You should conduct a HIPAA Privacy/Security Walk-through at least annually to identify areas of your office's compliance that may need attention. Security experts agree that conducting a walk-through of your practice is a good way to make sure your employees are following the requirements in your practice's HIPAA Privacy and Security policies and procedures. Here is a checklist you can use to make sure you know what to look for during a walk-through at your practice. This checklist requires you to assess employee conduct, workstation use, access controls, and environmental controls. You may customize this checklist to your practice's needs. You should be able to answer YES to each of the following items:
Employee Conduct
- Employees and visitors wear ID badges.
- Employees challenge persons who are not wearing badges.
- Employees protect the security of PHI by speaking softly and, when appropriate, using non-public areas.
Workstation Use
- Workstations and computer monitors are positioned to prevent unauthorized persons from viewing ePHI.
- Employees protect user IDs and passwords and do not share them.
- Employees do not share workstations while logged in.
- User IDs and passwords are not posted on or near workstations.
- Documents with PHI are face down or concealed, especially in public areas and when employees leave their workstations.
- When documents with PHI are not in use, they are stored or filed to avoid observation or access by unauthorized persons.
- Unattended computers are returned to the login screen (automatically or by user) or have password-enabled screen savers when not in use.
- All computers are shut down after hours.
- Laptops, PDAs, and other portable equipment are physically secured with a lock that does not have a key present or nearby.
- PHI on printers, photocopiers, or fax machines is always attended by employees.
- Backups of ePHI are secured in a safe area (e.g., off-site, and not in or near workstations).
- PHI is shredded or discarded in a secure container.
Access Controls
- Doors with access-control mechanisms, such as locks or swipe-card systems, are closed.
- Access to the computer room is restricted to authorized personnel.
- Access to fax machines and printers is limited to authorized staff.
- Office doors, filing cabinets, and desks are closed and locked when unoccupied.
- After hours, office doors, filing cabinets, and desks are locked and/or the building is properly alarmed.
Environmental Controls
- Smoke detectors and fire extinguishers are accessible and operational.
- Computer equipment is plugged into surge protectors and, where appropriate, uninterruptible power supplies.