.”

Please note that certain details of this policy may depend on whether you deal with us through an investment professional, directly as an individual investor, through an agent or licensee of NIW, or whether Senior Life Fundingprovides services to your employer or plan sponsor.

The privacy policies of Senior Life Funding are reviewed periodically, that include updates made from time to time and published on our website

Senior Life Funding privacy policy
How and why we obtain personal information

We may use personal information about you to model financial proposals for your approval; to illustrate and to provide for underwriting of life insurance and related products; to illustrate and provide for financing, related underwriting, and servicing; to process transactions for your benefit; to provide the service to you for the products you purchase and are interested in; to assist in your education regarding Senior Life Funding products and services, and to choose to purchase; to respond to inquiries from you or your representatives; to develop, offer, and deliver products and services; and to fulfill legal and regulatory requirements.

How we protect information about you

1 Although this Privacy Policy addresses only consumer information, Senior Life Funding acknowledges its legal responsibilities to protect stored nonpublic information of commercial users, and takes appropriate steps to guard it against unauthorized use or disclosure as well.

4963319 .1

Senior Life Funding considers the protection of personal information to be a foundation of customer trust and a sound business practice. We employ physical, electronic and procedural controls and we regularly adapt these controls to respond to changing requirements and advances in technology.

At NIW, we restrict access to personal information to those who require it to develop, support, offer and deliver products and services to you.

How we share information about you with third parties

Senior Life Funding does not share personal information about our customers with unaffiliated third parties for use in marketing their products and services. We may share personal information with the following entities without prior notice to you:

  •   Its agents (general and independent), independent marketing organizations (IMOs), brokers such as broker general agents (BGAs), licensees, and unaffiliated service providers engaged in the delivery of product and services to or for your benefit (collectively “Agents”).
  •   Insurance carriers, and related parties providing products and services involved with a proposal, illustration or engagement.

o If your engagement with Senior Life Funding includes transacting business through life insurance companies, we may validate and obtain information about you from an insurance support organization. The insurance support organization may further share your information with other insurers, as permitted by law. We may also share medical information about you to learn if you qualify for coverage, to process claims, to prevent fraud, or otherwise at your direction, as permitted by law.

  •   Lenders and others involved in providing financial underwriting and financing of payment of premiums and other costs involved with a proposal, illustration or engagement.
  •  Commercial trustees involved in the servicing and maintenance of a financial and/or insurance arrangement you have engaged.
  • Other third-parties, with your direction or consent or as directed by your representatives
  •  Governmental and other organizations as permitted or required by law (for example for
    fraud prevention, suspicious activity reporting, or to respond to a subpoena).
  • How we share information about you within NIW
  • We may share personal information about you with various Senior Life Funding Affiliated Companies including internal service providers which perform financial illustrations, modeling, data processing, and communication of the information as part of the service. We ensure that only appropriate employees and agents access and use your information, on a confidential basis.

    Additionally, if you interact with Senior Life Funding directly as an individual client (including joint account holders) or if Senior Life Funding provides services to your employer or plan sponsor, we may exchange certain information about you with Senior Life Funding Affiliated Companies, for their use in marketing products and services as allowed by law.

4963319 .1

Digital privacy

Privacy, security, and service in NIW’s online operations are just as critical as in the rest of our business. We use firewall barriers, encryption techniques, and authentication procedures, among other controls, to maintain the security of your online session and to protect Senior Life Funding accounts and systems from unauthorized access.

When you interact with us by using our websites, online services or mobile applications that are owned and controlled by Senior Life Funding (“our digital offerings”), Senior Life Funding manages personal information in accordance with all of the practices and safeguards described previously. Access to our digital offerings is restricted to you and is not permitted to be disclosed to other persons. Senior Life Funding’s systems and technology are proprietary, and contain core intellectual property, and confidential information of Senior Life Funding and others. Access to our digital offerings can be revoked, such as for reasons of unauthorized disclosure or other breach.

When you use our digital offerings, we may collect technical and navigational information, such as device type, browser type, Internet protocol address, pages visited, and average time spent on our digital offerings. We use this information for a variety of purposes, such as maintaining the security of your session, facilitating site navigation, improving Senior Life Funding website design and functionality, and personalizing your experience. Additionally, the following policies and practices apply when you are online.

Cookies and similar technologies

Senior Life Funding and our third-party service providers may use cookies and similar technologies to support the operation of our digital offerings. Cookies are small amounts of data that a website or online service exchanges with a web browser or application on a visitor’s device (for example, computer, tablet, or mobile phone). Cookies help us to collect information about users of our digital offerings, including date and time of visits, pages viewed, amount of time spent using our digital offerings, or general information about the device used to access our digital offerings. Senior Life Funding cookies are also used for security purposes and to personalize your experience, such as customizing your screen layout.

You can refuse or delete cookies. Most browsers and mobile devices offer their own settings to manage cookies. If you refuse a cookie, or if you delete cookies from your device, you may experience some inconvenience in your use of our digital offerings. For example, you may not be able to sign in and access your account, or we may not be able to recognize you, your device, or your online preferences.

Both Senior Life Funding and third-party service providers we hire may use cookies and other technologies, such as web beacons, pixel tags, or mobile device ID, in online advertising as described below.

Connecting with Senior Life Funding on digital platforms

4963319 .1

Senior Life Funding provides experiences on digital platforms that enable online sharing and collaboration among users who have registered to use them. We may collect information you provide by interacting with us via digital media, such as photographs, opinions, or digital media account ID. Any content you post, such as pictures, information, opinions, or any personal information that you make available to other participants on these platforms, is also subject to the terms of use and privacy policies of those platforms. Please refer to them to better understand your rights and obligations with regard to such content.

Protecting children’s privacy online

Senior Life Funding websites are not directed to individuals under the age of thirteen (13). Senior Life Funding does not intentionally collect information on Senior Life Funding websites from those we know are under 13, and we request that these individuals do not provide personal information through the sites.

Additional information

Your information and case history is retained as long as your case is active, for the duration of NIW’s service to you, and thereafter as may be required for audit, typically 3 years. Thereafter, except for your name and contact information, the information is destroyed.

If you are a former customer, these policies also apply to you; we treat your information with the same care as we do information about current customers.

Senior Life Funding offers several options for accessing and, if necessary, correcting your account information. You can review your information using statements and illustrations we provide, or through our Internet services. You may also write or call us with your request for information. If you transact business through a third party provider, such as a life insurance carrier or lender, please contact them directly; in connection with life underwriting by or on behalf of an insurance carrier, they may be required to provide, upon written request, a record of any disclosures of your medical record information. If we serve you through an Agent or other investment professional, please contact them directly. Specific Internet addresses, mailing addresses and telephone numbers are listed on your statements and other correspondence.

The Senior Life Funding Privacy Policy is provided on behalf of Senior Life Funding Companies, Inc., and other companies owned by Senior Life Funding Companies or its affiliates provide life underwriting, financing, finance servicing, and associated financial services to or for the benefit of their customers (collectively, “NIW”).

We do not offer a right to opt out since we only share information about you with others as permitted or required by law.

Senior Life Funding privacy policy

Protecting your personal information is an important priority for Senior Life Funding. The Senior Life Funding privacy policy is designed to support this objective. Senior Life Funding collects non-public personal information concerning you in the following ways:

4963319 .1

  •   Information provided by you or your representative on applications or other forms furnished to Senior Life Funding or Agents or through other interactions that you, your representative or Agents have with Senior Life Funding.
  •   Information arising from your insurance policies, investments and borrowings that involve Senior Life Funding products or related services.
  •   Information Senior Life Funding receives from a third-party reporting agencies that you authorize or are otherwise permitted by law.

    Senior Life Funding employs physical, electronic, and procedural controls to safeguard your information. For example, the Senior Life Funding authorizes access to your personal and account information only for personnel who need that information in order to provide products or services to you.

    Senior Life Funding does not disclose any non-public personal information about you, except as permitted by law.

    If you decide to terminate your financial services relationship with Senior Life Funding, Senior Life Funding will continue to adhere to the privacy policies and practices as described in this notice.

    The Senior Life Funding Privacy Policy is provided on behalf of the Senior Life Funding Affiliated Companies, including their Agents applying Senior Life Funding’s life insurance premium finance and servicing arrangements.

    Effective August 2019

We may update this privacy policy from time to time to reflect changes to our information practices. If we make any material changes to our privacy practices, we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on our platforms prior to the change becoming effective. We encourage you to periodically review this page for the

latest information on our privacy practices.

4963319 .1