full_toolkit.rtf

Upload: venuyes

Post on 14-Apr-2018

TRANSCRIPT

  • 7/27/2019 full_toolkit.rtf

    1/37

    CPRI Toolkit
    Revision: October 2, 1999

    Toolkit Section 1.0
    Chapter One
    EXECUTIVE SUMMARY

    Introduction

    Computer-based patient record systems (CPRS) may potentially achieve greater protection of health information than paper-based records. Ensuring an appropriate and consistent level of information security for computer-based patient records, both within individual health care organizations and throughout the entire health care delivery system, requires organizations entrusted with health care information to establish formal information security programs. Recognizing the importance of information security in managing computer-based patient records, the Computer-based Patient Record Institute (CPRI) chartered the Work Group on Confidentiality, Privacy, and Security to promote this process. Since its inauguration in 1993, the Work Group has developed and published a series of topical guidelines on improving information security for organizations implementing CPRS.

    The guideline series addresses individual issues in information security, but, taken as a whole, promotes a comprehensive organizational process. The CPRI believes that managing health care information requires integrating good security processes into the everyday working routines of all staff, not just implementing security measures. Toward that end, the CPRI created a new Task Force to consolidate its guideline series into a toolkit that outlines general principles and provides "best practice" examples of how health care providers should manage the security of their paper and electronic records. The sections of the CPRI Toolkit identify key activities that health care providers should initiate as part of managing information security, including:

    • Monitoring and adjusting to the changing laws, regulations, and standards
    • Developing, implementing, and continuously updating data security policies, procedures, and practices
    • Enhancing patient understanding of the organization's information security efforts
    • Institutionalizing responsibility for information security

    Each section includes an introduction, a copy of the latest edition of the pertinent CPRI guideline, several case studies with sample policies, procedures and forms, and extensive references to print and Internet sources of more information. A consolidated annotated bibliography, a list of Web sites, and a glossary of terms appear at the end of the CPRI Toolkit. With this toolkit, any health care provider should be able to plan, implement, and evaluate a security surveillance process scaled to their organizational needs. These resources should aid healthcare organizations in securely managing information, particularly as they develop responses to new federal regulations and laws such as the Health Insurance Portability and Accountability Act of 1996.

    Monitoring Changing Laws, Regulations, and Standards

    Currently, questions of health information security and medical privacy are of utmost importance in the United States. Hardly a day goes by that The Washington Post, The New York Times, or USA Today do not feature an article about some aspect of medical privacy. Opinion polls document that the American public regards the data management practices of most large organizations with great skepticism. In partial response to these and other expressions of public concern, President Clinton commissioned a task force on medical privacy as part of his health care reform efforts. Although the recommendations of the privacy task force died along with Clinton's plan, federal legislators have incorporated some of their intent, particularly the requirement of federal medical privacy legislation, into subsequent approaches to health care reform. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) creates specific requirements for the Congress and the Department of Health and Human Services (DHHS). Because of HIPAA, the legal and regulatory environment for managing patient medical records has dramatically changed. DHHS has developed regulations for managing health information security (see Chapter Three below). Efforts to develop federal medical privacy requirements continue in both Congress and DHHS. DHHS led the way on medical privacy by designing model rules to guide Congress and/or its own process of rulemaking if necessary. Meanwhile, many standards-setting organizations are busy addressing the problems of medical privacy and the security of health care information from their own perspectives.

    The CPRI Toolkit contains summaries of the DHHS rules, the DHHS model medical privacy provisions, information about tracking state laws on medical privacy, and a thorough explanation of the standards-setting process in medical informatics. As an example of how two important standards-setting organizations in health care, the Joint Commission on the Accreditation of Healthcare Organizations and the National Committee on Quality Assurance, are beginning to incorporate demands for adequate data security practices into their evaluation criteria, a copy of the Executive Summary of Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment can be found in chapter three of the CPRI Toolkit.

    Developing Policies, Procedures, and Practices for Information Security

    Changes in the regulatory and legal environments, the security risks of distributed networks and systems, ever-changing information technology, and rising patient expectations all require health care organizations to continuously update their data security policies, procedures, and practices. A security team must take primary responsibility for coordinating this effort through careful risk analysis, security policy review, and technical and operational enhancements. The security team's efforts will fail, however, without strong business and clinical leadership from throughout the organization. Even if key leaders accept responsibility for maintaining the confidentiality of patient identifiable information, staff will probably resist taking on new tasks that further complicate their work and compete with current tasks. The security team must recognize that enhancing the organization's security capability requires transforming institutional resistance into a mission-based mobilized security effort. A security team that neglects building support for its efforts risks failure.

    Included in the CPRI Toolkit are sample documents illustrating approaches to security policies, security risk analyses, patient consent and disclosure documents, and other issues from several organizations including the American Health Information and Management Association, Kaiser Permanente of Northern California, Partner HealthCare System, Inc., Harvard Vanguard Medical Associates, and several NLM-funded sites. These examples should assist any health care program, large or small, in its efforts to enhance the security of its confidential information.

    Enhancing Patient Understanding of Information Security Efforts

    As the DHHS recommendations on confidentiality make clear, health care providers face new obligations in informing patients about how they manage health information. The DHHS recommendations signal some broad social changes, however, whose significance transcends the narrow legal and regulatory context of their development. Reforms in health care finance (specifically the emergence of managed care) are refocusing some aspects of health care from the doctor-patient relationship to the organization-patient relationship, thus making health care organizations accountable to patients in new ways. In addition to being accountable for health care processes and outcomes, organizations are becoming accountable to patients for their business practices, particularly for what they do with information about their individual cases. These changes, as well as DHHS proposals, will increasingly require health care organizations to obtain new types of consent, provide patients access to information historically reserved for institutional use only, educate patients about their business practices, and extend new services to their patients using electronic media. Patients are also demanding a variety of Internet and web-based healthcare services, including email and access to their medical records. Model examples of how some health care organizations are trying to meet these new obligations are included in the CPRI Toolkit.

    Institutionalizing Responsibility for Information Security

    The well known maxim "Confidentiality is everybody's business" states the basic truth. Transforming this truism into practice requires institutional work and personal commitment. This toolkit provides models and methods for assisting health care providers to manage patient records as a broad institutional process, including the technical protection of the information system. In addition to these concrete methods, however, health care providers should institutionalize a sense of responsibility for maintaining patient confidentiality at all levels, including individual staff, program managers, and organizational administrators. Health care providers should develop methods for binding these levels of responsibility together, such as in the illustration of the "Trustee/Custodian Agreements" from Kaiser Permanente explained in the final section of the CPRI Toolkit. By creating the trustee/custodian relationship, Kaiser has institutionalized mutual responsibility for secure information control between clinical and information staff, thus integrating it into, rather than segregating it from, everyday work. Not all health care providers need to develop an arrangement as formal as Kaiser's Trustee/Custodian Agreement. Yet, most organizations larger than a single physician office differentiate between clinical and information systems staff. Formulating roles that institutionalize a sense of mutual responsibility for information security among staff operationalizes the idea that confidentiality is everybody's business. Instead of relegating information security to the domain of the technical specialists and parceling responsibility for managing patients only to clinicians, all staff assume responsibility for the enterprise, its patients, and the confidentiality of their information.

    Chapter Two
    INTRODUCTION

    Computer-based patient record systems (CPRS) may potentially achieve greater protection of health information than paper-based records. Ensuring an appropriate and consistent level of information security for computer-based patient records, both within individual health care organizations and throughout the entire health care delivery system, requires organizations entrusted with health care information to establish formal information security programs. Recognizing the importance of information security in managing computer-based patient records, the Computer-based Patient Record Institute (CPRI) chartered the Work Group on Confidentiality, Privacy, and Security to promote this process. Since its inauguration in 1993, the Work Group has developed and published a series of topical guidelines on improving information security for organizations implementing CPRS.

    The guideline series addresses individual issues in information security, but, taken as a whole, promotes a comprehensive organizational process. The CPRI believes that managing health care information requires integrating good security processes into the everyday working routines of all staff, not just implementing security measures. Toward that end, the CPRI charged the Work Group to consolidate its guideline series into a toolkit that outlines general principles and provides "best practice" examples of how health care providers should manage the security of their paper and electronic records. The sections of the CPRI Toolkit identify key activities that health care providers should initiate as part of managing information security, including:

    • Monitoring and adjusting to the changing laws, regulations, and standards
    • Developing, implementing, and continuously updating data security policies, procedures, and practices
    • Enhancing patient understanding of the organization's information security efforts
    • Institutionalizing responsibility for information security

    Each section includes an introduction, a copy of the latest edition of the pertinent CPRI guideline, several case studies with sample policies, procedures and forms, and extensive references to print and Internet sources of more information. A consolidated annotated bibliography, a list of Web sites, and a glossary of terms appear at the end of the CPRI Toolkit. With this toolkit, any health care provider should be able to plan, implement, and evaluate a security surveillance process scaled to their organizational needs.

    The legal, social, and technical environment surrounding CPRS will remain dynamic, thus requiring all health care providers to be vigilant in the years to come. The CPRI has designed this toolkit to assist health care providers in adapting to the changing circumstances affecting management of information security. The CPRI Toolkit contains examples of "best practices," but healthcare providers should consult with their legal departments and assess their own situations before adopting any forms, policies, or procedures contained in the CPRI Toolkit.

    Toolkit Section 2.1
    How to Use the CPRI Toolkit

    Healthcare organizations will find valuable resources in the CPRI Toolkit to assist in managing the security of business, clinical and other types of health information, particularly in computer-based record systems. The CPRI Toolkit includes guiding principles, case studies and paradigmatic examples of how to build a health information security program, including "hot links" over the World Wide Web to important sites. New regulations on the security of computer-based health information promulgated by the Department of Health and Human Services subsequent to the Health Insurance Portability and Accountability Act of 1996 make accomplishing this task salient and necessary for all healthcare providers, payers and clearinghouses. In order to keep faith with and maintain the trust of patients, clinical and business partners and the general public, nonetheless, healthcare organizations should seek capably to assure the confidentiality, integrity and secure accessibility of their information as a matter of basic business practice. Assuring information security has the reputation of being a highly esoteric technical enterprise. The CPRI Toolkit makes the case that maintaining information security should be an aspect of the everyday work of all members of the organization (including its customers), not just of "security specialists" or information technologists alone. The CPRI Toolkit offers guidance in accomplishing three basic security program functions, namely:

    1) Monitoring changing laws, rules and regulations;
    2) Updating information security policies, procedures and practices, and;
    3) Enhancing patient understanding and acceptance.

    By accomplishing these functions, healthcare organizations potentially institutionalize a sense of responsibility for information security throughout their operations, thus building the foundations of a competent, defensible information assurance program.


    To take best advantage of the resources contained in the CPRI Toolkit, healthcare organizations should develop and sustain a security surveillance process that typically includes the following critical steps:

    1) Assigning responsibility for managing information security;
    2) Developing and implementing a plan for managing risks to the confidentiality, integrity and secure accessibility of an organization's information;
    3) Measuring and documenting the impact of administrative and technical countermeasures taken in execution of the information security plan, and;
    4) Reevaluating and adapting the plan in light of experience.

    As implied by the feedback loop linking experience to the original plan, the security surveillance process never ends but should occur as part of a healthcare organization's regular administrative operations. Such a broad-based, recurrent approach will build administrative support for and enterprise-wide awareness of the importance of information assurance, both of which will be necessary to meet the deadline for implementation of the HIPAA security regulations in early 2002. This approach also shares with the HIPAA regulations a strategy of health information security based on risk management, not risk avoidance. It thereby should help healthcare organizations comply with HIPAA as it enhances their overall competence in health information assurance.

    The organization of the CPRI Toolkit encourages healthcare organizations to keep their eyes focused on three broad security functions: monitoring their federal, state and professional regulatory and legal environment, updating their own internal environment of policies, procedures and practices, and communicating with their patients. As healthcare organizations work their way through the critical steps of the security surveillance process, they will find resources in the CPRI Toolkit linking the process to these three broad functions. The resources come in several forms.

    1) Monitoring Laws, Regulations and Standards: Chapter 3 devotes great attention to the extensive HIPAA-provoked federal activity in health information security and provides extensive materials about state and professional activities in health information assurance. This chapter includes summaries of all the HIPAA electronic transaction and data security regulations and of the Notice of Proposed Rulemaking on medical privacy. A special matrix creates "hot links" between the HIPAA requirements and pertinent sections of the CPRI Toolkit. A section on state law includes information on how to investigate legislative action in all fifty states as well as a recent evaluation of the state scene prepared by the Georgetown University Health Privacy Project. The Executive Summary of the JCAHO/NCQA Recommendations for Protecting Personal Health Information is republished with permission in recognition of the central role of these two accrediting bodies for healthcare providers. Finally, DHHS and professional information security specialists regularly refer to and depend upon the work of a range of standards setting organizations, a realm that often remains somewhat obscure to many healthcare professionals. In order to demystify and recognize the importance of standards setting organizations, the editors of CPRI Toolkit asked Margaret Amatayakul, former executive director of the CPRI, to write an introduction to setting standards in health care information. Using the resources in this section of the CPRI Toolkit, any healthcare organization ought to be able to discover and track the various federal, state, and professional requirements in health information security and privacy with which they must comply. HIPAA gives this section special salience now; but monitoring laws, regulations and standards for healthcare constitutes work that never ends for healthcare organizations in this and all aspects of their operation.

    2) Updating health information policies, procedures and practices: Since its inception in 1993, the CPRI Work Group on Confidentiality, Privacy and Security has published booklets on specific topics in health information security. Each booklet is reprinted in Chapter 4 accompanied by samples and case studies illustrating the critical steps healthcare organizations should take to plan and implement a health information security program. Sample security policies illustrate how eight different healthcare organizations of varying scale have addressed the issues discussed in "CPRI Guidelines for Information Security Policies." Section 4.5 contains an introduction to information security risk assessment and a case study on telemedicine from Georgetown University Medical Center. To learn about "Assigning Roles and Responsibilities" in health information security, consult section 4.4 with the reprinted "CPRI Guidelines for Managing Information Security Programs" and a case study from the University of Pennsylvania. A comprehensive information security training course, complete with "Instructor's Guide", all necessary slides, and pre- and post-tests, accompanies the "CPRI Guide to Information Security Training". Information about organizations that sponsor regular training in information security and references to other resources complete the section. To learn about how organizations enforce security policies, consult section 4.8, which contains sample confidentiality statements/agreements and a case study on securing user agreement at Kaiser Permanente Northern California. A special section focuses on issues in the electronic transmission of health information such as email, fax and the Internet. HCFA's new Internet Policy appears accompanied by a discussion of PCASSO, an NLM-sponsored project giving patients and providers secure remote access to computer-based patient records at the University of California San Diego Medical Center. This includes discussion of certain information security technologies such as firewalls and encryption.

    3) Enhancing patient understanding of an organization's health information security program: In the new millennium, patients will hold healthcare organizations accountable for many aspects of their business practice as well as medical care. As this second edition of the CPRI Toolkit goes to press, Congress is debating Patients' Bill of Rights legislation to permit suit of managed care companies for denial of service and other business practices. Such bills and supporting anecdotes provide some evidence of public dissatisfaction with the consequences of reforms in healthcare finance during the last decade. Demands for greater accountability in the use of personally identifiable health information reflect distrust of complex organizations and their power over the lives of individuals. The DHHS suggests that federal medical privacy laws or regulations include requiring healthcare organizations to give patients the right to review and propose corrections to their medical record as well as document and permit patients to review lists of disclosures. Chapter 5 of the CPRI Toolkit includes procedures and forms from AHIMA illustrating how healthcare organizations might responsibly provide these services. Healthcare providers might actually go one step further and use the public's concern about medical security and privacy to build trust. Chapter 5 includes a discussion of "HelpBot", Georgetown University Medical Center's web-based explanation of its efforts to assure the confidentiality, integrity and secure accessibility of patient information in telemedicine. Instructions for tailoring "HelpBot" to an organization's own needs are included.

    Institutionalizing sound security practices requires creating sustaining structures at all levels of the organization. Security seminars routinely repeat two basic truisms: 1) the CEO should publicly support an organization's information security program, and 2) confidentiality is everybody's business. Questions about how to integrate information security into an organization's life less frequently get posed. Of particular concern is the tendency to isolate information security from clinical and business operations. Through an arrangement called "Trustee-Custodian Agreements", Kaiser Permanente has developed a means of tightly sharing responsibility for information security between information specialists and clinical and business users. Chapter 6 includes a detailed discussion of the process and sample agreement forms.

    The CPRI Toolkit offers a gateway into thinking about managing information security in healthcare. Because this second edition exists "on the web" as well as on paper, it literally functions as a means of finding resources beyond its own boundaries. To assist users in this task, Chapter 7 lists all the addresses of references to sites and information on the World Wide Web with activated "hot links". Chapter 8 includes a glossary of terms updated from the previously published CPRI "Glossary" and a web link to the HIPAA glossary. Chapter 9 lists important references in the field of health information security.

    The CPRI Toolkit does not contain recipes for compliance with HIPAA or a foolproof security system. Like the very best cookbooks, however, it includes extensive review of policies (what is wanted), procedures (how to do what is wanted) and practices (what actually gets done) which, when thoughtfully deployed, give evidence of due diligence and yield an administratively disciplined, defensible program. Nor will technology alone yield a responsible program. Each healthcare organization must blend technology with policies, procedures and practices to create a mix consistent with its own mission and business philosophy. Information security management in healthcare as elsewhere requires managing risks that cannot be avoided as long as one remains in business. Managing risks requires exercising administrative judgement. The editors of the CPRI Toolkit hope that this document will enhance the ability of all healthcare professionals to exercise competent administrative judgement as we work to better the health of our patients, enrich the working lives of our staff and protect our organizations.

    In recognition of the projected long term development of the CPRI Toolkit, the CPRI created a committee to oversee its content. Its members include the following individuals:

    Ted Cooper, MD, Task Force Chair
    National Director of Confidentiality and Security
    Kaiser Permanente

    Jeff Collmann, Ph.D., Editor
    Department of Radiology
    Georgetown University Medical Center

    Barbara Demster, MS, RRA
    Compliance Officer
    Healtheon Corporation

    Kathleen Frawley, J.D.

  • 7/27/2019 full_toolkit.rtf

    9/37

    ar\sb0\fi0 American Health Information Management Association\par}{\phpg\posx1800\pvpg\posy6747\absw1327\absh478\f4\fs23 Shonna Koss IBM\par}{\phpg\posx1800\pvpg\posy7585\absw2985\absh744\f4\fs23 Renee Ornes \par\sb0\fi0Webmaster \par 3Com Healthcare Corporation\par}{\phpg\posx1800\pvpg\posy8689\absw2985\absh744\f4\fs23 Bruce W. Patterson Director, Healthcare Industry 3Com Healthcare Corporation\par}{\phpg\posx1800\pvpg\posy9785\absw6667\absh478\f4\fs23 Paul Schyve, M.D. \par\sb0\fi0 Joint Commission for the Accreditation of Healthcare Organizations\par}{\phpg\posx1800\pvpg\posy10611\absw8484\absh478\f4\fs23 The following members ofthe Confidentiality and Security Program Task Force, Computer-based Patient Record Institute prepared the first edition of the CPRI Toolkit.\par}{\phpg\posx1800\pvpg\posy11449\absw4816\absh744\f4\fs23 Ted Cooper, MD, Task Force Chair \par\sb0\fi0 National Director of Confidentiality and Security Kaiser Permanente\par}{\phpg\posx1800\pvpg\posy12553\absw3890\absh744\f4\fs23 Jeff Collmann, Ph.D., Editor Department of Radiology Georgetown University Medical Center\par}{\phpg\posx1800\pvpg\posy13649\absw2838\absh478\f4\fs23 Barbara Demster, MS, RRAHealth Information Manager\par}\sect\sectd\pard\plain\pgwsxn12240\pghsxn15840{\phpg\posx1800\pvpg\posy1484\absw2380\absh221\f4\fs24 Healtheon Corporation\par}{\phpg\posx1800\pvpg\posy2057\absw2300\absh478\f4\fs23 Keith MacDonald FirstConsulting Group\par}

Susan K. Odneal, CISSP, Kaiser Permanente Information Technology

Jeanne Reiners, Information Services, Baptist Healthcare System

The editors also want to recognize and thank the members of the CPRI Work group on Confidentiality, Privacy and Security who prepared the many previously published guideline books that are republished in the CPRI Toolkit.

Kathleen Frawley, J.D., Co-chairperson

Dale W. Miller, Co-chairperson

Kenneth Kung, Team Leader, Information Security Management

Carol A. Romano, Ph.D., R.N., F.A.A.N, Team Leader, Information Security Education

Cindy Beery, Team Leader, Model Confidentiality Agreements

Cynthia Miller, Team Leader, Security Features

The CPRI would like to thank the following organizations, investigators, and projects for permission to use or cite examples from their work.

Noam H. Artzt, Ph.D., All Kids Count and Leonard Davis Institute of Health Economics, University of Pennsylvania, Philadelphia, Pennsylvania for "Information Security and Immunization Information System."

Dixie B. Baker, Ph.D., Principal Investigator, PCASSO, Science Applications International Corporation (SAIC), San Diego, California for information security policies from PCASSO.

Christopher Chute, M.D., DrPH, Mayo Foundation, Rochester, Minnesota for information security policies from Mayo Clinic.

David Cochran, M.D., Harvard Pilgrim Healthcare and Richard Lopez, M.D., Harvard Vanguard Medical Associates, Brookline, Massachusetts for patient confidentiality policies of Harvard Vanguard Medical Associates

Janlori Goldman, J.D., Health Privacy Project, Georgetown University, Washington, D.C. for executive summary of report on state privacy laws.

Karen Gallagher Grant, R.R.A., Partners Healthcare System, Boston, Massachusetts for information security policies of Partners Healthcare Systems, Inc.

The Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance for permission to reprint the executive summary of "Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment."

Linda L. Kloss, R.R.A., Executive Vice President and CEO, American Health Information Management Association, Washington, D.C. for permission to reprint AHIMA's forms.

Seong K. Mun, Ph.D., Principal Investigator, Project Phoenix: telemedicine in hemodialysis, Georgetown University Medical Center, Washington, D.C., for documents from security program of Project Phoenix.

The editors wish to offer special thanks to the following individuals who prepared new documents for inclusion in the CPRI Toolkit.

Margret Amatayakul, MBA, RRA for "Standards, Processes and Organizations: Developing Standards in Health Care Information Security"

Dixie B. Baker, Ph.D., Principal Investigator, PCASSO, Science Applications International Corporation (SAIC), San Diego, California for summary of PCASSO Project.

The editors wish to thank the following colleagues without whom neither the CPRI Toolkit nor the work on information security in health care would have been possible.

Arwa Al-Ama, George Washington University, Washington, D.C.

Maj. Catherine Beck, TATRC, U.S. Army Medical Research and Materiel Command, Ft. Detrick, Maryland

Glenn C. Graber, University of Tennessee, Knoxville, Tennessee

Lance Hoffman, Ph.D., George Washington University, Washington, D.C.

Anya Kim, George Washington University, Washington, D.C.

Marion C. Meissner, DynCorp I&E, Fairlakes, Virginia

Anna-Lisa Silvestre, Kaiser Permanente, Oakland, California

Willie E. Wright, SRA International, Inc., Fairlakes, Virginia

The National Library of Medicine and the Department of Defense supported some Projects referenced in the CPRI Toolkit. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the National Library of Medicine or the Department of Defense.

The editors offer special thanks to Janice Kennedy, Executive Director of Computer-based Patient Record Institute, for shepherding the CPRI Toolkit through the final, onerous stages of editing, printing, and preparation for distribution. Without her patience and sense of detail, the Toolkit would not have ever been completed.

Chapter Three

Toolkit Section 3.0

MONITORING CHANGING LAWS, REGULATIONS, AND STANDARDS

Toolkit Section 3.1

Introduction

Currently, questions of health information security and medical privacy are of utmost importance in the United States. Hardly a day goes by that The Washington Post, The New York Times, or USA Today does not feature an article about some aspect of medical privacy. Opinion polls document that the American public regards the data management practices of most large organizations with great skepticism. In partial response to these and other expressions of public concern, President Clinton commissioned a task force on medical privacy as part of his health care reform efforts. Although the recommendations of the privacy task force died along with Clinton's plan, Federal legislators have incorporated some of their intent, particularly the requirement of Federal medical privacy legislation, into the piecemeal approach to health care reform developed during the last three years. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) creates specific requirements for the Congress and the Department of Health and Human Services (DHHS). Because of HIPAA, the legal and regulatory environment for managing patient medical records has dramatically changed. DHHS has developed regulations for managing health information security. Efforts to develop federal medical privacy requirements continue in both Congress and DHHS. DHHS led the way by designing model rules to guide Congress and/or implement the laws it passes. Moreover, many standards-setting organizations have been busy addressing the problems of medical privacy and the security of health care information from their own perspectives.

The CPRI Toolkit contains summaries of the proposed DHHS rules, the DHHS model medical privacy provisions, information about State laws on medical privacy, and a thorough explanation of the standards-setting process in medical informatics. As an example of how two important standards-setting organizations in health care, the Joint Commission on the Accreditation of Healthcare Organizations and the National Committee on Quality Assurance, are beginning to incorporate demands for adequate data security practices into their evaluation criteria, a copy of the Executive Summary of Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment completes this chapter of the CPRI Toolkit.


    4a535455565758595a636465666768696a737475767778797a82838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae2e3e4e5e6e7e8e9eaf2f3f4f5f6f7f8f9faffda000c03010002110311003f00f3fa28a2800a28a2800a28a2800a28a2800a28a2800a28a2800a28a2800a28a2800a28a2800a28a2800a28a2803fffd9}}}}}{\phpg\posx5232\pvpg\posy1481\absw1912\absh186\f17\b\fs20 Toolkit Section 3.2\par}{\phpg\posx2693\pvpg\posy1737\absw7019\absh813\f9\b\fs39 \li2414 \fi-2414 Summary of Proposed DHHS Rules and Regulations\par}{\phpg\posx1800\pvpg\posy3072\absw8231\absh1628\f16\fs18 \fi720 Under the rubric

  • 7/27/2019 full_toolkit.rtf

    17/37

    of \ldblquote Administrative Simplification,\rdblquote HIPAA requires Congressto pass laws that \ldblquote improve the efficiency and effectiveness of the health care system by encouraging the establishment of standards and requirements for the electronic transfer of certain health care information\rdblquote (PL No. 104- 191). In sections 261 through 264, HIPAA calls for standards and laws for two circumstances, namely 1) the electronic interchange of financial and administrative data between health plans, health care clearinghouses, and health care providers, and 2) maintaining the privacy of individually identifiable medical information. HIPAA also establishes a timetable by which Congress and DHHS must act. The timeline can be seen in the table below.\par}{\phpg\posx1800\pvpg\posy5081\absw4055\absh258\f18\b\fs27 The HIPAA Timetable -Enacted\par}{\phpg\posx1800\pvpg\posy5641\absw566\absh225\f10\b\cf1 \fs24 Date\par}{\phpg\posx3979\pvpg\posy5641\absw2044\absh225\f10\b\cf1 \fs24 Scheduled Release\par}{\phpg\posx1800\pvpg\posy5930\absw1447\absh186\f16\fs20 August 21, 1996\par}{\phpg\posx3979\pvpg\posy5930\absw1386\absh186\f16\fs20 HIPAA enacted\par}{\phpg\posx1800\pvpg\posy6175\absw1190\absh186\f16\fs20 July 31, 1997\par}{\phpg\posx3979\pvpg\posy6175\absw3705\absh186\f16\fs20 DHHS recommendations onconfidentiality\par}{\phpg\posx1800\pvpg\posy6419\absw1598\absh186\f16\fs20 February 28, 1998\par}{\phpg\posx3979\pvpg\posy6419\absw2887\absh186\f16\fs20 DHHS draft transaction standards\par}{\phpg\posx1800\pvpg\posy6664\absw1447\absh186\f16\fs20 August 21, 1999\par}

    {\phpg\posx3979\pvpg\posy6664\absw3392\absh186\f16\fs20 Deadline for Federal privacy legislation\par}{\phpg\posx1800\pvpg\posy7193\absw8613\absh1280\f16\fs19 \fi720 Under the direction of the National Committee on Vital and Health Statistics, the Healthcare Finance Administration (HCFA) leads the DHHS effort to draft transaction and modelprivacy standards. HIPAA establishes an aggressive timetable for DHHS to draft,release for comment, and recommend for adoption such a complex, extensive, and important set of regulations. Although currently behind schedule, DHHS is makingprogress. New regulations are regularly released for comment in the Federal Register. The timetable can be seen in the table below.\par}{\phpg\posx1800\pvpg\posy8758\absw5599\absh258\f18\b\cf2 \fs27 The HIPAA Timetable as of February 1, 1999\par}{\phpg\posx1800\pvpg\posy9318\absw566\absh225\f10\b\cf2 \fs24 Date\par}

    {\phpg\posx3979\pvpg\posy9318\absw1652\absh225\f10\b\cf2 \fs24 Actual Release\par}{\phpg\posx1800\pvpg\posy9607\absw1447\absh186\f16\cf2 \fs20 August 21, 1996\par}{\phpg\posx3979\pvpg\posy9610\absw832\absh221\f4\cf2 \fs24 HIPAA\par}{\phpg\posx1800\pvpg\posy9899\absw1213\absh186\f16\cf2 \fs20 Sept 11, 1997\par}{\phpg\posx3979\pvpg\posy9899\absw3731\absh186\f16\cf2 \fs20 Released: Confidentiality recommendations\par}{\phpg\posx1800\pvpg\posy10144\absw1085\absh186\f16\cf2 \fs20 July 6, 1998\par}{\phpg\posx3979\pvpg\posy10144\absw3779\absh186\f16\cf2 \fs20 Comment Period Closed: Provider Identifier\par}{\phpg\posx1800\pvpg\posy10389\absw1085\absh186\f16\cf2 \fs20 July 6, 1998\par}{\phpg\posx3979\pvpg\posy10389\absw4094\absh186\f16\cf2 \fs20 Comment Period Clo

    sed: Transaction Standards\par}{\phpg\posx1800\pvpg\posy10634\absw1085\absh186\f16\cf2 \fs20 July 6, 1998\par}{\phpg\posx3979\pvpg\posy10634\absw3868\absh186\f16\cf2 \fs20 Comment Period Closed: Code Set Standards\par}{\phpg\posx1800\pvpg\posy10879\absw1225\absh186\f16\cf2 \fs20 June 16, 1998\par}{\phpg\posx3979\pvpg\posy10879\absw2417\absh186\f16\cf2 \fs20 NPRM: Employer Identifier\par}{\phpg\posx1800\pvpg\posy11127\absw1302\absh221\f4\cf2 \fs24 July 6, 1998\par}{\phpg\posx3979\pvpg\posy11127\absw5270\absh221\f4\cf2 \fs24 White Paper: UniqueHealth Identifier - Individuals\par}

  • 7/27/2019 full_toolkit.rtf

    18/37

    {\phpg\posx1800\pvpg\posy11415\absw1820\absh221\f4\cf2 \fs24 October 13, 1998\par}{\phpg\posx3979\pvpg\posy11415\absw4571\absh221\f4\cf2 \fs24 Comment Period Closed: Security Standards\par}{\phpg\posx1800\pvpg\posy11704\absw741\absh186\f16\cf2 \fs20 Pending\par}{\phpg\posx3979\pvpg\posy11704\absw2671\absh186\f16\cf2 \fs20 NPRM: Identifier-Health Plans\par}{\phpg\posx1800\pvpg\posy12214\absw8538\absh838\f16\fs19 \fi720 Summaries of theproposed DHHS rules follow. To view the text of these recommendations and theexisting draft regulations for electronic transactions, please consult the DHHSWeb site, http://aspe.os.dhhs.gov/admnsimp/ You may also enroll to receive e-mail notice of newly posted draft regulations and comment on the proposed rules through this same Web site.\par}\sect\sectd\pard\plain\pgwsxn12240\pghsxn15840{\phpg\posx4958\pvpg\posy1488\absw2501\absh217\f20\b\fs24 Toolkit Section 3.2.2\par}{\phpg\posx2193\pvpg\posy1768\absw8149\absh364\f9\b\fs39 Common Elements of AllProposed Standards\par}{\phpg\posx1800\pvpg\posy2454\absw4814\absh225\f10\b\fs24 Standard Definitions for All Proposed Rules\par}{\phpg\posx2520\pvpg\posy2957\absw6392\absh221\f4\fs24 A common set of definitions exists for all rules so far released.\par}{\phpg\posx1800\pvpg\posy3458\absw267\absh186\f16\fs20 1.{\f19 }\par}

    {\phpg\posx2520\pvpg\posy3511\absw7762\absh1285\f21\b\fs19 Health care clearinghouse:{\b0 \f16 a public or private entity that processes or facilitates the processing} \b0 \f16 of nonstandard data elements of health information into standard elements. Such an entity receives health care transactions from health careproviders and other entities, translates the data from a given format into one acceptable to the intended recipient, and forwards the processed transaction to appropriate health plans and other health care clearinghouses for further action,as necessary.\par}{\phpg\posx1800\pvpg\posy5066\absw267\absh186\f16\fs20 2.{\f19 }\par}{\phpg\posx2520\pvpg\posy5081\absw7365\absh401\f21\b\fs19 Health care provider:{\b0 \f16 a provider of medical or other health services and those entities that} \b0 \f16 furnish or bill and are paid for health care services in the normal course of business.\par}

    {\phpg\posx1800\pvpg\posy5757\absw267\absh186\f16\fs20 3.{\f19 }\par}{\phpg\posx2520\pvpg\posy5773\absw7463\absh401\f21\b\fs19 Health information:{\b0 \f16 any information, whether oral or recorded in any form or medium, that} \b0 \f16 a.{\f19 }\par}{\phpg\posx3240\pvpg\posy6009\absw6745\absh396\f16\fs19 Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and\par}{\phpg\posx2520\pvpg\posy6448\absw267\absh186\f16\fs20 b.{\f19 }\par}{\phpg\posx3240\pvpg\posy6479\absw6859\absh617\f16\fs19 Relates to the past, present, or future physical or mental health of condition of an individual, the provision of health care to an individual, or the past, present, or future paymentfor the provision of health care to an individual.\par}{\phpg\posx1800\pvpg\posy7365\absw267\absh186\f16\fs20 4.{\f19 }\par}

    {\phpg\posx2520\pvpg\posy7381\absw7656\absh401\f21\b\fs19 Health plan:{\b0 \f16 an individual or group health plan that provides, or pays the cost of, medical care} \b0 \f16 a.{\f19 }\par}{\phpg\posx2880\pvpg\posy7654\absw7541\absh1280\f16\fs19 Including group health plans, health insurance issuers, health maintenance organizations, Part A or Part B of Medicare Act, Medicaid, Medicare supplemental policies, long term care policies, employee welfare plans that provide health benefits, the health plan for active military personnel, the veterans health plan, CHAMPUS, the Indian Health Service, the Federal Employees Health Benefits Program, and other plans as designated by the Secretary of DHHS; but\par}


    {\phpg\posx2520\pvpg\posy8978\absw267\absh186\f16\fs20 b.{\f19 }\par}{\phpg\posx2880\pvpg\posy8999\absw7393\absh396\f16\fs19 Not including plans such as property and casualty insurance plans or workers' compensation plans.\par}{\phpg\posx1800\pvpg\posy9669\absw267\absh186\f16\fs20 5.{\f19 }\par}{\phpg\posx2520\pvpg\posy9699\absw7889\absh843\f21\b\fs19 Medical care:{\b0 \f16 the diagnosis, cure, mitigation, treatment, or prevention of disease or amounts paid} \b0 \f16 for the purpose of affecting any body structure or function of the body; amounts paid for transportation primarily for and essential to these items; and amounts paid for insurance covering the items and the transportation specified in this definition.\par}

    {\phpg\posx1800\pvpg\posy10864\absw267\absh186\f16\fs20 6.{\f19 }\par}{\phpg\posx2520\pvpg\posy10903\absw7822\absh1064\f21\b\fs19 Participant:{\b0 \f16 any employee or former employee of an employer, or any member or former} \b0\f16 member of an employee organization, who is or may become eligible to receive a benefit of any type from an employee benefit plan that covers employees of such an employer or members of such organizations, or whose beneficiaries may be eligible for any such benefits, including an individual treated as an employee under section 401(c)(1) of the IRS code.\par}{\phpg\posx1800\pvpg\posy12242\absw267\absh186\f16\fs20 7.{\f19 }\par}{\phpg\posx2520\pvpg\posy12236\absw6074\absh192\f21\b\fs20 Small health plan:{\b0 \f16 a group health plan with fewer than 50 participants.}\par}{\phpg\posx1800\pvpg\posy12703\absw267\absh186\f16\fs20 8.{\f19 }\par}{\phpg\posx2520\pvpg\posy12737\absw7828\absh843\f21\b\fs19 Standard:{\b0 \f16 a set of rules for a set of codes, data elements, transactions, or identifiers promulgated} \b0 \f16 either by an organization accredited by the American National Standards Institute (ANSI) or the Department of Health and Human Services (DHHS) for the electronic transmission of health information.\par}

    {\phpg\posx1800\pvpg\posy13855\absw267\absh186\f16\fs20 9.{\f19 }\par}{\phpg\posx2520\pvpg\posy13870\absw7167\absh401\f21\b\fs19 Transaction:{\b0 \f16 the exchange of information between two parties to carry out financial and} \b0 \f16 administrative activities related to health care.\par}

    \sect\sectd\pard\plain\pgwsxn12240\pghsxn15840{\phpg\posx1800\pvpg\posy1715\absw5240\absh225\f10\b\fs24 Implementation Requirements for all Standards\par}{\phpg\posx1800\pvpg\posy2103\absw8677\absh2827\f16\fs19 \fi720 DHHS proposes a common set of implementation requirements for all HIPAA-relevant standards and rules. All health care plans and clearinghouses, except small health plans, must implement the standards and code sets within 24 months of their enactment. Small health care plans must adopt the standards within 36 months of enactment. (Only health care providers that transmit health information in the electronic form covered in the rules must implement the rules. Such health care providers must implement the rules within 24 months of enactment.) Once the rules are adopted, health plans may not delay or refuse to process claims submitted in the standardized format. Civil monetary penalties are proposed for violations of the rules. The DHHS rules will supersede any State law contrary to their requirements except where specifically waived. Financial institutions (such as credit card companies) or their agents may, but are not required to, comply with the rules. For more details on alternatives to the recommendations and the process whereby DHHS developed its proposals, please consult the Federal Register for each proposed set of rules. You may gain access to these documents by consulting the Administrative Simplification Web site \par\sb0\fi0 ({\ul \cf3 http://aspe.os.dhhs.gov/admnsimp}).\par}

    {\phpg\posx1800\pvpg\posy5549\absw8345\absh4301\f10\b\fs22 Penalties for Violations of the Proposed Rules \par\sb0\fi0 \b0 \f4 The Social Security Act establishes a civil monetary penalty for violation of the provisions under which the proposed rules would enter, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions in the section of the Act, \ldblquote Civil Monetary Penalties,\rdblquote are applicable. The Act establishes penalties for a knowing misuse of unique health identifiers and individually identifiable health information: 1) a fine of not more than $50,000 and/or imprisonment of not more than 1 year; 2) if misuse is \ldblquote under false pretenses,\rdblquote a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and 3) if misuse is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years. These penalties do not affect any other penalties that may be imposed by other Federal programs, including ERISA. Under section 1178 of the Act, the provisions of part C of title XI of the Act, as well as any standards established under them, supersede any State law that is contrary to them. However, the Secretary may, for statutorily specified reasons, waive this provision.\par}

    \sect\sectd\pard\plain\pgwsxn12240\pghsxn15840{\phpg\posx1800\pvpg\posy1485\absw6914\absh225\f10\b\fs24 Proposed Standards for Data Security and Electronic Signature\par}{\phpg\posx5054\pvpg\posy1753\absw2290\absh206\f7\b\fs22 Toolkit Section 3.2.3\par}{\phpg\posx1800\pvpg\posy2238\absw8336\absh2760\f4\fs22 \fi720 The DHHS makes general changes in the data security standards that broaden the scope and impact from earlier regulations. The transaction standards apply to electronic transactions between organizations, thus leaving health care providers who do not use electronic transmission media unaffected. In contrast, individualized health information becomes subject to the new rules when it is electronically stored, maintained or transmitted; exists in any format (standard transaction or proprietary); and is communicated either internally or externally to a corporate entity. A health care provider who stores patient data on magnetic tape, for example, but sends paper documents to a health plan must comply with the data security rules but is not required to comply with the electronic transaction rules. As with the transaction rules, the data security rules apply to health information on any electronic media except telephone voice and faxback systems.\par}

    {\phpg\posx1800\pvpg\posy5150\absw8297\absh1225\f4\fs22 \fi720 The proposed rules also address electronic signatures. Although DHHS does not recommend requiring electronic signatures at this time, they specify mandatory rules for implementing an electronic signature if an organization so chooses. Use of this standard would satisfy any Federal or State requirement for a signature, either electronic or on paper.\par}

    {\phpg\posx1800\pvpg\posy6694\absw8445\absh3272\f4\fs22 \fi720 DHHS firmly places responsibility for determining implementation of specific data security measures with health care providers, plans, and clearinghouses. DHHS defines a standard as \ldblquote a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information pertaining to individuals remains secure\rdblquote  (Federal Register, August 12, 1998, p. 43249; see http://erm.aspe.hhs.gov/secnprm). The standard does not require or reference specific technological solutions or address the extent to which a particular entity should implement specific features. The standard does require each affected entity to assess its own security risks and develop methods to manage them. The proposal emphasizes many times that providers, plans, and clearinghouses must create and keep current detailed documentation of their data security assessments, plans, policies, and procedures. The people responsible for maintaining data security should have ready access to the documentation.\par}

    {\phpg\posx1800\pvpg\posy10141\absw8113\absh1481\f4\fs22 \fi720 For presentation purposes, DHHS groups the security requirements into four categories - administrative procedures, physical safeguards, technical security services, and technical security mechanisms. DHHS requires only that the security measures be taken, not necessarily organized according to their groups. A general description and matrix enumerating the requirements and implementation features of each grouping follow.\par}


    {\phpg\posx1800\pvpg\posy11996\absw8728\absh1277\f22\ul\fs23 Administrative Procedures \par\sb0\fi0 \ul0 Administrative procedures to guard data integrity, confidentiality, and availability are documented, formal practices used to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data. Administrative procedures can be seen in the table below.\par}{\phpg\posx1800\pvpg\posy13611\absw5252\absh258\f18\b\fs27 Administrative Procedures to Protect Data\par}\sect\sectd\pard\plain\pgwsxn12240\pghsxn15840

    {\phpg\posx1674\pvpg\posy1434\absw0\absh1086596608\overlay{\*\shppict {\pict\jpegblip\picw681\pich53\picwgoal13620\pichgoal1060\picscalex100\picscaley100
