Grantees, Subrecipients, and Service Sites

Privacy and Security Capacity Assessment of the Title X Network

0990-Title X P+S Capacity Assessment OMB submission copy 2 18 2015

Grantees, Subrecipients, and Service Sites

OMB: 0990-0444

Document [docx]
Download: docx | pdf

Form Approved

OMB No. 0990-

Exp. Date XX/XX/20XX


The goal of this assessment is for OPA to learn about what privacy and security practices and policies already exist throughout the Title X network. The information will help OPA better prepare to receive de-identified encounter-level data for FPAR 2.0 and inform OPA of the anticipated technical assistance needs of the community.


The best person to complete this assessment is someone who works in a Title X-funded health center and whose role includes supporting records administration, site administration, privacy or human resources.


If you are in a network consisting of multiple Title X-funded health centers, please think of the largest center (in terms of patient volume) in your network, as you answer the following questions.


All key words, underlined throughout this assessment, will be defined appropriately as per HIPAA using links/mouse-over technology.


  1. Which of the following does your organization do to provide clients with notice of your privacy practices and how you use and disclose their Protected Health Information (PHI)? (check all that apply)

      • Have a written policy

      • Have a poster hanging on the walls of our waiting room

      • Have a notice posted on our website

      • Provide all new clients with a pamphlet

      • Client signs paperwork that they have been notified about HIPAA

      • Have an informal process to discuss privacy with the client

      • Have a documented process to discuss privacy with the client

      • All staff are trained on the basics of how to discuss privacy with the client

      • Don’t know

      • Other (Please explain) __________________________________________


  1. Which of the following does your organization do to respond to client complaints about privacy or to requests for amendments, restrictions or for access to their information? (check all that apply)

      • Have a written policy

      • Have an informal process to record and respond to a complaint or request

      • Have a documented process to record and respond to a complaint or request

      • Train all staff on how to collect, document, and respond to client complaints or requests that related to privacy

      • Use software to collect complaints or document requests

      • Have a form to collect the complaints or requests

      • Have a designated point person in the organization to escalate complex complaints or requests

      • Don’t know

      • Other (Please explain) __________________________________________


  1. In an average month, how many clients typically make a request for restrictions, access to their information, amendment or to log complaint about privacy (i.e., how disruptive to your clinical practice are privacy-related requests)?



None

1-10

11-25

26-50

50+

ALL

We do not keep track of such requests

Other (Please explain)

Requests for Restrictions

Open text field

Requests for Access

Open text field

Requests for Amendment

Open text field

Complaints


Open text field


  1. In the event of a breach, which of the following does your organization do to prepare to handle privacy and security incidents or breaches? (Check all that apply)

      • Have a written policy

      • Have an informal process to identify, escalate, notify and manage breaches?

      • Have a documented process to identify, escalate, notify and manage breaches?

      • Train all staff on how to identify, and escalate breaches?

      • Have a form or method to record breach investigations and notifications?

      • Have a designated point person in the organization to escalate suspected breaches?

      • Don’t know

      • None of the above (Please explain)________________________________________

      • Other (Please explain) __________________________________________


  1. Which of the following does your organization do to obtain authorization, where needed, for the use or disclosure of a client’s PHI?

      • Have a written policy describing how and when to request and record authorization

      • Have an informal process to request and record authorization

      • Have a documented process to request and record authorization

      • Train all staff on how to request and record authorization

      • Use software to request and record authorization

      • Have a form to request and record authorization

      • Have a designated point person in the organization to request and record authorization

      • Don’t know

      • Other (Please explain) __________________________________________




  1. Which of the following does your organization do to encourage that the minimum necessary PHI is used or disclosed?

      • Have a written policy

      • Have an informal process to record and respond to a complaint or request

      • Have a documented process to record and respond to a complaint or request

      • Train all staff on how to collect, document, and respond to client complaints or requests that related to privacy

      • Use software to collect complaints or document requests

      • Have a form to collect the complaints or requests

      • Have a designated point person in the organization to escalate complex complaints or requests

      • No formal, written process for documentation or policy manual

      • No designated point person

      • Don’t know

      • Other (Please explain) __________________________________________


  1. What procedures or technologies does your organization have in place to log disclosures of PHI?

      • Meaningful Use Compliant audit software

      • Other audit software

      • Manual sign-in/sign-out sheets

      • Written log/notebook

      • None

      • Other (Please describe) _________________________________________


  1. Please describe any additional privacy or security safeguards not mentioned in this survey that your organization has worked hard to implement and that you feel are important for the protection of your clients’ privacy. Examples might include: access control, de-Identification, encryption, methods for ensuring remote access policies, risk assessment and mitigation, or secure email capability.

___________ _________________________________________________________________

___________ _________________________________________________________________


  1. Which of the following best describes your organization’s primary Title X-funding status? (select one, *optional)

  • Grantee (we receive Title X funds from the Office of Population Affairs)

  • Sub-recipient/delegate (we receive Title X funds from a Title X grantee organization)

  • Service site (we receive Title X funds from a subrecipient/delegate organization)

  • Not sure


  1. Which of the following best describes your workplace setting? (Select one)

  • Health department (e.g., state, county, local)

  • Hospital-based

  • Planned Parenthood

  • Free-standing Family Planning Organization

  • Community health center/Federally Qualified Health Center

  • Tribal health center

  • University-based

  • School-based

  • Faith-based

  • Correctional facility-based

  • Other private, non-profit

  • Other, please specify: _____________________________


  1. How many Title X visits did your organization report in your most recent annual FPAR submission (e.g., visits in calendar year 2014)?

  • <1,000

  • 1,000-9,999

  • 10,000-49,999

  • 50,000-100,000

  • 100,000-500,000

  • >500,000

  • Not sure


  1. What best describes your primary role at your workplace? (Select one)

  • Billing/Finance Assistant

  • Clinical Provider

  • Community Outreach Staff

  • Front Desk/Reception

  • Health Educator/Counselor/Health Care Associate/Medical Assistant

  • Manager/Administrator/Center Coordinator

  • Nurse

  • Privacy and/or Security Officer

  • Other, please specify: _____________________________


  1. What state is the health center located in that you thought about as you answered the above questions?

_ _


  1. Currently, the electronic health record system this health center is using is: SOFTWARE NAME and VERSION NUMBER

  • This health center is not yet using an EHR

  • I am not sure which EHR this health center is using



Thank you for providing us with this important information! If you would like the OPA Health IT Team to follow-up with you to discuss any successes, challenges or questions you might have in regards to your current privacy and security practices, please email us at [email protected] and someone will be in touch with you as soon as possible.

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0990-xxxx . The time required to complete this information collection is estimated to average ___hours/ minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: U.S. Department of Health & Human Services, OS/OCIO/PRA, 200 Independence Ave., S.W., Suite 336-E, Washington D.C. 20201, Attention: PRA Reports Clearance Officer



File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorChristina Lachance
File Modified0000-00-00
File Created2021-01-25

© 2024 OMB.report | Privacy Policy