VAWA Confidentiality and Records Compliance Audit

Inspection template for reviewing VAWA-funded victim services confidentiality practices, including release of information, HMIS exemptions, file access controls, and staff training.

Audit Scope and Program Identification

• Program name, site, and audit date recorded
  Document the victim services program, location, and date of inspection.
• Audit scope confirms VAWA-funded victim services records review
  Confirm the review covers confidentiality, release of information, HMIS exemptions, file access controls, and staff training.
• Records custodian or program manager identified
  Record the responsible manager or records custodian for follow-up actions.

Release of Information and Consent Controls

• Written consent is obtained before disclosure of protected victim information
  Verify disclosures are made only with written consent unless disclosure is otherwise required by law.
• Consent forms specify what information may be shared, with whom, and for what purpose
  Review whether release forms are specific enough to support informed consent.
• Expired or revoked consents are not used for disclosure
• Disclosures required by law are documented with the legal basis and minimum necessary information
  Verify that any legally required disclosures are documented and limited to the minimum necessary information.
• Release of information log is current and complete
  Check that disclosures are logged with date, recipient, information shared, and authorization basis.

HMIS Exemptions and Data Sharing Boundaries

• Program HMIS exemption status is documented where applicable
  Confirm the program's HMIS exemption or alternative confidentiality arrangement is documented and current.
• HMIS participation is limited to authorized data elements and approved users
  Verify that only approved information is entered or shared through HMIS and access is limited to authorized users.
• Client identifiers are excluded from shared reports when not authorized
  Check that reports and exports suppress direct identifiers unless disclosure is permitted.
• Data-sharing agreements reflect confidentiality restrictions and permitted uses
  Review agreements for limits on redisclosure, retention, and access controls.

File Access Controls and Record Security

• Paper files are stored in locked cabinets or secured rooms with restricted access
  Verify physical records are protected from unauthorized viewing or removal.
• Electronic records use role-based access controls
  Confirm access is limited to staff with a legitimate program need.
• Shared passwords or generic user accounts are not used for records access
• Screens, printers, and workstations prevent unauthorized viewing of client information
  Check for privacy screens, automatic lock settings, and secure print release where needed.
• Retention and destruction practices protect confidentiality during disposal
  Verify shredding, secure deletion, or approved destruction procedures are followed.

Staff Training and Workforce Awareness

• Staff have completed confidentiality training within the required cycle
  Confirm training completion for staff with access to victim records.
• Training covers written consent, permitted disclosures, and minimum necessary sharing
  Review training content for core confidentiality requirements.
• Staff can describe how to respond to an unauthorized disclosure or privacy incident
  Assess staff awareness of escalation, documentation, and corrective action procedures.
• Confidentiality reminders or refresher communications are documented
  Check for periodic reminders, policy updates, or refresher training records.

Findings, Corrective Actions, and Sign-Off

• Deficiencies and non-conformances are documented with corrective actions
  Summarize all deficiencies, responsible parties, and target completion dates.
• Inspector signature
  Inspector signs to confirm the audit findings.
• Program manager acknowledgment
  Program manager acknowledges receipt of findings and corrective actions.