DHS Safeguards Assessment Tool

Office, Program or Area Assessed:
Location Address:
Name of Person or Group Conducting Assessment:
Date of Assessment:

This office, program or area does not contain any confidential information. A Safeguard Assessment will not be completed.

Administrative, Technical, and Physical Safeguards Policy AS-100-05 requires that we take reasonable steps to safeguard confidential information. Information to be safeguarded may be in any medium, including paper, electronic, oral and visual. We are required to assess those safeguards annually. HIPAA Security Rule also requires periodic evaluations in relation to policies and entity changes.

The federal Office for Civil Rights, which is responsible for enforcing the HIPAA Privacy Rule, says that "Reasonable safeguard means that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of Protected Health Information (PHI) from any and all potential risks. In determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards."

It is not necessary to construct walls, rearrange cubicles or soundproof interview rooms in order to apply reasonable safeguards. You will see from the Assessment Tool that most of the safeguards can be met through simple, logical steps and by raising awareness.

Conducting a Self-Assessment

It is recommended that you, as managers and supervisors, take a slow, deliberate walk throughout your office, program area, or your facility with the security of all confidential information in mind. Then, thoughtfully complete the Safeguards Assessment Tool. The Assessment will identify where safeguards are in place and practiced most of the time.
It will also identify where some remediation is necessary to improve the safeguards.

Complete the assessment. Document unmet safeguards and remediation plans on page 9. To request interpretation or clarification on any of the safeguards, use the privacy help email address below. Submit completed assessments to the hardcopy address indicated below or by attaching the assessment to the email link below. Keep a copy for your record.

Return to:
DHS Information Security Office, Attn Jane Alm
500 Summer Street, N.E., E – 24
Salem, OR 97301-1066

Or Email to: dhs.privacyhelp@state.or.us

Safeguard Assessment | Safeguard Met | Safeguard Not Met | Not Applicable | Remediation Plan Documented

A. Physical Environment (AS 100-005 reference)

A1 Access to areas with confidential materials is monitored or locked to prevent unauthorized entrance.
A2 Keys, keypad combinations, and key cards are controlled to assure only staff authorized by management have building access and/or after hours access.
A3 Work place discussions of confidential information are conducted in private locations or in voice levels that inhibit casual eavesdropping.
A4 A physical barrier separates reception and work areas, where necessary and appropriate.

Document Remediation Plan (Page 9)

Definitions

Safeguard Met: Safeguard is met at least 75% of the time. Reasonable safeguard is in place.
Safeguard Not Met: Safeguard is met less than 75% of the time. Remediation action required to ensure that reasonable safeguard is in place.
Not Applicable: Safeguard does not apply to the protection of confidential information within the structure, layout, or activity within the location being assessed.
DHS 3000 (9/05) Page 2 of 9

B. Reception and Pedestrian Traffic (AS 100-005 reference)

B1 Building or work area process/policy for escorting non-DHS visitors in areas with confidential information is followed.
B2 If there is a building policy requiring ID to enter work area, it is enforced.
B3 Contractors have completed confidentiality agreements.
B4 Employees use reasonable measures, such as speaking in a soft voice when discussing confidential issues in public areas.
B5 Janitorial staff are allowed access after hours only after completing a confidentiality agreement.

C. Workstations, Printers, Copiers, Fax Machines (AS 100-005 reference)

C1 The office has reasonable physical safeguards, such as partitions, view-limiting screen filters, or repositioning monitors to prevent unauthorized viewing of screens.
C2 Staff exit applications or systems that have confidential information or lock their workstation upon leaving their cubicle or workspace.
C3 Office equipment such as fax machines, printers, and copiers are located away from unsupervised public areas to prevent inadvertent access.
C4 Office distributes confidential incoming faxes and materials left at copiers and printers timely, but at least within the workday.
C5 Outgoing faxes include a cover page with the DHS privacy disclaimer.

D. Electronic Media Storage (AS-090-001, AS-090-003, AS-100-005 reference)

D1 When not in use, tapes, disks, CD-ROMs, Zip Drives and cartridges containing confidential material are secured in a locked cabinet, room or other secured location.
D2 Only authorized staff has access to secure data locations, per DHS policy.
D3 Staff complies with office procedures that prohibit confidential data removal from office except as authorized.
D4 Information users are required to sign compliance statement as condition of access approval.

E. Document Storage (AS-100-005, AS-090-003 reference)

E1 Confidential materials are stored in locked rooms, secured storage systems or where lockable storage is not available, reasonable efforts are taken to safeguard files in accordance with the DHS policy.
E2 Only employees with authorization can access secured file rooms, cabinets or desks.
E3 File cabinets containing confidential materials are secured when not in use.
E4 Access to file cabinets or files is secured from access by unauthorized persons.
E5 In keeping with DHS policy, confidential materials on desktops, tables, printers, copiers, fax machines will be adequately shielded from visual inspection by unauthorized parties.

F. Document Destruction (AS-100-005, AS-090-003 reference)

F1 Approved DHS contractor performs removal and destruction of confidential materials.
F2 Confidential material collected for disposal is placed in properly labeled containers. Container is labeled confidential and covered to prevent casual viewing.
F3 Confidential material waiting for disposal is placed in a designated secure storage area, or reasonable procedures are in place to minimize access if a secured storage area is not available.
F4 Confidential material is not placed within common or desk waste paper baskets.
F5 Shredding of files and documents is consistent with DHS record retention requirements and/or unit policy.

G. Administrative Procedures (AS 100-005, AS-090-004 reference)

G1 Managers include building privacy/security practices in new employee orientation.
G2 DHS Manager or their designee conducts periodic internal reviews of site compliance with confidentiality practices and policies.
G3 At a minimum of once per year, managers review systems access for staff members, in order to ensure that appropriate access is added, maintained, or revoked.
G4 Non-DHS staff stationed in shared facilities are covered by a confidentiality agreement or are physically separated from areas where DHS staff discuss confidential information.
G5 Staff complies with office procedures regarding confidential information taken off-site in personal or state vehicles.
G6 DHS managers ensure that staff members under their supervision are aware of privacy and information security policies, procedures, and guidelines, and have access to current versions.

Number | Safeguard | Remediation Plan | Responsible Party Name/Contact Info. | Date Completed

DHS 3000 (9/05) Page 9 of 9