Solving document lifecycle complexities with products built for developers.
Accusoft offers a robust portfolio of document and imaging tools created for developers. Our APIs and software development kits (SDKs) are built using patented technology, providing high performance document viewing, advanced search, image compression, conversion, barcode recognition, OCR, and other image processing tools for use in application and web development.
About Accusoft
Accusoft provides a full spectrum of document, content and imaging solutions as fully supported, enterprise-grade, best-in-class client-server applications, mobile apps, cloud services and software development kits (SDKs). The company’s HTML5 viewing technology is available to the enterprise as PrizmDoc, in cloud-based SaaS versions, and in a version optimized for SharePoint integration.
Visit http://www.accusoft.com and download your free trial to see how our software can work for you.
4001 N Riverside Dr
Tampa, FL 33603
(800) 875-7009
HIPAA Training
Revision 1.0 - 05/06/2020
Module 1
Accusoft HIPAA Training
For All Employees
Learning Objectives
This training module addresses the requirements of maintaining privacy and security of
protected health information (PHI) and electronic health information (ePHI) as mandated by
HIPAA.
You will learn:
a. What HIPAA is and why HIPAA is important
b. HIPAA Definitions and Patients’ Rights
c. HIPAA Privacy Rule and Disclosures of PHI
d. HIPAA Security Rule and Safeguarding ePHI
e. Breach Notifications
f. BA Agreements
g. Potential Violations and Employee Sanctions
h. Security Best Practices for Software Systems
What is HIPAA and why is it needed?
● The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of
legislation to address one particular issue: Insurance coverage for individuals that are between
jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between
jobs.
● HIPAA also established regulations to prevent healthcare fraud and ensure that all protected
health information (PHI) is appropriately secured to prevent unauthorized access/misuse.
Who must comply with HIPAA?
● As required by Congress in HIPAA, the Privacy Rule covers:
○ Health plans
○ Health care clearinghouses
○ Health care providers who conduct certain financial and administrative transactions
electronically. These electronic transactions are those for which standards have been
adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
● These entities (collectively called "covered entities") are bound by the new privacy standards
even if they contract with others (called "business associates") to perform some of their
essential functions.
Accusoft is a “business associate” of “covered entities” that use our SaaS products.
Forms of Protected Health Information
Protected health information “Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual; or the past, present, or
future payment for the provision of health care to an individual” that is:
○ Transmitted by electronic media;
○ Maintained in electronic media; or
○ Transmitted or maintained in any other form or medium.
18 HIPAA PHI Identifiers
1. Name
2. Address
3. All dates related to an individual (e.g. birth date)
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Driver’s license numbers
12. Vehicle identification numbers
13. Device identification numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers
17. Photos of the face
18. Anything else that could be used to uniquely identify an individual (e.g. credit card numbers)
Who is responsible for protecting PHI?
● The improper use or disclosure of protected health information presents a risk of identity
theft and violation of privacy.
● Breaches of privacy can also result in criminal or civil penalties for both Accusoft and
those individuals who improperly access or disclose protected health information.
Every Accusoft employee is responsible for protecting the privacy and security of PHI
What Accusoft products are covered by HIPAA?
Accusoft products (e.g. OnTask and PrizmDoc) that involve the creation, use or transmission of
Protected Health Information must comply with HIPAA if:
● the application collects personally identifiable data about an individual that will be shared
with a medical professional; or
● Accusoft customers use our application to create, use or transmit Protected Health
Information.
Accusoft customers that are HIPAA covered entities must execute a Business Associate
Agreement with Accusoft prior to using our products to process, transmit or store PHI.
What are the HIPAA Rules?
Since it was originally written, many aspects of HIPAA have been amended. This includes the
addition of many “rules” that address specific aspects of patient and data privacy.
● Privacy Rule – The Privacy Rule also includes the Minimum Necessary Rule, which
stipulates that only the minimum amount of information required to complete a task may be
passed on to another authorized entity.
● Security Rule – The Security Rule addresses electronic PHI (ePHI). It outlines the
administrative, physical and technical safeguards needed to protect health data.
● Enforcement Rule – To help ensure that HIPAA is being followed, the Enforcement Rule was
introduced. It outlines the penalties for non-compliance, and gives the Department of Health
and Human Services the ability to prosecute for HIPAA violations.
● Breach Notification Rule – The Breach Notification Rule stipulates that a covered entity (CE) or
business associate (BA) has 30 days after the discovery of a breach to notify the OCR, customers
and the media.
● Omnibus Final Rule – The most recent addition to HIPAA, the Omnibus Rule addresses a
wide range of areas and implemented the requirements of the HITECH Act.
Accusoft
As a business associate under HIPAA rules, Accusoft is directly liable for compliance with
HIPAA Privacy and Security requirements and must:
● Enter into a Business Associate Agreement with covered entities
● Use appropriate safeguards to prevent the access, use or disclosure of PHI
● Obtain satisfactory assurances from any subcontractors or third party service
providers that appropriate safeguards are in place to prevent the access, use or
disclosure of PHI entrusted to them;
● Notify the covered entity of any breach of unsecured PHI;
● Ensure employees and subcontractors receive HIPAA training
10 Most Common HIPAA Violations
1. Snooping on healthcare records.
2. Failure to perform an organization-wide risk analysis.
3. Failure to manage security risks/Lack of a risk management process.
4. Failure to enter into a HIPAA-compliant business associate agreement.
5. Insufficient ePHI access controls.
6. Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices.
7. Exceeding the 60-day deadline for issuing breach notifications.
8. Impermissible disclosure of protected health information.
9. Improper disposal of PHI.
10. Denying patient access to health records/exceeding timescale for providing access.
Source: HIPAA Journal
HIPAA Privacy Rule
Access Must be Authorized
An employee may only access or disclose PHI when this access is part of the employee’s job duties.
With few exceptions, if an employee accesses or discloses PHI without a patient’s written authorization
or without a job-related reason for doing so, the employee is in violation of Accusoft Policies and
Procedures.
Employee Privacy Responsibilities
● An employee may only access or disclose PHI when this access is part of the employee’s
job duties.
● Avoid storing information on mobile devices, but if you must, use encryption.
● Always keep portable devices physically secured under lock and key to prevent theft and
unauthorized access.
● Keep your passwords confidential, and don’t share accounts with others.
● Comply with Accusoft Policies and Procedures.
● Promptly report any loss or misuse of devices storing PHI or sensitive information to your
supervisor and Accusoft’s Privacy and Security Officer.
Appropriate Disposal of Data
● Hard copy materials must be properly shredded or placed in a secure bin for shredding.
● Electronic media such as SSDs or hard drives must be physically destroyed or wiped using
approved software and procedures.
HIPAA Security Rule
What is addressed by HIPAA Security Rule?
The HIPAA security rule focuses on safeguarding PHI by addressing confidentiality, integrity,
and availability.
● Confidentiality means that data or information is not made available or disclosed to
unauthorized persons or programs.
● Integrity means that data or information has not been altered or destroyed in an
unauthorized manner.
● Availability means that data or information is accessible and usable upon demand
only by an authorized person.
All employees must be given security awareness training to help them identify threats and
vulnerabilities to the confidentiality, integrity, and availability of PHI.
● Physical security
● Cybersecurity
HIPAA Essentials
Employees must utilize the following security controls when storing and transmitting sensitive
information:
○ Strong passwords
○ Automatic log-off
○ Automatic screen lock
○ Encryption
○ Anti-virus
Physical Security Awareness
● Equipment used to access, store, process or transport PHI must be physically protected
○ For example PCs, workstations, mobile devices, portable drives, servers, mainframes, fax
machines, and copiers
○ Computer screens, copiers, and fax machines must be positioned so that they cannot be
accessed or viewed by unauthorized persons.
○ All computers must have auto-timeout and password-protected screen savers.
○ Block view of computer screens from external windows.
● Control and track access of individuals to buildings and restricted areas.
○ Servers and network devices must be in a secure area where physical access is limited and
controlled.
○ Do not allow unauthorized persons access to buildings and restricted areas.
○ Supervise visitors at all times and limit their access to restricted areas.
○ Shared computers in open areas must be protected against theft or unauthorized access.
Mobile Devices
● Accusoft prohibits the storage of PHI on mobile devices.
○ This applies to all mobile computing devices, such as laptops, tablets, smart phones, or
other mobile computing devices.
● Never leave mobile computing devices unattended in unsecure locations.
● Immediately report the loss or theft of any mobile computing device to your supervisor and
Privacy & Security Officer.
Remote Access
● All computers and mobile devices used to connect to Accusoft’s networks or
systems from home or an off-site location must meet the same standards that apply to
Accusoft workstations.
○ Make use of VPN
○ Enable auto updates, or manually install system and software updates on
your devices on a regular basis
○ Keep virus definitions current by using antivirus software
○ Don’t let anyone use or access your personal devices
Cybersecurity Training
All Accusoft personnel are required to complete cybersecurity training offered via the Paylocity
platform. The following areas are addressed in that training. If you have not completed this training
within the last 12 months, please contact an HR representative.
a. Cybersecurity Awareness
b. Passwords
c. Safe Computing and Email Use
d. Phishing and Social Engineering
e. Ransomware
f. Other cyberthreats
Most cyber attacks are due to human error and are easy to avoid, so get trained today!
HIPAA Enforcement Rule
Disciplinary Actions
● Individuals who violate Accusoft’s HIPAA policies will be subject to appropriate disciplinary
action, up to and including termination as outlined in Accusoft’s Policies and Procedures, as
well as subject to possible criminal or civil penalties.
● Administrative fines – Financial penalties for HIPAA non-compliance can be as high as
$1.5 million per violation category per year. Penalty amounts depend on the level of culpability.
● Personal fines – If an individual violated HIPAA and there was malicious intent behind their
actions, they can face a personal fine of up to $250,000.
● Jail sentences – In some instances, if a violation is deemed sufficiently severe, an individual
may receive a jail sentence of up to 10 years.
Example HIPAA Violation Penalties
2018 Fines as reported by hipaaguide.net
● Anthem Inc - $16M for multiple HIPAA violations
● University of Texas MD Anderson Cancer Center - $4.3M for impermissible disclosure of
ePHI/No encryption
● Fresenius Medical Care North America - $3.5M for multiple HIPAA violations
● Cottage Health - $3M for server accessible over the internet
● Massachusetts General Hospital - $515K for filming patients without consent
● Advanced Care Hospitalists - $500K for no HIPAA compliance efforts prior to April 1, 2014
● Allergy Associates of Hartford - $125K for PHI disclosure to reporter
HIPAA Breach Notification Rule
What is a breach?
The definition of a breach provided by the US Department of Health and Human Services is as
follows:
“A breach is, generally, an impermissible use or disclosure under the Privacy Rule that
compromises the security or privacy of the Protected Health Information.”
Breaches
The following events constitute a breach:
● loss, theft or improper disposal of physical or electronic records
○ paper or device containing PHI is improperly disposed of or unaccounted for
● information accessed by unauthorized persons or programs
○ hackers, viruses or malware compromise a system containing PHI
● information is shared with people that lack official need to receive it
○ gossip about information on a medical record
The leading cause of a breach is theft.
Breach Notification Requirements
● Accusoft employees and contractors must report any breach and impermissible use or
disclosure of PHI
○ Notify your supervisor and Accusoft’s Privacy and Security Officer immediately
● All employees should take extreme care to avoid breaches. A breach can negatively impact
on Accusoft, our employees, and our customers.
○ The estimated cost of a data breach can exceed $200 per compromised record, and has the
potential to harm the Accusoft brand.
● Accusoft is required to take reasonable actions to minimize the harmful effects of a confirmed
breach involving PHI.
● Accusoft must report all breaches to the covered entity and the Office for Civil Rights, and to all
individuals whose information was breached or disclosed.
○ Data breaches only need to be reported when there is a breach of unsecured (non-encrypted) ePHI.
References
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/
http://www.hipaajournal.com/hospital-employee-receives-18-month-jail-term-for-hipaa-violations-025/
http://www.beckershospitalreview.com/healthcare-information-technology/10-common-hipaa-violations-and-preventative-measures-to-keep-your-practice-in-compliance.html
https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/content-detail.html