In our series on the HIPAA Administrative Simplification Security Rule, Workstation Use is the second Physical Safeguard Standard. There is no defined implementation specification for this standard. Implementation of policies and procedures pertaining to this standard are required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What is Required
A covered entity must implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation that can access electronic protected health information.
What to Do
Identify how workstations are used and where authorized workforce members access the workstations in the covered entity.
How to Do It
This physical safeguard standard requires covered entities to develop and implement policies and procedures pertaining to the use of workstations that can access electronic protected health information in a covered entity. The standard requires that the covered entity ensure appropriate workstation uses, how such uses are to be performed, and in what physical environment access to workstations that process electronic protected health information is permitted. Workstations include, but are not limited to, desktop computers, laptop computers, tablet computers, and personal data assistants (PDAs) that transmit, receive, or store electronic protected health information. Examples of policies are:
» Automatic logoff protocols in the absence of activity, including definition of appropriate length of time to trigger automatic logoff.
» Controls on Internet access when workforce members are working with electronic protected health information.
» Frequency of password changes, as defined and controlled by a covered entity’s Security Official.
» Controls on display of passwords on or near workstations.
» Controls on sharing of passwords among workforce members.
» Controls on access of business associates to workstations containing electronic protected health information, as defined in a business associate agreement.
» Controls on workstations that contain or have access to electronic protected health information and that are taken offsite of the covered entity by an authorized user.
» Compliance with software licensing and copyright laws.
» Ensuring that antivirus and other software and database security tools are deployed on each workstation.