CONFIDENTIALITY AND SECURITY
Whether you are using diskettes, USB flash drives, or testing online, when you are using the Gambler Addiction Index (GAI), you can rest assured, knowing that your client's privacy and confidentiality are safe. Any identifying information (name, ID numbers, etc.) is encrypted before being stored in our database. A secure algorithm, built into the Gambler Addiction Index (GAI) software, unencrypts this information before displaying it to you over the web. This ensures that only you can access the data and reports for your clients. This encryption method is HIPAA (federal regulation 45 C.F.R. 164.501) compliant.
Online Test users are encouraged to delete client names, when their assessment process is completed. This proprietary name deletion procedure involves a few keystrokes. Once names are deleted, they are gone and cannot be retrieved. Deleting names does not delete demographics or test data, which is downloaded into the GAI database for subsequent analysis. This name deletion procedure insures confidentiality and compliance with HIPAA (federal regulation 45 C.F.R. 164.501) requirements.
Windows diskettes and flash drives are sent out with 25 or 50 tests on them. When these tests are used, the customer returns the diskette or flash drive to Behavior Data Systems, Ltd. (BDS). As explained in the GAI Training Manual, before returning diskettes or flash drives to Behavior Data Systems, Ltd. (BDS), customers are instructed to delete the client names from the diskettes/flash drives.
When the diskette or flash drive is received at BDS, it is logged in as returned in our tracking system. The diskette or flash drive, then, is processed through a File Transfer Program (FTP) that extracts client demographics (age, sex, race, date of birth, education, etc.), history questions (age of first arrest, number of arrests, etc.), and client response data (answers). This data is used for GAI research � no names or identifying numbers are needed and, none are collected. After the data is transferred to our database (minus names and/or identifying numbers), physical diskettes and flash drives are destroyed.
DISKETTE / USB FLASH DRIVE DELETE NAMES OPTION
You have the option to delete client names after each test. This is optional. If you want to use this option, remember, that once you delete client names -- they are gone and cannot be retrieved. We recommend you only use this option. when your client's report is no longer needed. Deleting client names does not delete demographic, or test data. When you use this option, it only deletes client names. This option is provided to protect client confidentiality. Once the names have been deleted, there is no way for you to retrieve them.
ONLINE (INTERNET) DELETE NAMES OPTION
The "Delete Client Name" option is provided on the "Supervisor Options" section of the test�s online webpage. To delete the client's name, log in, and navigate to the test that client has taken. On that test's main menu, click on that client's name and, then, click the "Supervisor Options" button. On the Supervisor Options page, click on the "Delete Client Name" button and, then, click the "Continue" button. When this step is completed, the test report will no longer exist, or be available for review or printing.
These software features provide BDS and Online-Testing customers �client confidentiality,� at no additional cost. It is the test user's responsibility to delete the client's name, thereby, insuring that they are HIPAA (federal regulation 45 C.F.R 164.501) compliant.
DATABASE SECURITY
Our database server is located in a secure facility, with a guard, on duty, 24 hours a day, 7 days a week. The facility is monitored constantly by cameras outside and inside of the building. Entrance to this facility is only permitted with proper ID. Once proper ID has been presented to a camera, the security guard, on duty, remotely unlocks the door to permit entrance.
To gain access to the actual server room, the guard, on duty, must personally unlock the door. No visitors are allowed, under any circumstances. Our servers are in locked cabinets. The cabinets and servers, themselves, have fail-safe alarms. If a cabinet is opened or a server moved, an alarm goes off in the guard station and in the monitoring station.
Our web server and database server communicate via non-routable protocols. SSL is used to communicate any sensitive information to, or from our web servers, via the web or FTP.
A Sonicwall 240 Network Security Appliance (firewall) protects our servers. The Sonicwall 240 utilizes Deep Packet Inspection, application control, intrusion prevention and SSL VPN, for real-time protection, without compromising performance.
Before a test record is stored in our database, any identifying information (name, ID numbers, etc.) is encrypted before being saved. Thus, all identifying information in the database is unintelligible to anyone. A secure algorithm, built into the Online Testing software, unencrypts this information before displaying it to a client over the internet. This insures that only the person, who entered the data, can access the names and reports for their respective clients.
In addition, at any time, clients have the option of taking an additional encryption step that renders all information irretrievable. We recommend that all clients perform this step as soon as they can.
Behavior Data Systems, Ltd.
P.O. Box 44256
Phoenix, Arizona 85064-4256
Toll Free Telephone: 1 (800) 231-2401
info@bdsltd.com
Copyright © 2004. Behavior Data Systems, Ltd. All Rights Reserved.
* * *