You should conduct a HIPAA Privacy/Security Walk-through at least annually to identify areas in your office compliance that may need attention. Security experts agree that conducting a walk-through of your practice is a good way to make sure your employees are following the requirements in your practice's HIPAA Privacy and Security policies and procedures. Here is a checklist you can use to make sure you know what to look for during a walk-through at your practice. This checklist requires you to assess employee conduct, workstation use, access controls, and environmental controls. You may customize this checklist to your practice's needs. You should be able to answer YES to the following items:
- Employees and visitors wear ID badges.
- Employees challenge persons who are not wearing badges.
- Employees protect the security of PHI by speaking softly, and when appropriate, using non-public areas.
- Workstations and computer monitors are positioned to prevent unauthorized persons from viewing ePHI.
- Employees protect user IDs and passwords and do not share them.
- Employees do not share workstations while logged in.
- User IDs and passwords are not posted on or near workstations.
- Documents with PHI are face down or concealed, especially in public areas and when employees leave their workstations.
- When documents with PHI are not in use, they are stored or filed to avoid observation or access by unauthorized persons.
- Unattended computers are returned to the login screen (automatically or by user) or have password-enabled screen savers when not in use.
- All computers are shut down after hours.
- Laptops, PDAs, and other portable equipment are physically secured with a lock that does not have a key present or nearby.
- PHI on printers, photocopiers, or fax machines is always attended by employees.
- Backups of ePHI are secured in a safe area (e.g., off-site, and not in or near workstations)
- PHI is shredded or discarded in a secure container.
- Doors with access-control mechanisms, such as locks or swipe-card systems, are closed.
- Access to the computer room is restricted to authorized personnel.
- Access to fax machines and printers is limited to authorized staff.
- Office doors, filing cabinets, and desks are closed and locked when unoccupied.
- If after hours, office doors, filing cabinets, and desks are locked and/or the building is alarmed properly.
- Smoke detectors and fire extinguishers are accessible and operational.
- Computer equipment is plugged into surge protectors and, where appropriate, uninterruptible power supplies.