Confidentiality and Data Security
Keystroke Pro is one of the very few outsourced typing companies to be certified to the demanding information security standard ISO/IEC 27001:2005 - Information Security Systems. We spent eighteen months obtaining this certification and were duly certified in January 2007. This accreditation governs the handling of all data and ensures comprehensive security of client-sensitive information. Our System Specific Security Policy is available for review.
Our Policy
All data coming into Keystroke Pro is controlled by our sophisticated bespoke work flow and voice file handling system.
The integrity of your data is of paramount importance to you and also to us. Your voice files and documents are kept within a unique customer account environment. We offer the facility to accept encrypted voice files and can return documents encrypted to meet customer requirements.
All KeyStroke Pro staff have to sign a stringent Code of Conduct and Confidentiality Agreement. USB ports are disabled on PCs, and access to removable media (CDs, DVDs, memory sticks and floppy discs) is forbidden, as is access to printers. Entry to our premises is controlled. At our processing facility there is twenty-four-hour manned security.
KeyStroke Pro is also registered under the United Kingdom Data Protection Act 1998 - Registration number: Z539240X
KeyStroke Pro also complies with the US HIPAA Regulations.
Data Protection Act 1998
Under the Data Protection Act 1998 anyone processing personal data must comply with the eight enforceable principles of good practice. These are:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
KeyStroke Pro complies with these principles and, in addition to them, will also sign bespoke Confidentiality Agreements/Deeds as required by individual customers.
READ THE COMPLETE DATA PROTECTION ACT
http://www.hmso.gov.uk/acts/acts1998/19980029.htm#aofs
HIPAA Compliance
The Act defines and regulates how health information is identified and used, including standard transaction forms and code sets for communicating between providers and payers; what information, known as Protected Health Information (PHI), is to be considered private and how it must be handled; and security policies and procedures for protecting PHI.
These regulations all fall under Title II of HIPAA and are collectively known as the Administrative Simplification Compliance Act (ASCA).
An entity falls under HIPAA if it is a health plan, clearinghouse, third-party insurer, employer maintaining health records, rehabilitation center, blood, sperm or organ tissue bank, social worker or counsellor, long-term care facility, ambulance company or pharmacy. However, many more companies and services are impacted, including those who provide services or supplies to health service providers or to patients under the direction of providers.
Outside technology vendors, transcription providers, accountants, attorneys and anyone else who may come into contact with patient information in the course of normal business dealings are also affected.
HIPAA implementation work has concentrated on defining standard transactions for use by providers and third-party payers, and creating standard definitions for health care providers, employers, health plans and individuals to use in creating patient record information. Code sets have been created to define standard medical terms, diagnosis codes, diseases, injuries, etc. Medical procedure codes have also been defined for actions taken to prevent, diagnose, treat or manage diseases, injuries and impairments, as well as for medications, equipment, supplies and other items prescribed for treatment.
An affected organization must implement measures, policies and procedures to assure the security of any information systems that contain individually identifiable patient health information. These should be coordinated and integrated with other system configuration management practices in order to assure system integrity when changes to system hardware or software are made. Any software purchased as a package from an outside vendor must also be compliant.
In addition, affected parties must provide a contingency plan that provides for responding to information system emergencies, including periodic backing up of data, having and testing facilities for continuing operations in the event of an emergency, and developing effective disaster recovery procedures. Computer controls and security measures should be documented in the same manner as other policies and procedures.
Each organization is also required to have a policy on workstation use. These documented instructions and procedures should delineate the proper functions to be performed and the manner in which those functions are to be performed (e.g., logging off before leaving a terminal unattended). Restrictions must be put in place to prevent unauthorized personnel from accessing information stored on the entity's computers.
Facilities that use communications networks are required to protect messages containing health information when they transmit them electronically, to prevent them from being intercepted and read by parties other than the intended recipient. They must also protect their information systems from intruders trying to access information from external communication points. This typically means that some form of encryption must be used to protect this information. There must also be documented policies and security features for the use of fax, e-mail, Internet, remote dictation and transcription services.
The HHS Office for Civil Rights is responsible for enforcement of the HIPAA Privacy Regulations. They maintain up-to-date information on their web site at http://www.hhs.gov/ocr/hipaa/.