Why and How to Conduct a HIPAA Walkthrough

Much like the safety audits your office already performs, a walk-through can prevent violations before the Department of Health and Human Services’ Office for Civil Rights gets involved. Whether inspections are announced or executed without your staff’s knowledge, experts agree that they should be done at least annually for all departments and more often for high-risk areas. If you’ve found a problem area, then you want to do a walkthrough more often than once a year to get things really ironed out.

Though not mandated by the privacy rule, third party or anonymous reviewers are often an efficient, if costly, method of examining your facility’s HIPAA compliance program. The big thing is making sure that nobody knows what’s going to happen, because you want to see what people are doing on a day-to-day basis, not what they’re doing on their best behavior.

The types of violations often caught in walkthroughs range from simple mistakes—like leaving confidential faxes unattended or discussing Protected Health Information (PHI) in public areas—to trickier situations that may have been overlooked. Many times the problem is not a procedural violation, but an issue that hasn’t been thought through all the way.

Focus on Your Front Lines

Focus on areas with a significant amount of interaction with the public or patients. Waiting rooms, elevators and even fax machines are all areas where information can accidentally be heard or viewed by the public.

Example: In a recent walkthrough, I noticed that, though the office had obviously positioned computer monitors so that they could not be seen from the waiting room, staff members hadn’t considered the glass entryway to be an area of risk. As you walked in, you could look right over the employee’s shoulder.

Any time a privacy official is on the ground walking through, they should have their eyes and ears open. However, experts agree that, while privacy officials should conduct informal walkthroughs frequently, there must be some method to document and track violations, and there must be follow-ups.

To solidify the process of monitoring HIPAA compliance, one consultant developed a walkthrough checklist. As a tangible record of violations, the checklist should be based on the privacy policies and procedures central to your organization. It can also include how many times the violation was observed. It gives you something to start tracking to see if you see any improvement or not.

The Next Step: Once the walkthrough has been performed and the violations logged, compliance officers and others can review the document to see what went wrong and where. The two main areas we look for are our training and the clarity of our policies. If a violation is observed multiple times, you have to ascertain the causes behind it.

Some questions you should ask are:

1. Is our training missing the mark?
2. What could we do differently?
3. How can we better respond to complaints?
4. Are our policies unclear?

By pinning down answers to these questions, you can streamline your facility’s procedures and, thereby, avoid glaring HIPAA violations.
Tip: Remember to take HIPAA violations seriously, if and when they do occur. That means you’ll have to outline and impose sanctions according to the gravity of the violation. Not only does failure to apply penalties jeopardize your compliance program–it’s also against the law not to have a sanctions policy in place.

Following your sanctions policy will benefit you in the long run, as it proves to your employees the importance of maintaining privacy standards, while at the same time preventing them from using past inconsistencies to excuse or eliminate their responsibility to protect health information.

Word To The Wise: To correct the problems encountered during the walkthrough, experts concur that it is best left to the discretion of the privacy officer to determine how and when a sanction will be imposed. Usually, that officer complies with the overall HR sanctions policy; however, as the issues move in the direction of malicious and willful breaches of privacy, higher levels of sanctions—including termination—must be applied.

SAMPLE: The Walkthrough Checklist

Conduct a walkthrough to quickly and easily monitor your staff’s HIPAA compliance. This checklist, created by Patricia Johnston, a consultant with Texas Health Resources in Arlington, can help you catch violations and track problem areas.

The Walkthrough Checklist, by Patricia Johnston, consultant with Texas Health Resources, Arlington

Activity Observed
# of


Confidential information is discussed by staff in public areas. ___ ___ __________ __________________
Conversations with patient/family regarding confidential information are held in public areas. ___ ___ __________ __________________
Overhead and intercom announcements include confidential information. ___ ___ __________ __________________
Phone conversations and dictation are in areas where confidential information can be overheard. ___ ___ __________ __________________
Computer monitors are positioned to be observed by visitors in public areas. ___ ___ __________ __________________
Unattended computers are not logged out or protected with password-enabled screen savers. ___ ___ __________ __________________
Computer passwords are shared or posted for unauthorized access. ___ ___ __________ __________________
Documents, films and other media with confidential patient information are not concealed from public view. ___ ___ __________ __________________
Whiteboards in public areas have more than the allowable information. ___ ___ __________ __________________
Medical records are not stored or filed in such a way as to avoid observation by passersby. ___ ___ __________ __________________
Confidential patient information is called out in the waiting room. ___ ___ __________ __________________
Confidential information is left on an unattended fax machine in unsecured areas. ___ ___ __________ __________________
Confidential information is left on an unattended printer in unsecured areas. ___ ___ __________ __________________
Confidential information is left on an unattended copier in unsecured areas. ___ ___ __________ __________________
Confidential information is found in trash, recycle bins or unsecured pre-shredding receptacles. ___ ___ __________ __________________
Patient lists, such as scheduled procedures, are readily visible by patients or visitors. ___ ___ __________ __________________
Contractors, vendors and other non-patient visitor third parties are not appropriately identified. ___ ___ __________ __________________
Staff are not wearing name badges. ___ ___ __________ __________________
Patient records are not filed in locking storage cabinets or rooms that are locked when unattended. ___ ___ __________ __________________
Security access mechanisms for buildings or departments are bypassed. ___ ___ __________ __________________
When questioned, staff demonstrate lack of privacy awareness. ___ ___ __________ __________________

Dr. Eric S. Kaplan is CEO of Multidisciplinary Business Applications, Inc. (MBA), a comprehensive coaching firm with a successful, documented history of creating profitable multidisciplinary practices nationwide. For more information, call (561) 626-3004.