EAP & Work life
Inputs - Where does data come from that is used in the program or office?
Processes - What is done with the data?
Outputs - Where is data sent and how?
1.4a - Is all data encrypted? If not, explain in Notes field.
1.5a - Is English only language used in this office/clinic?
1.5b - What other languages are required?
1.5c - Are required posters in English and/or other language?
1.5d - Are required posters translated into other languages? If so, note the languages in the Notes field.
1.5e - Are policies in English?
1.5f - Are policies translated if a different language is used?
2.1a - The physical appearance of the building is well maintained. No noticeable structural damage or broken windows.
2.2a - Number of floors
2.2b - Offices located on which floors.
2.2c - Office (main lobby) located on which floor.
2.2d - High Rise
2.2e - Low rise
2.2f - Neighborhood
2.2g - Security Staff
2.2h - Lobby guard (Non-APS Areas)
2.2i - Lobby guard (APS)
2.3a - Garage Parking
2.3b - Garage parking underground
2.3c - Open parking lot
2.4a - Master Key Control Procedure
2.4b - Inside of building appears well maintained
2.5a - Are outside walls of suite floor to ceiling?
2.6b - Direct Pedestrian Access to suite
2.6c - Inside/Outside Building (lobby entrance)
2.6d - Shatter Resistant Glass Door (if main door is glass)
2.6e - Secured entrance (locked at all times)
2.6f - After hours lock
2.6g - Data watch (badge access)
2.6h - Secondary Key system (primary badge; can use key to manually enter suite)
2.6i - Suite has a reception area
2.6j - CCTV on front door
2.6k - Buzz through (a person can be buzzed into suite)
2.6l - Reception Area is staffed at all times
2.6m - Visitor "Check In Sheet"
2.6n - Confidentiality Agreement available or on sign in sheet (guest)
2.6o - Guest badges available
2.6p - CCTV (cover reception area)
2.6q - CCTV used on outer perimeters
2.6r - System monitors and alerts guard by CCTV and/or motion detection
2.6s - Externally monitored (outside contracted vendor monitors security systems)
2.6t - Is area patrolled by landlord?
2.6v - Main lobby secured via card access or security guard.
2.6w - Main door to APS office has card key access?
2.6x - Main Door have physical key access?
2.6y - There is a physical key inventory control procedure?
2.6z - If main access is through a solid door (no physical view of other side) CCTV used to identify those who enter?
3a - Are shred bins used? If so how many bins?
3b - How are hard drives or other electronic media destroyed?
4a - Executive Director or Department heads accept responsibility for local Privacy and Security.
4b - The office uses PHI?
4c - The local office uses PII and/or NPII?
4d - The local office has a continual privacy risk assessment process?
4e - Follows a documented, repeatable process for reporting.
4f - All workforce members who are not directly on the company payroll are trained in privacy and security before access is granted to resources that contain PHI, PII or NPII?
4g - Business Associates have BAAs in place? List BAs in note field and note if BAAs are in place.
4h - PIAs have been conducted on all BAs? If BAs do not have a PIA, list BAs in note field.
4i - Is there an ongoing program to identify risk of private information being disclosed at the local level? 164.402
4j - Is there a process in place for workforce members to contact either the CPO or CSO of suspected privacy violations?
4k - Is there a process for notifying the privacy or security office as soon as possible of a possible disclosure? 164.404
4l - Do workforce members know where the form is to describe the disclosure? 164.404
4m - Do all BAs contracted through the local office know to contact the local office of a confirmed Disclosure/Breach? 164.410
4n - Do policies or procedures exist so that, in case a law enforcement official makes a request to a local office or Business Associate, the compliance department is notified immediately? §164.412
4o - What education is given to local office employees related to disclosing information on a deceased individual? §164.502
4p - How is consent verified for individuals that act on behalf of an individual who is an adult or emancipated minor? §164.502
4q - Inquire of management as to whether workforce members know how to use secure methods of communicating PHI/PII? §164.502
4r - Inquire of management as to whether policies or procedures are in place for sharing information with companies that are plan sponsors? §164.504
4s - Where authorization is required, how does the local office obtain valid authorization? §164.508
4t - What policies or procedures exist for disclosing PHI to a family member? §164.508
4u - Determine how persons or classes of persons who need access to protected PHI are identified and controlled. §164.510
4v - Determine how data is kept to a minimum necessary when shared either internally or externally. §164.514
4w - How is the identity of the individual who has made a request for PHI verified? §164.514
4y - Does each workforce member know how an individual may get access (accounting for Access) to PHI? §164.524
4z - Does each workforce member know how and where to refer an individual if a request for disclosure or access is made of APS? §164.528
4aa - Beyond annual training are workforce members given additional local office Privacy training? §164.530(b)(1)A
4ab - Are there procedures existing for receiving and processing complaints over the entity's privacy practices? §164.530(d)(1)A
4ac - How does local management mitigate any identified issues of a use or disclosure of PHI at the local level? §164.530(f)(1)A
4ad - How does local management prevent intimidation against workforce members or for participants when reporting a Privacy or Security violation? §164.530(f)(1)A
4ae - Procedures for terminating access to electronic protected health information within one day when the employment of a workforce member ends. §164.308(a)(3)(ii)(C)
4af - Have you implemented an additional security awareness and training program for the local office? §164.308(a)(5)
4ag - Are there policies or procedures to identify and report suspected or known security incidents to the CSO or CPO? §164.308(a)(6)
4ah - Does the local office have a contingency plan for responding to system emergencies? §164.308(a)(7)(i)
4ai - Does the office have a procedure to check an office or cubicle for PHI when a workforce member terminates or moves? §164.308(a)(7)(i)
5a - Badges worn
5b - Badges worn above waist
5c - Monitored emergency exit
5d - Group Printers Procedure
5e - Group Fax Procedure
5f - Mailroom secure
5g - Mailroom away from public area
5h - File cabinets Locked (in common areas)
5i - Procedure for end of day File cabinet locking
5j - Shred It bins (note # of bins)
5k - Building Security Education
5l - Building Awareness Program (fire routes)
5m - Security Plan Posted (evacuation)
5.1a - Locks on Drawers (in place)
5.1b - Locked Drawers (being used)
5.1c - Locks on overhead (in place)
5.1d - Locked Overheads (being used)
5.1e - Locks on File Cabinets (in place)
5.1f - Locked File Cabinets (being used)
5.1g - PHI/PII Visible on work space
5.1h - Individual Printers w/PHI
5.1i - Screen Time out
5.1j - Limited use of speaker phones
5.1k - Laptop Locks Used
5.1l - Trash can PHI
5.2a - Visible (can see inside offices)
5.2b - Locked @ Night
5.2c - Locked during day when empty
5.2d - Locks for desk
5.2e - Locks for desk used
5.2f - Locks for File Cabinets
5.2g - Locks for file cabinet used
5.2h - Laptops Locks Used
5.2i - Trash can PHI
5.3a - Always locked
5.3b - Panic/Crash bars
5.3c - Area clear of obstruction
5.3d - Camera system
5.3e - Clearly marked
5.3f - Direction Signage
5.4a - Fire extinguisher
5.4b - Number of Fire Extinguishers
5.4c - Is there a current certificate of inspection for the fire extinguishers?
5.5a - Is there a designated Fire Marshal?
5.5b - Name of Fire Marshal:
5.5c - Is there a Practice Fire Policy available?
5.5d - Are there Fire Protocols on display (exit maps)?
5.6a - List of positions for the fire extinguishers:
5.6b - Fire Extinguishers are available in critical areas.
5.6c - Extinguishers in place, clearly marked for type of fire?
5.6d - Extinguishers recently serviced? (Check six-monthly punch mark on tag.) Record date.
5.6e - Are the extinguishers AS2444 compliant?
5.6f - Indicator signs 2.1 m above floor level?
5.6g - Extinguishers clear of obstructions?
5.7a - Are the fire exits adequately signed?
5.7c - Paths of travel clear and well defined?
5.7d - Are the fire exits free of clutter and easy to use?
5.7e - Are the fire exits adequate for disabled access?
5.7f - Can the fire exit be opened?
5.7g - Extinguishers no more than 1200 mm max height and base not lower than 100 mm?
5.9a - Is there a Fire panel or OWS present? (only for ceiling mounted sprinkler system)
5.9b - Are regular fire alarm checks conducted?
5.9c - Are there log books on site? If so what is the last test date?
5.9d - Are there monthly staff +/- patient fire alarm practices undertaken?
5.9e - Are there adequate number of detectors?
5.9f - Is the system AS1670 compliant?
6a - Good natural lighting?
6b - Light fittings clean and in good condition?
7a - Emergency exit lighting operable?
7c - Log books on site? If so what is the last test date?
7d - Any defect noted in log book?
7e - Is lighting adequate?
7f - If patient records are stored in paper form, is a fire extinguisher within 3 feet of the door (interior or exterior)?
8a - Wrongful entry
8b - Response procedure documented
8c - Fire plan tested
8d - Last Fire Plan Test activated
8e - Central meeting location identified and staff notified
8f - Employee identification (who is absent from work)
9a - Minimum Wage (Fair Labor Standards Act)
9b - Family and Medical Leave (Family and Medical Leave Act of 1993)
9c - Equal Employment, Age Discrimination, Disability (Civil Rights Act of 1964, Age Discrimination Act of 1967 (ADEA), Americans with Disabilities Act, Rehabilitation Act of 1973)
9d - Occupational Safety and Health Act (Occupational Safety and Health Act)
9e - Medical Fraud and Abuse
10a - Bathroom Emergency Key
10b - Use of portable heaters (prohibited)
10d - Does the facility have a server in a data closet or Computer room?
10e - Controlled entry
10f - Data watch system
11a - Controlled entry
11b - Data watch system
12a - Has Mobile Workforce
12b - Workforce carries paper PHI or PII
12c - Use of Secure Briefcase for paper records
12d - Secure cables are supplied to secure briefcase (if any) in car
13a - Has home based Workforce
13b - Workforce handles PHI or PII
13c - All workforce members have an approved shredder
13d - All workforce members have an approved laptop lock
13e - All workforce members have a way of locking up paper PHI and laptop when not in use (locking drawer)
14a - Present
14b - Access Point Secured
14c - Rogue access points present that are unsecured
14d - Non-APS secured access point broadcasts into APS space