Access Control: Automatic Logoff-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is addressable. Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

How to Do It

A covered entity should activate a password-protected screensaver that automatically prevents unauthorized users from viewing or accessing electronic protected health information from unattended electronic information system devices. This is an addressable implementation specification, so timeouts and logoff features will relate to size of covered entity and degree of access to electronic information system devices. As a benchmark, establish a 10-minute timeout period before the logoff capability locks the device and makes information inaccessible. Devices in high-traffic areas might have a timeout of 2 to 3 minutes. Devices in protected areas with controlled, limited access, such as a lab or isolated office, could have longer timeout periods. A log off would require the authorized user to re-enter a password to gain access to electronic protected health information.

A covered entity without a logoff feature should consult its software vendor to build timeouts into all of its electronic information systems. Timeout settings will be suggested by the risk analysis, based on size of facility, and location and accessibility of electronic information system devices. The covered entity should pay particular attention to the growing use of handheld devices that can be moved from one part of a covered entity to another as it considers its timeout strategy.