HIPAA Compliance

Physical Safeguard Standard, Workstation Security-What to Do and How to Do It

May 14, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the third Physical Safeguard Standard, Workstation Security (45 CFR §164.310(c)).  This standard has no separately named implementation specification: the implementation specification is defined by the standard's own title, and it is required rather than addressable.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

A covered entity must implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

How to Do It

A covered entity is required to secure workstations in such a manner that access is restricted to authorized users.  The solution is "dependent on the [covered] entity's risk analysis and risk management process," and may involve controlled access to the workstation, controls on the workstation itself that restrict access by unauthorized users, or both.  [68 Federal Register 8354]  As with many of the implementation specifications for the Security Rule standards, what counts as adequate depends on the outcomes of the covered entity's risk analysis, so that analysis should record which workstations access electronic protected health information and where each one sits.

An example of an appropriate workstation security requirement would be a policy that workforce members log off before leaving a workstation unattended.  Another example, for a workstation in a controlled access environment, would be a policy requiring automatic logoff after a defined period of inactivity, say, ten minutes or less; a configured timeout of this kind also supports the automatic logoff implementation specification under the Technical Safeguard Access Control standard (45 CFR §164.312(a)(2)(iii)).  A final example would be to control access to the Internet while working with electronic protected health information, to minimize the chance that an outsider gains access to such information through the browser.  This is especially important as mobile devices such as personal digital assistants (PDAs) with browser access proliferate in the healthcare community.
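Of the three examples above, the inactivity logoff is the one most directly enforceable in configuration.  What follows is an added illustration written for this page; it is not hipaa.com's own material and not a control the Security Rule prescribes.  It assumes a Linux or Unix workstation where workforce members use terminal or SSH sessions, and it relies on bash's TMOUT variable, which ends an interactive shell after the given number of seconds without input.  The drop-in file path, the 600-second ceiling (the "ten minutes or less" figure above) and the function names are assumptions.  The audit function checks a drop-in for the four ways such a setting is commonly defeated: absent, set to zero, set too long, or left writable so a user can unset it.

```shell
#!/bin/sh
# Added example (not hipaa.com's text or a required HIPAA control): enforce
# automatic logoff of idle interactive shell sessions with bash's TMOUT and
# audit the resulting drop-in file. Assumptions: a profile.d-style drop-in
# path supplied by the caller, and a policy ceiling of 600 seconds (the
# "ten minutes or less" figure from the post).

MAX_IDLE_SECONDS=600

# Write a drop-in that bash sources for login shells. TMOUT=N makes bash exit
# after N seconds of waiting for input at the prompt; "readonly" stops a user
# from running "unset TMOUT" to defeat the logoff.
write_timeout_profile() {
    target="$1"
    secs="$2"
    cat > "$target" <<EOF
# ePHI workstation idle logoff (assumed policy value: $secs seconds)
TMOUT=$secs
readonly TMOUT
export TMOUT
EOF
}

# Audit a drop-in: TMOUT must be present, non-zero (0 disables the timeout),
# within the ceiling, and readonly. Prints "ok" or the finding; exit status
# 0 means compliant, 1 means a finding was raised.
check_timeout_profile() {
    file="$1"
    val=$(sed -n 's/^TMOUT=\([0-9][0-9]*\)$/\1/p' "$file" | head -n 1)
    if [ -z "$val" ]; then
        echo "missing: TMOUT is not set"
        return 1
    fi
    if [ "$val" -eq 0 ]; then
        echo "disabled: TMOUT=0 never logs off"
        return 1
    fi
    if [ "$val" -gt "$MAX_IDLE_SECONDS" ]; then
        echo "too long: TMOUT=$val exceeds $MAX_IDLE_SECONDS"
        return 1
    fi
    if ! grep -q '^readonly TMOUT$' "$file"; then
        echo "weak: TMOUT is not readonly and can be unset by the user"
        return 1
    fi
    echo "ok"
    return 0
}

# Stand-alone demonstration on constructed files in a scratch directory:
# one compliant drop-in written by the helper, one with a weak setting.
demo_dir=$(mktemp -d)
write_timeout_profile "$demo_dir/ephi-timeout.sh" 600
printf 'TMOUT=3600\nexport TMOUT\n' > "$demo_dir/weak.sh"   # constructed weak config
for f in "$demo_dir/ephi-timeout.sh" "$demo_dir/weak.sh"; do
    printf '%s: %s\n' "$(basename "$f")" "$(check_timeout_profile "$f")"
done
rm -rf "$demo_dir"
```

Two caveats for anyone adapting this.  TMOUT only governs interactive shells (console and SSH logins); a graphical desktop session needs the desktop environment's own idle lock or logoff setting, and a Windows workstation the equivalent screen-saver lock policy, neither of which is shown here.  And the readonly line is not decoration: without it a workforce member can run `unset TMOUT` and the control silently disappears, which is why the audit treats its absence as a finding rather than a warning.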

Finally, a covered entity also must pay particular attention to workstations and other electronic media devices used by receptionists.  This pertains primarily to healthcare providers, but may also pertain to any receptionist in a covered entity who handles overflow processing of healthcare matters involving electronic protected health information.  A receptionist's desk faces a steady stream of patients and visitors and so is a highly vulnerable point of unauthorized access; it should be addressed specifically in a covered entity's risk analysis.  Any workstation, whether in a controlled access environment or not, should be shielded physically from view by passersby who are not authorized to have access to electronic protected health information, for example by turning the screen away from the waiting area or fitting a privacy filter.

A covered entity’s Security Official should establish and implement policies and procedures to protect workstations and restrict access to authorized users.

Tags: 2009, 2010, American Recovery and Reinvestment Act, ARRA, authorized user, browser, business associate, controlled access, covered entity, electronic media, electronic protected health information, February 17, Federal Register, healthcare provider, HIPAA Administrative Simplification, HITECH Act, implementation specification, Internet, logoff, mobile devices, PDA, physical safeguard standard, President Obama, receptionist, required, Risk Analysis, risk management, Security Official, Security Rule, unauthorized user, vulnerable, workforce member, workstation security

© 2023 · hipaa.com
