Information
-
Client / Site
-
Conducted on
-
Prepared by
-
Location
Check-in Procedures
-
Is a sign-in sheet used?
-
New Patient information form - Is there completion assistance?
-
Do we verify insurance, and if so, how?
-
How do we verify demographic information?
-
Is the appointment schedule in plain view of the patients?
-
Are any computer screens visible from the waiting room or by patients at the check out counter?
-
Is there a signed consent form in the patient record to use and disclose information for TPO (Treatment, Payment, or Healthcare Operations)?
-
Has the patient signed the Notice of Privacy Practices Acknowledgement?
-
Are appointments confirmed over the phone? What information is left on voicemail?
-
Are postcards used as reminders?
-
Does the practice verify the identity of patients upon arrival and on the phone?
Clinical Areas
-
How are patients called to the room?
-
Do providers and/or staff discuss patient information in or near clinical areas where other patients can overhear?
-
Do physicians dictate at a workstation central to patient care areas?
-
Are telephone calls made to other providers, labs, pharmacies, hospitals, managed care administrators, or case managers in which patient information is discussed and other patients can overhear?
-
Are all exam room doors kept shut during patient encounters?
-
Are telephones used in exam rooms?
-
Are lab or X-ray logs kept covered to prevent PHI from being visible?
-
Are X-ray films, folders, and requisitions kept out of public view?
-
Are patients escorted from the waiting room to exam room, exam room to X-ray, exam room to lab, etc.?
-
Are orders given to patients privately or in a low voice so as not to be overheard during their check-out process?
-
Is any PHI visible in the clinical workstations while unattended?
-
Are PHI shred bins emptied and not overfilled?
-
Are passwords of any kind visible in the clinical workstations?
Front Office and Business Office
-
Does the practice have a telephone policy to identify callers when asking for their clinical or billing information?
-
Is the fax machine located in a secure place?
-
Is there a log on/log off policy?
-
Are there any security passwords visible?
Medical Records
-
Are all staff members allowed access to the medical records department?
-
Is there an out-guide system or other mechanism for flagging charts that are pulled?
-
What is the physical security of medical records?
-
Are medical records transferred between locations?
-
Does the practice have a records release policy?
-
Is the patient's written authorization received before release of PHI?
-
Are authorizations filed in the patient's medical record?
-
Does the practice document disclosure of PHI for non-TPO activities? Is this tracked in the event of a request for accounting of disclosures?
-
Does the practice have a staff member who is trained to answer patient questions about their records?
-
Is an outside vendor used for microfilm, storage and shredding?
-
Can PHI be destroyed after the expiration of the retention period?
Methods of Conveying PHI
-
How can medical records be sent to specialists or other providers the patient is being referred to?
-
Can patients and providers communicate by e-mail?
-
Does the practice allow patients to access information over their website? For example, test results.
-
Can test results and other information be given to patients over the telephone?
All Areas
-
Are computer monitors positioned away from public areas to avoid observation by visitors or patients?
-
Are screens on unattended computers turned to the log-on screen, or do they have a password-enabled screen protector?
-
Does staff protect their ID and passwords and never share them?
-
Are paper records and medical charts stored or filed to avoid observation by patients and visitors?
-
Are paper records stored behind locked rooms when not staffed?
-
Confidential patient information is not left on an unsecured printer, photocopier, or fax machine unless these devices are in a secure area.
-
Are visitors and patients appropriately escorted to ensure they do not access staff areas, dictating areas, chart storage, etc.?
Personnel Policies
-
Does the practice have HIPAA privacy policies written and incorporated in the employee handbook?
-
Are the privacy policies and procedures up to date?
-
Do new employees receive privacy training as part of their orientation?
-
Has all existing staff undergone Privacy Training?
-
Is employee training documented?
Signatures
-
Name and Signature of Auditor