DHS Safeguards Assessment Tool

Office, Program or Area Assessed:
Location Address:
Name of Person or Group Conducting Assessment:
Date of Assessment:
This office, program or area does not contain any confidential information. A Safeguard Assessment will not be completed.

Administrative, Technical, and Physical Safeguards Policy AS-100-05 requires that we take reasonable steps to safeguard confidential information. Information to be safeguarded may be in any medium, including paper, electronic, oral and visual. We are required to assess those safeguards annually. The HIPAA Security Rule also requires periodic evaluations in relation to policies and entity changes.

The federal Office for Civil Rights, which is responsible for enforcing the HIPAA Privacy Rule, says that "Reasonable safeguard means that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of Protected Health Information (PHI) from any and all potential risks. In determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards."

It is not necessary to construct walls, rearrange cubicles or soundproof interview rooms in order to apply reasonable safeguards. You will see from the Assessment Tool that most of the safeguards can be met through simple, logical steps and by raising awareness.

Conducting a Self-Assessment

It is recommended that you, as managers and supervisors, take a slow, deliberate walk throughout your office, program area, or your facility with the security of all confidential information in mind. Then, thoughtfully complete the Safeguards Assessment Tool. The Assessment will identify where safeguards are in place and practiced most of the time. It will also identify where some remediation is necessary to improve the safeguards.

· Complete the assessment.

· Document unmet safeguards and remediation plans on page 9.

· To request interpretation or clarification on any of the safeguards, use the privacy help email address below.

· Submit completed assessments to the hardcopy address indicated below or by attaching the assessment to the email link below.

· Keep a copy for your record.

Return to: DHS Information Security Office, Attn Jane Alm

500 Summer Street, N.E., E – 24

Salem, OR 97301-1066

Definitions

Safeguard Met: Safeguard is met at least 75% of the time. Reasonable safeguard is in place.

Safeguard Not Met: Safeguard is met less than 75% of the time. Remediation action is required to ensure that a reasonable safeguard is in place.

Not Applicable: Safeguard does not apply to the protection of confidential information within the structure, layout, or activity within the location being assessed.

DHS 3000 (9/05)

Or Email to:

A. Physical Environment (AS 100-005 reference)

Safeguard Assessment / Safeguard Met / Safeguard Not Met, Remediation Plan Documented / Not Applicable

A1 Access to areas with confidential materials is monitored or locked to prevent unauthorized entrance.
A2 Keys, keypad combinations, and key cards are controlled to assure only staff authorized by management have building access and/or after hours access.
A3 Work place discussions of confidential information are conducted in private locations or in voice levels that inhibit casual eavesdropping.
A4 A physical barrier separates reception and work areas, where necessary and appropriate.

Document Remediation Plan (Page 9)

B. Reception and Pedestrian Traffic (AS 100-005 reference)

Safeguard Assessment / Safeguard Met / Safeguard Not Met, Remediation Plan Documented / Not Applicable

B1 Building or work area process/policy for escorting non-DHS visitors in areas with confidential information is followed.
B2 If there is a building policy requiring ID to enter work area, it is enforced.
B3 Contractors have completed confidentiality agreements.
B4 Employees use reasonable measures, such as speaking in a soft voice when discussing confidential issues in public areas.
B5 Janitorial staff are allowed access after hours only after completing a confidentiality agreement.

Document Remediation Plan (Page 9)

C. Workstations, Printers, Copiers, Fax Machines (AS 100-005 reference)

DRAFT

Safeguard Assessment / Safeguard Met / Safeguard Not Met, Remediation Plan Documented / Not Applicable

C1 The office has reasonable physical safeguards, such as partitions, view-limiting screen filters, or repositioning monitors to prevent unauthorized viewing of screens.
C2 Staff exit applications or systems that have confidential information or lock their workstation upon leaving their cubicle or workspace.
C3 Office equipment such as fax machines, printers, and copiers are located away from unsupervised public areas to prevent inadvertent access.
C4 Office distributes confidential incoming faxes and materials left at copiers and printers in a timely manner, and at least within the workday.
C5 Outgoing faxes include a cover page with the DHS privacy disclaimer.

Document Remediation Plan (Page 9)

D. Electronic Media Storage (AS-090-001, AS-090-003, AS-100-005 reference)

Safeguard Assessment / Safeguard Met / Safeguard Not Met, Remediation Plan Documented / Not Applicable

D1 When not in use, tapes, disks, CD-ROMs, Zip Drives and cartridges containing confidential material are secured in a locked cabinet, room or other secured location.
D2 Only authorized staff has access to secure data locations, per DHS policy.
D3 Staff complies with office procedures that prohibit confidential data removal from office except as authorized.
D4 Information users are required to sign a compliance statement as a condition of access approval.

Document Remediation Plan (Page 9)

E. Document Storage (AS-100-005, AS-090-003 reference)

Safeguard Assessment / Safeguard Met / Safeguard Not Met, Remediation Plan Documented / Not Applicable

E1 Confidential materials are stored in locked rooms or secured storage systems or, where lockable storage is not available, reasonable efforts are taken to safeguard files in accordance with the DHS policy.
E2 Only employees with authorization can access secured file rooms, cabinets or desks.
E3 File cabinets containing confidential materials are secured when not in use.
E4 Access to file cabinets or files is secured from access by unauthorized persons.
E5 In keeping with DHS policy, confidential materials on desktops, tables, printers, copiers, and fax machines will be adequately shielded from visual inspection by unauthorized parties.

Document Remediation Plan (Page 9)
