We have adopted the use of a state of the art 128 bit public-key private-key encryption system. It is the same that most banks use in their ATMs. You may have seen it used in Netscape Navigator & Internet Explorer when you submit credit card transactions on internet.

What is public-key private-key encryption?

In the days of WWII, German naval forces used a one-way encryption system called the enigma. Each ship had a deciphering system by which German ships could decode encrypted messages. Once this encryption key (the enigma) was captured, all the German transmissions could be easily decrypted by the allied forces. The only way to have secure transmissions in this single key encryption system is to ensure that the keys themselves are given out in a secure manner and that the keys are guarded safely from theft.

On the other hand in a public/private key encryption system the more widely distributed your public keys are, the better it is. People need not meet securely beforehand in order to exchange documents in this encryption method. Each person has two sets of keys: one public key which he/she gives out to everyone and another private key which is kept secure locally. Each public/private key can only encrypt or decrypt going in a one way direction. So basically if Dr. X sends us his daily log of encounters, he/she sends us information to the MDPad public key. Information sent to the MDPad public key is only decipherable by the MDPad private key. Now when information is sent via the MDPad servers to Dr. X, it is sent by encrypting to Dr. X's public key. Once Dr. X's local handheld receives the information, it is deciphered using Dr. X's private key. The advantage of a public/private key pair is that the keys themselves need not be securely transmitted before the transaction occurs. Hackers may obtain the data stream in either direction to or from our servers, but without the private key, the information is useless.

In summary it is extremely difficult, and nearly impossible to crack a public key/private key encryption system. We have gone through extraordinary efforts to keep patient information confidential.

What is HIPAA (Health Insurance Portability and Accountability Act)?

Congress passed the Health Insurance Portability and Accountability Act in 1996. The act set forth a framework of standard minimum protocols and procedures for ensuring the safety, security and integrity of electronically stored health care data.

Among other things, HIPAA regulations require that organizations must: have proper safeguards in place to protect medical record confidentiality, designate a privacy official, create a statement of the organization's practices regarding who has access to sensitive data, implement safeguards to prevent disclosure of private patient data, provide a means to lodge and log complaints, and to develop sanctions against those who violate these rules.

MDPad upholds the high standards of the HIPAA. MDPad has also proactively taken steps to insure we will be compliant with all the provisions of HIPAA. HIPAA currently mandates that all companies or hospitals using electronic records be compliant with HIPAA regulations by the end of 2001.

What kind of lengths will you go to protect patient confidentiality?

No computer system is 100% secure from hackers. We have gone through extraordinary efforts to protect confidential patient data from hackers, insurance companies and drug companies.

Perhaps the most long-term benefit that any electronic record can provide is in the area of data-mining. Patient information and physician prescribing habits are
extremely useful for the purpose of improving the general public health. Aggregated patient data is useful for the public health for research and academic purposes. MDPad assures that any patient identifiable data will be stripped before release to third parties. Information that requires the divulgence of patient identity will not be released without permission from the patient and their primary physician.

As a physician, I feel uncomfortable giving out the rights to my "records" to a private company?

Paper based patient records have stored by private companies for years. Iron Mountain is an example of a company that warehouses patient charts, and retrieves them on short notice. Our company is a modern day, computerized version of Iron Mountain. In fact, our security standards exceed those of traditional warehouses. As a company our integrity and business model would be irreparably damaged if we divulged patient data without consent.

What if I lose my handheld computer?

Assuming you do a nightly sync as suggested, your data is backed up on our servers. You simply get a new handheld and on the next synch, the patient data will be re-transmitted to your machine. The MDPad is designed so that no one can access your confidential data unless they know your secret log-on password, which should be shared with no one.

Will you be selling the patient demographic data to a third party?

No, MDPad's business model is to serve as an "electronic physician secretary". We would not threaten our relationship with physicians by divulging confidential patient information without explicit consent. We would not be able to operate a viable business if we lost physician trust.

The only information we will release to third party is that which is stripped of patient identifying information, for purposes of research and aggregate public health analysis.