HIPAA Compliance
Access Control: Automatic Logoff-What to Do and How to Do It

June 5, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is addressable. Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

How to Do It

A covered entity should activate a password-protected screensaver that automatically prevents unauthorized users from viewing or accessing electronic protected health information on unattended electronic information system devices. Because this is an addressable implementation specification, timeout and logoff settings will depend on the size of the covered entity and the degree of access to its electronic information system devices. As a benchmark, establish a 10-minute timeout period before the logoff capability locks the device and makes information inaccessible. Devices in high-traffic areas might have a timeout of 2 to 3 minutes. Devices in protected areas with controlled, limited access, such as a lab or isolated office, could have longer timeout periods. After a logoff, the authorized user must re-enter a password to regain access to electronic protected health information.

A covered entity without a logoff feature should consult its software vendor to build timeouts into all of its electronic information systems. Timeout settings will be suggested by the risk analysis, based on size of facility, and location and accessibility of electronic information system devices. The covered entity should pay particular attention to the growing use of handheld devices that can be moved from one part of a covered entity to another as it considers its timeout strategy.
