Version 1.0 July 31, 2012
1.0 - Program Description
1.1 - Program Type





State/Local Employees

Commercial Employees

Labor Union

Health Plans


1.2 - Program Type








EAP & Work life


1.3 - Program Description - Narrative


1.4 - Data Movement and Processes

Inputs - Where does data come from that is used in the program or office?

Processes - What is done with the data?

Outputs - Where is data sent and how?

Enter diagram of data flow

1.4a - Is all data encrypted? If no explain in note field?

1.5 - Language Spoken

1.5a - Is English only language used in this office/clinic?

1.5b - What other languages are required?

1.5c - Are required posters in English and/or other language?

1.5d - Are required posters translated other language? If so note in Notes field languages.

1.5e - Are policies in English?

1.5f - Are policies translated if different language is used?

2.0 Physical Building Safety and Security
2.1 - Physical Building Description

2.1a - The physical appearance of the building is well maintained. No noticeable structural damage or broken windows.

2.1b - Photo of exterior of main building
2.2 - General Building Security Controls

2.2a - Number of floors

2.2b - Offices located on which floors.

2.2c - Office (main lobby) located on which floor.

2.2d - High Rise

2.2e - Low rise

2.2f - Neighborhood

2.2g - Security Staff

2.2h - Lobby guard (Non-APS Areas)

2.2i - Lobby guard (APS)

2.3 - Physical Parking

2.3a - Garage Parking

2.3b - Garge parking underground

2.3c - Open parking lot

2.4 - Physical Security Measures

2.4a - Master Key Control Procedure 

2.4b - Inside of building appears well maintained 

2.5 - Physical Features of the Walls

2.5a Are outside walls of suite floor to ceiling

2.6 - Entrance to Suite (Access Controls)

2.6b -  Direct Pedestrian Access to suite

2.6c -  Inside/Outside Building (lobby entrance)

2.6d -  Shatter Resistant Glass Door (if main door is glass)

2.6e -  Secured entrance (locked at all times)

2.6f - After hours lock

2.6g - Data watch (badge access)

2.6h - Secondary Key system (primary badge; can use key to manually enter suite)

2.6i - Suite has a reception area

2.6j - CCTV on front door

2.6k - Buzz through (a person can be buzzed into suite)

2.6l - Reception Area is stafed at all times

2.6m - Vistor "Check In Sheet"

2.6n - Confidentiality Agreement available or on sign in sheet (guest)

2.6o - Guess badges available

2.6p - CCTV (cover reception area)

2.6q -CCTV used on Outer Perimeters

2.6r - Systems Monitors and alert guard by CCTV and/or motion

2.6s - External Monitored (outside contracted vendor monitor security systems)

2.6t - Is area Patrolled by land lord

2.6u -Photo of main lobby

2.6v - Main lobby secured via card access or security guard.

2.6w - Main door to APS office has card key access?

2.6x - Main Door have physical key access?

2.6y - There is a physical key inventory control procedure?

2.6z - If main access is through a solid door (no physical view of other side) CCTV used to identify those who enter?

3.0 - Data Destruction

3a - Are shred bins used? If so how many bins?

3b - How are hard drives or other electronic media destroyed?

4.0 - Privacy

4a - Executive Director or Department heads excepts responsibility for local Privacy and Security.

4b - The office uses PHI?

4c - The local office uses PII and/or NPII?

4d - The local office has a continual privacy risk assessment process?

4e - Follows a documented, repeatable process for reporting repeatable process.

4f - All on workforce members who are not direct on company payroll are trained in privacy and security before access is granted to resources that contain PHI, PII or NPII?

4g - Business Associates have BAAs in place? List BAs in note field and note if BAAs are in place.

4h -PIAs have been conducted on all BAs? If BAAs do not have a PIA list BAs in note field.

4i - Is there an ongoing program to identify risk of private information being disclosed t the local level? 164.402

4j - Is there a process in place for workforce members to contact either the CPO or CSO of suspected privacy violations?

4k - Is there a process for notifying the privacy or security office as soon as possible of a possible disclosure? 164.404

4l - Does workforce members know where the form is to describe the disclosure? 164.404

4m - Do all BAs contracted through the local office know to contact the local office of a confirmed Disclosure/Breach? 164.410

4n - Policy or procedures exist encase a law enforcement official makes a request to a local office or Business Associate that the compliance department is notified immediately? §164.412

4o - What education is given to local office employees related to disclosing information on a deceased individual? §164.502

4p - How is consent verified for individuals that act on the behalf of an individuals who is an adult or emancipated minor? §164.502

4q -Inquire of management as to whether workforce members know how to use secure methods of communicating PHI/PII ? §164.502

4r - Inquire of management as to whether policies or procedure are in place in sharing information with companies that are plan sponsor? §164.504

4s -Where authorization is required how does the local office obtain valid authorization? §164.508

4t - What policies or procedures to disclose PHI to a family member? §164.508

4u - Determine how persons or classes of persons, who need access to protected PHI is identified and controlled? §164.510

4v - Determine how data is kept to a minimum necessary when shared either internally or externally. §164.514

4w - How is it determined the identity of the individual who has made a request for PHI? §164.514

4x - Does each workforce member know where the company privacy policy is located and is able to refer individuals to the publically viewable Privacy statement? §164.520

4y - Does each workforce member know how an individual may get “access” (accounting for Access) to PHI ? §164.524

4z - Does each workforce member know how and where to refer an individual if a request for disclosure or access is made of APS? §164.528

4aa - Beyond annual training are workforce members given additional local office Privacy training? §164.530(b)(1)A

4ab -Are there procedures existing for receiving and processing complaints over the entity's privacy practices? §164.530(d)(1)A

4ac - How does local management mitigate any identified issues of a use or disclosure of PHI at the local level? §164.530(f)(1)A

4ad - How does local management prevent intimidation against workforce members or for participants when reporting a Privacy or Security violation? §164.530(f)(1)A

4ae - Procedures for terminating access to electronic protected health information with in one day when the employment of a workforce member ends. §164.308(a)(3)(ii)(C)

4af - Have you implement additional a security awareness and training program for the local office? §164.308(a)(5)

4ag - Are policies or procedures to identify and report suspected or known security incidents to the CSO or CPO? .§164.308(a)(6)

4ah - Does the local office have a contingency plan responding to system emergencies? .§164.308(a)(7)(i)

4ai - Does the have a procedure to check an office or cubical for PHI when a workforce member terminates or moves? §164.308(a)(7)(i)

5.0 - General Security

5a - Badges worn

5b - Badges worn above waist

5c - Monitored emergency exit

5d - Group Printers Procedure

5e - Group Fax Procedure

5f - Mailroom secure

5g - Mailroom away from public area

5h - File cabinets Locked (in common areas)

5i - Procedure for end of day File cabinet locking

5j - Shred It bins (note # of bins)

5k - Building Security Education

5l - Building Awareness Program (fire routes)

5m - Security Plan Posted (evacuation)

5.1 - Cubicles

5.1a - Locks on Drawers (in place)

5.1b - Locked Drawers (being used)

5.1c - Locks on overhead (in place) 

5.1d - Locked Overheads (being used)

5.1e - Locks on File Cabinets (in place)

5.1f - Locked File Cabinets (being used)

5.1g - PHI/PII Visible on work space

5.1h - Individual Printers w/PHI 

5.1i - Screen Time out 

5.1j - Limited use of speaker phones

5.1k - Laptop Locks Used 

5.1l - Trash can PHI

5.2 - Office 

5.2a - Visible (can see inside offices)

5.2b - Locked @ Night 

5.2c - Locked during day when empty

5.2d - Locks for desk

5.2e - Locks for desk used

5.2f - Locks for File Cabinets

5.2g - Locks for file cabinet used 

5.2h - Laptops Locks Used 

5.2i - Trash can PHI

5.3 - Emergency Exit

5.3a - Always locked

5.3b - Panic/Crash bars

5.3.c - Area Clear of obstruction 

5.3d - Camera system 

5.3e - Clearly marked 

5.3f- Direction Signage

5.4 - Fire Safety

5.4a - Fire extinguisher

5.4b - Number of Fire Extinguisher

5.4c -Is there a current certificate of inspection for the fire extinguishers?

5.4d - Enter the Date:
5.5 - Designated Fire Person & Policy

5.5a - Is there a designated Fire Marshall?

5.5b - Name of Fire Marshall:

5.5c - Is there a Practice Fire Policy available?

5.5d - Are there Fire Protocols on display (exit maps)?

5.6 - Fire extinguishers

5.6a - List of positions for the fire extinguishers:

5.6b - Fire Extinguishers are available in critical areas.

5.6c - Extinguishers in place, clearly marked for type of fire?

5.6d - Extinguishers recently serviced? (Check 6 monthly punch mark on tag) record date

5.6e - Are the extinguishers AS2444 compliant?

5.6f - Indicator signs 2.1 m above floor level?

5.6g - Extinguishers clear of obstructions?

5.7 - Fire Exits

5.7a - Are the fire exits adequately signed?

5.7b - Examples of dental practice signs.

5.7c - Paths of travel clear and well defined?

5.7d - Are the fire exits free of clutter and easy to use?

5.7e - Are the fire exits adequate for disabled access?

5.7f - Can the fire exit be opened?

5.7g - Extinguishers no more than 1200 mm max height & base not lower that 100 mm?

5.9 - Fire Alarm

5.9a - Is there a Fire panel or OWS present? (only for ceiling mounted sprinkler system)

5.9b - Are regular fire alarm checks conducted?

5.9c - Are there log books on site? If so what is the last test date?

5.9d - Are there monthly staff +/- patient fire alarm practices undertaken?

5.9e - Are there adequate number of detectors?

5.9f - Is the system AS1670 compliant?

6.0 - General Lighting

6a - Good natural lighting?

6b - Light fittings clean and in good condition?

7.0 - Emergency and Exit Lighting

7a - Emergency exit lighting operable?

7b - Example of emergency lighting.

7c - Log books on site? If so what is the last test date?

7d - Any defect noted in log book?

7e - Is lighting adequate?

7F - If patient records are stored in paper form is a fire extinguisher within 3 feet of door (interior or Exterior)

8.0 - Alarm System

8a - Wrongful entry

8b - Response procedure documented

8c - Fire plan tested

8d - Last Fire Plan Test activated

8e - Central meeting location identfied and staff notified

8f - Employee identification (who is absent from work)

9.0 - Signage

9a - Minimum Wage (Fair Labor Standards Act)

9b - Family and Medical Leave (Family and Medical Leave ACT OF 1993

9c - Equal Employment, Age Discrimination, Disability (Civil Rights Act of 1964, Age Discrimination Act of 1967 (ADEA), Americans with Disabilities Act, Rehabilitation Act of 1973)

9d - Occupational Safety and Health Act (Occupational Safety and Health Act)

9e - Medical Fraud and Abuse

10.0Other safety

10a - Bathroom Emergency Key

10b - Use of portable heaters (prohibited)

10c - Computer Room (if present)

10d - Does the facility have a server in a data closet or Computer room?

10e - Controlled entry

10f - Data watch system

11 - Data Closet (if present)

11a - Controlled entry

11b - Data watch system

12.0 - Mobile Workforce (if present)

12a - Has Mobile Workforce

12b - Workforce carries paper PHI or PII

12c - Use of “Secure Briefcase” for paper records

12d - Secure cable are supplied to secure briefcase (any) in car

13.0 - Work @ Home (if present)

13a - Has home based Workforce

13b - Workforce handles PHI or PII

13c - All workforce members have an approved shredder

13d - All workforce members have an approved laptop lock

13e - All workforce members have away of locking up paper PHI and laptop when not in use (locking drawer)

14.0 - WIFI (if present)

14a -  Present

14b -  Access Point Secured

14c - Rouge Access Points present that are unsecure

14d - Non-APS secure Access Point broadcast into APS space

Please note that this checklist is a hypothetical example and provides basic information only. It is not intended to take the place of, among other things, workplace, health and safety advice; medical advice, diagnosis, or treatment; or other applicable laws. You should also seek your own professional advice to determine if the use of such checklist is permissible in your workplace or jurisdiction.