Regulatory Compliance and Voluntary Standards are Met or Exceeded

  • Focus: Transparency Around Corporate Policies and Practices

    CVS Health has long-standing policies in place to ensure transparency in our governance practices, including Board-level accountability, open and accessible engagement with our shareholders, and communication and compliance related to our participation in the political process.

  • Ensuring Board-Level Accountability

    CVS Health's Board has adopted Corporate Governance Guidelines, which are available on our investor relations website. These Guidelines meet the listing standards adopted by the New York Stock Exchange (NYSE), on which our common stock is listed.

    Meeting Board Independence Requirements

    Under our Corporate Governance Guidelines, a substantial majority of directors must meet the NYSE’s requirements for independence. The Board determines the independence of each director annually and re-evaluates its determinations during the year as needed. In 2016, we have 11 members on our Board, all of whom are independent, except for our President and Chief Executive Officer, Larry Merlo. Only independent Directors serve on our Board’s Audit, Nominating and Corporate Governance, and Management Planning and Development Committees, as well as its newly formed Patient Safety and Clinical Quality Committee.

    Sharing Responsibility via Board Committees

    The Board considers its role in risk oversight when evaluating the company’s Corporate Governance Guidelines and its leadership structure. The Chairman and the CEO are each focused on the company’s risk management efforts and ensure relevant matters are appropriately brought to the Board and its Committees for their review. The other Board Committees are responsible for oversight of risk management practices for the categories relevant to the functions.

    Building Board Diversity

    The Nominating and Corporate Governance Committee focuses on the following qualities in identifying and evaluating candidates for Board membership: background, experience and skills; character, reputation and personal integrity; judgment; independence; ethnic diversity; commitment to the company and service on the Board; and any other factors that the Committee may determine to be relevant and appropriate.

    While we do not currently have any specific minimum qualifications for candidates or a specific policy regarding diversity, the Committee believes that the Board’s composition, which represents diverse backgrounds and experiences, provides significant benefits to the company. The Board membership in 2016 includes eight men and three women, one of whom is African American.

  • Engaging with Shareholders

    We regularly interact with shareholders on a variety of matters, and recently engaged them to better understand and address their concerns. For example, they told us they wanted our Proxy Statement to be easier to read. This led to a complete makeover of our 2015 Proxy Statement, which received positive feedback from shareholders. Shareholder feedback also prompted a recomposition of our peer group, effective January 1, 2015, to better represent the market in which we compete for talent, as well as other factors. Details of other issues and actions can be found in our 2015 Proxy Statement.

    Contacting Board Members

    Shareholders and other parties, including our colleagues, can communicate directly with the Board of Directors by sending correspondence to the Board’s attention, care of CVS Health Corporation, One CVS Drive, Woonsocket, RI 02895. The Corporate Secretary of the company reviews and forwards to the Board copies or summaries of correspondence that, in her opinion, deal with the functions of the Board or its Committees or that she otherwise determines requires their attention.

    Considering Stockholder Proposals

    CVS Health views the stockholder proposal process as an important avenue for stockholders to raise material concerns relating to environmental, social and governance issues. When a stockholder proposal is submitted, we typically engage proactively with the filing parties to better understand and address their concerns. Through this type of engagement, we are often able to resolve the concerns and the proposal will subsequently be withdrawn. In cases where matters are not resolved, we comply with the Securities and Exchange Commission (SEC) rules and reprint properly submitted stockholder proposals and supporting statements, as they were submitted to us, in our annual proxy statement. There was one stockholder proposal in the 2015 CVS Health Proxy Statement, requesting increased transparency on the congruency between the company's corporate values and its political contributions. Five percent of stockholders entitled to vote at the 2015 Annual Meeting voted in favor of this proposal.

    In connection with the 2016 proxy season, the Board of Directors received a stockholder proposal requesting that the company amend its by-laws to provide "proxy access," which gives stockholders meeting certain qualifications the ability to nominate a candidate for possible election to the Board and have information regarding the candidate included in the company’s proxy statement and on its proxy card. After discussions with the proponent and a number of other stockholders, CVS Health adopted a proxy access by-law in January 2016, and the proponent withdrew its proposal.

  • Participating in the Political Process

    CVS Health is committed to supporting the development of sound public policy in health care, and we participate in the political process to address legislation that has a direct impact on our company and the industry as a whole. Reflecting our purpose to help people on their path to better health, we work with federal and state policymakers to ensure people get the right care, at the right time and in the right setting.

    It is CVS Health’s policy that the CEO and the Board are responsible for determining the company’s public policy and political interests in a manner consistent with applicable laws. The Nominating and Corporate Governance Committee reviews and considers the company’s policies and practices, including expenditures regarding political contributions and direct and indirect lobbying. It also reviews and considers the company’s policies and practices regarding other significant public policy issues.

    Articulating Our Public Policy Principles

    Our Public Policy Principles outline our priorities for participating in the public policy sphere. We are committed to addressing health care costs, quality and access because they are essential factors in helping people on their path to better health. To advance our policies, we work with federal and state policymakers, others in our industry, the broader business community, and non-profit and civic partners.

    Keeping Our Lobbying Activities Focused

    Lobbying is highly regulated in the United States, and we comply with applicable federal and state laws, including the Lobbying Disclosure Act and Honest Leadership and Open Government Act that require reporting on lobbying activities and certification of compliance with Congressional gift rules.

    Our Government Affairs team represents the company’s point of view in Washington, in state capitals and with regulatory agencies around the country. We focus on legislative and public policy issues that impact the company’s delivery of health care and long-term business interests. We communicate with policymakers and stakeholders on issues that impact our business, health plan clients and customers. In addition to our efforts to advocate for health care access, quality and affordability, we continued our commitment to address prescription drug abuse in 2015, joining President Obama’s ongoing efforts to combat this national epidemic.

    For example, we participate in the Alliance to Prevent the Abuse of Medicines, a non-profit partnership of key stakeholders representing every aspect of the prescription drug supply chain, to develop and offer policy solutions aimed at decreasing prescription drug abuse. We are involved in other initiatives related to prescription drug abuse as well, which are described in detail here.

    Beginning in 2015, we posted copies of our federal lobby reports on our website to make the information more accessible to our stakeholders.

    Transparency Regarding Political Donations

    All of the Company’s contributions promote the interests of the Company and are made without regard to the private political preferences of the Company’s officers and directors and in strict compliance with applicable laws. CVS Health is prohibited by federal law from making corporate contributions directly to candidates or political parties in federal elections. We make contributions at the state level as allowed by state laws, and to other organizations as described below, in each case in alignment with our public policy priorities and business interests.

    Our Political Activities and Contributions Report discloses all of our political contributions, which may be made, depending on our priorities for the particular year, to candidates for state and federal office, political action committees and entities organized under Section 501(c)(4) or Section 527 of the Internal Revenue Code. Note that CVS Health makes contributions only to those 527 organizations that are campaign committees or political parties that are regulated by the Federal Election Commission or state campaign finance laws, whose transparency rules enable us to understand how our funds are used.

    With respect to 501(c)(4) and 527 organizations, we disclose amounts paid to advocacy and/or political purposes for any organization whose CVS Health contribution is $25,000 or greater.

    Disclosing CVS Health Colleagues' Political Action

    As with many corporations, we offer certain eligible colleagues an opportunity to participate in the political process by voluntarily contributing to the CVS Health Employees Political Action Committee (EPAC). Political contributions to federal candidates, certain state candidates, political party committees and political action committees are made by our EPAC.

    Consistent with federal law, CVS Health pays the administrative, solicitation and compliance costs of the committee. The activities of the CVS Health EPAC are subject to comprehensive regulation by the federal government and certain state governments, including detailed disclosure requirements.

    Under the Lobbying Disclosure Act of 1995, CVS Health submits to Congress semi-annual reports, which also include a listing of CVS Health EPAC’s contributions to federal candidates. We report these contributions in the Political Activities and Contributions report on our website. Included on our website are disclosures of the contributions the CVS Health EPAC also makes at the state level. We also operate employee-funded state Political Action Committees (PACs) in Rhode Island, Massachusetts and New York.

    CVS Health has a policy governing political contributions made from corporate and EPAC funds to ensure that all potential political contributions made by or on behalf of CVS Health or a CVS Health EPAC are reviewed and approved internally for compliance with all federal, state and local laws, and that all of the company’s political activities are conducted in accordance with high ethical standards. This policy applies to all colleagues of CVS Health, and each of its subsidiaries and affiliates. CVS Health does not make independent expenditures in federal, state or local elections. CVS Health requires certifications of compliance with this policy, generally through the company’s annual compliance training. Certifications must be submitted following training by all CVS Health representatives and colleagues at the director-level and above who maintain budgetary authority for potential political contributions.

    CVS Health participates in various federal and state trade associations or organizations that operate in support of specific industries. Trade associations participate in activities such as education, advertising and lobbying to influence public policy. Many associations offer other services, such as producing conferences, networking or charitable events or offering classes or educational materials. Some associations also make political contributions or operate a PAC. 

    Details regarding CVS Health’s 2015 membership dues can be found in our annual Trade Association and Coalition Participation Report, along with past reports. These reports include the names of trade and industry associations to which we pay annual total dues of $25,000 or more and the amount of dues paid. The amount of such dues totaled $4.0 million in 2015, of which approximately $1.5 million was used for advocacy and/or political activities.

  • Focus: Compliance Policies, Practices and Processes

    Complying with legal requirements and acting with integrity are important to CVS Health for many reasons. In addition to the fines and penalties associated with violating laws and regulations, non-compliance can significantly impact shareholder value and profitability, as well as corporate reputation. Violating health care laws, including customer and patient privacy, can also result in being excluded from federally funded programs such as Medicare. We are committed to ensuring that we have sound practices, policies, processes and compliance mechanisms in place.

  • Ensuring Compliance and Integrity

    Our commitment extends to everyone within our organization. Our colleagues are expected to uphold our standards in all interactions with customers, plan members, clients, physicians, vendors and all other business relationships. Our Compliance and Integrity Program provides a framework for fostering a culture of compliance throughout the company. The program includes the following components:

    • Compliance oversight and governance
    • Policies, procedures and standards of conduct
    • Due diligence in authority personnel
    • Training and education
    • Monitoring, auditing and reporting systems
    • Effective lines of communication
    • Enforcing standards and discipline procedures

    Providing Effective Compliance Oversight

    Our Chief Compliance Officer (CCO) is responsible for overseeing and implementing our Compliance and Integrity Program. This position reports to the Audit Committee of the Board of Directors and to the company’s CEO. As part of the administration of the program, the CCO chairs the Corporate Compliance Committee, a cross-functional group comprised of company legal and business leaders who provide expertise, coordination and oversight.

    Implementing Policies, Procedures and Standards of Conduct

    The CVS Health Code of Conduct articulates the company’s expectation of legal and ethical conduct, and provides information on what to do when confronted with a potential compliance issue. The CCO leads the development of and updates to the Code, which takes place at least annually. The Code is reviewed by the Board of Directors.

    Conducting Due Diligence in Hiring

    CVS Health vets colleagues and contractors based on their role and responsibilities. Prior to employment, we perform background checks, licensure searches and exclusion screenings for all candidates. Candidates who do not pass the screening are denied employment. We also conduct post-hiring monitoring to ensure continued good standing.

    Providing Training and Education

    We provide compliance training to all new full- and part-time colleagues on a number of issues, with the aim of raising awareness of policies through the presentation of real-life work situations that pose ethical dilemmas or may violate aspects of our Code of Conduct. Training includes our Code of Conduct; fraud, waste and abuse; firewalls; insider trading; Health Insurance Portability and Accountability Act/privacy; corporate integrity agreement; anti-money laundering; and charitable giving practices. Ongoing compliance training requirements are based on employee job function and responsibilities, and existing government mandates. Training is reviewed and approved by the Compliance Office, and training is tracked and completion statistics are shared with executive management.

    Implementing Monitoring, Auditing and Reporting Systems

    Our Business Compliance Officers work with business segments to communicate new or changing compliance requirements and to identify and create action plans to address potential compliance issues. We also utilize a number of tools to monitor and detect policy violations or improper conduct.

    Maintaining Lines of Communication

    CVS Health contracts with an independent third party that provides secure, confidential telephone and web-based systems for use by individuals who wish to report a concern or submit an inquiry relating to business conduct. This service is available 24 hours per day, 365 days per year. In addition, the third party offers translation services that allow telephone and web reports to be made in several different languages.

    Individuals also have the option of directly communicating a concern to the Compliance Department via email, facsimile or hard copy mail. Employees have the ability to raise a compliance issue and seek guidance directly with the CCO and members of management, human resources and the legal department. CVS Health has a strict non-retaliation policy that protects our colleagues who use these resources in good faith.

    Enforcing Standards and Discipline Procedures

    The CCO oversees the Ethics Line as well as other alleged violations and the Compliance department is responsible for logging, triaging, following up and tracking reported potential compliance violations to conclusion. This includes directing a thorough investigation and, upon completion, determining whether credible evidence of a violation exists. When it is confirmed that misconduct has occurred, corrective action, which may include remedial action to address the specific issue or help prevent similar issues in the future, discipline and/or additional training is initiated promptly.

    As appropriate, certain confirmed violations may be reported to outside agencies or authorities. In addition, the CCO provides the Audit Committee of the Board of Directors with information concerning significant violations or alleged significant violations of the Code of Conduct and applicable policies and procedures.

  • Managing Information Security

    In today’s world of connectivity, cyberspace touches nearly every part of our daily lives. Broadband networks and wireless signals link us at work, at home and even while we move between them. Connectivity provides massive opportunity and convenience, but it also demands sophisticated security to ensure that our individual, corporate and government information is protected from increasingly insistent intruders.

    At CVS Health, we are committed to protecting the privacy and security of our colleagues, customers and patients. Maintaining the confidentiality, integrity and accountability of CVS Health data is not only a legal responsibility, it is essential to our purpose. The measures we take to protect and secure personal information across the enterprise are implemented through our Information Governance Framework.

    Enhancing Our Information Security Program

    CVS Health employs industry standard technology safeguards, including network firewalls, intrusion prevention, and malware detection systems to identify and prevent potential cyber attacks. We maintain rigorous policies and procedures for authentication and authorization to systems that restrict access to and define appropriate use of client and plan member data. Through our audit compliance plan, we continuously monitor and assess our systems and networks so appropriate safeguards can be implemented to mitigate the risk of security violations and intrusions. We also conduct regular assessments against our security and privacy controls, and address any issues that may have been identified during the assessment period in a timely manner.

    We were early adopters of the National Institute of Standards and Technology Cybersecurity Framework for improving critical infrastructure cybersecurity. In addition, through our participation in NH-ISAC, the nation’s Healthcare and Public Health Information Sharing and Analysis Center, we continue to be vigilant about advancing physical and cybersecurity national critical infrastructure resilience. In 2015, we upgraded our data loss prevention capabilities and rolled out the first phase of the program early in 2016.

    Security awareness is promoted throughout the organization, and our colleagues are required to complete security training annually. Training is also conducted within 30 days after the date of hire for contractors, within 21 days for retail colleagues, and within 12 days for PBM colleagues. In 2015, we launched a new mandatory Information Security Awareness curriculum for all colleagues and Social Engineering Detection training for those colleagues who work in our store operations.

    Also in 2015, in accordance with the Payment Card Industry Data Security Standard, we completed an annual external assessment by a qualified security assessor of our policies and safeguards in connection with cardholder data. The assessment found no major security risks or faults for cardholders or our company.

    Ensuring Customer, Patient and Employee Privacy

    Protecting private information and the confidentiality of those we serve are conditions of employment with CVS Health and are described in detail in our Code of Conduct. All of our colleagues receive privacy and security training, the frequency of which depends on a number of factors, including where an employee works within the company and how likely that position is to encounter privacy risks. Generally, this equates to upon hire for new employees, an annual training for corporate employees, semi-annual training for in-store and pharmacy employees, and as-needed retraining for employees following their involvement in a potential incident.

    We also maintain a privacy program aimed at improving and enhancing our privacy practices. Internal privacy activities include an investigation and response team that manages the review and response to any potential privacy incident. When potential privacy incidents are discovered, the team uses a protocol that involves an assessment of the incident and, when necessary, tracking and resolving the incident so that we mitigate any privacy risks. When appropriate, we retrain our colleagues or develop a corrective action plan. In addition, we conduct a periodic risk assessment of our privacy practices. For example, we periodically review our retail facilities by using an independent assessor to review a statistically significant sample of stores to ensure implementation of our privacy protections and safeguards.

    Our Privacy Commitments, along with our privacy policy, are posted on our website.

    Assessing Third Party Risk

    CVS Health maintains a Third Party Risk Assessment Program, and through it, each vendor who collects, uses, stores, shares, processes, transmits or destroys confidential information on our behalf must undergo initial and recurring assessments to ensure they are operating in accordance with our privacy and information security policies and procedures. In 2015, control of our third-party vendor assessment program transferred to our enterprise security team. As part of this transfer, we reviewed and enhanced vendor-screening protocols. We also stepped up collaboration with the company’s information technology (IT) department and began a program to undertake IT audits of all current vendors. We expect to complete this initiative in 2016.

    Providing Program Oversight

    We operate privacy oversight committees, which meet periodically to make recommendations aimed at enhancing our practices. We also engage senior leaders in decision-making processes related to new digital interfaces and analytical technologies to help ensure appropriate protections and safeguards are taken into consideration when we implement these tools.


Read the full report:

2015 CSR Report