HIPAA POLICY

 

Last updated on 5/12/2024

 

Please read this HIPAA Policy (“Policy”) carefully. The users, subscribers, partners, and viewers accept the terms of this Policy by accessing and/or utilizing the services of Bridge To Life Clinical Consultants (the “BTLCC” or “Company”). The users acknowledge that they agree to this Policy and accept the rights and obligations created by it. This Policy is drafted to outline the HIPAA policy of the Company. This Policy is designed to comply with applicable laws and standards.

 

  1. INTRODUCTION

 

    1. Purpose of the HIPAA Policy: The purpose of this Health Insurance Portability and Accountability Act (HIPAA) Policy for BTLCC is to ensure rigorous adherence to federal regulations regarding the confidentiality, integrity, and availability of protected health information (PHI) handled by BTLCC across all its platforms and operations. This policy guides the handling of PHI to protect patient privacy and ensure the secure communication and transfer of sensitive health data. It establishes the legal obligations and ethical duties of BTLCC in managing health information while outlining the procedural norms to prevent unauthorized use or disclosure of PHI.

 

    1. Scope of Application: This HIPAA Policy applies to all forms of operations and services provided by BTLCC that involve the use, storage, processing, and transmission of PHI. Specifically, it encompasses our primary healthcare services accessible via BTLCC’s website, mobile application, and Facebook application. It further extends to related activities such as marketing, sales, promotional events, and all other digital and physical engagements where PHI is handled. The policy encompasses the actions and responsibilities of all BTLCC employees, associates, business partners, and any third-party service providers engaged by BTLCC, ensuring that all parties adhere to the same high standards of PHI privacy and security in accordance with HIPAA regulations.

 

    1. Compliance Commitment Statement: BTLCC is committed to achieving full compliance with all applicable HIPAA provisions as well as any other relevant federal and state privacy laws. We acknowledge the sensitivity of the PHI entrusted to us by our patients and recognize our responsibility to protect this information from unauthorized access, use, or disclosure. This commitment is reflected in our rigorous training programs for all staff, our adoption of advanced security measures, including encryption and secure communication protocols, and our meticulous oversight of business associates and third-party service providers. BTLCC pledges to regularly review and update our privacy practices and this policy to address evolving risks, enhance security measures, and maintain compliance with HIPAA and other privacy regulations, thus upholding our foundational commitment to safeguard our community’s health data with the utmost responsibility and integrity.

 

  1. DEFINITIONS

 

    1. Protected Health Information (PHI): Protected Health Information (PHI) refers to any information, whether oral or recorded in any form or medium, that is created or received by BTLCC or any entity acting on its behalf, such as a business associate. This information relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. PHI includes information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Examples include names, geographic identifiers smaller than a state, all elements of dates (except year) related to an individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers including license plate numbers, device identifiers and serial numbers, URLs, IP address numbers, biometric identifiers, full face photographic images, and any other unique identifying number, characteristic, or code.

 

    1. Covered Entities: For the purposes of this HIPAA Policy, a Covered Entity includes any health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction for which the Secretary of Health and Human Services has adopted a standard. BTLCC, as a provider of medical services ranging from acute illness treatment to specialized women's health services and chronic condition management, qualifies as a Covered Entity. This designation imposes specific responsibilities on BTLCC regarding the handling, use, and disclosure of PHI, ensuring adherence to all administrative, physical, and technical safeguards as outlined by HIPAA regulations.

 

    1. Business Associates: A Business Associate is any person or entity that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of PHI. Typical business associate services might include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, a person or entity is not considered a business associate if their functions or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all. BTLCC engages Business Associates to perform functions such as billing, legal representation, and consultancy, or to provide services like electronic health record systems and cloud storage solutions, under the condition that each Business Associate complies with HIPAA regulations concerning the use and disclosure of PHI.

 

    1. 10DLC (10 Digit Long Code): A 10 Digit Long Code (10DLC) is the standard type of phone number used primarily for voice calls and SMS messages in the United States. Within the context of HIPAA and BTLCC’s operations, the 10DLC is pertinent to the communication processes involving the transmission of PHI and other sensitive information between BTLCC and its patients or between BTLCC and its Business Associates. The use of 10DLC must comply with HIPAA's technical safeguards to ensure the secure transmission of PHI. Furthermore, BTLCC's use of 10DLC is regulated under policies allowing patients to opt-in or opt-out of receiving communications via this medium, thus protecting their rights and preferences regarding the receipt of health-related messages or notifications.

 

  1. GENERAL PROVISIONS

 

    1. Notice of Privacy Practices: The Notice of Privacy Practices is a fundamental document that BTLCC is mandated to provide to all patients under HIPAA. This notice clearly delineates how personal health information about patients may be used and disclosed by BTLCC and how patients can access this information. In compliance with HIPAA, this notice includes a detailed description of the permissible uses and disclosures of PHI without patient authorization, conditions under which authorization is required, and the rights of patients regarding their health information. BTLCC is committed to distributing this notice prior to the first service delivery and upon any amendment to the notice or a change in practices. Patients are required to acknowledge receipt of this notice, and BTLCC maintains records of all acknowledgments. The Notice of Privacy Practices also explains the procedures for filing complaints concerning privacy violations and describes the process for addressing grievances.

 

    1. Patient Rights and Responsibilities: Under this HIPAA Policy, patients of BTLCC hold specific rights concerning their health information. These rights include the ability to request access to view and obtain a copy of their PHI, request amendments to their health records if they believe there are errors or omissions, request an accounting of disclosures of their PHI, and request restrictions on certain uses and disclosures of their health information, including those related to treatment, payment, or health care operations. Furthermore, patients have the right to request communications of PHI by alternative means or at alternative locations. BTLCC is devoted to facilitating the exercise of these rights in compliance with the stipulated timeframes and procedural requirements set by HIPAA. Correspondingly, patients at BTLCC are responsible for providing accurate and complete health information and for notifying the facility of any changes in their health condition or insurance coverage. Patients are also expected to respect the health and safety of other patients and staff members by following facility policies and procedures.

 

    1. Responsibilities of BTLCC: BTLCC, as a Covered Entity under HIPAA, is tasked with a broad array of responsibilities aimed at safeguarding the privacy and security of PHI. These responsibilities include implementing appropriate physical, administrative, and technical safeguards to protect PHI from unauthorized access, use, or disclosure. BTLCC is also responsible for training all members of its workforce on the policies and procedures designed to protect PHI, as mandated by HIPAA. This training occurs upon hiring and periodically thereafter. BTLCC must also ensure that any business associates with whom PHI is shared or who are engaged to perform services on behalf of BTLCC are bound by the same standards of protection, typically enforced through a formal business associate agreement. Compliance with these responsibilities is monitored and managed by BTLCC’s designated Privacy Officer, who oversees all activities related to the development, implementation, maintenance of, and adherence to the privacy policies and procedures in accordance with applicable federal and state laws.

 

  1. USE AND DISCLOSURE OF PHI

 

    1. General Rules for Use and Disclosure: The use and disclosure of PHI by BTLCC are governed by the principles of necessity, minimum necessity, and privacy preservation, consistent with HIPAA. PHI shall not be used or disclosed by BTLCC for any purpose other than those explicitly permitted under HIPAA or as required by law. BTLCC employees and associates are trained to use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, except in the provision of healthcare treatment where such limitation does not apply. Each unauthorized use or disclosure that compromises the security or privacy of PHI is treated as a potential breach and is subject to investigation, notification, and mitigation procedures in accordance with federal and state laws.

 

    1. Specific Uses in Healthcare Treatment, Payment, and Operations: In its operation as a healthcare provider, BTLCC uses and discloses PHI primarily for treatment, payment, and healthcare operations. Treatment activities may include sharing information among healthcare providers involved in a patient’s care, such as doctors, nurses, technicians, and other primary care or specialist staff. For payment activities, BTLCC may use and disclose PHI to bill and collect payment from health plans or individuals directly. Operational uses of PHI include quality assessment and improvement initiatives, evaluating the competence and qualifications of healthcare professionals, provider and plan performance rating, and conducting or arranging for other business activities. All such uses are conducted with the assurance that only the necessary PHI is accessed, and all disclosures are tracked as required for compliance reporting.

 

    1. Use and Disclosure with Patient Authorization: BTLCC may use or disclose PHI for purposes outside of treatment, payment, or healthcare operations when a patient's explicit authorization has been obtained, except as otherwise permitted or required by law. This authorization is detailed and specifies exactly what information is being disclosed, to whom, and for what purpose. Patients have the right to revoke their authorization at any time, except to the extent that BTLCC has taken action relying on the authorization. Uses and disclosures pursuant to an authorization must be documented and maintained in accordance with HIPAA regulations.

 

    1. Use and Disclosure for Marketing and Fundraising: Uses and disclosures of PHI for marketing purposes and most fundraising activities require patient authorization, reflecting BTLCC’s commitment to patient privacy. Marketing activities that involve direct or indirect remuneration to BTLCC from third parties require a clear disclosure to patients that the disclosure of their PHI will result in remuneration to BTLCC. Patients must opt-in to any communications that are considered marketing under HIPAA. Similarly, patients have the right to opt out of fundraising communications, and each solicitation will provide clear instructions on how to be removed from future fundraising lists.

 

    1. Disclosures to Business Associates: BTLCC engages with Business Associates to provide various services; these associates may receive, create, maintain, or transmit PHI on behalf of BTLCC. Prior to any PHI being disclosed to a Business Associate, a Business Associate Agreement (BAA) must be in place. This agreement mandates that Business Associates implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing necessary physical, administrative, and technical safeguards to protect the PHI. BTLCC is responsible for ensuring that Business Associates comply with HIPAA regulations through the execution of such agreements, regular audits, and reviews of the practices of Business Associates regarding the handling of PHI.

 

  1. PATIENT RIGHTS

 

    1. Access to PHI: Under the HIPAA regulations, patients at BTLCC have the fundamental right to inspect and obtain copies of their PHI that is held in a designated record set by BTLCC. This record set generally includes medical and billing records, as well as any other records used by BTLCC to make decisions about individuals. Patients may request access in writing, and BTLCC is required to respond to such requests within thirty (30) days (with a possibility of a one-time extension of an additional thirty (30) days under specific circumstances). If access is denied, the patient must be provided with a written denial specifying the basis for denial, their review rights, and instructions on how to submit a complaint with the U.S. Department of Health and Human Services. BTLCC may impose a reasonable, cost-based fee for the costs of copying, mailing, or other supplies associated with the request.

 

    1. Amendment of PHI: Patients have the right to request that BTLCC amend their PHI if they believe it is incorrect or incomplete. The request for amendment must be made in writing and must include a reason to support the amendment. BTLCC is required to respond within 60 days of the request, with a possible thirty (30)-day extension if additional time is needed. If BTLCC denies the amendment, it must provide a written denial that explains the reason for the denial and informs the patient of their right to submit a written statement disagreeing with the denial, which will be appended to their PHI.

 

    1. Accounting of Disclosures: Patients have the right to receive an accounting of disclosures of their PHI made by BTLCC in the six years prior to the date on which the accounting is requested, except for disclosures for treatment, payment, healthcare operations, and certain other exceptions. The accounting will include the date of each disclosure, the name of the entity or person who received the PHI, a brief description of the information disclosed, and the purpose of the disclosure. BTLCC must provide the first accounting to a patient in any twelve (12)-month period without charge; subsequent accountings within the same twelve (12)-month period may incur a reasonable, cost-based fee.

 

    1. Restriction Requests: Patients have the right to request restrictions on the use or disclosure of their PHI for treatment, payment, or healthcare operations, as well as disclosures to family members or others involved in their care. BTLCC is not required to agree to these restrictions, but if it does, it must abide by them unless the information is needed to provide emergency treatment. Patients must make such requests in writing specifying what information they want to limit and to whom the limits apply.

 

    1. Confidential Communication Requirements: Patients have the right to request that BTLCC communicate with them about their health information in a certain way or at a certain location to ensure privacy. For example, a patient might request that BTLCC contact them at a work phone number rather than a home phone number, or through mailed letters with no identifying information on the envelope. BTLCC must accommodate reasonable requests and must not ask for an explanation as to the basis for the request. All requests must be made in writing, and BTLCC will implement all necessary measures to comply with these requests while continuing to provide effective medical care.

 

  1. ADMINISTRATIVE REQUIREMENTS

 

    1. Privacy Officer Duties: The Privacy Officer at BTLCC is tasked with overseeing all activities related to the development, implementation, and maintenance of the privacy policies in accordance with the HIPAA standards. The duties of the Privacy Officer include conducting periodic HIPAA compliance audits, managing the training and education of employees on privacy policies, ensuring that privacy practices are consistently followed throughout the organization, and serving as a contact point for all patient inquiries and complaints regarding BTLCC’s use and disclosure of PHI. Furthermore, the Privacy Officer is responsible for maintaining an up-to-date knowledge base on evolving federal and state privacy laws to ensure organizational adaptation and compliance. The Privacy Officer also liaises with IT and security teams to ensure that all electronic and physical safeguards meet or exceed regulatory requirements.

 

    1. Training Requirements for Staff: All employees at BTLCC who have access to PHI are required to complete training as part of their initial orientation and annually thereafter. This training program covers the proper handling of PHI, the patient's rights to privacy, the employee's duties under the HIPAA Privacy Rule, and the security practices that must be followed to protect PHI. Additional training sessions are conducted when there is a significant change in the law or policies affecting PHI. The training is designed to ensure that all employees understand and can effectively implement the privacy and security policies of BTLCC. Documentation of each training session, including topics covered, materials distributed, and lists of attendees, is maintained for six years.

 

    1. Mitigation Strategies: In the event of a use or disclosure of PHI that violates the Privacy Rule, BTLCC is committed to mitigating, to the extent practicable, any harmful effect that is known to BTLCC of such use or disclosure. Mitigation strategies include notifying affected individuals, cooperating with federal and state investigations, retrieving disclosed PHI from incorrect parties, and implementing additional security measures to prevent future occurrences. The Privacy Officer is responsible for developing and implementing these mitigation actions and for documenting the steps taken and outcomes achieved in mitigating any breaches of PHI.

 

    1. Data Protection Measures (Technical and Physical Safeguards): BTLCC employs comprehensive technical and physical safeguards to protect PHI against unauthorized access, alteration, and destruction. Technical safeguards include the use of encryption, secure access controls, audit logs, and secure communication channels. Physical safeguards involve secure facilities, controlled access to buildings, proper disposal of PHI, and protection against environmental hazards. BTLCC regularly reviews these measures to adapt to new security challenges and technologies, ensuring that safeguards remain effective and compliant with HIPAA requirements.

 

    1. Breach Notification Procedures: BTLCC adheres to the HIPAA Breach Notification Rule, which requires health care providers to notify affected individuals, the Secretary, and, in some cases, the media of a breach of unsecured PHI. Notifications to individuals must be made without unreasonable delay and in no case later than sixty (60) days following the discovery of a breach. The notifications include, where possible, a description of the breach, the types of information involved, steps individuals should take to protect themselves from potential harm, a brief description of the actions BTLCC is taking to investigate the breach, mitigate harm, and prevent further breaches. In the event that the breach affects more than five hundred (500) residents of a state or jurisdiction, BTLCC is required to notify prominent media outlets serving the state or jurisdiction. All breaches must be documented and reported to the Secretary of the U.S. Department of Health and Human Services annually.

 

  1. 10DLC COMPLIANCE

 

    1. Explanation of 10DLC Requirement: The 10DLC requirement is a regulatory framework established by major U.S. wireless carriers to oversee the use of standard 10-digit phone numbers for Application-to-Person (A2P) SMS and MMS messaging. The primary aim of this regulation is to enhance message delivery quality, increase security, and reduce spam by providing clear accountability for message traffic. For BTLCC, compliance with the 10DLC regulations is crucial to maintain the integrity and reliability of communications between BTLCC and its patients. This includes communications pertaining to appointment reminders, health updates, promotional offers, and other relevant interactions that facilitate ongoing patient engagement and support. Adhering to these requirements ensures that BTLCC's messaging practices are in line with industry standards and that patient communications are both secure and effective.

 

    1. Opt-in Procedures for Text Messages and Communications: BTLCC implements rigorous opt-in procedures to ensure that patients clearly and explicitly consent to receive text messages and other forms of electronic communications on their mobile devices or any other communication platforms associated with their personal contact information. This process involves the patient providing their phone number and affirmatively agreeing to receive messages by ticking a checkbox or signing a digital or physical consent form. This consent is documented and stored in the patient’s electronic health record. Patients are informed about the types of messages they might receive, which may include health care updates, reminders, and educational or promotional information. The opt-in process is designed to be straightforward and user-friendly while providing comprehensive information to patients to make informed decisions about their communication preferences with BTLCC.

 

    1. Opt-out Mechanisms and Procedures: BTLCC respects the rights of patients to discontinue receiving text messages or other communications at any time. The opt-out process is made as easy as the opt-in process. Patients can opt out by sending a simple keyword such as "STOP" via SMS, clicking an unsubscribe link provided in email communications, or directly contacting BTLCC’s office via phone or email to request removal from future communications. Upon receiving an opt-out request, BTLCC promptly processes the request and updates the patient’s preferences in their health record to reflect this change. Confirmation of the opt-out is sent to the patient to ensure transparency and closure of the communication loop. These opt-out mechanisms are tested regularly to ensure they function correctly and are compliant with both HIPAA and 10DLC regulations.

 

    1. Documentation and Records of Consent: Maintaining accurate and accessible documentation of consent for communications is a critical aspect of BTLCC’s compliance with HIPAA and 10DLC regulations. Every patient’s opt-in and opt-out actions are recorded with a timestamp in the patient’s electronic health record. This record includes the specific type of consent granted, the date of consent, and any modifications or withdrawals of consent over time. BTLCC utilizes secure, HIPAA-compliant systems to store and manage these records, ensuring that they are protected against unauthorized access and that they are available for audit purposes. Regular audits are conducted to verify the integrity and accuracy of the consent records, and staff are trained on the importance of proper documentation and the legal implications of these records.

 

  1. HANDLING OF COMPLAINTS

 

    1. Procedure for Lodging Complaints: BTLCC has established a formal procedure to ensure that all complaints related to privacy practices, breaches of PHI, or any other concerns related to the handling of personal health information are addressed promptly and effectively. Patients or any concerned parties wishing to lodge a complaint must do so through any of the following means: a written submission by mail, an electronic submission via email, or through a dedicated section on BTLCC’s website. Complaints should include the complainant’s contact information, a detailed description of the complaint, any relevant dates, and preferably, suggestions for resolving the issue. Upon receipt of a complaint, the Privacy Officer is notified immediately, and a file is opened to document the proceedings and outcomes related to the complaint. BTLCC commits to acknowledging receipt of each complaint within five business days and aims to resolve all complaints within thirty business days of receipt. Throughout the complaint process, the complainant is kept informed of the status of their complaint and any actions taken.

 

    1. Response Mechanisms: Upon the filing of a complaint, BTLCC initiates a thorough investigation to determine the validity of the complaint and to assess what corrective action, if any, is required. The investigation is conducted by the Privacy Officer or an appointed committee, depending on the nature of the complaint. If the complaint is found to be justified, BTLCC will take appropriate steps to rectify the issue, which may include modifying its procedures, retraining staff, or making changes to physical or technical safeguards. The complainant is provided with a written statement detailing the findings of the investigation, the conclusions drawn, and the steps taken or to be taken to resolve the issue. This response not only serves to inform the complainant but also acts as a documented assurance that BTLCC treats all privacy concerns with the utmost seriousness and adherence to regulatory compliance.

 

    1. Non-Retaliation Policy: BTLCC adheres to a strict non-retaliation policy to protect individuals who make complaints. This policy ensures that no individual will be subject to any form of retaliation or penalty for good faith participation in the complaint process, whether by filing a complaint about a potential violation, providing information during a complaint investigation, or otherwise participating in procedures involving the handling of PHI under HIPAA. Employees of BTLCC are informed about this policy through regular training sessions and are reminded that retaliation against a complainant is a serious violation of company policy and civil rights laws, which can result in disciplinary action, up to and including termination of employment. This policy underscores BTLCC’s commitment to fostering a transparent and accountable environment where concerns about privacy can be raised without fear of retribution.

 

  1. AUDIT AND MONITORING

 

    1. Regular Audit Procedures: BTLCC is committed to maintaining the highest standards of compliance with HIPAA through the implementation of regular audit procedures. These audits are designed to ensure that all aspects of BTLCC’s operations conform to federal and state laws regarding the protection and privacy of PHI. Regular audits involve a systematic review of both physical and electronic security measures, access controls, employee compliance with privacy policies, and the effectiveness of communication and consent procedures. Each department within BTLCC, from clinical operations to IT support, undergoes periodic audits, the frequency of which is determined by the sensitivity of the PHI handled and the prior history of compliance issues, if any. Audit findings are documented meticulously, providing a clear trail of accountability and facilitating the identification of areas requiring improvement.

 

    1. Compliance Monitoring: To supplement regular audits, BTLCC engages in continuous compliance monitoring activities. These activities are designed to ensure ongoing adherence to HIPAA regulations and BTLCC's internal policies throughout the year. Compliance monitoring includes routine checks of system access logs, real-time alerts for unauthorized PHI access, and the review of patient feedback concerning privacy practices. Compliance officers at BTLCC are equipped with the latest tools and technologies to facilitate effective monitoring and are trained in recognizing patterns or practices that may indicate breaches or potential vulnerabilities in the handling of PHI. This proactive approach allows BTLCC to address minor compliance issues before they escalate into significant breaches, ensuring that the integrity of patient data is always preserved.

 

    1. Reporting and Resolution of Compliance Issues: In the event that compliance issues are identified, either through regular audits or ongoing monitoring activities, a structured reporting and resolution process is initiated. This process ensures that all compliance issues are escalated appropriately and addressed promptly. Reports of compliance issues can be generated by staff, patients, automated systems, or during routine audits and are logged into a central compliance management system. Each report triggers a preliminary investigation to verify the issue, followed by a detailed assessment conducted by the compliance team. Based on the severity and nature of the issue, corrective actions are planned and implemented. These may include staff retraining, system upgrades, policy revisions, or other remedial measures. The resolution process is closely monitored, with follow-up audits conducted to ensure the efficacy of the corrective actions. Additionally, significant compliance issues, particularly those involving potential breaches of PHI, are reported to relevant authorities as required by law, along with notifications to affected individuals in compliance with breach notification rules under HIPAA.

 

  1. AMENDMENT AND UPDATES TO THE POLICY

 

    1. Procedures for Policy Review and Updates: BTLCC is committed to ensuring that its HIPAA Policy remains current and effective, reflecting the latest legal requirements and best practices in patient data protection. To this end, BTLCC has instituted a comprehensive procedure for the regular review and update of its HIPAA Policy. This procedure mandates an annual review of the policy by the Privacy Officer, in collaboration with legal counsel and key department heads. The review process includes a thorough assessment of any changes in HIPAA regulations, technological advancements, and internal operational changes that may affect the security and management of PHI. In addition to scheduled annual reviews, the policy may be updated as needed in response to significant compliance issues, security breaches, or other incidents that indicate a need for policy modification. The review process involves a detailed risk assessment, consideration of stakeholder feedback, and benchmarking against industry standards. Any proposed changes to the policy are drafted by the Privacy Officer, reviewed by legal counsel for compliance with applicable laws, and then presented to the executive management team for approval. Once approved, the updated policy is documented formally, with changes clearly highlighted and rationalized to ensure traceability and transparency.

 

    1. Notification of Policy Changes: Upon the approval of any updates or amendments to the HIPAA Policy, BTLCC undertakes to promptly notify all affected parties, including employees, business associates, and patients. Notification to employees is conducted via internal communication channels, such as email, staff meetings, and the intranet, accompanied by an explanation of the changes and their implications for daily operations. Employees are often required to attend training sessions to familiarize themselves with the revised policy and procedures. Patients and business associates are notified of any significant changes to the policy through email notifications, updates on the BTLCC website, or through direct mailings. The notification includes a summary of the changes, the reasons for the changes, and how the changes may affect the handling of their PHI. For transparency and accessibility, the full revised HIPAA Policy is made available on the BTLCC website, with the effective date of the new policy clearly stated. Additionally, BTLCC maintains an archive of previous versions of the HIPAA Policy, which can be accessed upon request, providing a historical perspective on policy evolution for legal, compliance, and informational purposes.