Under the HIPAA Security Rule, covered entities (CEs) and business associates (BAs) are required to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule technical safeguards contain a series of standards whose requirements CEs and BAs must meet.
Under the first of these standards, the Access Control standard, covered entities and business associates must, to the extent it is reasonable and appropriate to do so, implement automatic logoff procedures. A workstation security policy that includes automatic logoff procedures can prevent unauthorized users from accessing ePHI on a workstation that has been left unattended.
What Workforce Security Methods Should I Implement?
Workforce security, as a general practice, requires users to log off the system they are working on whenever their workstation is unattended. However, a user may not have time to log off, or may forget to do so. Therefore, to the extent it is reasonable and appropriate to do so, covered entities and business associates should implement a workstation security policy that includes settings that automatically log a user out of an electronic session after a predetermined period of inactivity.
Workstation Security Policy: Automatic Logoff Measures and Procedures
- How to configure application and information system automatic logoff settings. Logoff settings should be configured such that electronic sessions on systems containing ePHI are terminated after a specified period of inactivity. For example, you can develop a procedure under which an electronic session will be automatically terminated after 30 minutes of inactivity.
- Note that the amount of time of inactivity may differ depending on user role. While 30 minutes of inactivity may be appropriate for individuals whose roles do not involve ePHI access, creation, or maintenance, a lesser period of inactivity (e.g., 10 minutes) may be appropriate for data stewards, data custodians, and others who regularly come into contact with ePHI.
- Who must approve automatic logoff times. Your organization’s designated HIPAA Security Official (also known as the “Security Officer”), along with other appropriate management designated by the Security Official, should determine what period of inactivity should elapse before access is automatically terminated.
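To make the role-based inactivity rule above concrete, here is an added example (not code from this page or from Compliancy Group) of the enforcement logic a session manager would apply: each role maps to an idle limit (30 minutes for roles without ePHI access, 10 minutes for data stewards and custodians), an unmapped role fails closed to the strictest limit, and a last-activity timestamp in the future is treated as expired rather than trusted. The role names, session data and timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Idle limits per user role, following the policy described above (constructed role names):
# 30 minutes for roles that do not touch ePHI, 10 minutes for roles that do.
ROLE_IDLE_LIMITS = {
    "general_staff": timedelta(minutes=30),
    "data_steward": timedelta(minutes=10),
    "data_custodian": timedelta(minutes=10),
    "clinician": timedelta(minutes=10),
}
# Fail closed: a role the policy does not list gets the strictest limit.
STRICTEST_LIMIT = min(ROLE_IDLE_LIMITS.values())


@dataclass
class Session:
    session_id: str
    user: str
    role: str
    last_activity: datetime  # timezone-aware UTC timestamp of the last user input


def idle_limit_for(role: str) -> timedelta:
    return ROLE_IDLE_LIMITS.get(role, STRICTEST_LIMIT)


def is_expired(session: Session, now: datetime) -> bool:
    idle = now - session.last_activity
    # A last_activity in the future means clock skew or a tampered record; do not trust it.
    return idle < timedelta(0) or idle >= idle_limit_for(session.role)


def sweep(sessions, now: datetime) -> list:
    """Return the ids of sessions that must be terminated at time `now`."""
    return sorted(s.session_id for s in sessions if is_expired(s, now))


def demo() -> list:
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    sessions = [
        Session("s1", "alice", "general_staff", now - timedelta(minutes=25)),  # 25 min idle, 30 min limit: keep
        Session("s2", "bob", "data_steward", now - timedelta(minutes=12)),     # 12 min idle, 10 min limit: end
        Session("s3", "carol", "unmapped_role", now - timedelta(minutes=11)),  # unknown role, strictest: end
        Session("s4", "dave", "clinician", now + timedelta(minutes=1)),        # future timestamp: end
    ]
    return sweep(sessions, now)


if __name__ == "__main__":
    print(demo())  # ['s2', 's3', 's4']
```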
Workforce security, through a workstation security policy that includes automatic logoff procedures, limits accidental disclosure of PHI. Organizations that fail to implement a workstation security policy put patients’ PHI at risk.
Compliancy Group Simplifies HIPAA Compliance
Covered entities can address their obligations for automatic logoff procedures under the HIPAA Security Rule by working with Compliancy Group to develop required Security Rule safeguards, including technical safeguards.
Our ongoing support and web-based compliance app, The Guard™, give healthcare organizations the tools to address HIPAA Security Rule standards, so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!