The Health Insurance Portability and Accountability Act (hereinafter the 'HIPAA'), was enacted into law on August 21, 1996. The Act, among other things, contains requirements to issue regulations related to the security and privacy of patients' health information. These requirements take two forms - Privacy Rules and Security Rules. The Privacy Rules became effective on April 14, 2001. Most "covered entities" must comply with the rules by April 14, 2003. The Security Rules have not to date been published in final format. The Act, which is intended to protect medical records and other health information held or disclosed by covered entities, has recently received final approval by the Bush Administration.

While many of Universal Security System's healthcare customers are considered to be covered entities, it should be noted that Universal Security Systems is not defined as a covered entity but rather is a "business associate" for purposes of HIPAA.

Universal Security Systems takes seriously its role as a business associate under HIPAA. The extent to which Universal Security Systems, as a business associate, is obligated under the HIPAA to implement policies and procedures over and above those already in existence has been reviewed by senior management. Universal Security Systems has implemented minor policy changes to bring us into full compliance with the Privacy Rules and Security Rules. Universal Security Systems is also cooperating with our clients who are covered entities by providing require documentation and information regarding our systems, procedures and or policies. Since many of the rules are interrelated, evaluation of compliance with HIPAA regulations will continue to be a work in progress as the regulations (and interpretations thereof) evolve.

Universal Security Systems is committed to full compliance with HIPAA Privacy Rules regardless of our limited interaction with patient information. Universal has implemented training programs for all employees regarding non-disclosure of patient information. Universal has also expanded our information disclosure policies to provide improved privacy compliance.

HIPAA requires system administrators to standardize record security on Local Area Networks (LAN), prohibiting unauthorized users from accessing patient information. In addition, HIPAA requires the ability to generate an accountability log defining when and who has accessed patient information. Universal Security Systems that contain patient information are subject to these regulations. Universal is both cooperating with manufacturers and clients to provide and implement the necessary security and accountability to meet the HIPAA Security requirements in both new and existing systems.

Universal Security Systems recognizes the importance of this act and will initiate such compliance programs and procedures as necessary to meet our obligations and to assist our clients in meeting their compliance requirements within the mandated timeframes.