If you answer any of the following statements "False," you may need to change your office procedures.

1. My office does not use a patient/client sign-in sheet that includes confidential patient/client information.

  True
  False

A sign-in sheet will allow patient/clients who come into your office to learn the identity of patient/clients who came to your office earlier. This is acceptable, so long as the sign-in sheet does not contain confidential patient/client information, such as reason for the visit.

In some cases this information seems very innocent. However, some physicians specialize in treating sensitive issues or conditions, e.g., cancer, psychological problems or pregnancy, and simply disclosing that an individual had an appointment with you for a specific purpose may be a breach of patient/client confidentiality. At a minimum, the sign-in sheet should be changed periodically during the day.

2. My office does not locate patient/client schedules in any places that may be seen by patient/clients or other non-staff individuals.

  True
  False

Some practices print out the schedule for the day and post it for the professional staff. Often the schedule is posted where it may be seen by a patient/client - either in an examination room or corridor, or on a door. This may result in the unauthorized disclosure of patient/client information. As with the previous consideration, disclosing information about a patient/client may be a breach of confidentiality.

3. In my office, all confidential conversations take place to the maximum extent possible in areas that cannot be overheard by other patient/clients or non-staff individuals.

  True
  False

Conversations may be overheard easily in many settings. For example, a receptionist may schedule appointments or provide results over the telephone. This requires taking and verifying the name of the caller, as well as discussion of medical information, e.g., the reason for the appointment or the results of the tests. If patient/clients and others are sitting in the waiting room, they may hear this exchange of confidential information, and this could represent an unauthorized disclosure of patient/client information.

The same is true of conversations between staff members in a hallway or if a professional takes a call from a patient/client in the presence of another patient/client, e.g., in an exam room, or if a professional dictates notes into a recording device. (Providers must use their best professional judgment to reduce the risk of such information being shared, but do not have to guarantee it can never occur.)

4. In my office patient/clients and non-staff individuals cannot gain access to our computers or fax machines and cannot view our computer screens.

  True
  False

Offices use computers for a variety of reasons including billing, accounts receivable, scheduling and medical records. Usually computers and fax machines are placed only in the reception area, although sometimes they are throughout the office, including patient/client exam rooms. It is important that both physical and viewing access to fax machines and computers be restricted to only staff members.

In addition, computers should have screen-savers so that unauthorized persons cannot read the information if they happen to wander into a restricted area. Also, computers should be password protected. When a staff person steps away from a computer for a period of time, the staff person should be required to re-enter a password.

5. Each computer user in my office has a personal computer password. These passwords change on a regular basis, and passwords of terminated employees get deleted immediately.

  True
  False

Ensure that each person in your office has access only to the computer(s) and information to which they are entitled. Toward that end, each user needs to have a password. In addition, passwords need to be kept confidential (i.e., not shared with anyone else) and changed on a regular basis to ensure security. Passwords must never be left on "Post-it" notes next to the computer.

6. In my office, patient/clients and other non-staff individuals do not have any opportunity to access patient/client medical records, laboratory reports and faxes.

  True
  False

Paper medical records are located in a number of places around the office, including the receptionist area, bins in the exam rooms, on the professional's desk and at checkout. It is vital that no patient/client or non-staff individual have access to any medical records at any place in the office.

For most offices, this will require a change in the manner in which medical records are handled and stored. Note that this also includes appointment lists and charts outside exam room doors.

7. My office has formal documented procedures to ensure patient/client confidentiality when transferring paper files, orders, images and specimens to other offices.

  True
  False

Every office should have formal policies for the transfer of confidential patient/client information outside its office, and office staff must understand these policies. You must make sure that only appropriate information is transferred and that it goes to the proper individuals. (You may need specific authorization from a patient/client to transfer information.)

If you use e-mail, make certain that the e-mail is secure. If you use couriers, you must ensure that they will keep the information confidential in transit and deliver it only to authorized individuals. If you use a transcription service, you must ensure that the transcription service can keep your information confidential, in compliance with the HIPAA requirements.

Even if you currently have such policies, they will need to be reviewed to meet HIPAA requirements. You may have to change your agreements with business associates to make them comply with HIPAA requirements.

8. My office has formal documented procedures for the acceptance of confidential patient/client information from outside our office.

  True
  False

As with records sent offsite, you will need to have formal policies for accepting confidential patient/client information from outside your office and keeping it confidential. This includes e-mail. Your office staff must understand these policies. Even if you have such policies in place, review those policies to ensure they meet HIPAA requirements.

9. My office has confidentiality statements in place and we make patient/clients aware of our confidentiality policies.

  True
  False

HIPAA requires every health care professional to sign confidentiality statements. These statements must be posted in a prominent place in your office. In addition, patient/clients must sign a consent form allowing you to release their confidential information for billing and other purposes. Even if you have confidentiality policies in place and make patient/clients aware of your policies, review them to ensure they meet HIPAA requirements.

10. My office has formal privacy and security procedures regarding access to confidential information, access to computer information, and access to areas of the office that may contain confidential information.

  True
  False

Unauthorized personnel must never have access to confidential information. Your office must have formal policies and procedures to ensure that only appropriate staff and other individuals gain access to confidential information.
This may mean limiting access to certain parts of your office, to certain computers, or to certain programs or files in your computers. (For example, if you have separate accounting staff, those individuals do not need to see patient/client encounter notes, only the billing form prepared by the treating healthcare professional. The cleaning staff should not be able to see any confidential information.)

11. My office requires the return of all keys and other items that allow access to the office and to computer files when a person no longer is authorized to access information.

  True
  False

Unauthorized personnel must never have access to confidential information. This includes all staff and other individuals who may at one time have been authorized with such access. Your office must have formal policies and procedures to ensure the return of all keys and other items that allow access to information, both physical and computer access.
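Items 5 and 11 together describe a periodic account review: every login belongs to one named person, passwords are rotated, and access is removed the day someone leaves. The script below is an added example, not part of this checklist, showing how such a review can be run over an office's account list. It assumes a constructed roster (placeholder names), a 90-day rotation period, and a fixed review date so the sample result is repeatable; the roster would in practice be exported from the office's systems.

```python
"""Periodic account review for an office's computer users.

Added example, not from the checklist's author. It assumes a constructed
roster in which every account record carries the person it was issued to,
whether it is still enabled, the date its password was last changed and, for
former staff, the termination date. It flags what items 5 and 11 call for:
enabled accounts belonging to people who have left, passwords older than the
rotation period, and one login shared by several people."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed rotation period for this office
REVIEW_DATE = date(2024, 3, 1)          # fixed so the sample review is repeatable


@dataclass
class Account:
    username: str
    holder: str                           # person the login was issued to
    enabled: bool
    password_changed: date
    terminated_on: Optional[date] = None  # None while the holder is still employed


# Constructed roster; the names are placeholders, not real staff.
SAMPLE_ROSTER: List[Account] = [
    Account("jsmith", "J. Smith", True, REVIEW_DATE - timedelta(days=30)),
    Account("rlee", "R. Lee", True, REVIEW_DATE - timedelta(days=120)),
    Account("mgarcia", "M. Garcia", True, REVIEW_DATE - timedelta(days=10),
            terminated_on=REVIEW_DATE - timedelta(days=7)),
    Account("tnguyen", "T. Nguyen", False, REVIEW_DATE - timedelta(days=200),
            terminated_on=REVIEW_DATE - timedelta(days=30)),
    # Two people using the same front-desk login: a shared account.
    Account("frontdesk", "A. Patel", True, REVIEW_DATE - timedelta(days=5)),
    Account("frontdesk", "B. Chen", True, REVIEW_DATE - timedelta(days=5)),
]


def review_accounts(roster: List[Account], today: date) -> Dict[str, List[str]]:
    """Return the usernames that fail each check, in roster order."""
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [],
        "stale_password": [],
        "shared_account": [],
    }
    holders: Dict[str, set] = {}
    for acct in roster:
        holders.setdefault(acct.username, set()).add(acct.holder)
        left = acct.terminated_on is not None and acct.terminated_on <= today
        if acct.enabled and left:
            findings["terminated_still_enabled"].append(acct.username)
        # A disabled account cannot be used, so only enabled ones need rotation.
        if acct.enabled and today - acct.password_changed > MAX_PASSWORD_AGE:
            findings["stale_password"].append(acct.username)
    for username, people in holders.items():
        if len(people) > 1:
            findings["shared_account"].append(username)
    return findings


def format_report(findings: Dict[str, List[str]]) -> List[str]:
    """Human-readable lines, one per finding, for the office's review record."""
    labels = {
        "terminated_still_enabled": "disable immediately (holder has left)",
        "stale_password": "password older than rotation period",
        "shared_account": "login shared by more than one person",
    }
    return [f"{user}: {labels[check]}" for check, users in findings.items() for user in users]


if __name__ == "__main__":
    for line in format_report(review_accounts(SAMPLE_ROSTER, REVIEW_DATE)):
        print(line)
```

On the sample roster the review reports one account still enabled after its holder left, one password past the rotation period, and one shared login; the disabled account of a former employee is correctly not reported, which is the state every departed user's account should be in. Keeping the printed lines with the date of each review also satisfies the documentation the later items ask for.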

12. My office has formal privacy and security policies for all office personnel, provides training for all office personnel, and documents the training of each individual.

  True
  False

All office personnel must receive training about your privacy and security policies and records must be kept regarding the training. The policies must detail which personnel have access to different kinds of confidential information in different circumstances, personnel clearance procedures, procedures to be followed when a member of the office staff is terminated, and procedures for identifying and correcting potential problems.

Training requirements should be included in your human resources policy manual or booklet. In addition, you must have a formal policy manual that details all of your privacy and security procedures. Even if you have a policy manual in place, you must review it to ensure it meets HIPAA requirements.

13. If my office uses laptops or other portable equipment that holds confidential patient/client information, this equipment is secure and can only be accessed by authorized personnel.

  True
  False

Many offices use portable equipment, including laptops, calendars and "personal assistants." All of these devices may contain confidential information that must be kept secure in an appropriate fashion. Your office must have policies and procedures regarding the setup, use, security and disposal of this equipment.

14. My office has policies and procedures in place to ensure patient/client confidentiality by off-site contractors, such as billing and accounting services.

  True
  False

You are responsible for ensuring your confidential information remains confidential, even when it is sent off-site. This is not a concern when you send information to another health care provider or a health insurance company. Those entities also are required to comply with the privacy rule and to protect the information they receive.

Most billing services will be covered by HIPAA rules, although you should double check with them. However, many businesses are not covered by the rules, e.g., auditors and software vendors. Establish agreements with these businesses to ensure the confidentiality of any patient/client information they will see or transfer.

15. My office has a comprehensive survey of all our computer systems, including all software.

  True
  False

Security rules require you to keep a complete listing of your computer systems, including all software. This will help you manage your systems and detect any problems that might lead to a breach of patient/client confidentiality. Remember: Confidential information is contained in billing and accounting records, in letters to patient/clients and other health care providers, as well as in medical records.

16. My office has a disaster plan to protect patient/client information and contingency plans in the event of a computer systems failure. We perform regular virus checks and correct identified problems.

  True
  False

You must ensure your access to confidential information, even in the case of a disaster. For computer records, this can be fairly simple: Back up computer files on a daily basis and store the back-up offsite. For paper records, this can be more difficult.

In addition, you must ensure your confidential information is safe and cannot be seen or altered without your permission. Electronic information - including billing records and correspondence - is subject to attack if it is not protected from computer viruses and unauthorized intruders (hackers).
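A daily backup only protects access to records if a restore from it actually works, so the contingency plan should include a restore drill. The script below is an added example, not part of this checklist, showing one way to run such a drill: archive a set of records, keep a hash manifest taken at backup time, restore into a fresh location and compare every file. The "offsite" directory and the sample records are constructed for the demonstration and contain no real patient data.

```python
"""Backup drill with restore verification.

Added example, not part of the checklist. It builds a small constructed set of
office records in a temporary directory, archives them to a tar.gz, records a
SHA-256 manifest of every file, restores the archive into a fresh directory and
checks every restored file against the manifest. The 'offsite' path and the
sample records are assumptions for the demonstration."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample records: no real patient data, just placeholder content.
SAMPLE_RECORDS: Dict[str, bytes] = {
    "billing/2024-03-invoices.csv": b"invoice_id,amount\n1001,120.00\n1002,85.50\n",
    "correspondence/referral-letter.txt": b"Referral letter (constructed sample)\n",
    "schedule/week-10.txt": b"Mon 09:00 follow-up\nTue 10:30 new patient\n",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large records do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under source; return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, using the 'data' filter where Python provides it."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(restored_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": [p for p in manifest if p not in restored],
        "corrupted": [p for p in manifest if p in restored and restored[p] != manifest[p]],
        "extra": [p for p in restored if p not in manifest],
    }


def run_drill(records: Dict[str, bytes], damage: Optional[str] = None) -> Dict[str, List[str]]:
    """Full cycle: write records, back up, restore, verify.

    If `damage` names a record, that restored file is overwritten before
    verification to simulate a bad restore medium; the check must report it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, offsite, restore_dir = base / "records", base / "offsite", base / "restore"
        for d in (source, offsite, restore_dir):
            d.mkdir()
        for rel, data in records.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        archive = offsite / "records.tar.gz"
        manifest = create_backup(source, archive)
        restore(archive, restore_dir)
        if damage is not None:
            (restore_dir / damage).write_bytes(b"\x00 damaged during restore \x00")
        return verify_restore(restore_dir, manifest)


if __name__ == "__main__":
    print("clean drill:", run_drill(SAMPLE_RECORDS))
    print("damaged drill:", run_drill(SAMPLE_RECORDS, damage="billing/2024-03-invoices.csv"))
```

The manifest is the piece that turns "we have a backup" into "we can prove the backup is intact": it is taken at backup time and stored with the archive, so a restore that silently drops or alters a file is reported as `missing` or `corrupted` rather than discovered during an actual emergency. The same comparison also detects alteration of stored records, which is the "cannot be altered without your permission" concern in the paragraph above.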

17. All confidential information - paper and electronic - is stored with appropriate safeguards.

  True
  False

Protect all confidential information from inappropriate access. This includes both electronic and paper records. For electronic records, use passwords and other methods to ensure that only authorized people have access to information. For paper records, ensure your records are stored and locked in a secure manner. Examine what types of safeguards are in place for shredding and disposal of paper records.

18. Internet transmissions, including e-mail and telephone conversations, are secure.

  True
  False

You must be sure that Internet and telephone conversations are secure. In the case of the Internet - most commonly e-mail - you must ensure communications are "encrypted." For telephone conversations, you must make reasonable efforts to prevent others from listening, e.g., on a second telephone. In most cases, the staff should have some assurance of the identity of the person with whom they are communicating.

19. My office has patient/clients sign a consent form.

  True
  False

Patient/clients must sign a consent form allowing you to release their confidential information for treatment, billing and other purposes. Even if you have such a form in place, review it to ensure it meets HIPAA requirements.

20. My office has confidentiality statements on all faxes and e-mail sent by the office staff.

  True
  False