Information
-
Audit Title
-
Document No.
-
Client / Site
-
Conducted on
-
Prepared by
-
Location
-
Personnel
Version 1.0 July 31, 2012
1.0 - Program Description
1.1 - Program Type
-
Private
-
Public
-
Medicare
-
Medicaid
-
State/Local Employees
-
Commercial Employees
-
Labor Union
-
Health Plans
-
Other
1.2 - Program Type
-
DM
-
Wellness
-
BH
-
UM
-
EQRO
-
PASSRR
-
HI
-
EAP & Work life
-
Other
1.3 - Program Description - Narrative
-
Narrative
1.4 - Data Movement and Processes
-
Inputs - Where does data come from that is used in the program or office?
-
Processes - What is done with the data?
-
Outputs - Where is data sent and how?
-
Enter diagram of data flow
-
1.4a - Is all data encrypted? If no, explain in the Notes field.
1.5 - Language Spoken
-
1.5a - Is English the only language used in this office/clinic?
-
1.5b - What other languages are required?
-
1.5c - Are required posters in English and/or other language?
-
1.5d - Are required posters translated into other languages? If so, note the languages in the Notes field.
-
1.5e - Are policies in English?
-
1.5f - Are policies translated if a different language is used?
2.0 Physical Building Safety and Security
2.1 - Physical Building Description
-
2.1a - The physical appearance of the building is well maintained. No noticeable structural damage or broken windows.
-
2.1b - Photo of exterior of main building
2.2 - General Building Security Controls
-
2.2a - Number of floors
-
2.2b - Offices are located on which floors?
-
2.2c - Office (main lobby) is located on which floor?
-
2.2d - High Rise
-
2.2e - Low rise
-
2.2f - Neighborhood
-
2.2g - Security Staff
-
2.2h - Lobby guard (Non-APS Areas)
-
2.2i - Lobby guard (APS)
2.3 - Physical Parking
-
2.3a - Garage Parking
-
2.3b - Garage parking underground
-
2.3c - Open parking lot
2.4 - Physical Security Measures
-
2.4a - Master Key Control Procedure
-
2.4b - Inside of building appears well maintained
2.5 - Physical Features of the Walls
-
2.5a - Are outside walls of suite floor to ceiling?
2.6 - Entrance to Suite (Access Controls)
-
2.6b - Direct Pedestrian Access to suite
-
2.6c - Inside/Outside Building (lobby entrance)
-
2.6d - Shatter Resistant Glass Door (if main door is glass)
-
2.6e - Secured entrance (locked at all times)
-
2.6f - After hours lock
-
2.6g - Data watch (badge access)
-
2.6h - Secondary Key system (primary badge; can use key to manually enter suite)
-
2.6i - Suite has a reception area
-
2.6j - CCTV on front door
-
2.6k - Buzz through (a person can be buzzed into suite)
-
2.6l - Reception Area is staffed at all times
-
2.6m - Visitor "Check In Sheet"
-
2.6n - Confidentiality Agreement available or on sign in sheet (guest)
-
2.6o - Guest badges available
-
2.6p - CCTV (cover reception area)
-
2.6q - CCTV used on Outer Perimeters
-
2.6r - System monitors and alerts guard by CCTV and/or motion detection
-
2.6s - Externally monitored (outside contracted vendor monitors security systems)
-
2.6t - Is area patrolled by landlord?
-
2.6u - Photo of main lobby
-
2.6v - Main lobby secured via card access or security guard.
-
2.6w - Main door to APS office has card key access?
-
2.6x - Main door has physical key access?
-
2.6y - There is a physical key inventory control procedure?
-
2.6z - If main access is through a solid door (no physical view of other side), is CCTV used to identify those who enter?
3.0 - Data Destruction
-
3a - Are shred bins used? If so, how many bins?
-
3b - How are hard drives or other electronic media destroyed?
4.0 - Privacy
-
4a - Executive Director or Department heads accept responsibility for local Privacy and Security.
-
4b - The office uses PHI?
-
4c - The local office uses PII and/or NPII?
-
4d - The local office has a continual privacy risk assessment process?
-
4e - Follows a documented, repeatable process for reporting.
-
4f - All workforce members who are not directly on the company payroll are trained in privacy and security before access is granted to resources that contain PHI, PII or NPII?
-
4g - Business Associates have BAAs in place? List BAs in note field and note if BAAs are in place.
-
4h - PIAs have been conducted on all BAs? If BAs do not have a PIA, list them in the Notes field.
-
4i - Is there an ongoing program to identify the risk of private information being disclosed at the local level? §164.402
-
4j - Is there a process in place for workforce members to contact either the CPO or CSO about suspected privacy violations?
-
4k - Is there a process for notifying the privacy or security office as soon as possible of a possible disclosure? 164.404
-
4l - Do workforce members know where the form is to describe the disclosure? §164.404
-
4m - Do all BAs contracted through the local office know to contact the local office about a confirmed Disclosure/Breach? §164.410
-
4n - Policies or procedures exist so that, in case a law enforcement official makes a request to a local office or Business Associate, the compliance department is notified immediately? §164.412
-
4o - What education is given to local office employees related to disclosing information on a deceased individual? §164.502
-
4p - How is consent verified for persons who act on behalf of an individual who is an adult or emancipated minor? §164.502
-
4q - Inquire of management as to whether workforce members know how to use secure methods of communicating PHI/PII? §164.502
-
4r - Inquire of management as to whether policies or procedures are in place for sharing information with companies that are plan sponsors? §164.504
-
4s - Where authorization is required, how does the local office obtain valid authorization? §164.508
-
4t - What policies or procedures exist for disclosing PHI to a family member? §164.508
-
4u - Determine how persons or classes of persons who need access to protected PHI are identified and controlled. §164.510
-
4v - Determine how data is kept to a minimum necessary when shared either internally or externally. §164.514
-
4w - How is the identity of an individual who has made a request for PHI determined? §164.514
-
4x - Does each workforce member know where the company privacy policy is located and is able to refer individuals to the publicly viewable Privacy statement? §164.520
-
4y - Does each workforce member know how an individual may get access (accounting for Access) to PHI? §164.524
-
4z - Does each workforce member know how and where to refer an individual if a request for disclosure or access is made of APS? §164.528
-
4aa - Beyond annual training are workforce members given additional local office Privacy training? §164.530(b)(1)A
-
4ab - Are there procedures in place for receiving and processing complaints about the entity's privacy practices? §164.530(d)(1)A
-
4ac - How does local management mitigate any identified issues of a use or disclosure of PHI at the local level? §164.530(f)(1)A
-
4ad - How does local management prevent intimidation against workforce members or for participants when reporting a Privacy or Security violation? §164.530(f)(1)A
-
4ae - Procedures for terminating access to electronic protected health information within one day when the employment of a workforce member ends. §164.308(a)(3)(ii)(C)
-
4af - Have you implemented an additional security awareness and training program for the local office? §164.308(a)(5)
-
4ag - Are there policies or procedures to identify and report suspected or known security incidents to the CSO or CPO? §164.308(a)(6)
-
4ah - Does the local office have a contingency plan for responding to system emergencies? §164.308(a)(7)(i)
-
4ai - Does the office have a procedure to check an office or cubicle for PHI when a workforce member terminates or moves? §164.308(a)(7)(i)
5.0 - General Security
-
5a - Badges worn
-
5b - Badges worn above waist
-
5c - Monitored emergency exit
-
5d - Group Printers Procedure
-
5e - Group Fax Procedure
-
5f - Mailroom secure
-
5g - Mailroom away from public area
-
5h - File cabinets Locked (in common areas)
-
5i - Procedure for end of day File cabinet locking
-
5j - Shred It bins (note # of bins)
-
5k - Building Security Education
-
5l - Building Awareness Program (fire routes)
-
5m - Security Plan Posted (evacuation)
5.1 - Cubicles
-
5.1a - Locks on Drawers (in place)
-
5.1b - Locked Drawers (being used)
-
5.1c - Locks on overhead (in place)
-
5.1d - Locked Overheads (being used)
-
5.1e - Locks on File Cabinets (in place)
-
5.1f - Locked File Cabinets (being used)
-
5.1g - PHI/PII Visible on work space
-
5.1h - Individual Printers w/PHI
-
5.1i - Screen Time out
-
5.1j - Limited use of speaker phones
-
5.1k - Laptop Locks Used
-
5.1l - Trash can PHI
5.2 - Office
-
5.2a - Visible (can see inside offices)
-
5.2b - Locked @ Night
-
5.2c - Locked during day when empty
-
5.2d - Locks for desk
-
5.2e - Locks for desk used
-
5.2f - Locks for File Cabinets
-
5.2g - Locks for file cabinet used
-
5.2h - Laptops Locks Used
-
5.2i - Trash can PHI
5.3 - Emergency Exit
-
5.3a - Always locked
-
5.3b - Panic/Crash bars
-
5.3c - Area clear of obstruction
-
5.3d - Camera system
-
5.3e - Clearly marked
-
5.3f - Direction Signage
5.4 - Fire Safety
-
5.4a - Fire extinguisher
-
5.4b - Number of fire extinguishers
-
5.4c - Is there a current certificate of inspection for the fire extinguishers?
-
5.4d - Enter the Date:
5.5 - Designated Fire Person & Policy
-
5.5a - Is there a designated Fire Marshal?
-
5.5b - Name of Fire Marshal:
-
5.5c - Is there a Practice Fire Policy available?
-
5.5d - Are there Fire Protocols on display (exit maps)?
5.6 - Fire extinguishers
-
5.6a - List of positions for the fire extinguishers:
-
5.6b - Fire Extinguishers are available in critical areas.
-
5.6c - Extinguishers in place, clearly marked for type of fire?
-
5.6d - Extinguishers recently serviced? (Check six-monthly punch mark on tag); record date.
-
5.6e - Are the extinguishers AS2444 compliant?
-
5.6f - Indicator signs 2.1 m above floor level?
-
5.6g - Extinguishers clear of obstructions?
5.7 - Fire Exits
-
5.7a - Are the fire exits adequately signed?
-
5.7b - Examples of dental practice signs.
-
5.7c - Paths of travel clear and well defined?
-
5.7d - Are the fire exits free of clutter and easy to use?
-
5.7e - Are the fire exits adequate for disabled access?
-
5.7f - Can the fire exit be opened?
-
5.7g - Extinguishers no more than 1200 mm max height and base not lower than 100 mm?
5.9 - Fire Alarm
-
5.9a - Is there a Fire panel or OWS present? (only for ceiling mounted sprinkler system)
-
5.9b - Are regular fire alarm checks conducted?
-
5.9c - Are there log books on site? If so what is the last test date?
-
5.9d - Are there monthly staff +/- patient fire alarm practices undertaken?
-
5.9e - Is there an adequate number of detectors?
-
5.9f - Is the system AS1670 compliant?
6.0 - General Lighting
-
6a - Good natural lighting?
-
6b - Light fittings clean and in good condition?
7.0 - Emergency and Exit Lighting
-
7a - Emergency exit lighting operable?
-
7b - Example of emergency lighting.
-
7c - Log books on site? If so what is the last test date?
-
7d - Any defect noted in log book?
-
7e - Is lighting adequate?
-
7f - If patient records are stored in paper form, is a fire extinguisher within 3 feet of the door (interior or exterior)?
8.0 - Alarm System
-
8a - Wrongful entry
-
8b - Response procedure documented
-
8c - Fire plan tested
-
8d - Last Fire Plan Test activated
-
8e - Central meeting location identified and staff notified
-
8f - Employee identification (who is absent from work)
9.0 - Signage
-
9a - Minimum Wage (Fair Labor Standards Act)
-
9b - Family and Medical Leave (Family and Medical Leave Act of 1993)
-
9c - Equal Employment, Age Discrimination, Disability (Civil Rights Act of 1964, Age Discrimination Act of 1967 (ADEA), Americans with Disabilities Act, Rehabilitation Act of 1973)
-
9d - Occupational Safety and Health Act (Occupational Safety and Health Act)
-
9e - Medical Fraud and Abuse
10.0 - Other Safety
-
10a - Bathroom Emergency Key
-
10b - Use of portable heaters (prohibited)
10c - Computer Room (if present)
-
10d - Does the facility have a server in a data closet or Computer room?
-
10e - Controlled entry
-
10f - Data watch system
11 - Data Closet (if present)
-
11a - Controlled entry
-
11b - Data watch system
12.0 - Mobile Workforce (if present)
-
12a - Has Mobile Workforce
-
12b - Workforce carries paper PHI or PII
-
12c - Use of Secure Briefcase for paper records
-
12d - Secure cables are supplied to secure briefcase (any) in car
13.0 - Work @ Home (if present)
-
13a - Has home based Workforce
-
13b - Workforce handles PHI or PII
-
13c - All workforce members have an approved shredder
-
13d - All workforce members have an approved laptop lock
-
13e - All workforce members have a way of locking up paper PHI and laptop when not in use (locking drawer)
14.0 - WIFI (if present)
-
14a - Present
-
14b - Access Point Secured
-
14c - Rogue Access Points present that are unsecured
-
14d - Non-APS secure Access Point broadcasts into APS space