Annual Privacy/Security Walk-through

Annual Privacy/Security Walk-through

It's that time again. You should conduct your HIPAA Privacy/Security Walk-through at least annually to identify areas in your office compliance that may need attention. Security experts agree that conducting a walk-through of your practice is a good way to make sure your employees are following the requirements set out in your practice's HIPAA Privacy and Security policies and procedures.

Here's a reminder checklist you can use to make sure you know what to look for during a walk-through of your practice. This checklist requires you to assess employee conduct, workstation use, access controls, and environmental controls. You may customize this checklist to your practice's needs. You should be able to answer YES to the following items:

Employee Conduct

  • Employees and visitors wear ID badges
  • Employees challenge persons who are not wearing badges
  • Employees protect the security of PHI by speaking softly, and when appropriate, using non-public areas

Workstation Use

  • Workstations and computer monitors are positioned to prevent unauthorized persons from viewing ePHI
  • Employees protect user IDs and passwords and don't share them
  • Employees don't share workstations while logged in
  • User IDs and passwords are not posted on or near workstations
  • Documents with PHI are face down or concealed, especially in public areas and when employees leave their workstations
  • When documents with PHI are not in use, they are stored or filed so as to avoid observation or access by unauthorized persons
  • Unattended computers are returned to the logon screen (automatically or by user) or have password-enabled screen savers when not in use
  • All computers are shut down after hours
  • Laptops, PDAs, and other portable equipment are physically secured with a lock that does not have a key present or nearby
  • PHI on printers, photocopiers, or fax machines is always attended by employees
  • Backups of ePHI are secured in a safe area (e.g., off-site and not in or near workstations)
  • PHI is shredded or discarded in a secure container


Access Controls

  • Doors with access-control mechanisms, such as locks or swipe-card systems, are closed
  • Access to the computer room is restricted to authorized personnel
  • Access to fax machines and printers is limited to authorized staff
  • Office doors, filing cabinets, and desks are closed and locked when unoccupied
  • If after hours, office doors, filing cabinets, and desks are locked and/or the building is alarmed properly


Environmental Controls

  • Smoke detectors and fire extinguishers are accessible and operational
  • Computer equipment is plugged into surge protectors and, where appropriate, uninterruptible power supplies