In this week’s “Know The Rules!,” I am diving into the second standard of Physical Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) Security Standards: Workstation Use, 45 CFR § 164.310(b).
Physical security is an important component of the HIPAA Security Rule that is often overlooked. What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process.
A workstation is defined in the Rule as:
“an electronic computing device, for example, a laptop or desktop computer, or any other device (including mobile) that performs similar functions, and electronic media stored in its immediate environment.”
The Workstation Use standard requires Covered Entities (CEs) and Business Associates (BAs) to specify the proper functions to be performed by electronic computing devices. Inappropriate use of computer workstations exposes CEs and/or BAs to risks such as virus attacks, malware, compromise of information systems, and possible breaches of confidentiality.
This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R).
For this standard, CEs and BAs must:
“Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information (ePHI).”
Many CEs and BAs may have existing policies and procedures that address appropriate business use of workstations. In this case, it may be possible for you to update your existing documentation to address security issues.
CEs and BAs must assess their physical surroundings to ensure that any risks associated with a workstation’s surroundings are known and analyzed for any possible negative impacts.
The Workstation Use standard also applies to CEs and BAs with workforce members who work off-site using workstations that can access ePHI. This includes workforce members who work from home, in satellite offices, or in another facility. Don’t forget about your temporary and volunteer workforce members too!
Your workstation policies and procedures must specify the proper functions to be performed, regardless of where the workstation is located.
NOTE: The Workstation Use and Workstation Security standards have no implementation specifications, but like all standards must be implemented.
Some common practices that may already be in place include logging off or locking the workstation before leaving a workstation for an extended period of time, as well as using and continually updating antivirus software.
Sample questions for CEs and BAs to consider:
- Are policies and procedures developed and implemented specifying the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of specific workstations or class of workstation(s) that can access ePHI?
- Do your policies and procedures identify workstations that access ePHI and those that do not?
- Do your policies and procedures specify where (and how) to place and position workstations to only allow viewing by authorized individuals?
- Do your policies and procedures specify the use of additional security measures to protect workstations with ePHI, such as using privacy screens, enabling password protected screen savers, locking or logging off the workstations?
- Do your policies and procedures address workstation use for users that access ePHI from remote locations (i.e., satellite offices or telecommuters)?
- NOTE: At a minimum, all safeguards required for office workstations must also be applied to workstations located off-site.
Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.