CONFIDENTIALITY AND SECURITY

Whether you are using diskettes, USB flash drives or testing online, when you use Behavior Data Systems, Ltd. (BDS) or its subsidiaries Risk & Needs Assessment, Inc. (Risk & Needs) or Professional Online Testing Solutions, Inc. (Online Testing), you can rest assured that your client's (patient, offender) privacy and confidentiality are safe. Any identifying information (name, ID numbers, etc.) is encrypted before being stored in our database. A secure algorithm built into the test program software decrypts this information before displaying it to you over the web. This ensures that only you can access the data and reports for your clients. This encryption method is HIPAA (federal regulation 45 C.F.R. 164.501) compliant.

Online Test users are encouraged to delete client names when their assessment process is completed. This proprietary name deletion procedure involves a few keystrokes. Once names are deleted they are gone and cannot be retrieved. Deleting names does not delete demographics or test data, which is downloaded into the tests database for subsequent analysis. This name deletion procedure ensures confidentiality and full compliance with HIPAA (federal regulation 45 C.F.R. 164.501) requirements.

Windows diskettes and flash drives are sent out with 25 or 50 tests on them. When these tests are used, the assessor returns the diskette or flash drive to Behavior Data Systems, Ltd. (BDS) or Risk & Needs Assessment, Inc. (Risk & Needs). As explained in test manuals, before returning diskettes or flash drives to BDS or Risk & Needs, test users are asked to delete clients’ names from diskettes/flash drives. Name deletion is the test user’s responsibility.

When a diskette or flash drive is returned to BDS or Risk & Needs it is logged in as returned in our tracking system. The diskette or flash drive then is processed through a File Transfer Program (FTP) that extracts client demographics (age, sex, race, date of birth, education, etc.), history questions (age of first arrest, number of arrests, etc.) and client response data (answers). This data is used for research – no names or identifying numbers are needed and none are collected. After the data is transferred to our database (minus names and/or identifying numbers) physical diskettes and flash drives are destroyed.

DISKETTE / USB FLASH DRIVE “DELETE NAMES” OPTION

You have the option to delete client names after each test. This is optional. If you want to use this option, remember that once you delete client names, they are gone and cannot be retrieved. We recommend you only use this option when your reports are no longer needed. Deleting client names does not delete demographics or test data. When you use this option it only deletes client names. This option is provided to protect client confidentiality. Once the names have been deleted, there is no way for you or anybody else to retrieve them. Deleting client names is the test administrator’s responsibility.

ONLINE (INTERNET) “DELETE NAMES” OPTION

The "Delete Client Name" option is provided on the "Supervisor Options" section of a test’s online webpage. To delete the client's name, log in and navigate to the test that client has taken. On that test's main menu, click on that client's name and then click the "Supervisor Options" button. On the Supervisor Options page click on the "Delete Client Name" button and then click the "Continue" button. When this step is completed, the test report will no longer exist or be available for review or printing.

These software features are provided to give BDS, Risk & Needs and Online Testing customers “client confidentiality” at no additional cost. It is the test user's responsibility to delete the client's name, thereby ensuring that they are HIPAA (federal regulation 45 C.F.R. 164.501) compliant.

DATABASE SECURITY

Our database server is located in a secure facility with a guard on duty 24 hours a day, 7 days a week. The facility is monitored constantly by cameras outside and inside of the building. Entrance to this facility is only permitted with proper ID. Once proper ID has been presented to a camera, the security guard on duty remotely unlocks the door to permit entrance.

To gain access to the actual server room, the guard on duty must personally unlock the door. No visitors are allowed under any circumstances. Our servers are in locked cabinets. The cabinets and servers themselves have fail-safe alarms. If a cabinet is opened or a server moved, an alarm goes off in the guard station and in the monitoring station.

Our web server and database server communicate via non-routable protocols. SSL is used to communicate any sensitive information to or from our web servers via the web or FTP.

A Sonicwall 240 Network Security Appliance (firewall) protects our servers. The Sonicwall 240 utilizes Deep Packet Inspection, application control, intrusion prevention and SSL VPN for real-time protection without compromising performance.

Before a test record is stored in our database, any identifying information (name, ID numbers, etc.) is encrypted. Thus, all identifying information in the database is unintelligible to anyone. A secure algorithm built into the Online Testing software decrypts this information before displaying it to a client (test user) over the internet. This ensures that only the person who entered the data can access the names and reports for their clients.

In addition, at any time, clients (test users) have the option of taking an additional encryption step that renders all information irretrievable. We recommend that all clients (test users) perform this step as soon as they can.