Health Insurance Portability and Accountability Act Compliance Guide US Department of Health and Human Services

Information Security Program
Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide
September 14, 2005

Page i

Table of Contents

Preface ... iii
Document Change History ... iv
1. Introduction ... 1
1.1 Purpose ... 1
1.2 Background ... 1
1.3 Scope ... 2
1.4 Document Organization ... 4
2. HIPAA Administrative Simplification Requirements ... 5
2.1 General Overview ... 5
2.1.1 HIPAA Administrative Simplification Goals and Objectives ... 5
2.1.2 HIPAA Definitions ... 5
2.1.2.1 Covered Entity ... 5
2.1.2.2 Hybrid Entity ... 6
2.1.2.3 Affiliated Covered Entity ... 7
2.1.2.4 Medicare Prescription Drug Card Sponsors ... 7
2.1.3 Protected Health Information ... 7
2.1.4 HIPAA Exceptions ... 7
2.2 HHS Regulatory Guidance for Compliance with the HIPAA Privacy Final Rule ... 8
2.2.1 History of the Privacy Final Rule ... 8
2.2.2 Goals of the Privacy Final Rule ... 8
2.2.3 Provisions of the Privacy Final Rule ... 8
2.3 HHS Regulatory Guidance for Compliance with the HIPAA Security Final Rule ... 11
2.3.1 History of the Security Final Rule ... 11
2.3.2 Goals of the Security Final Rule ... 11
2.3.3 Provisions of the Security Final Rule ... 11
2.3.3.1 Standards and Implementation Specifications ... 11
2.3.3.2 Required and Addressable Measures of the Security Final Rule ... 12
2.3.4 Security Safeguards ... 14
2.3.4.1 Administrative Safeguards ... 15
2.3.4.2 Physical Safeguards ... 17
2.3.4.3 Technical Safeguards ... 18
2.3.5 Policies, Procedures, and Documentation Requirements ... 19
2.4 Relationship Between Privacy Final Rule and the Security Final Rule ... 20
2.5 Relationship Between the Security Final Rule and Other Security Requirements ... 21
3. HIPAA Administrative Simplification Compliance ... 23
3.1 Step One: Determine Whether the Entity is Covered by HIPAA ... 23
3.2 Step Two: Identify Applicable Information ... 23
3.3 Step Three: Conduct Gap Analysis ... 24
3.4 Step Four: Document Policies and Procedures ... 24
3.5 Step Five: Define Compliance Methodology ... 26
3.6 HIPAA Timelines and Deadlines ... 27
3.7 Consequences of HIPAA Noncompliance ... 28
Appendix A: Document Feedback Form ... 29
Appendix B: References ... 30
Appendix C: Acronyms ... 32
Appendix D: Glossary ... 33
Appendix E: Information Security Program Documents ... 39
Acknowledgements ... 40

Preface
As the Department of Health and Human Services (HHS) Information Technology Security Program evolves, this document will be subject to review and update, which will occur annually or when changes occur that signal the need to revise the HHS Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide. These changes may include the following:

- Changes in roles and responsibilities;
- Release of new executive, legislative, technical, or Departmental guidance;
- Identification of changes in governing policies;
- Changes in vulnerabilities, risks, or threats; and/or
- HHS Inspector General findings that stem from a security audit.

The HHS Chief Security Officer (CSO) must approve all revisions to the HHS HIPAA Compliance Guide. Revisions are to be highlighted in the Document Change History table. Each revised guidance document is subject to HHS’ document review and approval process before becoming final. When it is approved, a new version of the HHS HIPAA Compliance Guide will be issued, and all affected parties will be informed of the changes made.

The procedures outlined in the HHS HIPAA Compliance Guide are proven practices that will provide guidance to the Department in meeting or exceeding the mandatory policies identified in the HHS Information Security Program Policy document. The HHS HIPAA Compliance Guide provides specific information for the recommended implementation of HIPAA compliance. While the specifics of how to undertake the implementation are not mandatory, any security implementation undertaken by an OPDIV must result in security controls and processes that are equal to or stronger than those articulated in the Policies, Handbooks, and related Guides.

If an OPDIV or STAFFDIV chooses not to adopt the baseline guidance set forth in this HHS HIPAA Compliance Guide, it must document this decision and assume responsibility for the creation of procedures of equal or greater stringency.

Document Change History
Version Number | Release Date | Summary of Changes | Section Number/Paragraph Number | Changes Made By
1.0 | 10/29/2003 | Initial document release | NA | NA
2.0 | 09/14/2005 | Updated to reflect new regulatory requirements | Throughout | HHS CSO

1. Introduction
The Department of Health and Human Services (HHS) is responsible for implementing and administering an information security program to protect its information resources, in compliance with applicable public laws, federal regulations, and Executive Orders. These directives include the Federal Information Security Management Act of 2002 (FISMA); the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, dated November 28, 2000; and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). To meet these requirements, the Department has instituted the HHS Information Security Program Policy document and accompanying HHS Information Security Program Handbook document. This HHS Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide was created as part of the HHS Information Security Program to act as a guide for handling specific aspects of HIPAA security and privacy compliance. This guide may be used along with other security-related guidance documents to assist in FISMA and other regulatory compliance efforts.

1.1 Purpose
This document provides a summary of the requirements of the HIPAA Privacy Final Rule and the HIPAA Security Final Rule. It also provides a general outline to use as a first step in designing a HIPAA Privacy and Security compliance program.

1.2 Background
Congress passed HIPAA (Public Law 104-191) in part to simplify and standardize health care administrative processes to reduce costs and other burdens in the health care industry. HIPAA charges HHS and the Operating Divisions (OPDIVs) with adopting national uniform standards for handling certain individually identifiable health information (IIHI). In addition to its effect on the portability of health insurance, HIPAA requires all covered entities that deliver health care to follow standard practices related to recording, storing, and processing information. These requirements are often referred to as HIPAA’s “Administrative Simplification” requirements or provisions. According to the HIPAA statute, HHS has published final standards related to unique health identifiers, code sets, security, privacy, electronic signatures, and the transfer of information among health plans. (See Figure 1.)

Figure 1. HIPAA “Administrative Simplification” Requirements

Security and Privacy have presented particular challenges to many “covered entities” (as defined in Section 2.1.2). Unlike some other categories of HIPAA’s Administrative Simplification requirements, specific steps and activities for complying with the Privacy and Security requirements will require covered entities to analyze their organizational structure, goals, and activities, and determine what measures are “reasonable and appropriate” to ensure the security of protected health information under their control. HIPAA requires HHS and the OPDIVs to adopt regulations setting privacy and security standards for all covered entities to follow. The privacy standards as modified (also referred to in this document as “the Privacy Final Rule”)[1] define appropriate and inappropriate disclosures of certain IIHI and indicate requirements for policies and practices that protect patients’ privacy rights. Similarly, compliance with the HIPAA Security Final Rule (also referred to in this document as “the Security Final Rule”) will enable covered entities to improve the protection of the confidentiality, integrity, and availability of certain IIHI before, during, and after electronic transmission.

1.3 Scope
This guide sets forth requirements under HIPAA as they apply to federal agencies that are also covered entities under the HIPAA Rules. Although FISMA applies to all federal agencies and all information types, only a subset of agencies is subject to the HIPAA Privacy and Security rules based on their functions and use of IIHI. A number of the OPDIVs, and/or their contractors, may have obligations under the HIPAA Privacy and Security rules. These obligations are based on the nature of their business and whether they create, receive, maintain, or transmit any IIHI that must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. Some of the security risk assessment activities undertaken as part of the FISMA process may assist in the HIPAA compliance efforts. Figure 2 outlines the individuals that may be most interested in this guide.[2]

Figure 2. HIPAA Guide Audience

[1] While this document refers to the “HIPAA Privacy Final Rule,” readers should be aware that the HIPAA Privacy Final Rule that initially appeared in the Federal Register on December 28, 2000, was modified by an amendment that appeared in the Federal Register on August 14, 2002. The HHS Office for Civil Rights provides further links (http://www.hhs.gov/ocr/hipaa/) to the full text of the Privacy Final Rule, the 2002 amendments, and an unofficial integrated version that combines the rule as originally published and its amendments.

[2] HIPAA also applies to some federal organizations outside of the HHS organization, including the Veterans Administration and the Department of Defense Military Health Services. While the information in this guide may be useful and applicable to these organizations, this guide was prepared exclusively for the use of HHS and the OPDIVs.

1.4 Document Organization
The remainder of this guide is structured as follows:

- Section 2 discusses HIPAA Administrative Simplification requirements, with particular attention to the Privacy Final Rule, the Security Final Rule, and their relationship to each other; HHS guidance available for help in complying with HIPAA; and other useful references.
- Section 3 describes steps toward compliance with HIPAA Administrative Simplification requirements, outlines a timeline for compliance, and provides a list of possible noncompliance consequences.

This guide also contains the following appendices:

- Appendix A provides a feedback form to submit comments on the document.
- Appendix B lists the references used in this document.
- Appendix C lists the acronyms used in this document.
- Appendix D defines terms frequently used in this document.
- Appendix E provides a list of the guidance associated with the HHS Information Security Program.

2. HIPAA Administrative Simplification Requirements
2.1 General Overview
As required by Congress under HIPAA, HHS and the OPDIVs have adopted security and privacy standards, which are published in the Privacy Final Rule and the Security Final Rule. These regulatory requirements are discussed in Sections 2.2 and 2.3, respectively.

2.1.1 HIPAA Administrative Simplification Goals and Objectives

HIPAA provisions are designed to meet the goals and objectives presented in Figure 3.

Figure 3. HIPAA Administrative Simplification Goals and Objectives

2.1.2 HIPAA Definitions

HHS’ Office for Civil Rights has published an interactive tool to help entities determine whether they are covered entities and thus subject to HIPAA rules. Appendix B provides a link to this tool at the Centers for Medicare & Medicaid Services (CMS) website.

2.1.2.1 Covered Entity

Under HIPAA, “covered entities” are as follows:

- Health care providers who transmit any health information in electronic form in connection with certain financial and administrative transactions;[3]
- Health plans; and
- Health care clearinghouses, as defined in section 160.103 of the Privacy Rule,[4] that process or facilitate the processing of health information received from another entity to a standard format for purposes of complying with HIPAA standard transaction requirements.

In addition to these entities, the HIPAA Privacy and Security Final Rules may have implications for the business associates of covered entities. Business associates are independent entities that assist in performing a function that involves using or disclosing IIHI on behalf of a covered entity or on behalf of an organized health care arrangement in which the covered entity participates.[5] While the HIPAA rules do not regulate business associates, they charge HIPAA-covered entities with “obtain[ing] satisfactory assurance that the business associate will appropriately safeguard the information.” Business associates may be HIPAA-covered entities in their own right. For more information on requirements of covered entities relative to their business associates, see section 164.314 of the HIPAA Security Final Rule (to be codified at 45 Code of Federal Regulations (CFR) 164.314).

2.1.2.2 Hybrid Entity

Some covered entities may have business activities that are covered by the HIPAA Privacy and/or Security Rules and other business functions that are not. Some of these entities may be able to designate certain components of their business as health care components. Hybrid entities that choose to designate certain components as health care components:

- Must assign the designation to any component that would meet the definition of a covered entity if it were a separate legal entity; and
- May only designate a component as a “health care component” to the extent that it performs health care functions or activities that would make it a “business associate” of one of the covered entity’s other components that performs covered functions, if the two components were separate legal entities.

Hybrid entities must consider their status as such in designing a HIPAA Administrative Simplification compliance plan. For more information on hybrid entities, see section 164.105 of the HIPAA Security Final Rule (to be codified at 45 CFR 164.105).

[3] Such covered transactions include “all transactions covered by this Subchapter” (see Privacy Rule section 160.102 and Security Rule section 164.104). For a list of these transactions, see the definition of “transaction” included in the Privacy Rule 160.103 (to be codified at 45 CFR 160.103, applicable to both the Privacy and Security Rule).

[4] The definition of “health care clearinghouse” at section 160.103 of the Final Privacy Rule is also applicable to the Security Final Rule, as the definition will appear in 45 CFR 160.103, which applies to both rules.

[5] For a full definition of “business associate,” see section 160.103 of the HIPAA Privacy Final Rule.

2.1.2.3 Affiliated Covered Entity

Another type of entity that may have special considerations in designing a HIPAA Administrative Simplification compliance program is an affiliated covered entity. An affiliated covered entity is legally separate from one or more other covered entities, all of which are under common control. Affiliated covered entities must consider their status as such in designing a HIPAA Administrative Simplification compliance plan. For more information on affiliated covered entities, see section 164.105 of the HIPAA Security Final Rule (to be codified at 45 CFR 164.105).

2.1.2.4 Medicare Prescription Drug Card Sponsors

The Medicare Prescription Drug Improvement and Modernization Act of 2003 (Public Law 108-173) added another category of covered entity to which the HIPAA Privacy and Security Rules apply. A Medicare prescription drug card sponsor is a nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category of covered entity will remain in effect until the drug card program ends in 2006.

2.1.3 Protected Health Information

HIPAA rules apply to covered entities that collect, store, transfer, or use IIHI; however, not all IIHI is covered by the rules. Health care providers, for example, are covered by the Privacy Final Rule and the Security Final Rule only if they handle IIHI that is also protected health information (PHI), which is information that is:

- Transmitted by electronic media;
- Maintained in any media covered by the rules’ definition of “electronic media”; or
- Transmitted or maintained in any other form.

The standards of the Privacy Rule apply to all PHI. The standards of the Security Rule apply only to the first two kinds, information that is transmitted or maintained via electronic media. This type of PHI is referred to as electronic protected health information (EPHI).

2.1.4 HIPAA Exceptions

Some health information is not covered by the HIPAA rules. For example, the Privacy Rule specifically exempts health information that has been “de-identified” for research purposes. Information may be de-identified by aggregating it into a data report or by removing all information from the record that may enable it to be attributed to a specific individual. For more information on these exceptions, see sections 164.502(d) and 164.514(a) of the Privacy Final Rule.

2.2 HHS Regulatory Guidance for Compliance with the HIPAA Privacy Final Rule
2.2.1 History of the Privacy Final Rule

The Privacy Final Rule initially appeared in the Federal Register on December 28, 2000, beginning at page 82,461, and was modified August 14, 2002. The regulatory text itself appears between pages 82,798 and 82,829 of 65 Fed. Reg. 82462 and between pages 53,266 and 53,273 of 67 Fed. Reg. 53182. Appendix B provides a link to a web page hosted by the HHS Office for Civil Rights that provides additional links to the full text of the Privacy Final Rule, the 2002 modifications, and an unofficial integrated version that combines the rule as originally published with its modifications.

2.2.2 Goals of the Privacy Final Rule

The Privacy Final Rule provides the first comprehensive federal protection for the privacy of certain health information. The rule balances an individual’s interest in keeping health care information confidential against improving the efficiency and effectiveness of health care delivery and the quality of health care in the United States.

2.2.3 Provisions of the Privacy Final Rule

As required by HIPAA, the Privacy Final Rule applies to health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., billing and funds transfers) electronically. All IIHI held by a covered entity in any form, whether electronic, paper, or oral, is covered by the Privacy Final Rule’s provisions.

Under the Privacy Final Rule, patients have significant new rights that permit them to receive information about their health information and control how it is used. Patients must be directly informed of the following rights:

- Patient education on privacy protections. Providers and health plans are required to give patients or members a clear, written explanation of how they can use, keep, and disclose patient PHI.
- Ensuring patient access to their medical records. Patients must be able to see and get copies of their designated record sets and request amendments (e.g., corrections) to those records. In most cases, patients must be informed of disclosures that the plan or provider makes to third parties, although some exceptions to this principle apply.
- Receiving notification of how information is released. Health care providers are required to notify patients concerning the use and disclosure of patient information for treatment, payment, and operations (TPO) purposes. Patients have the right to request restrictions on the use and disclosure of their PHI.
- Ensuring that consent is not coerced. Providers and health plans generally cannot predicate treatment on a patient's agreement to allow for the disclosure of their PHI for uses other than treatment, payment, or operations.
- Providing recourse if privacy protections are violated. Patients have the right to complain to a covered provider, to a health plan, or to the Secretary of HHS about perceived violations of the provisions of this rule or of the policies and procedures of the covered entity.

The Privacy Final Rule also grants health care consumers rights of access to their PHI, requires that consumers be notified of how their PHI is used and to whom it is disclosed, and allows consumers to request amendments to their designated record sets. The HIPAA Privacy Final Rule specifies that patients must be notified that they have the following rights:

- Receive notice of the uses and disclosures of their protected health information;
- Request restrictions on certain uses and disclosures of their health information;
- Receive confidential communications related to their health information;
- Request and receive access to their medical records;
- Request amendments to their medical records;
- Receive an accounting of disclosures of their protected health information; and
- Receive a notice of these rights.

The Privacy Final Rule also places restrictions on the use of PHI. With few exceptions, an individual's PHI can be used only for TPO purposes. The following restrictions apply:

- Ensuring limited uses of PHI. Patient information can generally only be used or disclosed by a health plan, provider, or clearinghouse for purposes of TPO. PHI cannot be used for purposes unrelated to health care, such as employers making personnel decisions, without explicit authorization from the subject individual.
- Providing the minimum amount of information necessary. Disclosure of information must be limited to the minimum necessary. However, this provision does not apply to the transfer of medical records for purposes of treatment, since physicians, specialists, and other providers need access to the full record to provide the best quality care.
- Ensuring informed and voluntary authorization. Disclosures for purposes other than treatment, payment, or operations that are made with patient authorization must meet standards that ensure the authorization is truly informed and voluntary.

The regulation establishes the privacy safeguard standards that covered entities must meet, but it leaves detailed policies and procedures for meeting these standards to the discretion of each covered entity. In this way, implementing the standards will be flexible and scalable to account for the nature of each entity's business, its size, and its resources. Covered entities must do the following:

- Adopt written privacy procedures. These procedures must state who has access to PHI, how it will be used within the entity, and when the information will or will not be disclosed to others. Covered entities must also take steps to ensure that their business associates protect the privacy of PHI they receive from the covered entity.
- Train employees and designate a privacy officer. Covered entities must provide sufficient training to their employees to ensure that they understand an employer’s HIPAA privacy protections, and must designate an individual, sometimes called a chief privacy officer (CPO), who will be responsible for ensuring an employer’s HIPAA privacy procedures are followed.
- Establish grievance processes. Covered entities must provide a means for patients to make inquiries or complaints on the privacy of their records.

Under the Privacy Final Rule, certain PHI disclosures are permitted that do not require individual authorization, including disclosures that are vital to public policy interests as well as certain activities that assist in the smooth operation of the health care system. The Privacy Final Rule states that covered entities may disclose information as necessary for the following:

- Statutory and other legal requirements;
- Public health activities;
- Protecting likely victims of abuse, neglect, or domestic violence;
- Certain health oversight activities;
- Certain judicial and administrative proceedings;
- Certain law enforcement purposes;
- Certain activities related to deceased persons, including identification (ID) and determining the cause of death;
- Cadaver organ, eye, or tissue donation;
- Research;
- Protecting the health or safety of a person or the public;
- Specialized military or government functions; and
- Workers’ compensation.

Many restrictions and exceptions apply to these permitted disclosures. For more specifics on these categories, see section 164.512 of the Privacy Final Rule.

2.3 HHS Regulatory Guidance for Compliance with the HIPAA Security Final Rule
2.3.1 History of the Security Final Rule

The Security Final Rule was published in Volume 68 of the Fed. Reg. on February 20, 2003. Appendix B provides a link to the full text of the Security Final Rule.

2.3.2 Goals of the Security Final Rule

The main goal of the Security Final Rule is to protect the confidentiality, integrity, and availability of EPHI, which is certain “individually identifiable health information…that is…transmitted by electronic media or maintained in electronic media.”[6] Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.” Integrity is “the property that data or information has not been altered or destroyed in an unauthorized manner.” Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”[7]

2.3.3 Provisions of the Security Final Rule

It is the intent of HHS to afford covered entities “the flexibility to select appropriate technology and to adopt new technology over time.”[8] The Security Final Rule requirements are “technology-neutral,” which means that covered entities will have many options in selecting technology and software packages that are compatible with the HIPAA Administrative Simplification requirements.

2.3.3.1 Standards and Implementation Specifications

The Security Final Rule sets out 18 “standards” and 36 “implementation specifications” as shown in Table 1.

[6] Some types of IIHI are exempt from the definition of PHI, and therefore from the definition of EPHI. These exemptions are: “(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as an employer.” See definition of “Protected Health Information” at 45 CFR 160.103.

[7] See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8376 (to be codified at 45 CFR section 160.304).

[8] See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8335.

Table 1. Standards and Implementation Specifications

A “standard” is a requirement that must be met by all covered entities. An “implementation specification” is a specific requirement or instruction for implementing a “standard.” According to the Security Final Rule, six standards “[include] all the necessary instructions for implementation” and have no associated implementation specifications; three standards have only one implementation specification; and the remaining nine standards have more than one implementation specification associated with them. Note that in some cases, a covered entity may implement all the “implementation specifications” but must still look to the wording of the standard and assess whether it must also take further steps to comply with the letter and spirit of the standard. For example, the “Security Awareness and Training” standard has four implementation specifications, but none explicitly require a training program or manual for new hires. Obviously, for most covered entities, some initial training activity would be critical to instituting a meaningful Security Awareness and Training Program.

2.3.3.2 Required and Addressable Measures of the Security Final Rule

To comply with the Security Final Rule, “required” measures must be implemented by all covered entities. All 18 standards are required and must be implemented by all covered entities. Fourteen of the 36 implementation specifications are required, and the other 22 are addressable. For the addressable implementation specifications, each covered entity must determine whether each measure (or some equivalent alternative measure) is “reasonable and appropriate” for that entity. This determination is based on the covered entity’s:

- Risk analysis;
- Risk mitigation structure;
- Existing security measures;
- Organizational size, complexity, and capability; and
- Cost of implementation.

Each covered entity is required to develop its own methodology for determining whether it needs to comply with each addressable implementation specification. The covered entity’s methodology must incorporate the five considerations listed above, and the covered entity must document the methodology and show how it was applied to each implementation specification. If an addressable implementation specification is deemed not “reasonable and appropriate,” the covered entity must:

- Implement the alternative and document its decision and rationale, if an alternative measure that accomplishes the same goal as the addressable implementation specification is reasonable and appropriate; or
- Document its decision to implement neither the addressable implementation specification nor an equivalent measure, and provide its rationale, if no alternative measure that accomplishes the same goal as the addressable implementation specification is reasonable and appropriate.

2.3.4 Security Safeguards

Table 2 lists the three categories of security safeguards—Administrative, Physical, and Technical—and their respective standards.

Table 2. Summary of Security Safeguards

2.3.4.1 Administrative Safeguards

Administrative safeguards are defined as the “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic-protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.”[9] The Security Final Rule includes nine standards under the heading “Administrative Safeguards”:

- Security Management Process—implement policies and procedures to prevent, detect, contain, and correct security violations. The Security Management Process standard has four implementation specifications:
  - Risk Analysis (required): conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.
  - Risk Management (required): implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  - Sanction Policy (required): apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
  - Information System Activity Review (required): implement procedures to regularly review the records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Assigned Security Responsibility—identify the security official who is responsible for developing and implementing the policies and procedures that are required by this subpart.
- Workforce Security—implement policies and procedures to ensure that all members of the entity’s workforce have appropriate access to EPHI and to prevent those workforce members who do not have access from obtaining EPHI. The Workforce Security standard has three implementation specifications:
  - Authorization and/or Supervision (addressable): implement procedures for authorizing or supervising workforce members who work with EPHI or who work in locations where EPHI might be accessed.
  - Workforce Clearance Procedure (addressable): implement procedures to determine that the access of a workforce member to EPHI is appropriate.
  - Termination Procedures (addressable): implement procedures for terminating access to EPHI when a workforce member’s employment ends or when employee access to EPHI is not appropriate.

[9] See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8376 (to be codified at 45 CFR section 160.304).


- Information Access Management—implement policies and procedures for authorizing access to EPHI. The Information Access Management standard has three implementation specifications:
  - Isolating Health Care Clearinghouse Function (required): if a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization.
  - Access Authorization (addressable): implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism.
  - Access Establishment and Modification (addressable): implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
- Security Awareness and Training—implement a security awareness and training program for all members of the entity’s workforce (including management). The Security Awareness and Training standard has four implementation specifications:
  - Security Reminders (addressable): implement periodic security updates.
  - Protection from Malicious Software (addressable): implement procedures for guarding against, detecting, and reporting malicious software.
  - Log-in Monitoring (addressable): implement procedures for monitoring log-in attempts and reporting discrepancies.
  - Password Management (addressable): implement procedures for creating, changing, and safeguarding passwords.
- Security Incident Procedures—implement policies and procedures to address security incidents. The Security Incident Procedures standard has one implementation specification:
  - Response and Reporting (required): identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
- Contingency Plan—set policies and procedures for responding to an emergency or other occurrence that threatens EPHI. The Contingency Plan standard has five implementation specifications:
  - Data Backup Plan (required): establish and implement procedures to create and maintain retrievable exact copies of EPHI.


  - Disaster Recovery Plan (required): establish (and implement as needed) procedures to restore any loss of data.
  - Emergency Mode Operation Plan (required): establish (and implement as needed) procedures to continue critical business processes for protecting the security of EPHI while operating in emergency mode.
  - Testing and Revision Procedure (addressable): implement procedures for periodic testing and revision of contingency plans.
  - Applications and Data Criticality Analysis (addressable): assess the relative criticality of specific applications and data in support of other contingency plan components.
- Evaluation—perform periodic technical and nontechnical evaluations of security policies and procedures.
- Business Associate Contracts (BAC) and Other Arrangements—obtain satisfactory assurances that business associates with access to EPHI will appropriately safeguard it. The Business Associate standard has one implementation specification:
  - Written Contract or Other Arrangement (required): document satisfactory assurances of the adequate protection of the confidentiality, integrity, and availability of the EPHI through a written contract or other arrangement.[10]

2.3.4.2 Physical Safeguards

Physical safeguards are defined as the “physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.”[11] The Security Final Rule includes four standards under the heading “Physical Safeguards”:

- Facility Access Controls—implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed. The Facility Access Controls standard has four implementation specifications:
  - Contingency Operations (addressable): establish (and implement as needed) procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

[10] For further information on the specifics required of a BAC or other arrangement, see 45 CFR 164.306, 164.308(b)(1), and 164.314(a).
[11] See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003), at 8376 (to be codified at 45 CFR section 160.304).


  - Facility Security Plan (addressable): implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  - Access Control and Validation Procedures (addressable): implement procedures to control and validate a person's access to facilities based on his or her role or function, including visitor control and control of access to software programs for testing and revision.
  - Maintenance Records (addressable): implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
- Workstation Use—implement policies and procedures that specify the use, functions, and physical attributes of workstations that can access EPHI.
- Workstation Security—implement physical safeguards for all workstations that access EPHI.
- Device and Media Controls—implement policies and procedures that govern the internal movement and external transfer, receipt, and removal of hardware and electronic media. The Device and Media Controls standard has four implementation specifications:
  - Disposal (required): implement policies and procedures to address the final disposition of EPHI, and/or the hardware or electronic media on which it is stored.
  - Media Reuse (required): implement procedures for removal of EPHI from electronic media before the media are made available for reuse.
  - Accountability (addressable): maintain a record of the movements of hardware and electronic media and any person responsible for them.
  - Data Backup and Storage (addressable): create a retrievable, exact copy of EPHI, when needed, before moving equipment.

2.3.4.3 Technical Safeguards

Technical safeguards are defined as “the technology and the policy and procedures for its use that protect EPHI and control access to it.”[12] The Security Final Rule includes five standards under the heading “Technical Safeguards”:

- Access Controls—implement technical policies and procedures that restrict access to EPHI. The Access Controls standard has four implementation specifications:
  - Unique User ID (required): assign a unique name and/or number for identifying and tracking user identity.

[12] See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003), at 8376 (to be codified at 45 CFR section 160.304).


  - Emergency Access Procedure (required): establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency.
  - Automatic Logoff (addressable): implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  - Encryption and Decryption (addressable): implement a mechanism to encrypt and decrypt EPHI.
- Audit Controls—implement hardware, software, and/or procedural mechanisms that record and examine activity occurring in information systems.
- Integrity—implement policies and procedures to protect EPHI from improper alteration or destruction. The Integrity standard has one implementation specification:
  - Mechanism to Authenticate EPHI (addressable): implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.
- Person or Entity Authentication—implement procedures to confirm the identity of a person or entity seeking access to EPHI.
- Transmission Security—implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. The Transmission Security standard has two implementation specifications:
  - Integrity Controls (addressable): implement security measures to ensure that transmitted EPHI is not improperly modified without detection until its disposal.
  - Encryption (addressable): implement a mechanism to encrypt EPHI whenever deemed appropriate.
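As an added illustration that is not part of the HHS guide, the following script performs the kind of periodic review the Information System Activity Review, Log-in Monitoring, Audit Controls, Unique User ID and Integrity specifications above call for: it parses a constructed application audit log and reports repeated failed log-in attempts, EPHI access outside business hours, EPHI access under shared accounts, and destructive changes to EPHI records. The log format, user IDs, threshold, business hours and shared-account names are all assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample application audit log (not from any real system).
# One event per line: timestamp, user ID, action, outcome, EPHI resource or "-".
SAMPLE_AUDIT_LOG = """\
2005-09-12T08:02:11 u1042 LOGIN SUCCESS -
2005-09-12T08:05:40 u1042 READ SUCCESS patient/7781
2005-09-12T22:14:03 u1042 READ SUCCESS patient/7781
2005-09-12T09:10:00 u2090 LOGIN FAILURE -
2005-09-12T09:10:21 u2090 LOGIN FAILURE -
2005-09-12T09:10:44 u2090 LOGIN FAILURE -
2005-09-12T09:11:02 u2090 LOGIN FAILURE -
2005-09-12T09:11:30 u2090 LOGIN SUCCESS -
2005-09-12T09:12:00 u2090 READ SUCCESS patient/1234
2005-09-12T10:00:00 shared LOGIN SUCCESS -
2005-09-12T10:00:30 shared READ SUCCESS patient/9999
2005-09-12T11:30:00 u3310 DELETE SUCCESS patient/4242
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    outcome: str
    resource: str  # EPHI resource touched, or "-" for none


@dataclass(frozen=True)
class Finding:
    spec: str    # implementation specification the finding relates to
    user: str
    detail: str


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Parse the assumed five-field log format. Malformed lines raise rather
    than being skipped, because a review must account for every record."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ts, user, action, outcome, resource = fields
        events.append(AuditEvent(datetime.fromisoformat(ts), user, action, outcome, resource))
    return events


def review_activity(
    events: list[AuditEvent],
    *,
    failed_login_threshold: int = 3,                           # assumed local policy
    business_hours: tuple[time, time] = (time(7), time(19)),   # assumed local policy
    shared_ids: frozenset[str] = frozenset({"shared", "admin", "root"}),  # assumed
) -> list[Finding]:
    """Produce one Finding per discrepancy for the security official to follow up."""
    findings: list[Finding] = []

    # Log-in Monitoring: repeated failed log-in attempts per user ID.
    failures = Counter(e.user for e in events
                       if e.action == "LOGIN" and e.outcome == "FAILURE")
    for user, count in sorted(failures.items()):
        if count >= failed_login_threshold:
            findings.append(Finding("Log-in Monitoring", user,
                            f"{count} failed log-in attempts (threshold {failed_login_threshold})"))

    start, end = business_hours
    for e in events:
        if e.resource == "-":
            continue  # the checks below apply only to events that touch EPHI
        # Information System Activity Review: EPHI access outside business hours.
        if not (start <= e.ts.time() < end):
            findings.append(Finding("Information System Activity Review", e.user,
                            f"{e.action} {e.resource} outside business hours at {e.ts.isoformat()}"))
        # Unique User ID: access under a shared account cannot be attributed to a person.
        if e.user in shared_ids:
            findings.append(Finding("Unique User ID", e.user,
                            f"{e.action} {e.resource} under a shared account"))
        # Integrity: destructive changes must be reconciled with an authorized change.
        if e.action in ("DELETE", "UPDATE"):
            findings.append(Finding("Integrity", e.user,
                            f"{e.action} {e.resource} requires reconciliation with an authorized change"))
    return findings


if __name__ == "__main__":
    for f in review_activity(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{f.spec}] user={f.user}: {f.detail}")
```

Each finding names the implementation specification it bears on, which is the documentation trail the Security Final Rule expects a covered entity to keep for its activity reviews.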

2.3.5 Policies, Procedures, and Documentation Requirements

The Security Rule requires all covered entities to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Final Rule. This requirement does not permit or excuse an action that violates any other standard, implementation specification, or other requirement of the Security Rule, the Privacy Rule, or any of the other Administrative Simplification provisions. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with the HIPAA Security Final Rule. Covered entities must also maintain the policies and procedures implemented to comply with the Security Rule in written (which may include electronic) form. If an action, activity, or assessment is required by this subpart to be documented, the covered entity must maintain a written (which may be electronic) record of the action, activity, or assessment. Documentation must be retained for six years from the date of its creation or from the date when it was last in effect, whichever is later. Covered entities must make that documentation available to those persons responsible for implementing the procedures to which the documentation pertains. Covered entities must also review documentation periodically and update it as needed in response to environmental or operational changes affecting the security of the EPHI.

2.4 Relationship Between Privacy Final Rule and the Security Final Rule
Privacy and security are linked concepts, and the Privacy Final Rule and the Security Final Rule address some of the same business functions and practices (see Figure 4). In announcing the Security Final Rule, HHS stated, “[it] is likely that covered entities will meet a number of the requirements in the security standards through the implementation of the privacy requirements.” For example, both the Privacy Final Rule and the Security Final Rule require all staff (including management) to receive training on the covered entity’s HIPAA Administrative Simplification compliance policies and practices. The Privacy Final Rule also requires “appropriate administrative, technical, and physical safeguards to protect the privacy of PHI” and to “reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation” of the Privacy Final Rule. For most entities, compliance with the far more specific requirements of the Security Final Rule will also satisfy the requirements of the Privacy Final Rule. Both rules also require entities to:

- Ensure that business associates and other third parties adequately safeguard EPHI;
- Appoint a single, identifiable individual to be accountable for compliance with HIPAA Administrative Simplification requirements; and
- Identify and secure all processes in which PHI is collected, stored, used, or transmitted.

Because these processes are similar in their requirements and required resources, most covered entities should conduct their assessments and compliance programs for HIPAA Security and Privacy in a coordinated fashion.


Figure 4. Overlap Between Requirements in the Privacy Final Rule and the Security Final Rule

2.5 Relationship Between the Security Final Rule and Other Security Requirements
Under FISMA, Congress linked information security with enterprise architecture. FISMA also updates requirements for federal agencies to perform a privacy impact assessment (PIA) on every information system and program, and codifies OMB’s policy that agencies place clearly marked privacy policies on their websites. By analyzing and comparing the requirements of the Security Final Rule and FISMA, it is possible to identify Security Final Rule standards that might be partly or wholly satisfied by compliance with FISMA. For these measures, compliance with FISMA may reduce the level of effort required to comply with the Security Final Rule, or satisfy the requirement outright. Conducting HIPAA Security Final Rule and FISMA compliance activities in a coordinated manner may reduce duplication and the burden associated with compliance.

In Section 3, we recommend that, as a preliminary step to organizing a HIPAA Administrative Simplification compliance program, covered entities conduct a gap analysis. Agencies would benefit from coordinating the activities that are covered by FISMA as well as HIPAA, and by paying special attention to compliance efforts that are covered only by the Security Final Rule. Note also that certain FISMA activities, specifically the requirement to conduct PIAs, may also overlap with some HIPAA Privacy requirements. In addition, there are other security best practices that already may be in place within HHS and/or the OPDIVs that might partly or wholly satisfy the requirements of the Security Final Rule. A coordinated review of the enterprise-wide security practices may reduce the level of effort and eliminate the duplication of effort required to comply with the Security Final Rule.

The National Institute of Standards and Technology (NIST) is another potential source of guidance for entities that are researching and developing a HIPAA Administrative Simplification compliance program. NIST is responsible for developing standards and guidelines, including minimum requirements, used by the OPDIVs in providing adequate information security for protecting HHS operations and assets. According to this mission, NIST’s Information Technology Laboratory (ITL) has developed guidance to improve the efficiency of IT planning, implementation, management, and operation. These NIST Special Publications (SP) in the 800 series and Federal Information Processing Standards (FIPS) may be used by HHS to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems. The information provided by these publications can make a significant contribution toward satisfying the requirements of FISMA and HIPAA. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, summarizes the HIPAA security standards and explains some of the structure and organization of the Security Rule. NIST SP 800-66 also helps to educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the rule. Readers can use these publications for consideration in implementing the Security Rule.
NIST SP 800-66 also provides a crosswalk of the Administrative, Technical, and Physical standards and implementation specifications of the HIPAA Security Rule to the requirements of FISMA, which contains requirements relevant to the HHS Information Security Program. In many areas, both FISMA and the HIPAA Security Rule specify similar requirements.


3. HIPAA Administrative Simplification Compliance
There are numerous methods of performing the tasks associated with HIPAA compliance. There is no one approach or single “best practice” that guarantees compliance with the HIPAA Privacy and HIPAA Security rules. However, the steps below outline suggested activities that covered entities could take, as applicable to their situation.

3.1 Step One: Determine Whether the Entity is Covered by HIPAA
The first step in HIPAA Administrative Simplification compliance is determining whether the entity under consideration is a covered entity under HIPAA. Appendix B cites a link to the tool at the CMS website that will assist a potentially HIPAA-covered entity in making this determination.

3.2 Step Two: Identify Applicable Information
Once step one is completed, the covered entity must identify all information that it collects, discloses, accesses, maintains, transmits, or manipulates that may be subject to either or both the Privacy Final Rule and Security Final Rule. Covered entities must determine whether any information under consideration qualifies as PHI for purposes of the Privacy Rule or qualifies as EPHI for the purposes of the Security Rule. Covered entities should ask the following questions of each manager at each level of the organization:

- What activities or programs do you conduct?
- What information do you control or have access to that might be covered by the rules?
- How is the information obtained?
- How is the information stored?
- Who within your division has regular access to that information?
- What persons or external entities have regular access to or are routinely provided with that information?
- What persons or external entities request access to that information on an ad hoc basis?
- How is that information used, processed, or manipulated?


3.3 Step Three: Conduct Gap Analysis
Having identified what information, personnel, and processes must be considered in developing a compliance program, the covered entity should assemble and assess existing relevant policies that pertain to information security and privacy, together with its procedures and actual practices. The covered entity must then compare existing policies, procedures, and compliance efforts with those required by the HIPAA rules. Government entities should incorporate the FISMA requirements into their analyses and crosswalks to determine whether efficiencies can be realized in complying with the two authorities. Most covered entities will find it necessary to develop a comparison chart or tool to compare their current practices with those required by HIPAA. Many HIPAA-specific tools that may assist in this process are available commercially. Alternatively, covered entities may wish to develop their own tools, using common spreadsheet, word processing, or program management tools.

3.4 Step Four: Document Policies and Procedures
Both the Privacy Final Rule and the Security Final Rule require that covered entities develop policies and procedures to implement the rules’ requirements. Policies and procedures must be documented and updated whenever changes are made. Developing policies and procedures governing how PHI or EPHI is handled is the most critical step of developing a HIPAA Privacy and Security compliance process. Since the Privacy Final Rule and the Security Final Rule establish new requirements, existing HHS policies and procedures may not address handling PHI or EPHI to the required level. In the Security Final Rule, HHS described developing and implementing policies and procedures as “the foundation on which all of the [other steps] depend.” This step, then, should be conducted only after steps one through three have been completed, since step four depends on the thoroughness of the information collected in the preceding steps. As such, steps one through three must be accomplished with as much attention to detail and comprehensiveness as possible. Once these three steps have been completed, the covered entity must draft new documents and modify existing ones as appropriate. Many entities will want to compile their privacy and security documents into a single guidance document for easy reference. The document should describe and provide guidance on all required privacy and security policies and practices and on any others that:

- Are specifically required of HHS;
- Address requirements and practices that are specific to the particular nature of HHS or its functions; and
- Relate to any other policies and practices that HHS, its security and privacy officers, and its management believe are necessary to the smooth and effective operation of HHS.

The covered entity should institute a process by which policies and procedures are regularly reviewed and periodically updated as necessary.


3.5 Step Five: Define Compliance Methodology
Once current gaps in an OPDIV’s HIPAA Administrative Simplification compliance are identified, the OPDIV can design an overall compliance strategy that will permit it to address those gaps and be fully compliant by the deadlines for compliance discussed in Section 3.6. Figure 5 provides a sample timeline for establishing a HIPAA Administrative Simplification compliance program that can be started at any quarter in the fiscal-year cycle and completed within a 12-month time frame. In establishing their compliance programs, agencies should be mindful of the deadlines established by the various Administrative Simplification Rules, as summarized in Section 3.6. Until a covered entity completes steps one through four, it cannot know the number of areas that require attention, or schedule the time to address these problem areas.

Figure 5. Sample Timeline for Establishing a HIPAA Administrative Simplification Compliance Program


3.6 HIPAA Timelines and Deadlines
Consistent with timeframes established by the HIPAA statute, the HIPAA Administrative Simplification Rules state the deadlines for covered entities to comply with each rule. These requirements are presented in Table 3.

Table 3. Standards and Deadlines for Compliance


3.7 Consequences of HIPAA Noncompliance
Penalties for covered entities that misuse protected health information are outlined in the text of the HIPAA statute. The following are the civil and federal criminal penalties for violating the HIPAA privacy rules:

- Civil penalties. Health plans and health care providers and clearinghouses that violate these standards are subject to civil penalties. The maximum penalty that may be imposed on any person is $100 per violation, and the maximum aggregate penalty for identical violations during a calendar year is $25,000.
- Federal criminal penalties. Violations of HIPAA standards carry federal criminal penalties for covered entities that knowingly and improperly obtain, use or cause to be used, or disclose a unique health identifier or IIHI, or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain. Criminal penalties are set at up to $50,000 and one year in prison for obtaining or disclosing PHI; up to $100,000 and up to five years in prison for obtaining PHI under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

On April 18, 2005, the Secretary of HHS proposed rules for imposing civil monetary penalties on entities that violate rules adopted by the Secretary to implement the Administrative Simplification provisions of HIPAA. The proposed rule would amend the existing rules relating to investigating noncompliance to make them apply to all of the HIPAA Administrative Simplification rules, rather than exclusively to the privacy standards. It would also amend the existing rules relating to the process for imposing civil monetary penalties. Among other matters, the proposed rules would clarify and elaborate on the investigation process, basis for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process. The final rules will be forthcoming after public comment and consideration by HHS.

Other potential consequences of noncompliance include:

- Enforcement and oversight by HHS. Enforcement and oversight of HIPAA rules may involve such actions as increased on-site investigations, requests for information and documents, and demands for written action plans if the extent or nature of noncompliance so warrants.
- Loss of public trust. Americans value privacy, and once public trust is lost, it’s difficult to regain.
- Private lawsuits. While HIPAA does not create a private right of action based on compliance or noncompliance with its provisions, its standards may serve as evidence of the measure of confidentiality protections that individuals may expect and demand of their providers.


Appendix A: Document Feedback Form
This form is for reviewer-suggested corrections, revisions, or updates and is intended to improve the usefulness of the document for possible inclusion in future versions. Please forward recommended changes and comments to the U.S. Department of Health and Human Services (HHS), Office of Chief Information Officer (OCIO).

By E-mail: Subject Line: Guidance Feedback
By Phone:

Document Title: >
Section Number: >

Category of Comment:
  A  Administrative. Administrative comments correct what appear to be inconsistencies between sections, typographical errors, or grammatical errors.
  S  Substantive. Substantive comments are provided because sections in the publication appear to be or are potentially incorrect, incomplete, misleading, or confusing.
  C  Critical. Critical comments will cause non-concurrence with the publication if concerns are not satisfactorily resolved.
  M  Major. Major comments are significant concerns that may result in a non-concurrence of the entire document if not satisfactorily resolved. This category may be used with a general statement of concern with a subject area, thrust of the document, etc., followed by detailed comments on specific entries in the publication which, taken together, constitute the concern.

Category | Comment

Name of Submitting Operating Division (OPDIV): >
Your Name and Title: >
Telephone: >
E-mail: >
Note: Use an additional blank sheet if needed.


Appendix B: References
Medicare Prescription Drug Improvement and Modernization Act of 2003 (Public Law 108-173).

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, November 28, 2000.

OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 28, 2000.

Public Law 104-191, Health Insurance Portability and Accountability Act of 1996 (HIPAA), August 21, 1996.

Public Law 107-347 [H.R. 2458], The E-Government Act of 2002, December 17, 2002. Title III of this Act is the Federal Information Security Management Act of 2002 (FISMA).

National Institute of Standards and Technology (NIST), Special Publication (SP) 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005.

Resources: the HIPAA Privacy Final Rule

General Overview of Standards for Privacy of Individually Identifiable Health Information: http://www.hhs.gov/ocr/hipaa/guidelines/overview.pdf

HIPAA Privacy Final Rule, available at the HHS Office for Civil Rights Web page “Medical Privacy – National Standards to Protect the Privacy of Personal Health Information”: http://hhs.gov/ocr/hipaa/finalreg.html

HIPAA Privacy Final Rule as it appears at Title 45 of the CFR, Part 164: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html

Resources: the HIPAA Security Final Rule

View the HIPAA Security Final Rule at: http://cms.hhs.gov/hipaa/

Resources: General HIPAA Resources

The Centers for Medicare & Medicaid Services’ interactive tool for entities to determine whether they are covered by the HIPAA Administrative Simplification Rules: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Analysis and updates on HIPAA issues: http://www.hipaadvisory.com/


Appendix C: Acronyms
BAC      Business Associate Contract
CFR      Code of Federal Regulations
CIO      Chief Information Officer
CMS      Centers for Medicare & Medicaid Services
CPO      Chief Privacy Officer
CSO      Chief Security Officer
DAA      Designated Approving Authority
EPHI     Electronic Protected Health Information
FIPS     Federal Information Processing Standards
FISMA    Federal Information Security Management Act of 2002
HHS      Department of Health and Human Services
HIPAA    Health Insurance Portability and Accountability Act of 1996
ID       Identification
IIHI     Individually Identifiable Health Information
ISSO     Information Systems Security Officer
IT       Information Technology
ITL      Information Technology Laboratory
NIST     National Institute of Standards and Technology
OCIO     Office of the Chief Information Officer
OMB      Office of Management and Budget
OPDIV    Operating Division
PHI      Protected Health Information
PIA      Privacy Impact Assessment
SP       Special Publication
TPO      Treatment, payment, and operations
U.S.     United States
U.S.C.   United States Code


Appendix D: Glossary
Administrative Safeguards—administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect EPHI and to manage the conduct of the covered entity's workforce in relation to protecting that information. See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003), at 8376 (to be codified at 45 CFR section 160.304).

Accountability—assigned responsibility for ensuring that entities operate in a lawful manner that protects against waste, fraud, and abuse of the health care system and its resources.

Addressable—as applied to an implementation specification of the Health Insurance Portability and Accountability Act of 1996 (HIPAA); describes a feature that is mandatory for all HIPAA-covered entities unless the entity concludes the measure is not “reasonable and appropriate” after conducting a required analysis. The covered entity may still be required to implement an equivalent measure if the equivalent measure is “reasonable and appropriate” and achieves the same end as the addressable implementation specification.

Affiliated Covered Entities—legally separate covered entities that are under common ownership or control and that have all designated themselves as a single affiliated covered entity for the purposes of the Privacy and the Security rules (more precisely, those parts of the rules appearing at 45 CFR, Part 160, Subparts C and E). See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8376 (to be codified at 45 CFR section 164.105).

Authentication—the corroboration that a person is the one claimed. See NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (to be codified at 45 CFR section 164.304).

Availability—the property that data or information is accessible and usable on demand by an authorized person. See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8376 (to be codified at 45 CFR section 160.304).

Business Associate—an entity independent of a HIPAA-covered entity that handles IIHI received from or provided to the covered entity. For examples of the kinds of activities conducted by business associates, as well as certain exceptions to the definition, see Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82798 (to be codified at 45 CFR section 160.103).

Confidentiality—the property that data or information is not made available or disclosed to unauthorized persons or processes. See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8376 (to be codified at 45 CFR section 164.304).

Contingency—an event with the potential to disrupt computer operations, thereby disrupting critical mission and business functions; for example, a power outage, hardware failure, fire, or storm. If the event is very destructive, it is often called a disaster. See NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.

Controls—the management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system and the security controls in place or planned for meeting those requirements. See NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

Countermeasures—actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards. See Committee on National Security Systems Instruction No. 4009.

Covered Entities—entities that must comply with any or all of the HIPAA rules; in this document that means certain providers, health plans, and health care clearinghouses that are regulated by the HIPAA Security Rule and/or the HIPAA Privacy Rule. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82799 (to be codified at 45 CFR section 160.103).

Draft Rule—proposed requirements for compliance with a statute, published for public comment by HHS as empowered to do so by the relevant statute. Draft rules are not binding (e.g., covered entities will not be subject to penalty for not complying with a draft rule).

Electronic Protected Health Information—individually identifiable health information that is transmitted or maintained electronically. EPHI excludes information transmitted or maintained in media that are not electronic. Some other categories of information included in “IIHI” are excluded from PHI, such as some educational and employment records. For specifics, see Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003), at 8376 (to be codified at 45 CFR section 160.103).

Final Rule—the version of the specific requirements for compliance with a statute published by HHS as empowered to do so by the relevant statute. Final Rules are published after a public comment period and are usually redrafted to account for issues identified by these public comments. The Final Security and Privacy Rules set compliance deadlines, after which they are enforceable by law.

Gap Analysis—a process that entities can use to identify the differences between the practices, policies, and procedures required by a law and current practices, policies, and procedures; or to identify the differences between best practices and current practices, policies, and procedures.

Health Care Clearinghouse—a public or private entity that processes or facilitates the processing of health information received from another entity to or from a standard format. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82799 (to be codified at 45 CFR section 160.103).

Health Care Provider—a provider of medical or health services and any other person who furnishes, bills, or is paid for health care in the normal course of business. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82799 (to be codified at 45 CFR section 160.103).

Health Information—any information, whether oral or recorded, in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82799 (to be codified at 45 CFR section 160.103).

Health Plan—an individual or group plan that provides or pays the cost of medical care. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82799 (to be codified at 45 CFR section 160.103).

Hybrid Entity—a single legal entity that is a covered entity, whose business activities include both covered and noncovered functions, and that has designated one or more of its components as health care components in accordance with 45 CFR section 164.105(a)(2)(iii)(C). See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003), at 8375 (to be codified at 45 CFR section 164.103).

Implementation Specification—specific requirements or instructions for implementing a standard. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82800 (to be codified at 45 CFR section 160.103).

Individually Identifiable Health Information—information that is a subset of health information, including demographic information collected from an individual, that identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82804 (to be codified at 45 CFR section 160.103).

Information Security—protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide (1) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; (2) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; and (3) availability, which means ensuring timely and reliable access to and use of information. See NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (to be codified at 44 U.S.C. section 3542).

Information System—an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.[13] See NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (to be codified at 45 CFR section 164.304).

Information Technology—any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For purposes of this definition, equipment is used by an OPDIV whether the OPDIV uses the equipment directly or it is used by a contractor under a contract with the OPDIV which (1) requires the use of such equipment or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. It does not include any equipment that is acquired by a federal contractor incidental to a federal contract. (Defined in the Clinger-Cohen Act of 1996, §§5002, 5141 & 5142.) See NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (to be codified at 40 U.S.C. section 1401).

Integrity—the property that data or information has not been altered or destroyed in an unauthorized manner. See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003), at 8376 (to be codified at 45 CFR section 164.304).

Measures—the management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system and the security controls in place or planned for meeting those requirements. See NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

Mitigate—to select and implement security controls to reduce risk to a level acceptable to management, within applicable constraints. See NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook.

Physical Safeguards—physical measures, policies, and procedures to protect a covered entity's electronic information systems, related buildings, and equipment from natural and environmental hazards, and unauthorized intrusion. See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8376 (to be codified at 45 CFR section 164.304).

Protected Health Information—individually identifiable health information that is transmitted or maintained electronically or by using any other medium. Some categories of information included in “IIHI” are not considered to be PHI, such as some educational and employment records. See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003) at 8376 (to be codified at 45 CFR section 160.103).

Portability—assurance of continuity of health care coverage for people who change jobs, which is required of health care coverage providers by provisions of HIPAA.

Required—as applied to a HIPAA implementation specification; mandatory for all covered entities in order to comply with the HIPAA rules.

Risk—the level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from operating an information system given the potential impact of a threat and the probability of that threat occurring. See NIST SP 800-30, Risk Management Guide for Information Technology Systems.

Safeguard—an action, policy, or procedure intended to protect information or another asset. Both “standards” and “implementation specifications” are “safeguards.”

Security—protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide (1) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; (2) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; and (3) availability, which means ensuring timely and reliable access to and use of information. See NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (to be codified at 44 U.S.C. section 3542).

Security Controls—the management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system and the security controls in place or planned for meeting those requirements. See NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

Standard—a rule, condition, or requirement that must be met by a covered entity. See Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82462 (2000) at 82800 (to be codified at 45 CFR section 160.103).

Technical Safeguards—the technology used and the policy and procedures for its use that safeguard electronic protected health information and control access to it. See Health Insurance Reform: Security Standards; Final Rule, 68 Fed. Reg. 8334 (2003), at 8376 (to be codified at 45 CFR section 164.304).

Threat—the potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. See NIST SP 800-30, Risk Management Guide for Information Technology Systems.

Threat Source—either (1) a method targeted at the intentional exploitation of a vulnerability, or (2) a situation and method that may accidentally trigger a vulnerability. See NIST SP 800-30, Risk Management Guide for Information Technology Systems.

User—a person or entity with authorized access. See NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule (to be codified at 45 CFR section 164.304).

Vulnerability—a flaw or weakness in the design or implementation of an information system (including the security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an organization’s operations or assets through a loss of confidentiality, integrity, or availability. See NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

[13] FISMA defines “information system” as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” 44 U.S.C., Sec. 3502.


Appendix E: Information Security Program Documents
The HHS IT Security Program is supplemented by a series of HHS Information Security documents, including:

HHS Information Security Program Policy
HHS Information Security Program Handbook
HHS Information Security Program Rules of Behavior
Baseline Security Requirements Guide
Certification and Accreditation (C&A) Guide
Configuration Management Guide
Contingency Planning for Information Security Systems Guide
Critical Infrastructure Protection (CIP) Planning Guide
Data Cryptography Guide
Disaster Recovery Planning Guide
Firewall Configuration Guide
Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide
Incident Response Planning Guide
Information Privacy Program Policy
Information Privacy Program Handbook
Information Technology (IT) Penetration Testing Guide
IT Personnel Security Guide
IT Physical and Environmental Security Guide
IT Privacy Impact Assessment Guide
IT Security Capital Planning Guide
Machine-Readable Privacy Policy Guide
Plan of Actions and Milestones (POA&M) Guide
Risk Assessment Guide
Security Test and Evaluation (ST&E) Planning Guide
Web Security Guide
Wireless Security Program Development Guide


Acknowledgements
Pat Higgins, Carla Dancy Smith, and Daniel Steinberg were instrumental in developing this document.

Page 40…...

Similar Documents

Free Essay

Time

...Time is said to be eternal. It is said that it has neither a beginning nor an end. Yet men are able to measure it as years, months, days, hours, minutes and seconds. They have also given meanings to the words – past, present and future. True, time has a meaning. It moves. What was yesterday is not today. What is today will not be tomorrow. Yesterday is gone. Today is and tomorrow is yet to come. Yet time is said to have no holiday. It exists always. The entire creation moves on according to a time pattern. There is birth, growth and death. There is time for everything. Plants flower and give fruits. Seasons come according to time. A child is born, grows into boyhood, adolescence, youth, middle age and old age according to age and time. Every movement of creation is linked with time. One cannot grow paddy in a month nor can a child become an adult in a year. Everything is fixed to a time-frame. Time is a free force. It does not wait for any one. It is commonly said that time and tide waits for no man. Time is money. A minute not usefully spent is an eternal loss. You can never get back the lost minute. One has to strike the iron when it is hot. The time flies and never returns. If you waste time it wastes you. ‘Time is the best medicine’, says Ovid. It is said that time heals all wounds and it even heals what reason cannot. All human beings are emotional. When negative emotions like fear, anger, envy and jealousy overtake them, they lose reason and act in haste......

Words: 584 - Pages: 3

Premium Essay

Time

...Where Did the Time Go There never seems to be enough hours in the day. Where does all the time go? The alarm goes off at 4:45 a.m., I normally hit the snooze so that I can get fifteen more minutes of sleep. I get up; feed the dogs, than head for the shower. While getting ready for work, I’m keeping an eye on the time, knowing that if I don’t leave by 5:45 a.m. I will be stuck in base traffic and will be late for work. On my ride into work, I’m constantly thinking of all the things I need to juggle hoping to fit everything into my busy schedule. Since starting college this semester, the evenings consist of going to class and homework. My husband will call me and ask what my plans are for after work and it’s always, cook dinner, feed the dogs and homework. If I’m lucky, I’ll finish with my classwork and be able to sit and relax for about thirty minutes. Then it’s time to put the dogs out and off to bed. I feel like I am consistently juggling my time between work, school, dogs and oh yeah, my husband. Then there is always trying to find time to complete household chores. Most of these have to happen over the weekend. Laundry, dusting and cleaning the floors are only a few of the indoor items needing to be done. Then there are dogs that need to be bathed and poop that needs to be scooped. When I was getting ready to go back to college, my husband kept saying, “I can’t wait to see how you plan to keep doing all the things you do and go to school.”...

Words: 526 - Pages: 3

Free Essay

Time

...the best tool because questionnaire are relatively quicker and easier to create, code and interpret. In addition, we are able to contact large numbers of respondents easily and efficiently. This is also one of the methods providing us with most reliable data. Our questionnaire is designed with four parts. The first part is to identify the difficulties of students in managing time. The second part is to find out the popular reasons by seeking the respondents agreement to our suggestive options. Besides, two questions in the part three give the importance of controlling the time effectively. Finally, the forth part gives possible solutions to help control the time. To collect the data to do the research, we delivered 50 copies of questionnaire to 50 students from different classes. They were all second-year English Department students. We conducted the survey among second- year students because they are more mature than the first-year students and not too busy like the students in the last semesters. In addition, they are also familiar with studying environment at university. After a quite long learning time, whether they can find out methods to balance their lives between studying and other activities. Before carrying out the real survey, we had a sample in one of our class for one day. We received the useful comments from our classmates. Our original questionnaire does not have various types of question, so they see that it is quite boring. Therefore, we added some......

Words: 446 - Pages: 2

Free Essay

Time

...new phases is common throughout the book. Tom's adolescence is a time of great accomplishment and pain, as he is horrifyed by the accident that is brother Daniel was involved with and the inmpact it had on the family. Throughtout this time he is also trying to find himself after the event change his life. In this time he questions what is really inportant to him. His realtionship with is new football tean in Coghill is highly significant. In his role as halfback for his football team, he takes on the role of trainning and guiding the team. This involvement with football become an important symbol of growing up. He starts to appreciate and enjoy the game and comes to realise winning isn;t everything. But in the book it take a while for the characters to venture into the world. n the story of Tom Brennan many individulas venture into new experiences but coming across new experices you may have to encounter obstacles. In the end its all worth it because you may also gain significant rewards. New phases and experiences in life are exciting for all individuals. in the story of tom brennan, this idea of new phases is common throughout the book. Tom's adolescence is a time of great accomplishment and pain, as he is horrifyed by the accident that is brother Daniel was involved with and the inmpact it had on the family. Throughtout this time he is also trying to find himself after the event change his life. In this time he questions what is really inportant to him. His......

Words: 793 - Pages: 4

Premium Essay

Time

...Time What does time mean to me? For a long portion of my life time meant the hours I had in a day to do things that I thought were fun. Time was a way I measured how long I had until the next instance of something that I had to do. Time was not important it was numbers on a clock. Time was what I had to keep track of the days as they flew by with nothing important to do. Time in its essence had no meaning, no value, or no real importance. Then one remark made a point in time the most important occurrence of time in my life. One question asked gave value to time, one voice gave meaning to time, and one smile forever made time important. The first time I saw her made me question what I was using time for. How could someone I just met change my views on the importance of time? “How big is that shirt? It is like a tarp on you.” That one question followed by that one comment was the first event in my time that had real importance. It was the first time in my life that time had meaning, value, and importance. Her answer made me blush. Her smile made me forget who I was, and her eyes slowed time. As I tried to regain my thoughts I hurried to the back office. What was I thinking was the first thing that came to my mind. That was the first real event in my life. It was the first event in my life where time had a meaning....

Words: 274 - Pages: 2

Free Essay

Time

...Time Management "Things that mmost should never be at the mercy of thing that matter least". atter We, as human beings, let this happen much too often. Many of us waste our time on things that are neither important nor necessary, instead of using that time for thing of that are significannot . Time management is not only how to get more out of you're time, but really how to become a better person. Time is a very hard thing to manage, because we can neither see it or feel it until its has passed. Before we can manage our time we must know exactly what time is. The dictionary describes it as, the duration of one's life; the hours and days which a person has at his disposal. How we dispose of that time is time management. It's the way we spend our time to organize and execute around our priorities. Remember just because time is intangible doesn't mean that it is not valuable. I want to teach you about the background of time management, the different styles and how to use them, and how it will change your life. Background Time management today is not as it was in the past. It has grown with time. Stephen R. Covey places time management into four generations. He feels it has evolved the same way society has. Each generation grows on the one before it. For example, the agriculture revolution was followed by the industrial revolution, which was then followed by the informational revolution. The first wave or generation is basically notes and......

Words: 317 - Pages: 2

Free Essay

Time

...and I tell myself that whenever I get big and become a lady I want to be just like her, she is beautiful in every way I call her beauty with a purpose. My mother oh god! she is like the devil from the pit of hell, it seems she makes it her point of duty to tell me how ugly I am, that I am good for nothing and that I will never be nothing like Ms. Chin she said “gal being like miss Chin is just a figment of your imagination a dat mi a tell u”. I am just seven and she talks to me as if i am a 30 year old person she makes me do everything u can think of and this is the sad part sigh! her boyfriend is so unhealthy for me and she fail to see that, each time he comes by he looks at me and say “gwaan grow me wife” he would tell me occasionally that he loves me and wish I was older and he touch me as if am a woman, I cry each time he comes by my mom, because he is back and forth my mom would send me on Saturday’s to him for money at his house, I would pray and ask god to take away this forsaking day called Saturday. I would watch the television and pray asking god to send either the Minister of Youth Sports and Culture or Child Development Agency (CDA) to send someone to take me from this hell hole I call a home which houses me my mother’s boyfriend and her, they should be the protectors which I should trust with my life but they are the one that stole my childhood in a vilest and most terrifying way. I never thought he would touch me but he did and the pain in my heart is......

Words: 538 - Pages: 3

Free Essay

Time

...Time. Many people use their time differently; some use their time inventing, inspiring. One thing that everyone can agree on is that time is not something to waste. Steve Jobs once said, “Your time is limited, so don't waste it living someone else’s life. Don't be trapped by dogma, which is living with the results of other people's thinking. Don't let the noise of others' opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition.” This quote explains time well because you don’t want to let other people’s opinions get in the way of your goal and cause someone to waste their time. One will never know when their time will be up. Good time management for a student requires three points. One step to make time management effective is to develop a time strategy. The time strategy should be based on a short list of time priorities. This short list forms the basis for a student's time planning for every week of the year. The dictionary definition of the word time is “the system of those sequential relations that any event has to any other, as past, present, or future; indefinite and continuous duration regarded as that in which events succeed one another.” My own personal definition of time is the opportunity you are given to succeed or fail. The first of the three points that a student should keep in his or her mind is not taking on more than he or she can handle. If a student has scheduled too many classes to take in one......

Words: 946 - Pages: 4

Premium Essay

Time

...428

Team Members/Contact Information

| Name | Phone | Time zone and Availability During the Week | Email |
| Marcella Bouldrick | (803)347-9611 | (Evening) | Marcy926@email.phoenix.edu |
| Shamika Lewis | (706)4218275 | (Open) | whoreg@email.phoenix.edu |
...

Words: 336 - Pages: 2

Premium Essay

Time

...Introduction cont..

* Poor time management can negatively affect the performance of working students in several ways. First, if they don’t structure their time for homework & projects, they may not be able to complete them on time. Second is cramming for examinations, another common trait of disorganized or undisciplined college students: rather than setting aside time each evening for study, poor time managers try to absorb everything in a few late hours the day before the test.
* Trying to manage all the demands of working and going to school is not an easy task, but it is possible. Time management is the key to their daily survival and success in reaching their goal.

Statement of the problem

The study aims to answer the following......

Words: 1189 - Pages: 5

Free Essay

Time

...understanding and compassionate. I also have very strong interpersonal skills and a couple of experiences in customer service from my home country, Tanzania. I believe that these skills acquired from my experiences can be applicable to my position as a waitress in a beneficial way. My resume, which is attached to this letter, contains additional information on my education and skills. I look forward to hearing from you and will be glad if you could set me up for an interview. Your time taken to read this is highly appreciated.

Sincerely yours,
Angela Kundi.

Angela Kundi
#4-1520 1st Street South, Cranbrook BC, V1C 1B9 | angelkundi@yahoo.com | C +1-250-464-0099

Objective
To find a full time job in Cranbrook

Skills/Qualification Summary
* Positive Team Player
* Great Customer Service Skills
* Ability to pay attention to details
* Great interpersonal communication skills
* Knowledge of Microsoft Word, Excel and Access

Work Experience
* Baraza resort and spa April 2012- June......

Words: 327 - Pages: 2

Free Essay

Time

...HOW TO SPEND YOUR 168 HOURS A WEEK WISELY

Time or the lack of time is a major problem for many college students. The week won't expand to 200 hours, so it's up to you to make your activities fit the time you have. Follow these directions and use the calendar on the other side to analyze your time use and find some solutions. About 100 of the 168 hours are taken up with sleeping, eating, personal care, travel, chores, religious activities, and some leisure time.

TOTAL THE HOURS ALLOWED FOR CLASS, STUDY, WORK, AND OUTSIDE ACTIVITIES.

EXAMINE YOUR SCHEDULE AS IT IS

FIRST, FILL IN MAJOR COMMITMENTS AND PERSONAL TIME: Pencil in all your class times, work hours, and other regular commitments such as meetings and practices. Allow for travel times. Allow time to shower, eat meals, do laundry, shop for groceries, etc. REMEMBER TO ALLOW ENOUGH TIME TO SLEEP! If you consistently try to get by on less than 7 hours of sleep per day, you may risk your physical health and undermine everything else. It's true-- you should allow about two hours of study time for every hour you spend in class. A 5-credit math or science class requires ten hours a week to read, study, and do homework problems. Schedule study and review times as soon after classes as possible. Allow study time every day for difficult subjects. Study specific subjects at specific times (math at 2 on Sunday). Try to study at the times of day that are best for you. If you are at your......

Words: 592 - Pages: 3

Premium Essay

Time

...Running head: Time management in nursing 1

Time management in nursing

Nursing is a demanding career in and of itself. Without effective time management both at work and home, a nurse can easily become affected by prolonged stress. Learning to manage your time effectively is highly rewarding. By managing time you become more effective and less hassled. At the end of the work day you go home with a little more energy and a better attitude. Time may be one of the precious resources to manage. There is an old saying that time is money. In health care, time affects both money and quality. For each nurse there is a finite and identifiable limit to the hours to do work. With the same seconds in every minute, nurses need to find ways to stretch the time available to meet the needs that arise (Huber, 2006). Many nurses complain about needing more time. They are stressed and frustrated. At any point in time nurses juggle work and other roles such as student, partner, parent, child, or friend. As work places are restructured for efficiency and employ......

Words: 878 - Pages: 4

Premium Essay

Time

...Once your files are backed up, shut down your MacBook Pro. Plug it into the AC adapter, and then boot it back up. Finally, press and hold “Command-R” (the “Command” and “R” keys at the same time) to start the restore process. Hold these keys until the Apple logo appears on the screen, and then release them. You will be taken to an alternative boot screen with a “Mac OS X Utilities” menu.

Step 3
In order to complete a system restore, you will need to connect your computer to the Internet. Select “Wi-Fi” from the Utilities menu and find the router you will be using. Enter your Wi-Fi username and password to connect.

Step 4
Depending on which version of OS X you are using, your Utilities menu will be slightly different. Look for either “Internet Recovery” or “OS X Recovery,” and select whichever one you find. This should present you with a “Reinstall OS X” option. Click on it, and then wait as your MacBook Pro connects to the Internet and gathers information on your laptop from Apple servers. You may be prompted to provide your Apple account information, including username and password. If so, provide it. In any case, this process will eventually reach the point where your MacBook downloads the latest version of OS X, as well as the standard programs that Apple includes pre-installed on every laptop. Your hard drive will then be automatically formatted, and the computer will restore itself to factory settings.

Step 5
Once the reinstallation process is......

Words: 398 - Pages: 2

Premium Essay

Time

...guys are all bundled up." Clearly animated and looking well, he said he didn't feel much different than he did after his five-month station mission five years ago. Kelly and Kornienko had checked out of the space station 3½ hours earlier. In total, they traveled 144 million miles through space, circled the world 5,440 times and experienced 10,880 orbital sunrises and sunsets during the longest single spaceflight by an American. Kelly posted one last batch of sunrise photos Tuesday on Twitter, before quipping, "I gotta go!" His final tweet from orbit came several hours later: "The journey isn't over. Follow me as I rediscover #Earth!" Piloting the Soyuz capsule home for Kelly, 52, and Kornienko, 55, was the much fresher and a decade younger cosmonaut Sergey Volkov, whose space station stint lasted the typical six months. The two yearlong spacemen faced a series of medical tests following touchdown. Before committing to even longer Mars missions, NASA wants to know the limits of the human body for a year, minus gravity. As he relinquished command of the space station Monday, Kelly noted that he and Kornienko "have been up here for a really, really long time" and have been jokingly telling one another, "We did it!" and "We made it!"...

Words: 724 - Pages: 3
