HIPAA and Security

Bright Minds HIPAA Compliance Summary
Bright Minds combines the best outsourced transcription service with a HIPAA-compliant, secure, Internet-based document management and distribution system.

This document provides information on the systems and procedures Capitol Medical Technologies Inc. has implemented to comply with HIPAA requirements related to the Bright Minds Mail product. These systems and procedures fall into three categories: Administrative Procedures, Physical Safeguards and Technical Data Security.

Each of these categories is described briefly below:

I. Administrative Procedures:

This category includes systems and procedures used to guard data integrity, confidentiality and availability. These are formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.

HIPAA Compliance Management: Bright Minds has established a HIPAA Compliance Management Committee consisting of the CEO and director-level managers for operations and sales.

The HIPAA Compliance Steering Committee performs internal assessments and audits, performs gap analyses, conducts training, sets policies for security and for access to system components, monitors the HIPAA implementation rules on an ongoing basis, and assigns activities and responsibilities to ensure compliance.

All personnel with access to customer data or customer records are required to sign a confidentiality agreement. All business partners with access to protected information must enter into a business associate agreement that requires full compliance with all HIPAA requirements and safeguards.

II. Physical Safeguards:

This category includes safeguards to protect physical computer systems and related buildings and equipment from intrusion as well as from fire and other environmental hazards. The use of locks, keys and administrative measures to control access to computer systems and facilities is also included.

Bright Minds servers and databases are housed in a state-of-the-art data center. The data center facilities provide a secure, climate-controlled environment that is operational 24 hours a day, 7 days a week, 365 days a year.

The data center is physically secured and requires the use of special electronic access codes to enter. Keys are issued only to individuals authorized by the HIPAA compliance officer.

Logs of all entry to and exit from the facility are automatically maintained. The data center facilities are equipped with climate control systems, fire detection and suppression systems, and a backup UPS and generator.

III. Technical Data Security:

This category includes systems and procedures used to protect, control, and monitor information access, and includes processes used to prevent unauthorized access to data transmitted over a communications network. Security is addressed at all layers: physical, network, database, application and user.

Physical Security
See previous section.

Network Security
All Bright Minds servers and databases are located on a secured internal network that is protected by a Cisco Secure PIX Firewall (a hardware firewall). This appliance holds the top ranking in performance and has IPsec encryption built in. (More information on the PIX is at www.cisco.com/warp/public/cc/pd/fw/sqfw500.)

Database Security
Bright Minds uses the Microsoft SQL Server 7.0 and SQL Server 2000 databases and implements the SQL Server Security Model. In summary, this model addresses security at multiple layers including securing access to the server, securing access to the database, securing access to database objects and securing access through application roles. (More information on this security model can be found on the web: http://www.microsoft.com/sql/techinfo/administration/70/Security.doc)
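To make the four layers of that model concrete, here is an added Transact-SQL example written in the SQL Server 2000 system-procedure syntax matching the versions named above; it is not Bright Minds' or Microsoft's own configuration, and the database, login, role and table names (TranscriptsDB, transcription_svc, dbo.Documents, dbo.AuditTrail) are assumptions for illustration.

```sql
-- Added example: the four layers of the SQL Server security model with
-- least-privilege grants. All names and passwords are placeholders,
-- not Bright Minds' real configuration.
USE master
GO
-- 1. Server layer: a login only lets the principal connect to the
--    instance; it confers no access to any database by itself.
EXEC sp_addlogin @loginame = 'transcription_svc',
                 @passwd   = 'REPLACE-WITH-STRONG-PASSWORD',
                 @defdb    = 'TranscriptsDB'
GO
USE TranscriptsDB
GO
-- 2. Database layer: map the login to a user in this one database only,
--    so it cannot reach other databases hosted on the same server.
EXEC sp_grantdbaccess @loginame   = 'transcription_svc',
                      @name_in_db = 'transcription_svc'
GO
-- 3. Object layer: grant permissions to a role, never to users, and
--    only on the objects the work needs. This role deliberately gets no
--    direct access to the PHI table, only to a non-sensitive lookup.
EXEC sp_addrole @rolename = 'transcriptionist'
GRANT SELECT ON dbo.DocumentTypes TO transcriptionist
EXEC sp_addrolemember @rolename   = 'transcriptionist',
                      @membername = 'transcription_svc'
GO
-- 4. Application-role layer: PHI access exists only while the Bright
--    Minds application has activated the role with its secret. An
--    ad-hoc query tool using the same login never gets these grants.
--    The audit table is append-only for the application (INSERT, no
--    UPDATE or DELETE), so the audit trail cannot be rewritten.
EXEC sp_addapprole @rolename = 'brightminds_app',
                   @password = 'REPLACE-WITH-APP-ROLE-SECRET'
GRANT SELECT, INSERT, UPDATE ON dbo.Documents  TO brightminds_app
GRANT INSERT                 ON dbo.AuditTrail TO brightminds_app
GO
-- At run time the application activates the role on its connection;
-- from then on the session holds the role's permissions instead of the
-- user's own. Until it does, dbo.Documents is unreachable.
EXEC sp_setapprole @rolename = 'brightminds_app',
                   @password = 'REPLACE-WITH-APP-ROLE-SECRET'
```

Verify the split by querying dbo.Documents before and after sp_setapprole on a test connection: the first attempt should be denied and the second should succeed.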

Application Security
The proprietary Bright Minds desktop application applies 128-bit encryption to all files prior to any file transmission via the public Internet. All use of the Capitol Medical Technologies web application is forced to occur over the HTTPS protocol (SSL, Secure Sockets Layer) with 128-bit encryption strength. Attempts to access the application without SSL are redirected. (More information about SSL is at http://www.rsasecurity.com/standards/ssl/basics.html.)

User Security & Audit Trail
Access to the Bright Minds system is limited to registered users. Users must provide their username and password to gain entry. A complete audit trail is maintained including user session information. All database transactions are logged.