Audit

Check-in Procedures

Is a sign in sheet used?

New patient information form: is completion assistance available?

Do we verify insurance, and if so, how?

How do we verify demographic information?

Is the appointment schedule in plain view of the patients?

Are any computer screens visible from the waiting room or by patients at the check-out counter?

Is there a signed consent form in the patient record to use and disclose information for TPO (Treatment, Payment, or Healthcare Operations)?

Has the patient signed the Notice of Privacy Practices Acknowledgement?

Are appointments confirmed over the phone? What information is left on voicemail?

Are postcards used as reminders?

Does the practice verify the identity of patients upon arrival and on the phone?

Clinical Areas

How are patients called to the room?

Do providers and/or staff discuss patient information in or near clinical areas where other patients can overhear?

Do physicians dictate at a workstation central to patient care areas?

Are telephone calls made to other providers, labs, pharmacies, hospitals, managed care administrators, or case managers in which patient information is discussed and other patients can overhear?

Are all exam room doors kept shut during patient encounters?

Are telephones used in exam rooms?

Are lab or X-ray logs kept covered to prevent PHI from being visible?

Are X-ray films, folders, and requisitions kept out of public view?

Are patients escorted from the waiting room to the exam room, from the exam room to X-ray, from the exam room to the lab, etc.?

Are orders given to patients privately or in a low voice so as not to be overheard during the check-out process?

Is any PHI visible on clinical workstations while they are unattended?

Are PHI shred bins emptied regularly and not overfilled?

Are passwords of any kind visible at clinical workstations?

Front Office and Business Office

Does the practice have a telephone policy to identify callers when asking for their clinical or billing information?

Is the fax machine located in a secure place?

Is there a log-on/log-off policy?

Are there any security passwords visible?

Medical Records

Are all staff members allowed access to the medical records department?

Is there an out-guide system or other mechanism for flagging charts that have been pulled?

What is the physical security of medical records?

Are medical records transferred between locations?

Does the practice have a records release policy?

Is the patient's written authorization received before release of PHI?

Are authorizations filed in the patient's medical record?

Does the practice document disclosure of PHI for non-TPO activities? Is this tracked in the event of a request for accounting of disclosures?

Does the practice have a staff member who is trained to answer patient questions about their records?

Is an outside vendor used for microfilm, storage and shredding?

Can PHI be destroyed after the expiration of the retention period?

Methods of Conveying PHI

How can medical records be sent to specialists or other providers the patient is being referred to?

Can patients and providers communicate by e-mail?

Does the practice allow patients to access information over their website? For example, test results.

Can test results and other information be given to patients over the telephone?

All Areas

Are computer monitors positioned away from public areas to avoid observation by visitors or patients?

Are screens on unattended computers returned to the log-on screen or protected by a password-enabled screen saver?

Do staff protect their IDs and passwords and never share them?

Are paper records and medical charts stored or filed to avoid observation by patients and visitors?

Are paper records stored behind locked rooms when not staffed?

Is confidential patient information kept off unsecured printers, photocopiers, and fax machines unless these devices are in a secure area?

Are visitors and patients appropriately escorted to ensure they do not access staff areas, dictating areas, chart storage, etc.?

Personnel Policies

Does the practice have HIPAA privacy policies written and incorporated in the employee handbook?

Are the privacy policies and procedures up to date?

Do new employees receive privacy training as part of their orientation?

Have all existing staff undergone privacy training?

Is employee training documented?

Signatures
Name and Signature of Auditor

HIPAA General Privacy Risk Analysis Checklist

Created by: SafetyCulture Staff | Industry: Health Services | Downloads: 61

Use this template to check how PHI and other information is generally handled in your institution. Use this for regular internal audits and to reinforce best practices and call out gaps.
