Physical Safeguard Standard, Workstation Use-What to Do and How to Do It

May 13, 2009 · Health IT and HITECH

In our series on the HIPAA Administrative Simplification Security Rule, Workstation Use (45 CFR §164.310(b)) is the second Physical Safeguard Standard.  There is no defined implementation specification for this standard; the standard itself is required, so a covered entity must implement policies and procedures that satisfy it.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What is Required

A covered entity must implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation that can access electronic protected health information.

What to Do

Identify how workstations are used and where authorized workforce members access the workstations in the covered entity.

How to Do It

This physical safeguard standard requires covered entities to develop and implement policies and procedures governing the use of workstations that can access electronic protected health information.  The policies must specify the proper functions of such workstations, the manner in which those functions are to be performed, and the physical environment in which access to electronic protected health information from a workstation is permitted.  Workstations include, but are not limited to, desktop computers, laptop computers, tablet computers, and personal digital assistants (PDAs) that transmit, receive, or store electronic protected health information.  Examples of policies that address this standard are:

» Automatic logoff protocols in the absence of activity, including definition of appropriate length of time to trigger automatic logoff.
» Controls on Internet access when workforce members are working with electronic protected health information.
» Frequency of password changes, as defined and controlled by a covered entity’s Security Official.
» Controls on display of passwords on or near workstations.
» Controls on sharing of passwords among workforce members.
» Controls on access of business associates to workstations containing electronic protected health information, as defined in a business associate agreement.
» Controls on workstations that contain or have access to electronic protected health information and that are taken offsite of the covered entity by an authorized user.
» Compliance with software licensing and copyright laws.
» Ensuring that antivirus and other software and database security tools are deployed on each workstation.
