HIPAA COMPLIANCE CHECKLIST

A red asterisk (*) indicates required questions.


  1. Phone conversations are held in areas where PHI cannot be overheard.*

  2. The screens on unattended computers are locked to the logon screen or have a password-enabled screen saver.*

  3. Staff protect their ID and password. They are kept confidential, never shared and not in plain view at workstations.*

  4. Staff never share the use of a workstation while logged in. Work is not done under another specialist's login.*

  5. Staff do not use the preview pane to view e-mail.*

  6. E-mails from an unknown or suspicious source are reported to the IT department.*

  7. Websites are closed when not in use.*

  8. Data is not downloaded without management/IT department approval.*

  9. Paper records are stored or filed in such a way as to avoid observation by those who are not authorized.*

  10. EPHI is saved on the network.*

  11. Release of confidential information is done only by staff specifically authorized to do so. When confidential information is transmitted over the internet, EPHI is encrypted through Zixmail or placed in a password-protected zip file.*

  12. Confidential patient information is not left on an unattended printer, copier or fax machine unless these devices are in a secure area. Physical access to fax machines and printers is limited to authorized staff. Materials are removed from printers and fax machines at the end of the day.*

  13. Voicemail passwords are not the default setting or the last four digits of your office phone number.*

  14. Only authorized staff have access to confidential patient information, and they access only the minimum amount necessary to accomplish their duties.*

  15. All supervisors regularly review with their staff the institutional policies applicable to their work assignments, to ensure that current practices and procedures protect patient privacy.*

  16. Staff do not discuss confidential patient information with patients, family members or other authorized staff in public areas or hallways.*

  17. Patients are taken to conference rooms. Only staff and clients are allowed in the medical billing area.*

  18. Family members and visitors are taken to the employee lounge. Only staff and clients are allowed in the medical billing area.*

  19. Computer monitors are positioned so that PHI is not readily visible to those who are not authorized.*

  20. Confidential information/PHI is kept out of sight or turned face down, especially when a workstation is vacated.*

  21. Current work is available to team leaders and supervisors and is never kept in a locked drawer or on the floor.*

  22. Confidential information/PHI is discarded daily in the appropriate locked container and shredded.*

  23. PHI is only faxed when a deadline is approaching. The fax number is verified and the SVA cover sheet is used. Highly sensitive PHI is never faxed.*

  24. Checks and cash are locked up overnight.*

  25. Computers and scanners are shut down completely at the end of the day, unless otherwise authorized where lockout is required.*

  26. Confidential information/PHI is not brought into common areas, such as restrooms or break rooms, where unauthorized people have access to it.*

  27. Staff know how to report misuse of confidential patient information to their supervisor, through the online compliance report or via the Compliance Hotline.*