Security Checklist: Firewall Checklist

Firewall Checklist

  • Policies should be in place prescribing the use, configuration and operation of firewalls and firewall logs.
  • All computers should be protected by a properly configured firewall.
  • All staff should understand and agree that they should not hinder the operation of firewalls.

HIPAA Security Checklist: Anti-Virus Checklist

Anti-Virus Checklist

  • Policies should be in place requiring use of anti-virus software.
  • All staff should understand and agree that they should not hinder the operation of anti-virus software.
  • All staff should know how to recognize possible symptoms of viruses or malware on their computers.
  • All staff should know what to do to avoid virus/malware infections.
  • Anti-virus software should be installed and operating effectively on each computer in compliance with manufacturer recommendations.
  • Anti-virus software should be set up to allow automatic updates from the manufacturer.
  • Anti-virus software should be fully up-to-date according to manufacturer’s standards.
  • Handheld or mobile devices should support anti-virus software.

HIPAA Password Checklist

Password Checklist

  • Policies should be in place prescribing password practices for the organization.
  • All staff should understand and agree to abide by password policies.
  • Each staff member should have a unique username and password.
  • Passwords should not be revealed or shared with others.
  • Passwords should not be written down or displayed on screen.
  • Passwords should be hard to guess, but easy to remember.
  • Passwords should be changed routinely.
  • Passwords should not be re-used.
  • Any default passwords that come with a product should be changed during product installation.
  • Any devices or programs that allow optional password protection should have password protection turned on and in use.


Strong passwords should:

  • Be at least 8 characters in length
  • Include a combination of upper-case and lower-case letters, at least one number, and at least one special character, such as a punctuation mark

Sample HIPAA Compliance Checklist

HIPAA Compliance Checklist


This sample checklist provides a good idea of things to consider.

  • Is there PHI (protected health information) in the regular trash bins?
  • Are shred containers or other PHI disposal bins easily accessible by staff members?
  • Are shred containers locked?
  • Are documents to be shredded left in the open, including overnight?
  • Are documents containing PHI (appointment schedules, lab orders, client invoices) visible to unauthorized individuals, including the general public?
  • Are documents containing PHI left in unattended areas?
  • Are client charts maintained and stored in a secure area?
  • Are materials removed from printers and fax machines in a timely manner? Are the machines checked at night? Are unclaimed documents stored in a secure manner and location?
  • Do staff members verify fax numbers before sending a fax?
  • Are staff members restricted within electronic records to only have access to PHI for which they are approved? (PIMSY lets you set any desired parameters via security profiles.)
  • Have all staff and faculty completed HIPAA training?
  • Do staff members ensure that all conversations containing PHI are necessary and that the minimum amount of PHI possible is discussed?
  • Do staff members ensure that all necessary conversations containing PHI are kept private and out of earshot of unauthorized individuals?
  • Is there a process for identifying clients who need to receive a Notice of Privacy Practices (NPP), issuing it to them, and collecting and documenting the client’s signed acknowledgement of receiving the NPP?
  • Do staff members log off computers before leaving workstations? (PIMSY has an auto log-off that can be set to the desired time-out.)
  • Are computer monitors and printers located in secure areas, and are they positioned so that the public can’t access or view PHI on them?
  • Do staff members protect their hardware and/or software logins and make sure they are not accessible at their workstations or by unauthorized individuals?
  • Do staff members make sure they’re not sharing another employee’s login to hardware and/or software?
  • Can clients in the waiting room overhear the registration process?
  • Do clients or the public have access to any areas in the building where confidential information is stored or accessible?
  • Do staff members know that they should not access the health information of their co-workers, family or friends?
  • Do staff members know what to do if clients request amendments to their records/chart?
  • Do staff members know what to do if clients request their records/chart?
  • Do staff members know who to contact if they have questions about HIPAA and/or client privacy (i.e., the Chief Compliance Officer and Privacy Director)?
  • Do staff members know where they should refer questions regarding HIPAA and/or client privacy?
  • Are staff members making sure they don’t use the preview pane when viewing emails?
  • Are checks and cash locked up overnight?
  • Are computers and scanners shut down completely at the end of the day?
  • Are privacy/confidentiality/security signs posted for the custodial staff?
  • Are security doors (file room, office) locked and operational?






Easy HIPAA compliance ideas to consider:

  • A fax cover page that goes out with all documents, letting the recipient know that the information is confidential and needs to be handled under HIPAA privacy guidelines.
  • “Remember to log off” stickers placed at every workstation to remind staff members to restrict access to any confidential materials before leaving their desks.

HIPAA Compliance Deadlines

Deadline          Description
----------------  -----------------------------------------------------------------------------
January 1, 2016   New standards developed for health care claims attachments
January 1, 2016   Operating rules for referral certification and authorization transactions
January 1, 2016   Operating rules for health premium payments
January 1, 2016   Operating rules for health plan enrollment/disenrollment
January 1, 2016   Operating rules for coordination of benefits
January 1, 2016   Operating rules for health care claims or equivalent encounter information
January 1, 2014   Operating rules for health care payment and remittance advice (ERA)
January 1, 2014   Operating rules for electronic funds transfers (EFT); new EFT standards must be adopted
October 1, 2013   ICD-10: all covered entities
January 1, 2013   Operating rules for health claim status
January 1, 2013   Operating rules for eligibility for a health plan

HIPAA Compliance by September 23, 2013 or Face Huge Fines

Every dental office must be HIPAA compliant by September 23, 2013, based upon the new “2013 HIPAA Omnibus Rule.”

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the required “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.” The Omnibus Rule became effective on March 26, 2013, and every dental office must be compliant by September 23, 2013. Are you ready?

If you are not ready, beware: the fines for non-compliance range from $100.00 to $50,000.00 per violation, and up to $1.5 million per year.

If you do not have a new 2013 HIPAA manual, you are out of compliance. If you have not modified your Privacy, Security, Enforcement or Breach Notification Procedures to comply with the new 2013 Omnibus Rule, you are not compliant.

If you have any questions regarding whether your office is HIPAA compliant, please feel free to call us.