2a) Do users have access to all patient records? 2b) If so, how do you regulate cross-patient queries? 2c) Is access granted or denied to the entire medical record, or is the record segmented and access granted to segments? 2d) If segmented, who defines these segments and decides access policy to them? Is it the information systems department, a medical records committee, . . . .?
3a) Is restriction of access to medical records preemptive, or is presumptive access granted with audit based review? 3b) How do you monitor staff access to other resources? 3c) Is there a regular report generated on access requests and access grants/denials?
4a) Are certain types of records kept more secure (field limitations on HIV lab tests, VIP records, etc.)? 4b) Are psychiatric records on-line? If so are they treated specially for access? 4c) Is HIV status on-line. Is it treated specially for access? Is HIV infection or AIDS suppressed from the problem list? 4d) Are medication lists altered to hide HIV or psychiatric medications?
1a) Are databases encrypted? If so, what type of encryption is used? If not, are databases protected only through access control?
2a) Are data encrypted during transmission over the network or to remote sites? If so, what type of encryption is used?
E. Protection Against External Threats
1a) What mechanisms are used to secure access from outside the institution? Dial-back schemes? Firewalls? Private lines or public networks? Authentication schemes? Encryption techniques?
2a) Are mechanisms in place to detect outsider probes? How do you know if someone is ''sniffing" your system? 2b) Are there technical means available for detecting intrusion? 2c) What administrative mechanisms are used (awareness, reporting mechanisms, etc.)?
F. Software Discipline
1a) What types of software controls are in place to protect against Trojan horses and viruses?
2a) How do you attempt to control/limit the copying of data to prevent its subsequent release or unauthorized use?
G. Backup Procedures
1a) Do you have procedures in place for regularly backing up computer data? 1b) If so, what data are backed up: medical records, administrative data, password and access files? 1c) How frequently are