Form – sagenik.com

Section 1: Foundational & Corporate Compliance

1. What is the current status of your Medical Practice's formal compliance program?
We have a designated Compliance Officer and review our program annually. We have some policies but no designated officer or formal review process. We operate based on informal knowledge and handle issues as they arise.

2. How are your key operational policies and procedures (P&Ps) stored?
In a centralized digital system that is version-controlled and accessible to all staff. In a physical binder that is mostly up-to-date. In various locations, on individual computers, or they are not formally documented.

3. Do you have signed Business Associate Agreements (BAAs) with all third-party vendors who handle patient data?
Yes, we have a signed BAA on file for every required vendor. We have them for some, but may be missing a few. We are unsure or do not have BAAs in place.

Section 2: HIPAA Security & Privacy

1. When was your last formal HIPAA Security Risk Analysis (SRA) completed?
Within the last 12 months, and we have a documented mitigation plan. More than 12 months ago. We have never completed a formal SRA.

2. How do you manage staff access to electronic patient health information (ePHI)
Each user has a unique login, and access is based on their specific job role. We use shared logins for some computers or systems. All users have the same level of access to all patient data.

3. Are all devices that store or access ePHI (laptops, servers, mobile devices) encrypted?
Yes, all devices are encrypted. Only some of our devices are encrypted. We are unsure or no devices are encrypted.

Section 3: OSHA & Staff Safety

1. Is your OSHA Exposure Control Plan (for bloodborne pathogens) reviewed and updated annually?
Yes, it is reviewed and updated annually, and the updates are documented. We have a plan, but it is not reviewed on a formal annual schedule. We do not have a formal Exposure Control Plan.

2. How do you maintain your log of workplace injuries and illnesses (OSHA 300 Log)?
We maintain a formal log and it is up-to-date. We document incidents but not in the formal OSHA 300 format. We do not maintain a formal log.

3. How do you manage Safety Data Sheets (SDS) for hazardous chemicals used in your facility?
We have an organized binder or digital system with an SDS for every chemical, accessible to all staff. We have some SDS sheets, but the collection is incomplete or disorganized. We do not maintain an SDS library.

Section 4: Staff Training & Credentialing

1. How do you prove that a staff member has read and understood a new or updated policy?
We use a digital system to assign policies and track electronic attestations with a timestamp. We use a paper sign-in sheet during a meeting. We rely on verbal confirmation or email announcements.

2. How do you track the expiration dates of staff licenses and certifications?
We use a digital system with automated reminders for upcoming expirations. We use a manual spreadsheet or calendar. We rely on the staff member to inform us.

3. Do you perform primary source verification for all clinical licenses upon hiring?
Yes, for every clinical staff member. Only for physicians, but not other clinical staff. No, we rely on the copy of the license provided by the employee.

Company