Privileged and Confidential | 2

After reviewing this presentation, you’ll understand:

• Your role in protecting confidential and health information

• VSP Global Companies’ security and information protection policies

Privileged and Confidential | 3

• Information is one of the most valuable assets of any organization or individual.

• As a service provider, you are expected to treat information security as one of your most important duties.

Privileged and Confidential | 4

It is your responsibility to read and understand all security policies outlined in the SIPP and adhere to any mandated security procedures.

Privileged and Confidential | 5

SIPP is composed of policies that establish the baseline for VSP Companies’ facilities, workforce, and information protection procedures to ensure:• Consistently applied security guidelines• Compliance with applicable State and Federal laws and regulations• Protection of confidential information from accidental or deliberate disclosure,

tampering, or loss.

Privileged and Confidential | 6

SIPP addresses the protection of different types of information:

• Public

• Proprietary

• Confidential

Privileged and Confidential | 7

PUBLIC

• Information which any person or entity either internal or external to VSP Companies can access.

• The disclosure, use, or destruction of publicly available information or data has no adverse affects on VSP Companies nor carries any liability.

Privileged and Confidential | 8

Proprietary

• Information which we own or hold exclusive rights to, such as trade names, service marks, logos, procedures, patents, copyrights, etc.

Privileged and Confidential | 9

Confidential• Information whose loss, corruption, or unauthorized use or disclosure would

be a violation of federal or state international laws/regulations or VSP Global Companies’ rights and interests;• Data that involves issues of personal privacy;• Data whose loss, corruption, or unauthorized use or disclosure may impair

the business functions of VSP Global Companies, or result in business, financial, or legal loss.

Privileged and Confidential | 10

Assets you are responsible for protecting are:

• Equipment and software issued to you as a service provider

• Data and information critical to our business

Privileged and Confidential | 11

• VSP Global Companies’ equipment is uniquely identified, tracked, and regularly audited to ensure proper ownership, maintenance, licensing, and financial verification.

• You are responsible for protecting VSP Global Companies’ equipment against loss, destruction, or misuse.

Privileged and Confidential | 12

As a service provider at a VSP Global Company, it is your responsibility to:

• Properly handle equipment and software

• Protect equipment from misuse

• Report equipment problems to TAC

Global Companies’ Electronic Equipment Policy

VSP Global (VSP) may provide service providers with electronic and communication equipment/systems and software for the use and benefit of VSP and its business partners. Every user is responsible to use the equipment/systems in a productive, ethical, and lawful manner. This policy pertains to all computers, virtual communication tools, software, telephones (desktop and cellular), FAX machines, printers, copiers, pagers, audio/visual equipment, or any other electronic equipment or device (collectively “Electronic Equipment”) issued by the Company. Minimal use of VSP’s Electronic Equipment for informal/personal purposes or outside regular work hours is permissible only with management approval and within reasonable time limits.

Business Etiquette

All forms of communications must be courteous, professional, business-like and must represent VSP appropriately. Use of VSP’s Electronic Equipment to transmit or receive chain letters and defamatory, obscene, discriminatory, illegal, offensive, threatening, intimidating or harassing material or messages is strictly prohibited.

E-mail

● At a minimum, your signature block should include your name, job title, contact information, and division.

● Use of the Company’s brand-approved signature templates or references to corporate initiatives such as eye health, wellness and “going green” are appropriate. Personal statements or quotes in the signature block should not be used.

● For extended absences away from your desk, create an out-of-office reply that includes your status, when the recipient can expect your return, and accurate instructions for an alternative contact.

Telephone

● You are the voice of the VSP and should treat everyone with the respect they deserve. In all areas, we must represent VSP in a positive and professional manner.

● Answer the phone promptly, preferably after the first ring.

● Greet your caller in a friendly and professional manner including your name and the name of the company.

● For extended absences away from your desk, create an out-of-office reply that includes your status, when the recipient can expect your return, and accurate instructions for an alternative contact.

● Make personal calls at lunch or during break times whenever possible.

Company Supplied Equipment

The following applies to all Devices referenced below: PleasereviewVSPGlobalCompanies’ElectronicEquipment Policy.Clicktoopen.

Privileged and Confidential | 13

CONFIDENTIAL AND PROTECTED HEALTH INFORMATION

SIPP addresses the protection of both confidential information and Protected Health Information (PHI).

Confidential Information

• Personal information about VSP members, employees, or service providers, and strategic information about VSP Global Companies’ business operations and financial performance

Privileged and Confidential | 14

CONFIDENTIAL AND PROTECTED HEALTH INFORMATION

SIPP addresses the protection of both confidential information and Protected Health Information (PHI).

Protected Health Information (PHI)

Information relating to any patient’s past, present, or future vision health. This includes:• Patient’sNameApatient’spast,present,

andfuturehealthormedicalcondition• Thepaymentfortheprovisionofhealth

caretoapatient• Informationafterserviceshavebeenrendered

• DesignatedMedicalRecordSet• ID/SSN• DateofService• Service/MaterialInformation

Privileged and Confidential | 15

NOTICE OF PRIVACY PRACTICES

VSP Global Companies maintain and provide to clients and members a Notice of Privacy Practices (NPP) that identifies how protected health information is used and disclosed for:

• Treatment

• Payment

• Health Care Operations

Privileged and Confidential | 16

In the event you are given access to confidential information and Protected Health Information (PHI), it will be based on your job functions.

If this takes place, access to VSP Global Companies’ networks and systems is:

• Assigned to you and audited regularly

• Based on your job functions and responsibilities

• Reassigned when your function or location changes

Privileged and Confidential | 17

FAX AND E-MAIL

All documents that are systematically faxed or e-mailed outside VSP Global Companies should include a Confidentiality Notice.

You must ensure that manual faxes to business partners include a standard fax coversheet with the Confidential Notice.

Ask about the standard fax coversheet used in the area you are assigned to work.

Privileged and Confidential | 18

WORK SPACE SECURITY

Service providers must protect hardcopy-printed documentation and electronic media that contains business information. Electronic media includes diskettes, CDs, USP flash drive, jump drive, memory sticks, tapes, and any other device that can store data. At no time is it allowed to have confidential information on a portable memory device of any kind.

Privileged and Confidential | 19

WORK SPACE SECURITY

• Do not leave confidential information unsecured or unattended at any time.

• Place confidential information, including notes, in a drawer when away from your work space.

• Use confidential envelopes when sending confidential information through interoffice mail.

• Lock confidential information in a drawer or office for overnight security.

Privileged and Confidential | 20

WORK SPACE SECURITY

• Destroy all diskettes and CDs that are no longer needed by disposing in locked shred bins.

• Writing to media with USB ports is disabled by default. Exceptions are granted only on an as-needed basis with approval.

Privileged and Confidential | 21

STORAGE AND DISPOSAL

You can properly store and dispose confidential and Protected Health Information (PHI) by:• Placing confidential information in a shred bin for disposal• Labeling storage boxes as “confidential”• Locking disks and CDs in drawers, cabinets, or secured areas• Deleting confidential information from disks or CDs before destroying or reuse• Immediately put unattended documents containing confidential information

found on printers, faxes, or copy machines into locked shred bins.

Privileged and Confidential | 22

To insure we maintain security in our physical environment, VSP Global Companies maintain a comprehensive Corporate Security Plan that includes safety processes and communication procedures, including:

• Emergency Evacuation

• Safety Incident Reporting

• Crisis Management

• Bomb Threat Response

• Hazardous Materials Handling

Privileged and Confidential | 23

Access to VSP Global Companies’ facilities is controlled:

• For your safety and security

• To safeguard the premises, buildings, and equipment from unauthorized access

Privileged and Confidential | 24

You must ensure that your visitor (auditors, brokers, clients, and personal guests)

• Sign in with security when they arrive

• Receive and wear a visitor’s badge

• Are escorted at all times

• Sign out with security when they leave

Privileged and Confidential | 25

You can properly secure the electronic information you use by creating a unique password (one that cannot be associated with you or your job function.)

You can create a unique password by:

• Using both alpha and numeric characters

• Using at least eight (8) characters

Privileged and Confidential | 26

You can protect your password by:

• Changing it every 60 days

• Not disclosing it to anyone

• Changing it immediately if someone other than you accessed it using your ID.

Privileged and Confidential | 27

VSP Global Companies maintain a Business Continuity Plan (BCP) to ensure critical business functions – such as processing claims and issuing paychecks – can continue if there is a system outage or other emergency.

• VSP Global Companies routinely maintain, test, and revise the business continuity plan.

You have completed the Security and Information Protection Plan Training.

Please use your employer’s microsite link to acknowledge your understanding of your responsibilities.

Privileged and Confidential | 28©2016 Vision Service Plan. All rights reserved.VSP Global is a registered trademark of Vision Service Plan.