Information

  • Audit Title

  • Document No.

  • Client / Site

  • Conducted on

  • Prepared by

  • Location

  • Personnel

Version 1.0 July 31, 2012

1.0 - Program Description

1.1 - Program Type

  • Private

  • Public

  • Medicare

  • Medicaid

  • State/Local Employees

  • Commercial Employees

  • Labor Union

  • Health Plans

  • Other

1.2 - Program Type

  • DM

  • Wellness

  • BH

  • UM

  • EQRO

  • PASSRR

  • HI

  • EAP & Work life

  • Other

1.3 - Program Description - Narrative

  • Narrative

1.4 - Data Movement and Processes

  • Inputs - Where does data come from that is used in the program or office?

  • Processes - What is done with the data?

  • Outputs - Where is data sent and how?

  • Enter diagram of data flow

  • 1.4a - Is all data encrypted? If no, explain in the note field.

1.5 - Language Spoken

  • 1.5a - Is English the only language used in this office/clinic?

  • 1.5b - What other languages are required?

  • 1.5c - Are required posters in English and/or other languages?

  • 1.5d - Are required posters translated into other languages? If so, note the languages in the Notes field.

  • 1.5e - Are policies in English?

  • 1.5f - Are policies translated if a different language is used?

2.0 - Physical Building Safety and Security

2.1 - Physical Building Description

  • 2.1a - The physical appearance of the building is well maintained. No noticeable structural damage or broken windows.

  • 2.1b - Photo of exterior of main building

2.2 - General Building Security Controls

  • 2.2a - Number of floors

  • 2.2b - Offices are located on which floors?

  • 2.2c - Office (main lobby) is located on which floor?

  • 2.2d - High Rise

  • 2.2e - Low rise

  • 2.2f - Neighborhood

  • 2.2g - Security Staff

  • 2.2h - Lobby guard (Non-APS Areas)

  • 2.2i - Lobby guard (APS)

2.3 - Physical Parking

  • 2.3a - Garage Parking

  • 2.3b - Garage parking underground

  • 2.3c - Open parking lot

2.4 - Physical Security Measures

  • 2.4a - Master Key Control Procedure 

  • 2.4b - Inside of building appears well maintained 

2.5 - Physical Features of the Walls

  • 2.5a - Are outside walls of the suite floor to ceiling?

2.6 - Entrance to Suite (Access Controls)

  • 2.6b - Direct pedestrian access to suite

  • 2.6c - Inside/Outside Building (lobby entrance)

  • 2.6d - Shatter-resistant glass door (if main door is glass)

  • 2.6e - Secured entrance (locked at all times)

  • 2.6f - After hours lock

  • 2.6g - Data watch (badge access)

  • 2.6h - Secondary Key system (primary badge; can use key to manually enter suite)

  • 2.6i - Suite has a reception area

  • 2.6j - CCTV on front door

  • 2.6k - Buzz through (a person can be buzzed into suite)

  • 2.6l - Reception area is staffed at all times

  • 2.6m - Visitor "Check In Sheet"

  • 2.6n - Confidentiality Agreement available or on sign-in sheet (guest)

  • 2.6o - Guest badges available

  • 2.6p - CCTV (covers reception area)

  • 2.6q - CCTV used on outer perimeters

  • 2.6r - System monitors and alerts the guard via CCTV and/or motion detection

  • 2.6s - Externally monitored (outside contracted vendor monitors security systems)

  • 2.6t - Is area patrolled by landlord?

  • 2.6u - Photo of main lobby

  • 2.6v - Main lobby secured via card access or security guard.

  • 2.6w - Main door to APS office has card key access?

  • 2.6x - Main door has physical key access?

  • 2.6y - There is a physical key inventory control procedure?

  • 2.6z - If main access is through a solid door (no physical view of the other side), is CCTV used to identify those who enter?

3.0 - Data Destruction

  • 3a - Are shred bins used? If so how many bins?

  • 3b - How are hard drives or other electronic media destroyed?

4.0 - Privacy

  • 4a - Executive Director or Department heads accept responsibility for local Privacy and Security.

  • 4b - The office uses PHI?

  • 4c - The local office uses PII and/or NPII?

  • 4d - The local office has a continual privacy risk assessment process?

  • 4e - Follows a documented, repeatable process for reporting.

  • 4f - All workforce members who are not directly on company payroll are trained in privacy and security before access is granted to resources that contain PHI, PII or NPII?

  • 4g - Business Associates have BAAs in place? List BAs in note field and note if BAAs are in place.

  • 4h - PIAs have been conducted on all BAs? If any BA does not have a PIA, list those BAs in the note field.

  • 4i - Is there an ongoing program to identify the risk of private information being disclosed at the local level? 164.402

  • 4j - Is there a process in place for workforce members to contact either the CPO or CSO of suspected privacy violations?

  • 4k - Is there a process for notifying the privacy or security office as soon as possible of a possible disclosure? 164.404

  • 4l - Do workforce members know where the form is to describe the disclosure? 164.404

  • 4m - Do all BAs contracted through the local office know to contact the local office of a confirmed Disclosure/Breach? 164.410

  • 4n - Do policies or procedures exist so that, in case a law enforcement official makes a request to a local office or Business Associate, the compliance department is notified immediately? §164.412

  • 4o - What education is given to local office employees related to disclosing information on a deceased individual? §164.502

  • 4p - How is consent verified for individuals who act on behalf of an individual who is an adult or emancipated minor? §164.502

  • 4q - Inquire of management as to whether workforce members know how to use secure methods of communicating PHI/PII? §164.502

  • 4r - Inquire of management as to whether policies or procedures are in place for sharing information with companies that are plan sponsors? §164.504

  • 4s - Where authorization is required, how does the local office obtain valid authorization? §164.508

  • 4t - What policies or procedures exist for disclosing PHI to a family member? §164.508

  • 4u - Determine how persons or classes of persons who need access to PHI are identified and controlled. §164.510

  • 4v - Determine how data is kept to the minimum necessary when shared either internally or externally. §164.514

  • 4w - How is the identity of an individual who has made a request for PHI verified? §164.514

  • 4x - Does each workforce member know where the company privacy policy is located and is able to refer individuals to the publicly viewable Privacy statement? §164.520

  • 4y - Does each workforce member know how an individual may get "access" (accounting for Access) to PHI? §164.524

  • 4z - Does each workforce member know how and where to refer an individual if a request for disclosure or access is made of APS? §164.528

  • 4aa - Beyond annual training are workforce members given additional local office Privacy training? §164.530(b)(1)A

  • 4ab - Are there procedures existing for receiving and processing complaints over the entity's privacy practices? §164.530(d)(1)A

  • 4ac - How does local management mitigate any identified issues of a use or disclosure of PHI at the local level? §164.530(f)(1)A

  • 4ad - How does local management prevent intimidation against workforce members or for participants when reporting a Privacy or Security violation? §164.530(f)(1)A

  • 4ae - Procedures for terminating access to electronic protected health information within one day when the employment of a workforce member ends. §164.308(a)(3)(ii)(C)

  • 4af - Have you implemented an additional security awareness and training program for the local office? §164.308(a)(5)

  • 4ag - Are there policies or procedures to identify and report suspected or known security incidents to the CSO or CPO? §164.308(a)(6)

  • 4ah - Does the local office have a contingency plan for responding to system emergencies? §164.308(a)(7)(i)

  • 4ai - Does the office have a procedure to check an office or cubicle for PHI when a workforce member terminates or moves? §164.308(a)(7)(i)

5.0 - General Security

  • 5a - Badges worn

  • 5b - Badges worn above waist

  • 5c - Monitored emergency exit

  • 5d - Group Printers Procedure

  • 5e - Group Fax Procedure

  • 5f - Mailroom secure

  • 5g - Mailroom away from public area

  • 5h - File cabinets Locked (in common areas)

  • 5i - Procedure for end of day File cabinet locking

  • 5j - Shred It bins (note # of bins)

  • 5k - Building Security Education

  • 5l - Building Awareness Program (fire routes)

  • 5m - Security Plan Posted (evacuation)

5.1 - Cubicles

  • 5.1a - Locks on Drawers (in place)

  • 5.1b - Locked Drawers (being used)

  • 5.1c - Locks on overhead (in place) 

  • 5.1d - Locked Overheads (being used)

  • 5.1e - Locks on File Cabinets (in place)

  • 5.1f - Locked File Cabinets (being used)

  • 5.1g - PHI/PII Visible on work space

  • 5.1h - Individual Printers w/PHI 

  • 5.1i - Screen Time out 

  • 5.1j - Limited use of speaker phones

  • 5.1k - Laptop Locks Used 

  • 5.1l - Trash can PHI

5.2 - Office 

  • 5.2a - Visible (can see inside offices)

  • 5.2b - Locked @ Night 

  • 5.2c - Locked during day when empty

  • 5.2d - Locks for desk

  • 5.2e - Locks for desk used

  • 5.2f - Locks for File Cabinets

  • 5.2g - Locks for file cabinet used 

  • 5.2h - Laptops Locks Used 

  • 5.2i - Trash can PHI

5.3 - Emergency Exit

  • 5.3a - Always locked

  • 5.3b - Panic/Crash bars

  • 5.3c - Area clear of obstruction

  • 5.3d - Camera system 

  • 5.3e - Clearly marked 

  • 5.3f - Direction signage

5.4 - Fire Safety

  • 5.4a - Fire extinguisher

  • 5.4b - Number of fire extinguishers

  • 5.4c - Is there a current certificate of inspection for the fire extinguishers?

  • 5.4d - Enter the Date:

5.5 - Designated Fire Person & Policy

  • 5.5a - Is there a designated Fire Marshall?

  • 5.5b - Name of Fire Marshall:

  • 5.5c - Is there a Practice Fire Policy available?

  • 5.5d - Are there Fire Protocols on display (exit maps)?

5.6 - Fire extinguishers

  • 5.6a - List of positions for the fire extinguishers:

  • 5.6b - Fire Extinguishers are available in critical areas.

  • 5.6c - Extinguishers in place, clearly marked for type of fire?

  • 5.6d - Extinguishers recently serviced? (Check the six-monthly punch mark on the tag and record the date.)

  • 5.6e - Are the extinguishers AS2444 compliant?

  • 5.6f - Indicator signs 2.1 m above floor level?

  • 5.6g - Extinguishers clear of obstructions?

5.7 - Fire Exits

  • 5.7a - Are the fire exits adequately signed?

  • 5.7b - Examples of dental practice signs.

  • 5.7c - Paths of travel clear and well defined?

  • 5.7d - Are the fire exits free of clutter and easy to use?

  • 5.7e - Are the fire exits adequate for disabled access?

  • 5.7f - Can the fire exit be opened?

  • 5.7g - Extinguishers mounted no higher than 1200 mm maximum, with the base not lower than 100 mm?

5.9 - Fire Alarm

  • 5.9a - Is there a Fire panel or OWS present? (only for ceiling mounted sprinkler system)

  • 5.9b - Are regular fire alarm checks conducted?

  • 5.9c - Are there log books on site? If so what is the last test date?

  • 5.9d - Are monthly fire alarm drills undertaken with staff (with or without patients)?

  • 5.9e - Is there an adequate number of detectors?

  • 5.9f - Is the system AS1670 compliant?

6.0 - General Lighting

  • 6a - Good natural lighting?

  • 6b - Light fittings clean and in good condition?

7.0 - Emergency and Exit Lighting

  • 7a - Emergency exit lighting operable?

  • 7b - Example of emergency lighting.

  • 7c - Log books on site? If so what is the last test date?

  • 7d - Any defect noted in log book?

  • 7e - Is lighting adequate?

  • 7f - If patient records are stored in paper form, is a fire extinguisher within 3 feet of the door (interior or exterior)?

8.0 - Alarm System

  • 8a - Wrongful entry

  • 8b - Response procedure documented

  • 8c - Fire plan tested

  • 8d - Last Fire Plan Test activated

  • 8e - Central meeting location identified and staff notified

  • 8f - Employee identification (who is absent from work)

9.0 - Signage

  • 9a - Minimum Wage (Fair Labor Standards Act)

  • 9b - Family and Medical Leave (Family and Medical Leave Act of 1993)

  • 9c - Equal Employment, Age Discrimination, Disability (Civil Rights Act of 1964, Age Discrimination Act of 1967 (ADEA), Americans with Disabilities Act, Rehabilitation Act of 1973)

  • 9d - Occupational Safety and Health Act (Occupational Safety and Health Act)

  • 9e - Medical Fraud and Abuse

10.0 - Other Safety

  • 10a - Bathroom Emergency Key

  • 10b - Use of portable heaters (prohibited)

10c - Computer Room (if present)

  • 10d - Does the facility have a server in a data closet or Computer room?

  • 10e - Controlled entry

  • 10f - Data watch system

11.0 - Data Closet (if present)

  • 11a - Controlled entry

  • 11b - Data watch system

12.0 - Mobile Workforce (if present)

  • 12a - Has Mobile Workforce

  • 12b - Workforce carries paper PHI or PII

  • 12c - Use of “Secure Briefcase” for paper records

  • 12d - Secure cables are supplied to secure the briefcase (if any) in the car

13.0 - Work @ Home (if present)

  • 13a - Has home based Workforce

  • 13b - Workforce handles PHI or PII

  • 13c - All workforce members have an approved shredder

  • 13d - All workforce members have an approved laptop lock

  • 13e - All workforce members have a way of locking up paper PHI and the laptop when not in use (locking drawer)

14.0 - WIFI (if present)

  • 14a - Present

  • 14b - Access point secured

  • 14c - Rogue access points present that are unsecured

  • 14d - Non-APS secured access points broadcast into APS space

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.