DHS Safeguards Assessment Tool DHS 3000 9/05

DHS Safeguards Assessment Tool
Office, Program or Area Assessed:
Location Address:
Name of Person or Group Conducting Assessment:
Date of Assessment:
This office, program or area does not contain any confidential information. A Safeguard
Assessment will not be completed.
The Administrative, Technical, and Physical Safeguards Policy AS-100-05 requires that we take
reasonable steps to safeguard confidential information. Information to be safeguarded may be in any
medium, including paper, electronic, oral and visual. We are required to assess those safeguards
annually. The HIPAA Security Rule also requires periodic evaluations in relation to policy and entity
changes.
The federal Office for Civil Rights, which is responsible for enforcing the HIPAA Privacy Rule, says
that "Reasonable safeguard means that covered entities must make reasonable efforts to prevent
uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to
guarantee the privacy of Protected Health Information (PHI) from any and all potential risks. In
determining whether a covered entity has provided reasonable safeguards, the Department will take
into account all the circumstances, including the potential effects on patient care and the financial and
administrative burden of any safeguards."
It is not necessary to construct walls, rearrange cubicles or soundproof interview rooms in order to
apply reasonable safeguards. You will see from the Assessment Tool that most of the safeguards can
be met through simple, logical steps and by raising awareness.
Conducting a Self-Assessment
It is recommended that you, as managers and supervisors, take a slow, deliberate walk throughout
your office, program area, or your facility with the security of all confidential information in mind. Then,
thoughtfully complete the Safeguards Assessment Tool. The Assessment will identify where
safeguards are in place and practiced most of the time. It will also identify where some remediation is
necessary to improve the safeguards.
- Complete the assessment.
- Document unmet safeguards and remediation plans on page 9.
- To request interpretation or clarification on any of the safeguards, use the privacy help email
address below.
- Submit completed assessments to the hardcopy address indicated below or by attaching the
assessment to the email link below.
- Keep a copy for your record.
Return to:
DHS Information Security Office, Attn Jane Alm
500 Summer Street, N.E., E – 24
Salem, OR 97301-1066
Or Email to: [email protected]
Safeguard Assessment columns: Safeguard Met | Safeguard Not Met | Not Applicable | Remediation Plan Documented
A. Physical Environment (AS 100-005 reference)
A1 Access to areas with confidential materials is monitored or locked to
prevent unauthorized entrance.
A2 Keys, keypad combinations, and key cards are controlled to assure
only staff authorized by management have building access and/or after
hours access.
A3 Work place discussions of confidential information are conducted in
private locations or in voice levels that inhibit casual eavesdropping.
A4 A physical barrier separates reception and work areas, where
necessary and appropriate.
Document Remediation Plan (Page 9)
Definitions
Safeguard Met
Safeguard is met at least 75% of the time. Reasonable safeguard is in place.
Safeguard Not Met
Safeguard is met less than 75% of the time. Remediation action required to
ensure that reasonable safeguard is in place.
Not Applicable
Safeguard does not apply to the protection of confidential information within the
structure, layout, or activity within the location being assessed.
DHS 3000 (9/05)
Page 2 of 9
B. Reception and Pedestrian Traffic (AS 100-005 reference)
B1 Building or work area process/policy for escorting non-DHS visitors
in areas with confidential information is followed.
B2 If there is a building policy requiring ID to enter work area, it is
enforced.
B3 Contractors have completed confidentiality agreements.
B4 Employees use reasonable measures, such as speaking in a soft
voice when discussing confidential issues in public areas.
B5 Janitorial staff are allowed access after hours only after completing
a confidentiality agreement.
Page 3 of 9
C. Workstations, Printers, Copiers, Fax Machines (AS 100-005 reference)
C1 The office has reasonable physical safeguards, such as
partitions, view-limiting screen filters, or repositioning monitors to
prevent unauthorized viewing of screens.
C2 Staff exit applications or systems that have confidential
information or lock their workstation upon leaving their cubicle or
workspace.
C3 Office equipment such as fax machines, printers, and copiers
are located away from unsupervised public areas to prevent
inadvertent access.
C4 Office distributes confidential incoming faxes and materials left
at copiers and printers promptly, and at least within the workday.
C5 Outgoing faxes include a cover page with the DHS privacy
disclaimer.
Page 4 of 9
D. Electronic Media Storage (AS-090-001, AS-090-003, AS-100-005 reference)
D1 When not in use, tapes, disks, CD-ROMs, Zip Drives and cartridges
containing confidential material are secured in a locked cabinet, room or
other secured location.
D2 Only authorized staff have access to secure data locations, per DHS
policy.
D3 Staff complies with office procedures that prohibit confidential data
removal from office except as authorized.
D4 Information users are required to sign a compliance statement as a
condition of access approval.
Page 5 of 9
E. Document Storage (AS-100-005, AS-090-003 reference)
E1 Confidential materials are stored in locked rooms or secured storage
systems; where lockable storage is not available, reasonable efforts are
taken to safeguard files in accordance with DHS policy.
E2 Only employees with authorization can access secured file rooms,
cabinets or desks.
E3 File cabinets containing confidential materials are secured when not in
use.
E4 File cabinets and files are secured against access by unauthorized
persons.
E5 In keeping with DHS policy, confidential materials on desktops, tables,
printers, copiers and fax machines are adequately shielded from visual
inspection by unauthorized parties.
Page 6 of 9
F. Document Destruction (AS-100-005, AS-090-003 reference)
F1 Approved DHS contractor performs removal and destruction of
confidential materials.
F2 Confidential material collected for disposal is placed in properly labeled
containers. Container is labeled confidential and covered to prevent
casual viewing.
F3 Confidential material waiting for disposal is placed in a designated
secure storage area, or reasonable procedures are in place to minimize
access if a secured storage area is not available.
F4 Confidential material is not placed within common or desk waste paper
baskets.
F5 Shredding of files and documents is consistent with DHS record
retention requirements and/or unit policy.
Page 7 of 9
G. Administrative Procedures (AS 100-005, AS-090-004 reference)
G1 Managers include building privacy/security practices in new employee
orientation.
G2 DHS managers or their designees conduct periodic internal reviews of
site compliance with confidentiality practices and policies.
G3 At a minimum of once per year, managers review systems access for
staff members, in order to ensure that appropriate access is added,
maintained, or revoked.
G4 Non-DHS staff stationed in shared facilities are covered by a
confidentiality agreement or are physically separated from areas where
DHS staff discuss confidential information.
G5 Staff comply with office procedures regarding confidential
information taken off-site in personal or state vehicles.
G6 DHS managers ensure that staff members under their supervision are
aware of privacy and information security policies, procedures, and
guidelines, and have access to current versions.
Page 8 of 9
Remediation Plan
Columns: Number | Safeguard | Remediation Plan | Responsible Party Name/Contact Info. | Date Completed
Page 9 of 9