HIPAA Privacy Risk Analysis

Information

Check-in Procedures

Is a sign in sheet used?
New Patient information form - Is there completion assistance?
Do we verify insurance and how do we verify insurance?
How do we verify demographic information?
Is the appointment schedule in plain view of the patients?
Are any computer screens visible from the waiting room or by patients at the check out counter?
Is there a signed consent form in the patient record to use and disclose information for TPO ( Treatment, Payment, or Heathcare Operations)?
Has the patient signed the Notice of Privacy Practices Acknowledgement?
A appointments confirmed over the phone? What information is left on voicemail?
Are postcards used as reminders?
Does the practice verify the identity of patients upon arrival and on the phone?

How are patients called to the room?
Do providers and/or staff discuss patient information in or near clinical areas where other patients can overhear?
Do Physicians dictate at a workstation central to patient care areas?
Are telephone calls made to other providers, labs, pharmacies, hospitals, managed care administrators, or case managers in which patient information is discussed and other patients can overhear?
Are all exam room doors kept shut during patient encounters?
Are telephones used in exam rooms?
Are lab or X-ray logs kept covered to prevent PHI from being visible?
Are X-ray films, folders, and requisitions kept out of public view?
Are patients escorted from the waiting room to exam room, exam room to X-ray, exam room to lab, etc?
Are orders given to patients privately or in a low voice as to not be overheard during their check out process?
Is any PHI visible in the clinical workstations while unattended?
Are PHI shred bins emptied and not overfilled?
Are passwords of any kind visible in the clinical workstations?

Does the practice have a telephone policy to identify callers when asking for their clinical or billing information?
Is the fax machine located in a secure place?
Is the a log on/log off policy?
Are there any security passwords visible?

Are all staff members allowed access to the medical records department?
Is the an out-guide system or other mechanism for flagging charts that a pulled?
What is the physical security of medical records?
Are medical records transferred between locations?
Does the practice have a records release policy?
Is the patients written authorization received before release of PHI?
Are authorizations filed in the patients medical record?
Does the practice document disclosure of PHI for non-TPO activities? Is this tracked in the event of a request for accounting of disclosures?
Does the practice have a staff member who is trained to answer patient questions about their records?
Is an outside vendor used for microfilm, storage and shredding?
Can PHI be destroyed after the expiration of the retention period?

How can medical records be sent to specialists or other providers the patient is being referred to?
Can patients and providers communicate by e-mail?
Does the practice allow patients to access information over their website? For example, test results.
Can test results and other information be given to patients over the telephone?

Are computer monitors positioned away from public areas to avoid observation by visitors or patients?
A screens on unattended computers turned to the log-on screen or have a password enabled screen protector?
Does staff protect their ID and passwords and never share them?
Are paper records and medical charts stored or filed to avoid observation by patients and visitors?
Are paper records stored behind locked rooms when not staffed?
Confidential patient information is not left on an unsecured printer, photocopier, or fax machine unless these devices are in a secure area.
Are visitors and patients appropriately escorted to ensure they do not access staff areas, dictating areas, chart storage, etc.?

Does the practice have HIPAA privacy policies written and incorporated in the employee handbook?
Are the privacy policies and procedures up to date?
Do new employees receive privacy training as part of their orientation?
Has all existing staff undergone Privacy Training?
Is employee training documented?