Run VAWA Confidentiality and Records Compliance Audit — Free

Audit Scope and Program Identification

Program name, site, and audit date recorded

Document the victim services program, location, and date of inspection.

Audit scope confirms VAWA-funded victim services records review

Confirm the review covers confidentiality, release of information, HMIS exemptions, file access controls, and staff training.

Records custodian or program manager identified

Record the responsible manager or records custodian for follow-up actions.

Release of Information and Consent Controls

Written consent is obtained before disclosure of protected victim information critical (required)

Verify disclosures are made only with written consent unless disclosure is otherwise required by law.

Yes No N/A

Consent forms specify what information may be shared, with whom, and for what purpose

Review whether release forms are specific enough to support informed consent.

Yes No N/A

Expired or revoked consents are not used for disclosure critical (required)

Yes No N/A

Disclosures required by law are documented with the legal basis and minimum necessary information

Verify that any legally required disclosures are documented and limited to the minimum necessary information.

Yes No N/A

Release of information log is current and complete

Check that disclosures are logged with date, recipient, information shared, and authorization basis.

Yes No N/A

HMIS Exemptions and Data Sharing Boundaries

Program HMIS exemption status is documented where applicable critical (required)

Confirm the program's HMIS exemption or alternative confidentiality arrangement is documented and current.

Yes No N/A

HMIS participation is limited to authorized data elements and approved users

Verify that only approved information is entered or shared through HMIS and access is limited to authorized users.

Yes No N/A

Client identifiers are excluded from shared reports when not authorized

Check that reports and exports suppress direct identifiers unless disclosure is permitted.

Yes No N/A

Data-sharing agreements reflect confidentiality restrictions and permitted uses

Review agreements for limits on redisclosure, retention, and access controls.

Yes No N/A

File Access Controls and Record Security

Paper files are stored in locked cabinets or secured rooms with restricted access critical (required)

Verify physical records are protected from unauthorized viewing or removal.

Yes No N/A

Electronic records use role-based access controls critical (required)

Confirm access is limited to staff with a legitimate program need.

Yes No N/A

Shared passwords or generic user accounts are not used for records access critical (required)

Yes No N/A

Screens, printers, and workstations prevent unauthorized viewing of client information

Check for privacy screens, automatic lock settings, and secure print release where needed.

Yes No N/A

Retention and destruction practices protect confidentiality during disposal

Verify shredding, secure deletion, or approved destruction procedures are followed.

Yes No N/A

Staff Training and Workforce Awareness

Staff have completed confidentiality training within the required cycle critical (required)

Confirm training completion for staff with access to victim records.

Yes No N/A

Training covers written consent, permitted disclosures, and minimum necessary sharing

Review training content for core confidentiality requirements.

Yes No N/A

Staff can describe how to respond to an unauthorized disclosure or privacy incident

Assess staff awareness of escalation, documentation, and corrective action procedures.

Confidentiality reminders or refresher communications are documented

Check for periodic reminders, policy updates, or refresher training records.

Yes No N/A

Findings, Corrective Actions, and Sign-Off

Deficiencies and non-conformances are documented with corrective actions critical (required)

Summarize all deficiencies, responsible parties, and target completion dates.

Inspector signature

Inspector signs to confirm the audit findings.

Program manager acknowledgment

Program manager acknowledges receipt of findings and corrective actions.

Get your results

Enter your email — we'll send you a PDF of your filled-out template, plus the occasional MangoScoop newsletter (templates, workflow tips, product updates). Unsubscribe anytime — link is in every email.

Email (required)

Your name (optional)

Run: VAWA Confidentiality and Records Compliance Audit

Audit Scope and Program Identification

Release of Information and Consent Controls

HMIS Exemptions and Data Sharing Boundaries

File Access Controls and Record Security

Staff Training and Workforce Awareness

Findings, Corrective Actions, and Sign-Off

Get your results