
Vendor Application 4th of July Fireworks Spectacular

July 4, 2019

Please submit this fully completed application by Wednesday, June 5, 2019, along with the payment, made payable to the City of Los Alamitos. Booths will be selected on a first come, first served basis. No refunds for inclement weather or vendor no-show.

Company/Organization Name: ____________________
Contact Full Name: ____________________
Address: ____________________
City: ____________ State: ______ Zip: __________
Daytime Phone: ____________ Evening Phone: ____________
Email: ____________ Fax: ____________
Date of Birth: ____________ Driver’s License #: ____________ State Issued: ______

I, the undersigned, represent the listed organization and do hereby agree to contribute the agreed upon dollar amount and to participate in the aforementioned activity, and further agree to indemnify, defend, and hold harmless the City of Los Alamitos, City of Seal Beach, Community of Rossmoor, and Military Department of the State of California, and the event sponsors or any other individuals or organizations associated with the above, and any of their officers, agents, or employees, from any liability, claim, or action for damages resulting from or in any way arising out of, or in any way connected with, participation in this activity. I further agree to abide by and enforce the rules and regulations of the City of Los Alamitos, City of Seal Beach, Community of Rossmoor, and Military Department of the State of California. My booth may be shut down by event officials at any time if they deem my product or marketing supplies to be unsuitable for the event participants or if they will cause damage or problems to the Joint Forces Training Base.

I hereby certify that, on behalf of our organization, we shall be personally responsible for any damage or unnecessary abuse of booth, grounds, or equipment by our organization.

Signature: __________________________________________________ Date: __________________________________________

Vendor Information

Product sales vendors must complete an additional AAFES Application.

$250 – Commercial Vendor: includes a 10’ x 15’ space. No canopy or equipment (tables, chairs) will be provided.

$175 – Nonprofit, informational Vendor: includes a 10’ x 15’ space. No canopy or equipment (tables, chairs) will be provided.

**If you plan on bringing a static display, please list it here: ____________________

Please provide the items to be sold and the pricing for each item: ____________________

*All items intended for sale and listed on this application will be subject to approval by the 4th of July Fireworks Committee, and any additional items not listed will not be allowed.

Please list what additional equipment you will be bringing or renting for the event (e.g. tables, chairs, canopies, lights, etc.):

___________________________________________________________________________________________________________

Power Sources

You are required to provide your own generators. We will NOT provide any electricity. Please list what source you will be bringing for your booth:

________________________________________________________________________

Payment Information

Pay by check, money order, cash, MasterCard or Visa ONLY, payable to the City of Los Alamitos.

Print Name:

Method of Payment (check one): Cash / Money Order #__________ / Check #_________ / MasterCard / Visa    CVV2: __ __ __

Card Number: ___ ___ ___ ___ - ___ ___ ___ ___- ___ ___ ___ ___ - ___ ___ ___ ___ Exp. Date: ___ ___ / ___ ___

Signature for Credit Card: Date:

Please read, complete, sign, and send the form with payment to: City of Los Alamitos 4th of July Food Vendor, 10911 Oak Street, Los Alamitos, CA 90720 Phone: (562) 430-1073 Fax: (562) 594-9657 Email: [email protected]


Vendor Policies 4th of July Fireworks Spectacular

July 4, 2019

1. Registration for a vendor booth in the Patriot’s court will be conducted through walk-in, mail-in and faxed registration only. Applications must be postmarked by Wednesday, June 5, 2019. Applications are processed in the order received. Mail all applications to: City of Los Alamitos, Attn: Samantha Kenny, 10911 Oak Street, Los Alamitos, CA 90720.

2. $250 per booth. *Includes 2 parking passes in the vendor parking lot.

3. Booth spaces are 10’ x 15’. If additional space is needed, please notify us and we will do our best to accommodate it.

4. Vendors will be expected to fulfill their commitment on Thursday, July 4 from 3:30 p.m. to 9:30 p.m. No refunds will be granted if you do not show up.

5. Setup time begins at 12:00 noon and vendors MUST BE READY TO SELL by 3:30 p.m. or earlier. Cleanup is from 9:30 to 11:00 p.m. Adherence to this requested time frame will be considered when awarding booths for the 2020 4th of July Fireworks Spectacular.

6. The 4th of July Fireworks Committee reserves the right to approve those groups and items that are best suited for the event. Cities fund the costs of the events, and State law prohibits cities from expending funds to support a campaign. As a result, no booths supporting or approaching candidates for public office, ballot measures, or other election activities other than voter registration will be permitted.

7. The location of booth space will be determined at the discretion of the Committee. Because of aisle clearance requirements between booths and emergency vehicle lanes, vendors will not be allowed to extend their booth beyond the allotted space.

8. A Certificate of Liability Insurance and an Additional Insured Specific Endorsement naming the certificate holders must be submitted by June 5th for the following certificate holders: City of Los Alamitos (10911 Oak St., Los Alamitos, CA 90720), Military Department of the State of California (4522 Saratoga Avenue, Building 15, Los Alamitos, CA 90720), and Army and Air Force Exchange Service (4522 Saratoga Avenue, Building 15, Los Alamitos, CA 90720). Vendors will be responsible for obtaining this on their own.

9. Confirmations of vendors will be sent out the week of June 10, 2019 via email. Included will be another copy of the rules and regulations, set-up times and booth locations. Once you receive this confirmation, please reply confirming that you received it.

10. Vendor booths are granted contingent upon the condition that all rules and regulations established by the City of Los Alamitos, Military Department of the State of California, and Joint Forces Training Base Fire Departments will be observed.

11. The vendor shall accept full responsibility for any breakage or damage to City or Military properties or equipment.

12. The vendor shall accept full responsibility for the conduct of those using the booth spaces. The vendor must leave the booth and immediate area in a clean and orderly condition. Each booth must be supervised by at least two adults at all times.

13. No alcohol, dogs, firearms, fireworks, or motor homes are permitted at the event or on the Joint Forces Training Base.

14. Storage space will not be available prior to or after the event. Vendors are encouraged to bring all supplies necessary for the event, as it will be nearly impossible to get off and on to the Joint Forces Training Base once the event begins.

15. This vendor booth may be revoked for failure to observe the regulations, improper conduct, or when cancellation is necessary for other reasons deemed by the City of Los Alamitos, Military Department of the State of California, Orange County Health, and Joint Forces Training Base Fire Departments.

16. There will be no refunds for the vendor booths for any reason other than the event being cancelled or other circumstances deemed worthy of a refund by the City of Los Alamitos.

17. All rules and regulations of the City of Los Alamitos, Military Department of the State of California, Orange County Health, and Joint Forces Training Base Fire Departments must be followed.

18. Vendors are not allowed to sell/promote their items outside of their booth.

19. Vehicles will be able to drop off equipment between 12:00 p.m. and 3:00 p.m. After 3:00 p.m., ALL vehicles must be parked in the vendor lot.


Federal Regulatory Guidance for PII and PHI

We all have personal information that we use to identify ourselves. This information could be a driver's license number, an address, a birthdate, or even a previous health condition. The Federal Government collects and maintains personally identifiable information, or PII, about individuals in order to govern; for example, to track Social Security payments, collect taxes, and guarantee citizens' right to vote. The PII the government collects must be relevant, accurate, timely, and complete. PII can be used to distinguish or trace an individual's identity, such as a name, Social Security number, or a biometric record or identifier.

How does the Government store PII and who uses it? The government normally stores PII in records, which can be a single item or a collection of items maintained by an organization or agency, or by a contractor on behalf of that organization or agency. Only individuals with a "need to know" -- that is, individuals with official authorized access to the information -- may access and use a record or system of records containing PII.

Protected health information, or PHI, is a special subset of PII. PHI carries all of the safeguarding requirements that apply to PII, but it requires additional safeguards. PHI is individually identifiable health information that a covered entity creates or receives, relating to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Covered entities include health plans and almost all healthcare providers engaged in electronic billing and eligibility verification transactions. In the case of DoD, the TRICARE program is a covered entity health plan. DoD regulations also define specific DoD Components, such as military treatment facilities, as healthcare provider covered entities. This concept of a covered entity is important because, when a covered entity discloses PHI to a non-covered entity, the information in the hands of the receiving non-covered entity is no longer PHI. Instead, it becomes PII in the hands of that receiving entity. Imagine a commanding officer needs information from the health records of a member of the officer's command. That information, such as physical or medical exam results, is the healthcare provider's PHI. If regulatory conditions are met, a covered entity may disclose that PHI to the commander. The disclosed health information in the hands of the commander is no longer PHI. The information is, however, still PII, so the commander must protect it as such. It is important to note that the healthcare provider, as long as it retains the shared information in its records, must continue to treat it as PHI.

PII is information that, either by itself or when combined with other information, is linked to a specific individual. If someone tampers with or steals this information it can have grave consequences for the individuals whose PII was disclosed. If an individual's PII is stolen, he or she is susceptible to identity theft. Social Security numbers and birthdates could help a thief apply for credit cards in someone else's name or commit other criminal acts under that identity. Losing PII can damage a person's reputation. It can also cause embarrassment and great inconvenience. Because of the extreme consequences associated with the loss or misuse of PII, the Federal Government is required by law to safeguard its collections of PII. A federal agency that loses or misuses PII will lose the trust of the public and the agency's constituents. It may incur significant legal liability. And consequences may include remediation, such as offering credit monitoring to the individuals affected by the lost or misused PII.

How does the government protect PII? Responsibilities for safeguarding it fall on both the organization that holds it and each member of the organization's workforce. Some of these responsibilities may overlap. Safeguarding measures fall into three categories: administrative, physical, and technical. Ensuring only people with a need to know have access to PII is an example of an administrative safeguard. Properly storing paper records in accordance with agency policies and procedures reduces the risk of loss or damage to information and limits access to those with a need to know. In an age in which so much information is digitized, technical safeguards become incredibly important. One example is the use of encryption. In the DoD, PII must be encrypted before being electronically transferred.

Let's examine some of the primary sources of the legal and regulatory requirements that apply to PII and PHI. The legal responsibility to safeguard PII collected by the Federal Government stems from the Privacy Act of 1974. The Privacy Act requires the establishment of the rules of conduct that apply to PII for the Federal Government, as well as safeguards for protecting PII. The Privacy Act requires the Federal Government to maintain accurate, relevant, timely, and complete information. The Freedom of Information Act, or FOIA, provides that any person has a right, enforceable in court, to obtain access to federal agency records, except to the extent that such records, or portions of them, are protected from public disclosure. The FOIA established a statutory right of public access to Executive Branch information in the Federal Government. FOIA defines how to keep the public informed while still safeguarding the government's collections of PII. It also protects the individual's right to access many types of records that are exempt from access under the Privacy Act. For PHI, in addition to the regulations governing PII, the Privacy and Security Rules issued under the Health Insurance Portability and Accountability Act, or HIPAA, established national standards for safeguarding the confidentiality, integrity, and availability of PHI, permitted uses and disclosures of PHI, and an individual's rights with regard to his or her PHI. In 2009, the Health Information Technology for Economic and Clinical Health, or HITECH, Act established notification, mitigation, and remediation standards for covered entities experiencing a breach with regard to their PHI. It specifically expanded the requirement to comply with the HIPAA Privacy and Security Rules to business associates of covered entities. The HITECH Act also significantly increased the civil and criminal penalties for HIPAA violations. Further guidance on the impact these laws have on federal workforce members and organizations is provided by the Office of Management and Budget, or OMB, as well as by specific Department or Agency employers.

When working with PII, the government is responsible for balancing the need to maintain information about individuals with the privacy rights of those individuals. As you learned, there are different categories of safeguards that organizations can employ to protect PII, thereby protecting the individual to whom the PII belongs. These include administrative, physical, and technical safeguards.


Organizations are responsible for establishing safeguards that physically protect PII from threats that could result in unauthorized access, alteration, or destruction of records or information. Facilities handling PII should ensure appropriate access controls are in place to protect that information and that all hardware is locked up as required. Organizations must provide items to aid in handling paper records and other physical forms of information, such as storage containers, locking cabinets, and cover sheets for transmittal. For the disposal of paper and electronic records, organizations must comply with the procedures of the National Archives and Records Administration, or NARA, on Records Management requirements for retention and disposal, for example, shredding and incineration. Organizations also must test all of these safeguards regularly to ensure they perform as intended.

Let's look at some examples of administrative safeguards for PII. Organizations are charged with eliminating the unnecessary use of Social Security numbers and exploring alternatives. Organizations should offer specific training on PII to their employees; for example, orientation training, specialized training, management training, and training on systems of records containing PII. Organizations must have policies and procedures in place for handling PII, specifically defining the impact to affected individuals and actions, as well as assigned agency roles and responsibilities, and the consequences of misusing or losing PII. Before collecting any PII, an organization must conduct a Privacy Impact Assessment, or PIA, to assess the level of risk to the organization or the individuals in collecting and maintaining this data. Organizations must also review their PII holdings annually and report their status to Congress.

As far as technical safeguards for protecting PII, organizations must provide secure systems for storing and transmitting electronic records. Examples include implementing encryption software, imposing controls on remote access, employing time-out functionality to discourage unmonitored access to records, and logging and verifying all access by individuals. Organizations must also ensure that role-based access controls are implemented properly for their workforce members. They must also ensure workforce members fully understand their responsibilities for safeguarding electronic records.
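As an added example (not part of the course text), the following Python sketch shows how three of the technical safeguards named above, role-based access, a session time-out and access logging, combine with the need-to-know principle from earlier in the course: a read is refused outright if the caller's role has no need to know any one of the requested fields, stale sessions are refused, and every attempt, allowed or denied, is recorded by field name only so the audit log itself never becomes a second copy of the PII. The roles, the field policy, the record contents and the 15-minute idle time-out are all assumed for illustration and are not DoD policy.

```python
import time
from dataclasses import dataclass

# Constructed sample PII record store (fictitious values, not real people).
RECORDS = {
    "rec-001": {
        "dod_id": "1234567890",
        "name": "J. Sample",
        "ssn": "123-45-6789",
        "dob": "1990-01-01",
        "address": "10911 Oak Street, Los Alamitos, CA 90720",
        "medical_exam": "fit for duty",
    },
}

# Assumed role policy (illustrative, not DoD's): the fields each role has a
# need to know. Anything not listed is outside that role's minimum necessary,
# so the SSN is reachable only by the one role whose business process needs it.
ROLE_FIELDS = {
    "pay_clerk":  frozenset({"dod_id", "name", "ssn"}),
    "unit_admin": frozenset({"dod_id", "name", "address"}),
    "commander":  frozenset({"dod_id", "name", "medical_exam"}),
}

IDLE_TIMEOUT_S = 15 * 60  # assumed idle time-out; a stale session is refused


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds of the last permitted request


@dataclass(frozen=True)
class AuditEvent:
    ts: float
    user: str
    role: str
    record_id: str
    fields: tuple   # field names only: PII values never enter the audit log
    outcome: str    # "allowed" or "denied:<reason>"


class PiiStore:
    """Holds PII records and enforces need-to-know on every read."""

    def __init__(self, records, clock=time.time):
        self._records = records
        self._clock = clock  # injectable so the time-out can be tested
        self.audit = []

    def _log(self, session, record_id, fields, outcome):
        self.audit.append(AuditEvent(self._clock(), session.user, session.role,
                                     record_id, tuple(sorted(fields)), outcome))

    def read(self, session, record_id, fields):
        """Return only the requested fields that the session's role may see.

        Fails closed: a request naming any field outside the role's need to
        know is refused outright and logged, rather than silently trimmed, so
        over-broad requests stay visible to whoever reviews the audit log.
        """
        now = self._clock()
        requested = frozenset(fields)
        if now - session.last_activity > IDLE_TIMEOUT_S:
            self._log(session, record_id, requested, "denied:session_timeout")
            raise PermissionError("session timed out; re-authenticate")
        if not requested:
            self._log(session, record_id, requested, "denied:empty_request")
            raise ValueError("no fields requested")

        permitted = ROLE_FIELDS.get(session.role, frozenset())  # unknown role -> nothing
        excess = requested - permitted
        if excess:
            self._log(session, record_id, requested, "denied:exceeds_need_to_know")
            raise PermissionError(
                f"role {session.role!r} has no need to know {sorted(excess)}")

        record = self._records.get(record_id)
        if record is None:
            self._log(session, record_id, requested, "denied:no_such_record")
            raise KeyError(record_id)

        session.last_activity = now  # only a permitted read keeps the session alive
        self._log(session, record_id, requested, "allowed")
        return {f: record[f] for f in requested if f in record}


if __name__ == "__main__":
    store = PiiStore(RECORDS)
    cmdr = Session("maj.doe", "commander", time.time())
    print(store.read(cmdr, "rec-001", ["name", "medical_exam"]))
    try:
        store.read(cmdr, "rec-001", ["name", "ssn"])  # SSN is outside a commander's need to know
    except PermissionError as err:
        print("refused:", err)
    for event in store.audit:
        print(event.outcome, event.user, event.fields)
```

The design choice worth noting is the fail-closed handling of an over-broad request: trimming the response to the permitted fields would be more convenient for callers, but it would hide exactly the pattern (a role repeatedly asking for more than it needs) that the audit log exists to surface. Encryption of the records at rest and in transit, which the course also requires, sits below this layer and is not shown here.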

As you just learned, one of the administrative safeguards organizations employ is to assess the level of risk involved in collecting and maintaining PII. Conducting a risk assessment is important in determining the risk to an agency when collecting and maintaining PII. For this reason, before gathering any PII, an organization must complete a Privacy Impact Assessment, or PIA. A PIA looks at how an organization handles information to ensure it meets legal, regulatory, and policy requirements. It also examines the risks involved in the collection, use, maintenance, and dissemination of PII in an electronic information system, with the goal of mitigating any unauthorized use or disclosure risks. If an organization determines that it must collect and maintain PII that will be retrieved by a personal identifier within that system, the organization must publish a System of Records Notice, or SORN, in the Federal Register. A SORN notifies the public that an agency will collect and retrieve PII in a system of records. It must be published in the Federal Register before any data collection can begin. SORNs include: the legal authority to collect the PII, the type of PII that will be collected, the safeguards in place to protect the data in the system, how individuals can determine if they are part of that system, and how they can obtain a copy of their record if they are a part of that system.

When must an organization conduct a PIA? An organization must complete a Privacy Impact Assessment when that organization collects PII into an existing electronic information system or when the organization converts paper records into electronic form in a system for which a PIA had not been previously completed. For new information system collections, an organization must conduct a PIA before developing or purchasing the system, and any time it wants to convert paper records into electronic ones. An organization does not need to complete a PIA when the information system does not collect, maintain or disseminate PII, when the system is a National Security System, including systems that process classified information, or when the information is solely paper-based.

What does a risk analysis for PHI involve? The DoD Health Information Security Regulation contains requirements for electronic PHI risk analyses. The organization must assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic PHI it creates, receives, stores, or transmits. The analysis must include a threat assessment, exploitable vulnerabilities, and a residual risk determination. It must take into account both organizational and technical assessments that address all areas of security. Finally, it must take into account all relevant losses that would be expected if security measures were not in place, including losses caused by unauthorized use and disclosure, as well as losses of data integrity or accuracy.

Every member of an organization's workforce needs to be aware of their personal responsibilities to safeguard the confidentiality, availability, and integrity of their organization's PII. These responsibilities are set out in the organization's policies and procedures. Workforce members have safeguarding responsibilities that fall into the same three categories as for the organization: administrative safeguards, physical safeguards, and technical safeguards.

There are also physical ways for individuals to protect PII. All PII is sensitive information, so it must be treated as sensitive or FOUO information, even if it is unmarked. While working with the information, mark PII as sensitive or FOUO as appropriate. When transporting or transmitting PII by mail, fax, or by hand, use a properly marked cover sheet. When mailing the information, determine the postal class and the proper wrappings and markings for the package. Reduce the risk of access to PII during working hours by covering it or placing it out of sight when not directly working on it. Lock your computer when leaving it unattended. Store PII appropriately after working hours, for example, in locked or unlocked containers, desks, or cabinets. Dispose of all paper or electronic records according to the standards defined in the SORN or by NARA. You must render discarded PII unrecognizable and beyond reconstruction.

Administrative safeguards for PII that individuals can apply include monitoring and minimizing the use of Social Security numbers. Individuals should instead use DoD ID numbers wherever possible for internal DoD business processes. Individuals are also responsible for determining who is authorized to access the PII and, beyond that, who has a legitimate need to know. Be mindful of these factors when sharing information and limit access accordingly. Here are some questions individuals should ask themselves:

Is using PII necessary? Consider whether a task can be completed without PII. If it cannot be completed without using or disclosing PII, do not use or disclose more PII than the minimum amount necessary to support the use or disclosure. Also, make sure its use matches the purpose of collection in the SORN. Do not use information that was previously collected in a system of records for a new use before altering the existing SORN or creating a new one and publishing it in the Federal Register. Do not even use a subset of existing PII for a new purpose. And do not maintain data collections in secret.

Is it safe to talk about this PII? Be aware of the surrounding environment when engaging in conversation involving PII. Not all of those around you have a need to know. Ensure that telephone conversations are private.

Do you have the right information and is it correct? If possible, collect information directly from the subject of the PII; this is the most reliable way to obtain up-to-date information. Verify that data is accurate, relevant, timely, and necessary. Ensure that other information comes from the authorized official source, such as government sources.

Individuals must use technical safeguards to protect PII. One way to do this is by using only government-approved devices and software. This safeguards PII because the government has determined that these devices and software provide adequate protection. Individuals should make sure they are encrypting PII appropriately, and limit access to PII on shared drives to individuals with a need to know. Individuals need to follow agency policies and procedures for transmitting PII, such as confirming fax receipt, encrypting e-mails, and verifying that e-mail distribution lists contain only authorized individuals. Individuals who handle PII while teleworking must use only a government-furnished computer, must get approval from a manager before extracting PII onto that computer, and must never transmit PII via personal web e-mail.

All of the safeguards and best practices that apply to PII also apply to PHI. But as you learned, PHI receives even greater protection. The HIPAA Privacy and Security Rules require covered entities to have in place appropriate administrative, technical, and physical safeguards to protect PHI. Based on its risk analysis and risk management plan, each covered entity can establish its own specific administrative, physical, and technical safeguards. They do this by evaluating their needs, the types of PHI involved, and specific business risks. For DoD covered entity Components, individual implementation is subject to DoD's implementation of the HIPAA Privacy and Security Rules. Covered entities must train workforce members on the policies and procedures that apply to PHI. Other than required disclosures of an individual's PHI to that individual or the use and disclosure of PHI for treatment of an individual, covered entities must limit permitted uses and disclosures of PHI to the minimum necessary to accomplish the purpose of that use or disclosure. Non-covered entities that are business associates of covered entities also have responsibilities to safeguard PHI. They must make sure their workforce members are able to recognize PHI, and understand that the HIPAA Rules provide additional protection and controls for PHI, beyond what is required for PII.

Welcome to the Use and Disclosure of PII and PHI lesson. When you have completed this lesson, you will be able to identify the procedures for use and disclosure of PII and PHI. You will also be able to identify the penalties for failing to comply with the safeguarding requirements that apply to this information. There are four topics for this lesson. After completing this introduction, you will learn about the authorized and unauthorized use and disclosure of PII and PHI. You will also explore the penalties for non-compliance with the requirements governing use and disclosure of PII and PHI before the lesson concludes.

Let's look at the authorized ways organizations and individuals may use and disclose PII. The Privacy Act limits an agency's right to disclose any record contained in a system of records to any person or another agency unless the disclosure is made at the written request of the individual to whom the record pertains, or that individual has given prior written consent to its disclosure. Disclosure of the record is also allowed under any of the 12 permitted Privacy Act disclosures, which will be available for review at the end of this screen. One of these permitted disclosures is for the "routine use" of the records. The Privacy Act defines "routine use" as disclosure of a record for a purpose compatible with the purpose for which the government collected it. The System of Records Notice identifies routine uses and disclosures of the system's records. A breach occurs when an organization or individual improperly uses or discloses PII. In the event of a breach, both organizations and individuals have specific responsibilities aimed at mitigating potential damage to the subjects of the unauthorized use or disclosure. Select Permitted Disclosures to view the 12 exceptions to the disclosure rule. Select Organizational and Individual Responsibilities to learn about requirements for handling a breach.

OMB Memorandum M-07-16 requires agencies to establish a breach notification policy and plan. If a breach occurs, the head of the organization must notify the proper individuals by providing this information. Within the DoD, the organization must also alert the United States Computer Emergency Readiness Team, or US-CERT, to the potential or confirmed breach within an hour of discovery or detection. The organization has 24 hours from the discovery of the breach to report it to the Component Privacy Office and 48 hours to report it to the Defense Privacy and Civil Liberties Office.

If you think PII has been stolen, compromised, unlawfully disclosed, or inadvertently lost, you are required by law and Federal Government policy to immediately report this incident. If the breach also involves PHI, you must also report it simultaneously through appropriate channels for PHI reporting. You will learn about that later in this lesson, but it is important to know that you may have to perform two separate reporting activities for a single breach. In the case of PII, you are required to report the breach to the appropriate authority, such as your supervisor, privacy officer, or system manager. In some cases, your management may have to notify DoD and national authorities, as well as the individuals whose personal data was compromised. You should note the circumstances surrounding the potential breach, and document when and where it was discovered. For example, you may overhear someone giving information to an unauthorized individual. Or you might receive an e-mail or e-mail attachment containing unencrypted PII. Or you might observe an employee who consistently leaves people's personal medical files out on his or her desk or unattended computer. Or, maybe you noticed someone left a document behind after a meeting. In particular, if you find sensitive data on the Internet, be sure to write down the Uniform Resource Locator, or URL, where it was posted. Regardless of the circumstances or where the personal information was left or posted, always notify the appropriate authority. Remember, because PHI is a subset of PII, these responsibilities also apply to breaches of PHI.

Let's look at the authorized ways organizations and their workforce may use and disclose PHI. Remember, only covered entities and their business associates hold PHI. Generally, covered entities may use or disclose an individual's PHI: to the individual, or pursuant to that individual's written authorization, for treatment, payment, or health care operations, or as otherwise permitted or required under the HIPAA Privacy Rule. The HIPAA Breach Notification Rule defines a breach of PHI as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the information. In the event of a breach of PHI, both organizations and their workforce have specific responsibilities. Select Organizational and Individual Responsibilities to learn more about each.

If an individual working at a covered entity becomes aware of lost, stolen, or compromised PHI, he or she must report it to the designated organization official. That report should contain a complete description of the compromised PHI and a statement of when and where the breach was discovered.

If a breach of PHI occurs, covered entities must notify the affected individuals as soon as possible, but not later than 60 days. The covered entity must also report all PHI breaches annually to the Secretary of Health and Human Services, HHS. There are special notification requirements for breaches of PHI affecting 500 or more individuals. In addition to notifying affected individuals, covered entities must report all large-scale breaches to the Secretary of HHS without unreasonable delay, and in any case no later than 60 days after discovery. In the same time frame, they must also notify prominent media outlets serving the State or jurisdiction, most likely by issuing a press release.

If an organization does not comply with regulations for safeguarding PII or PHI, it may incur civil penalties for refusing to remove a record or refusing access to a record unlawfully, for failing to properly maintain the information, for failing to comply with any Privacy Act provision or agency rule, or for failing to comply with HIPAA Privacy and Security Rules, any of which causes harm to the subject of the PII or PHI. For violations of PII, the penalties include payments of actual damages and reasonable attorney fees. For PHI, civil monetary penalties depend on the intent behind the failure to safeguard the information and the level of damage the breach caused.

Criminal penalties may apply to any official or employee who knowingly discloses information from a system of records to a person not entitled to receive it. Criminal penalties also apply to individuals who maintain a system of records without publishing the required public notice in the Federal Register. Criminal penalties on individuals for violating the laws on safeguarding PII include conviction of a misdemeanor and fines of up to five thousand dollars. Individuals who wrongfully obtain or disclose PHI may be sentenced to up to one year in prison and subject to a fine of up to fifty thousand dollars. Offenses committed under false pretenses or for commercial purposes, such as selling PHI or using PHI for personal gain or malicious harm, carry even more severe penalties: up to ten years in prison, and up to $250,000 in fines, or both.

Unlike for PII, individuals may incur civil money penalties for failing to comply with the HIPAA Rules' requirements and standards. These civil fines depend on the severity of the individual violation. The HITECH Act increased the civil penalties in 2009. It divides them into four tiers. Roll your cursor over each tier to review the definition and applicable fine for each.

The Overview of PII identified PII and PHI, why they need to be safeguarded, and the legal and regulatory guidance governing their maintenance and protection. Safeguarding PII detailed organizational and individual responsibilities for protecting PII and PHI. It specified administrative, physical, and technical safeguards, including risk assessments. Use and Disclosure of PII and PHI outlined the circumstances and procedures involved with authorized and unauthorized use and disclosure of PII and PHI. The lesson also explained the civil and criminal penalties that individuals and government organizations can incur if they fail to comply with the laws on safeguarding PII and PHI. You should now be able to identify PII and why it is important to protect it, identify the organization's and individual's responsibilities for safeguarding PII, and recognize the policy and procedures related to the use and disclosure of PII.
