Conceptual MindWorks, Inc., dba Sevocity®

HIPAA Compliance Statement

Conceptual MindWorks, Inc. (CMI), has put into place many measures to certify that its information technology program is compliant with the requirements and conditions set forth in the Health Insurance Portability and Availability Act of 1996, including the provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), and the regulations promulgated thereunder (HIPAA). CMI is committed to continually improving its available technology to become increasingly more secure and better capable of meeting the high demand of information access against the increasing demands for information security. A risk analysis, a risk management plan, and a broad range of HIPAA related policies and procedures have been put in place and are regularly reviewed, adjusted, and monitored by an assigned HIPAA Security Officer and an empowered Privacy and Security Risk Management Council. This statement will identify certain facets of our compliance with the HIPAA security standards and regulations. For those entities wishing to obtain more detailed information regarding our compliance program, please contact Randy Surratt, Certified HIPAA Professional (CPH), HIPAA Security Officer, at rsurratt@teamcmi.com or at (210) 737-0777.

Administrative Safeguards (HIPAA 164.308). CMI has put numerous initiatives in place to provide for the appropriate assignment of access permissions to the appropriate person. Actions are in place to govern the movement of our workforce and visitors as well as the privileges associated with those movements. Periodic information security awareness training is mandated for all staff, as well as annual review of contingency plans, audit trails, and security accreditation.

Physical Safeguards (HIPAA 164.310). CMI and its data center are physically secure. Access to the data center servers is controlled via man traps and biometric controlled doors. The CMI facility has 24/7/365 manned security, gated entry, and entrances (including loading docks) are equipped with digital video monitoring and recording. The facility is equipped with a 4 layer plan for fire prevention and suppression, dual input power, and emergency power for all systems, including refrigeration. Access to CMI’s office building, office floor, and development data center are all independently controlled via card access at each level, preventing walk-up intrusion, especially after hours. The data center is above the first level of the building with no specific signage indicating its location, is monitored 24 hours a day with manned security and video surveillance, advanced fire protection systems, uninterruptible power, and emergency power for all systems, including refrigeration. Annual reviews of the facility security plan, disaster recovery plan, and contingency plans are in place. Specific workstation usage and security measures are in place. Policies are also in place to guard against equipment disposal and reuse which may inadvertently compromise sensitive information.

Technical Safeguards (HIPAA 164.312). CMI complies with these regulations by enforcing unique user identifications, many varied audit controls, data integrity mechanisms, data redundancy and backups, entity authentication programs( including the expanding use of digital certificate technology for all staff), data encryption in transit and at rest, and increasing measures to provide better data integrity and encryption.

CMI regularly reviews the required and addressable HIPAA security standards and revises and adapts its policies as necessary to respond to current cybersecurity threats to achieve full compliance with all measures as quickly as possible.