At Crisalix, we take all necessary measures to comply with the strictest privacy and security regulations, including HIPAA guidelines. The Crisalix system is designed to allow customers to meet such requirements under applicable patient privacy laws. Namely, Crisalix uses Secure Sockets Layer (SSL), a data encryption technology, which ensures that data is unreadable during the transfer of images across the internet, and further takes all reasonable measures to limit the use or disclosure of protected health information (PHI) to a strict minimum in order to fulfill the provision of services it has engaged to provide its customers.

Although Crisalix is not a covered entity nor is it directly subject to the privacy and security provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), we recognize the significant role that HIPAA has on our customers. Accordingly, we protect patient privacy and confidentiality in a manner that comports with HIPAA and other applicable laws and regulations. The Crisalix simulation system is utilized to transmit, store and manipulate digital images via the Internet that can contain PHI (patient identifiers, photos, etc.). We have prepared this statement to provide a brief overview of how the HIPAA Privacy and Security Rules pertain to 3D simulations. The Health Insurance Portability and Accountability Act (HIPAA) has two rules of importance for your practice in how it may relate to the use Crisalix: the Security Rule and the Privacy Rule that fall under a general HIPAA category known as the Administrative Simplification Act. Both rules have some influence on the transmission, storage and management of patient images.

In Security Rule: The HIPAA Security Rule became effective on April 21, 2003. The Security Rule is intended to protect the confidentiality of medical information. The Security Rule establishes requirements that facilitate a medical practice's storage, maintenance and transmission of PHI in a "secure electronic environment." This involves administrative procedures and physical safeguards as well as technical measures to control and monitor access to PHI and to prevent unauthorized access to data during transmission.

Privacy Rule: The HIPAA Privacy Rule, which covers the use and disclosure of protected health information (PHI), became effective on April 14, 2001. It mandated that all practices had to be compliant with the Privacy Rule effective April 14, 2003.

The Privacy Rule requires that practices make reasonable efforts to limit the use and disclosure of such PHI by staff members to the "minimum necessary" to perform their duties. Practices are also expected to minimize the likelihood of "incidental disclosures" to persons who have no legitimate need to view PHI. Further, practices must maintain a log of certain PHI disclosures that are not directly related to patient's treatment.

Crisalix has compiled some suggestions to help ensure that your practice manages patient images in a responsible and HIPAA-compliant manner while using Crisalix:

"HIPAA-compliant" 3D simulation softwares does not exist as such. Nevertheless Crisalix is doing its utmost to develop products and services that are HIPAA-compliant to assist our customers in fulfilling these requirements.

November, 2012