Administrative Safeguards Audit

The HIPAA privacy officer installed an electronic health record (EHR) system called Practice Fusion. All staff are assigned passwords for access to the clinic system and to the database where protected health information (PHI) is stored (Kruse et al., 2017). Discarded PHI is shredded into a bin that is emptied every week by a business associate that provides shredding services. PHI is stored in Practice Fusion, in the billing software, and in the calendar used to manage patient appointments. All clinical charts are adequately secured on-site, and all staff have access to them. Patients write their names on a separate sheet, every computer workstation is encrypted, and staff must log in and out (Kruse et al., 2017).

Business associates in various organizations make their contact information accessible to staff members, and an overseer of business associate contracts and agreements ensures that the business associate agreements of subcontractors, and of any other entity that accesses PHI, meet HIPAA requirements (Gardazi et al., 2012). Intentional or unintentional release of data, or any breach, is prohibited, and no external devices are to be inserted into laptops, PCs, or other web-enabled equipment. Policies and procedures for privacy and security, covering the management of all PHI data, passwords and access, breach notification, and other matters, enhance the protection of electronic protected health information.

New employees receive initial privacy and security training, and all employees receive annual training, with annual updates to clinical competency skills on malware, preventing cyber threats, changing passwords, and log-in reminders (Zhou & Liu, 2005). An emergency plan, an incident response plan, and a downtime response policy have been established so that staff know what to do during a power failure or when a machine cannot connect to the EHR, who holds which incident response role, and how staff are to function during downtime and emergencies. An annual risk assessment and an ongoing assessment policy evaluate potential risks in business associate agreements, and procedures and policies on cybersecurity are maintained through training and alerts about cyber threats (Zhou & Liu, 2005). For known threats, such as unsecured fax machines connected to the telephone line, staff make sure they receive lab results from the imaging center and lock down all workstations and all cabinets containing PHI, such as charts, at the end of the day.

A hardware, software, and physical system policy ensures that all PHI is backed up to cloud storage: one backup on a server with multiple workstations and another through the web. Auditing is done every three months to see which systems, databases, or electronic health records have been accessed and when (Zhou & Liu, 2005). Access controls for software, hardware, and physical buildings are audited every six months, and a risk analysis of the same is performed every year. Although data is encrypted, someone might still intercept it in transit; to address this, a contract is to be signed with a company to assist with tracking this data while in transit.

References

Kruse, C. S., Smith, B., Vanderlinden, H., & Nealand, A. (2017). Security techniques for the electronic health records. Journal of Medical Systems, 41(8), 127.

Gardazi, S. U., Shahid, A. A., & Salimbene, C. (2012, June). HIPAA and QMS based architectural requirements to cope with the OCR audit program. In 2012 Third FTRA International Conference on Mobile, Ubiquitous, and Intelligent Computing (pp. 246-253). IEEE.

Zhou, Z., & Liu, B. J. (2005). HIPAA compliant auditing system for medical images. Computerized Medical Imaging and Graphics, 29(2-3), 235-241.