We recognize and respect the privacy expectations of today’s consumers and the requirements of applicable federal and state privacy laws. We believe that making you aware of how we use your non-public personal Information (“Personal Information”), and to whom it is disclosed, will form the basis for a relationship of trust between us and the public that we serve. This Privacy Statement provides that explanation. We reserve the right to change this Privacy Statement from time to time consistent with applicable privacy laws.

See our lending partner WebBank’s privacy policy here.

In the course of our business, we may collect Personal Information about you from the following sources:

• From applications or other forms we receive from you or your authorized representative
• From your transactions with, or from the services performed by, us, our affiliates, or others
• From our internet web sites
• From the public records maintained by governmental entities that we either obtain directly from those entities, or from our affiliates or others
• From consumer or other reporting agencies

Our Policies Regarding the Protection of the Confidentiality and Security of Your Personal Information

We maintain physical, electronic and procedural safeguards to protect your Personal Information from unauthorized access or intrusion. We limit access to the Personal Information only to those employees, contractors and agents who need such access in connection with providing products or services to you or for other legitimate business purposes. We will at all times comply with all laws and regulations to which we are subject regarding the collection, use and disclosure of individually identifiable Information.

Our Policies and Practices Regarding the Sharing of Your Personal Information

We may share your Personal Information with our affiliates. We also may disclose your Personal Information to:

• Agents, brokers or representatives to provide you with services you have requested
• Third-party contractors or service providers who provide services or perform marketing or other functions on our behalf
• Governmental entities to meet our legal requirements connected to the collection, retention and disclosure of individually identifiable
• Information, such as tax reporting or identification of money laundering
• Law enforcement in connection with investigations, or civil or criminal subpoenas or court orders

In addition, we will disclose your Personal Information when you direct or give us permission, when we are required by law to do so, or when we suspect fraudulent or criminal activities. We also may disclose your Personal Information when otherwise permitted by applicable privacy laws such as, for example, when disclosure is needed to enforce our rights arising out of any agreement, transaction or relationship with you.

Certain states afford you the right to access your Personal Information and, under certain circumstances, to find out to whom your Personal Information has been disclosed. Also, certain states and the Safe Harbor principles afford you the right to request correction, amendment or deletion of your Personal Information. We reserve the right, where permitted by law, to charge a reasonable fee to cover the costs incurred in responding to such requests.

All requests must be made in writing to the following address:

440 Monticello Ave
Ste 1802 PMB 61161
Norfolk, VA 23510

1.  Policy Overview

This document (“Policy”) governs the oversight of the whistleblower process utilized by Lane Health in connection with protecting individuals who report activities believed to be illegal, dishonest, unethical, or otherwise improper.

1.1. Purpose

The purpose of the Policy is to ensure that the risks related to whistleblower activities are understood and managed in a systematic fashion that is compliant with Lane Health policy, applicable laws, regulations and guidance, and serves the best interests of Lane Health, shareholders and customers.

1.2. Scope

This Policy applies to all report activities believed to be illegal, dishonest, unethical, or otherwise improper.

1.3. Definitions

The following definition should be used when reviewing this policy:

Whistleblower is defined by this policy as an employee who reports, to one or more of the parties specified in this policy, an activity that he/she considers to be illegal, dishonest, unethical, or otherwise improper.

Employee or public employee means a person who performs a service for wages or other remuneration under a contract of hire, written or oral, express, or implied, for the district.

Matter of public concern means:

1. a violation of a state, federal, or municipal law, regulation, or ordinance;
2. a danger to public health or safety; and/or
3. gross mismanagement, substantial waste of funds, or a clear abuse of authority.

1.4. Compliance

Lane Health will comply with all applicable laws, regulations and guidance pertaining to whistleblowers for regulated financial institutions.

2.  Program Governance

See the CMS Policy for information related to Program Governance, including roles and responsibilities.

3.  Policy Elements

The expectation and guidance shown below constitute a high-level overview of the standards Lane Health will use when made aware of potential whistleblower complaints.

5.1 General

1. The organization will not retaliate against a whistleblower. This includes, but is not limited to, protection from retaliation in the form of an adverse employment action such as termination, compensation decreases, or poor work assignments and threats of physical harm. Any whistleblower who believes he/she is being retaliated against must contact the Chief Compliance Officer immediately. The right of a whistleblower for protection against retaliation does not include immunity for any personal wrongdoing that is alleged and investigated.
2. Whistleblower protections are provided in two important areas: confidentiality and retaliation. Insofar as possible, the confidentiality of the whistleblower will be maintained. However, identity may have to be disclosed to conduct a thorough investigation, to comply with the law, and to provide accused individuals their legal rights of defense.
3. Individuals protected include:
   1. the employee, or a person acting on behalf of the employee, who reports to a public body or is about to report to a public body a matter of public concern; or
   2. the employee who participates in a court action, an investigation, a hearing, or an inquiry held by a public body on a matter of public concern.
4. The organization may not discharge, threaten, or otherwise discriminate against an employee regarding the employee’s compensation, terms, conditions, location, or privileges of employment.
5. The organization may not disqualify an employee or other person who brings a matter of public concern, or participates in a proceeding connected with a matter of public concern, before a public body or court, because of the report or participation, from eligibility to bid on contracts with the organization; receive land under a district ordinance; or receive another right, privilege, or benefit.
6. The provisions of this policy do not:
   1. require the organization to compensate an employee for participation in a court action or in an investigation, hearing, or inquiry by a public body;
   2. prohibit the organization from compensating an employee for participation in a court action or in an investigation, hearing, or inquiry by a public body;
   3. authorize the disclosure of information that is legally required to be kept confidential; or
   4. diminish or impair the rights of an employee under a collective bargaining agreement.
7. Limitation to protections:
   1. A person is not entitled to the protections under this policy unless he or she reasonably believes that the information reported is, or is about to become, a matter of public concern; and reports the information in good faith.
   2. A person is entitled to the protections under this policy only if the matter of public concern is not the result of conduct by the individual seeking protection, unless it is the result of conduct by the person that was required by his or her employer.
   3. Before an employee initiates a report to a public body on a matter of public concern under this policy, the employee shall submit a written report concerning the matter to the organization’s Chief Compliance Officer. However, the employee is not required to submit a written report if he or she believes with reasonable certainty that the activity, policy, or practice is already known to the Chief Compliance Officer; or that an emergency is involved.

5.2 Procedures

1. If an employee has knowledge of or a concern of illegal or dishonest/fraudulent activity, the employee is to contact his/her immediate supervisor or the Chief Compliance Officer. All reports or concerns of illegal and dishonest activities will be promptly submitted by the receiving supervisor to the Chief Compliance Officer, who is responsible for investigating and coordinating any necessary corrective action. Any concerns involving the Chief Compliance Officer should be reported to the Chief Executive Officer.
2. The whistleblower is not responsible for investigating the alleged illegal or dishonest activity, or for determining fault or corrective measures; appropriate management officials are charged with these responsibilities.
3. Examples of illegal or dishonest activities include violations of federal, state, or local laws; billing for services not performed or for goods not delivered; and other fraudulent financial reporting. The employee must exercise sound judgment to avoid baseless allegations. An employee who intentionally files a false report of wrongdoing will be subject to disciplinary action.

6.    Policy Operations

See associated procedures for additional requirements related to the day-to-day processes to ensure compliance with this Policy.

7.    Policy Exceptions

See the CMS Policy for information related to Policy Exceptions.

Submitting whistleblower claims:Claims can be submitted to a restricted email: whistleblower@lanehealth.com

Guiding Principles

At Lane Health, we strive to provide services to our customers in a secure and responsible manner. As we built an industry only pre-tax and post-tax lending platform, HSA and other benefits administration solutions, as well as customer facing web and mobile interfaces, we’ve done it with security built into the architecture and our processes. Lane Health is committed to protecting the confidential information, data integrity, and transparency of our operations.

This page goes over our approach to securing PII against cyber-attacks—combining secure design and quality engineering practices, developing strong connections with the cybersecurity community, and developing a world-class Risk & Compliance process.

Cybersecurity

Lane Health follows industry accepted best practices when it comes to security. We established joined internal operations between SREs, NOC and Software Engineering teams to implement and deploy controls designed to secure the perimeter of our systems and minimize the threat of attacks.

Fraud Prevention

Our Fraud Prevention Operation is employing the best practices of fraud prevention and cybersecurity monitoring through rigorous security training and systematic monitoring to identify and secure the data of our clients.

Compliance

Lane Health Compliance department operates at the enterprise level: managing operational, financial, and security risks for the entire company. They interface with internal and external audit entities and implement state of the industry transparent operation.

Incident Management and Communication

Lane Health created a robust Incident Management and Communication policy that was certified by our banking institution.

Privacy

Lane Health developed the Data Privacy policy based on the detailed analysis of government regulations and validated by rigorous audits. Our state-of-the-art technology teams build systems with security and privacy in mind. The Privacy Policy can be found here: /resources#nav-documents

Lane Health Security Features:

• Regular 3rd-party vulnerability scanning and testing
• Dynamic capacity and scalability management
• Intrusion detection monitoring
• Multiple redundant data centers
• Annual review of policies
• Call centers with high responsiveness SLA
• All employees and contractors with access to Lane Health systems and data complete mandatory compliance, privacy, and security training as part of hiring process
• Third party verification of cloud-native architecture for Health Insurance Portability and Accountability Act (HIPAA) compliance
• Background checks for US employees with access to PII

Security and Vulnerability Reporting

Lane Health encourages security researchers to report discovered issues with Lane Health systems by reporting them to securityreporting@lanehealth.com.