Whether you are using diskettes, USB flash drives or testing online, when you are using Behavior Data Systems, Ltd. tests you can rest assured knowing that your client's privacy and confidentiality are safe. Any identifying information (name, ID numbers, etc.) is encrypted before being stored in our database. A secure algorithm built into each BDS test’s software unencrypts this information before displaying it to you over the web. This ensures that only you can access the data and reports for your clients. This encryption method is HIPAA (federal regulation 45 C.F.R. 164.501) compliant.
Online Test users are encouraged to delete client names when their assessment process is completed. This proprietary name deletion procedure involves a few keystrokes. Once names are deleted they are gone and cannot be retrieved. Deleting names does not delete demographics or test data which is downloaded into each test's database for subsequent analysis. This name deletion procedure insures confidentiality and compliance with HIPAA (federal regulation 45 C.F.R. 164.501) requirements. Windows diskettes and flash drives are sent out with 25 or 50 tests on them. When these tests are used the customer returns the diskette or flash drive to Behavior Data Systems, Ltd. (BDS). As explained in the test Training Manual, before returning diskettes or flash drives to Behavior Data Systems, Ltd. (BDS) customers are instructed to delete the client’s names from the diskettes/flash drives.
When the diskette or flash drive is received at BDS it is logged in as returned in our tracking system. The diskette or flash drive then is processed through a File Transfer Program (FTP) that extracts client demographics (age, sex, race, date of birth, education, etc.), history questions (age of first arrest, number of arrests, etc.) and client response data (answers). This data is used for each test's research – no names or identifying numbers are needed and none are collected. After the data is transferred to our database (minus names and/or identifying numbers) physical diskettes and flash drives are destroyed.
You have the option to delete client names after each test. This is optional. If you want to use this option, remember that once you delete client names -- they are gone and cannot be retrieved. We recommend you only use this option when your clients report is no longer needed. Deleting client names does not delete demographic or test data. When you use this option it only deletes client names. This option is provided to protect client confidentiality. Once the names have been deleted, there is no way for you to retrieve them.
The "Delete Client Name" option is provided on the "Supervisor Options" section of the test’s online webpage. To delete the client's name, log in and navigate to the test that client has taken. On that test's main menu, click on that client's name and then click the "Supervisor Options" button. On the Supervisor Options page, click on the "Delete Client Name" button and then click the "Continue" button. When this step is completed, the test report will no longer exist or be available for review or printing.
These software features are provided to provide BDS and Online-Testing customer’s “client confidentiality” at no additional cost. It is the test user's responsibility to delete the client's name, thereby insuring that they are HIPAA (federal regulation 45 C.F.R 164.501) compliant.
Our database server is located in a secure facility with a guard on duty 24 hours a day, 7 days a week. The facility is monitored constantly by cameras outside and inside of the building. Entrance to this facility is only permitted with proper ID. Once proper ID has been presented to a camera, the security guard on duty remotely unlocks the door to permit entrance.
To gain access to the actual server room, the guard on duty must personally unlock the door. No visitors are allowed under any circumstances. Our servers are in locked cabinets. The cabinets and servers themselves have fail-safe alarms. If a cabinet is opened or a server moved, an alarm goes off in the guard station and in the monitoring station.
Our web server and database server communicate via non-routable protocols. SSL is used to communicate any sensitive information to or from our web servers via the web or FTP.
A Sonicwall 240 Network Security Appliance (firewall) protects our servers. The Sonicwall 240 utilizes Deep Packet Inspection, application control, intrusion prevention and SSL VPN for real-time protection without compromising performance.
Before a test record is stored in our database, any identifying information (name, ID numbers, etc.) is encrypted before being saved. Thus, all identifying information in the database is unintelligible to anyone. A secure algorithm built into the Online Testing software unencrypts this information before displaying it to a client over the internet. This insures that only the person who entered the data can access the names and reports for their respective clients.
In addition, at any time, clients have the option of taking an additional encryption step that renders all information irretrievable. We recommend that all clients perform this step as soon as they can.
Behavior Data Systems, Ltd.
P.O. Box 44256
Phoenix, Arizona 85064-4256
Toll Free Telephone: 1 (800) 231-2401