Under the HIPAA Security Rule, covered entities (CEs) and business associates (BAs) are required to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule technical safeguards contain a series of standards whose requirements CEs and BAs must meet. Under the first of these standards, the Access Control standard, covered entities and business associates must, to the extent it is reasonable and appropriate to do so, implement automatic logoff procedures. Such automatic logoff procedures can prevent unauthorized users from accessing ePHI on a workstation when that workstation is left unattended.
What Specific Automatic Logoff Methods Should I Implement?
As a general practice, users should log off of the system they are working on when their workstation is not attended. However, a user may not have the time to log off, or may forget to do so. Therefore, to the extent it is reasonable and appropriate to do so, covered entities and business associates should implement log-out or log-off procedures that automatically terminate, or automatically log a user out of, an electronic session after a predetermined period of inactivity.
Specific automatic logoff measures and procedures should describe:
- How to configure application and information system automatic logoff settings. Logoff settings should be configured such that electronic sessions on systems containing ePHI are terminated after a specified period of inactivity. For example, you can develop a procedure under which an electronic session will be automatically terminated after 30 minutes of inactivity.
- Note that the amount of time of inactivity may differ depending on user role. While 30 minutes of inactivity may be appropriate for individuals whose roles do not involve ePHI access, creation, or maintenance, a lesser period of inactivity (e.g., 10 minutes) may be appropriate for data stewards, data custodians, and others who regularly come into contact with ePHI.
- Who must approve automatic logoff times. Your organization’s designated HIPAA Security Official (also known as “Security Officer’), along with other appropriate management designated by the Security Official, should determine what period of time should transpire before access is automatically terminated.
Compliancy Group Simplifies HIPAA Compliance
Covered entities can address their obligations under the HIPAA Security Rule by working with Compliancy Group to develop required Security Rule safeguards, including technical safeguards.
Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address HIPAA Security Rule standards, so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM their HIPAA compliance!
Need Help with HIPAA?
Let our complete HIPAA solution handle it.