Pre Employment Physical Request Form

PRIVACY PHYSICAL SAFEGUARDS ASSESSMENT AND REMEDIATION CHECKLIST

Division/Office/Institution Name:
Unit:
Department/Unit:
Room or Cubicle #/Name:

Columns recorded for each checklist question:
  #
  Checklist Question
  Response* (Enter 'X' for responses, gray columns indicate gap): Yes / No / N/A
  REMEDIATION OPTIONS: Option #1 / Option #2 / Option #3 / Option #4
  Remediation Implemented** (Record gap remediation/notes)
  Comments

Options listed in bold text require renovations/structural changes and must be requested via the 'Physical Safeguards Improvements Request' form.
Remediation solutions may need to be supported by agency policies, procedures, and training.

Part I - Is the Room Secure?

1.    Checklist Question: Can all doors that allow access to the room/area containing individually identifiable health information (IIHI) be locked via a suitable device (proximity card system, key lock, combination lock, etc.) during non business hours or when the room is not being supervised?
      Option #1: Install keyed lock on door if the room contains a small amount of IIHI that is already locked in filing cabinets, file racks, drawers, etc.
      Option #2: Install combination lock on door if the room contains a small amount of IIHI that is already locked in filing cabinets, file racks, drawers, etc.
      Option #3: Install proximity card system on door to areas that contain a large amount of IIHI or if IIHI cannot be locked in filing cabinets, file racks, drawers, etc.
      Comments: Note: all remediation solutions must be selected by agency management according to the level of protection determined to be necessary for the area. For new leased spaces, include the appropriate safeguards in the lease requirements. For existing leased spaces, the installation of safeguards should be negotiated with the landlord.

2.a   Checklist Question: If key locks are used, is the distribution of keys well controlled so that keys are provided only to individuals who are authorized to access the area containing IIHI?
      Option #1: Implement a policy and procedure for key/proximity card/combination control and to ensure staff only has access to areas needed to perform job duties. Documentation to describe the areas that require locked entrances, the job duties requiring access, and designated authority for issuing keys/proximity cards/combinations.

2.b   Checklist Question: Are all keys accounted for (documented evidence), and are they collected from employees upon termination or when access to the area is no longer required?
      Option #1: Rekey locking mechanism (keyed lock, combination lock, proximity card system) to ensure only authorized personnel have access. Inventory keys and proximity cards and document issuance as well as combination distribution. Combinations to be changed and keys/proximity cards to be returned when staff (or volunteers) exit employment.
      Option #2: Implement option 1, but replace keyed and combination locks with proximity card system.

2.c   Checklist Question: Are keys permanently stamped to indicate that duplication is prohibited?
      Option #1: Rekey locks and reissue keys with 'Do Not Duplicate'. Whenever possible, provide maintenance staff with key duplication equipment so that control is maintained on site.

3.    Checklist Question: Are windows (particularly within doors) equipped with intruder-proof glass?
      Option #1: Alert Security staff to potential security risk. Security may address this issue in accordance with Security best practices.

* Grayed Response Cells indicate gaps requiring remediation.
** Record the remediation selected by agency mgmt and note if implementation is pending due to funding.
4.    Checklist Question: Is the room containing IIHI continually monitored during the hours of operation? If not, is the room locked when not in use?
      Option #1: Designate staff to monitor entry into restricted areas or move IIHI to an area accessible only by authorized staff. Authorized staff is to monitor and safeguard the IIHI during the move.
      Option #2: Install wall and/or door with locks/combination locks to safeguard the entire area.
      Option #3: Install wall and/or door with a proximity card system to safeguard the entire area.
      Option #4: Install closed circuit television monitoring system and designate staff to perform monitoring.

5.    Checklist Question: Are authorized personnel identified in such a way (e.g., picture ID), such that others can easily recognize them as being authorized to access a controlled area?
      Option #1: Contract with Governor Morehead School for the Blind, Dorothea Dix Hospital, or Eastern School for the Deaf for creation of ID cards. Categorize/code cards for easy recognition of access level.
      Option #2: Contract with Division of Motor Vehicles for ID cards.
      Option #3: Purchase picture ID card-making equipment.

6.    Checklist Question: Are any external doors in the area regularly propped open and/or left unmonitored during temporary use (e.g., smoker access, deliveries, trash/recycling collection, vending machine maintenance, etc.)?
      Option #1: Remove items used to prop doors open and ensure exterior doors that open directly into areas containing IIHI do not allow access from outside of the building. Ensure policies state that external doors are not to be propped open.
      Option #2: Assign staff to monitor door at all times, or during delivery only.
      Option #3: Install automatic doors with timers.

7.    Checklist Question: Are all windows in the room locked and/or secured?
      Option #1: Install window locks where needed and educate staff to ensure locking of windows.
      Option #2: Ensure policies state that windows areas are to remain locked at all times.
      Option #3: Lock and remove opening mechanisms from windows.

8.    Checklist Question: Are there locking filing cabinets, file racks, drawers, etc. to be used for storing IIHI? (This is particularly important for open areas where it is not possible for a wall/door to be installed to restrict access).
      Option #1: Move IIHI to an area accessible only to authorized staff. IIHI should only be moved when it can be monitored and safeguarded by authorized staff.
      Option #2: Install locks/locking bars on filing cabinets, file racks, drawers, etc.
      Option #3: Purchase locking filing cabinets, file racks, drawers, and safes as needed.
      Option #4: Install walls and doors with locks, combination locks, or proximity card system.

9.    Checklist Question: If the room is a nursing workstation, is the workstation left unlocked/unattended with confidential information accessible?
      Option #1: Ensure someone is always present, unless there is an emergency. Remove last names from bulletin boards and place coversheets over IIHI.
      Option #2: Store IIHI in locking file cabinets, file racks, drawers, etc.
      Option #3: Install walls, doors and locks, combination locks, or proximity card systems as needed.

10.   Checklist Question: Do maintenance and cleaning personnel have access to areas containing IIHI?
      Option #1: Ensure maintenance/cleaning occurs only during business hours when someone is present to monitor activities. If the activity must occur during non business hours, ensure all IIHI is locked in filing cabinets, file racks, drawers, etc.
      Option #2: If the activity must occur during non business hours, lock IIHI in appropriate storage devices and ensure security staff monitors activities. Also, train cleaning/maintenance staff about the importance of protecting health information that could be encountered.




Part II - Is Information Privacy a Problem?

11.   Checklist Question: Within the room, is hardcopy IIHI stored in an unlocked storage device (e.g., filing cabinet without lock, unlocked file rack, open shelf, etc.)?
      Option #1: Move IIHI to an area accessible only by authorized staff. Authorized staff is to monitor and safeguard the IIHI during the move.
      Option #2: Install locks/locking bars on filing cabinets, file racks, drawers, etc.
      Option #3: Purchase locking filing cabinets and safes as needed.
      Option #4: Install walls and doors with locks, combination locks, or proximity card system.

12.   Checklist Question: Are any reports, records, or documents containing IIHI left unattended and exposed to unauthorized individuals?
      Option #1: Lock IIHI in filing cabinets, file racks, drawers, or rooms when not in use. Educate staff of importance of protecting IIHI.
      Option #2: Move IIHI to an area accessible only by authorized staff. Authorized staff is to monitor and safeguard the IIHI during the move.
      Option #3: Install walls and doors with locks, combination locks, or proximity card system as needed if IIHI cannot be stored in locked filing cabinets, drawers, etc.

13.   Checklist Question: Are any reports or documents containing IIHI left unattended in fax machines, copiers, or printers?
      Option #1: Move copiers, faxes, and printers to an area that allows access only to staff with the authority to access the IIHI. Designate staff to monitor/run fax/copy machines and printers to ensure IIHI is not accidentally exposed. For fax machines: pre-program destination fax numbers to avoid misdialing. Verify destination phone numbers are correct. Ask frequent fax destinations to inform agency when fax numbers change.

14.   Checklist Question: Can hardcopy IIHI be found in an open/unlocked recycling bin or trash receptacle?
      Option #1: Install locked bins for IIHI waiting to be destroyed or recycled. Ensure staff is trained on IIHI disposal procedures.
      Option #2: Install on site shredder/incinerator and designate staff to dispose of documents.

15.   Checklist Question: Is IIHI stored on other media such as floppy discs, microfilm, microfiche, CD, etc. left unattended and exposed to the public or unauthorized personnel?
      Option #1: Label all electronic media so that it is identifiable as containing IIHI. Store unattended media in locked cabinet, drawers, or safes.

16.   Checklist Question: If the area is a multi-function area where both covered and non-covered functions are performed, can only authorized staff (i.e., only those performing the covered function) access the IIHI?
      Option #1: Lock IIHI in filing cabinets, file racks, drawers, or safes when not in use. Educate all staff in the importance of protecting IIHI.
      Option #2: Install cubicle walls to separate covered from non-covered functions and lock IIHI in filing cabinets, file racks, or rooms with door locks when not in use.
      Option #3: Move IIHI to area that allows access only to authorized personnel. Authorized staff is to monitor and safeguard the IIHI during the move.





17     Checklist Question: If biomedical equipment that displays or stores IIHI (e.g., EKG machines, anesthesia machines, imaging equipment, etc.) is in the room, is the equipment safeguarded from unauthorized access?
       Option #1: Place locks on equipment in use so that only authorized staff can access IIHI. Store equipment not in use in areas that allow access to authorized personnel only.

18     Checklist Question: Can IIHI be found in areas outside the room in hallways, lobbies, entry ways, etc. (e.g., paper waiting to be shredded, boxes or records to be sent to storage, etc.)?
       Option #1: Move IIHI to areas that allow access only to authorized personnel. Authorized staff is to monitor and safeguard the IIHI during the move.
       Option #2: Ensure IIHI in transit is placed in locked/sealed boxes and is accompanied by authorized staff.

      Part III - Is Computer Security a Problem?

19     Checklist Question: Can unauthorized personnel or the public view computer monitors that display IIHI?
       Option #1: Position monitors so that only authorized staff can view.
       Option #2: Install security screens over monitors.
       Option #3: Move computers (desktop/laptop) and/or monitors (mainframe terminals) to areas accessible only by authorized staff.

20     Checklist Question: Are workstations left unattended when logged into the network or an application that allows access to IIHI?
       Option #1: Implement password protected screensavers or automatic log off procedures.
       Option #2: Lock office/area doors when work area is unattended.

21     Checklist Question: Are passwords posted or visible?
       Option #1: Prohibit use of shared IDs and passwords (i.e., ensure all users have unique IDs) as well as posting of passwords. Enforce ITS policy requiring frequent changing of passwords.
       Comments: ITS policy requires users to change passwords every 90 days. (Administrators must change passwords every 30 days.)

       I hereby verify that I have checked my work area and adjacent areas and to my knowledge the above answers are correct:

       Print Full Name:                                        Telephone Number (with Area Code):

       Signature:                                              Job Title:



