HHS has not established a specific time measurement for HIPAA screensaver timeout requirements. However, it is fair to say that a screensaver should be enabled fairly quickly after a workstation has been left unattended, especially if the workspace in which the computer is stationed is accessible to the public, such as a doctor’s waiting room area. In theory, best practices would be for an employee to log off their workstation when leaving it unattended, but it is unrealistic to expect an employee to remember to do so every time they leave their workstation.
We recommend that organizations set the HIPAA automatic logoff time for computers with access to ePHI to no more than 10 minutes after the workstation is left unattended.
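As an added example (not Compliancy Group's own tooling), the following PowerShell audits a Windows workstation against the 10-minute recommendation above and, where it fails, applies a password-protected screensaver policy. It assumes Windows 10/11 and the per-user policy registry values under `HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop`; the blank screensaver `scrnsave.scr` is used only so that the lock actually triggers.

```powershell
# Added example: audit/enforce a secure screensaver that locks within 10 minutes.
# Assumption: Windows 10/11 honours these per-user policy values (Group Policy
# "Enable screen saver", "Password protect the screen saver", "Screen saver timeout").
$MaxSeconds = 600   # the 10-minute recommendation

# Policy keys override whatever the user picked in Control Panel.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-ScreensaverSetting {
    param([string]$Name)
    foreach ($key in @($PolicyKey, $UserKey)) {
        $v = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [string]$v.$Name }
    }
    return $null
}

function Test-ScreensaverCompliance {
    $findings = @()
    if ((Get-ScreensaverSetting 'ScreenSaveActive') -ne '1') {
        $findings += 'screensaver is not enabled'
    }
    if ((Get-ScreensaverSetting 'ScreenSaverIsSecure') -ne '1') {
        $findings += 'screensaver does not require a password on resume'
    }
    if (-not (Get-ScreensaverSetting 'SCRNSAVE.EXE')) {
        $findings += 'no screensaver executable selected, so no lock will occur'
    }
    $timeout = Get-ScreensaverSetting 'ScreenSaveTimeOut'
    if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $MaxSeconds) {
        $findings += "timeout is '$timeout' seconds (must be 1..$MaxSeconds)"
    }
    return $findings
}

function Set-ScreensaverPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$MaxSeconds" -Type String
    # Blank screensaver shipped with Windows; any .scr would do, the lock is what matters.
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String
}

$findings = Test-ScreensaverCompliance
if ($findings.Count -eq 0) {
    Write-Output "Compliant: secure screensaver locks within $MaxSeconds seconds."
} else {
    $findings | ForEach-Object { Write-Output "Finding: $_" }
    Set-ScreensaverPolicy
    Write-Output "Applied policy: password-protected screensaver, $MaxSeconds-second timeout."
}
```

Run it in each user's session (or deploy the same values through Group Policy) and re-run the audit afterwards; the settings take effect at the next logon or policy refresh.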
For more information on HHS technical safeguard requirements, including HIPAA automatic logoff procedures, see the linked guidance.
Compliancy Group’s HIPAA Screensaver
Compliancy Group’s screensaver was specifically designed with HIPAA in mind. Our HIPAA screensaver states, “This device may create, maintain, transmit, or receive confidential information, including patient information protected by federal and state privacy laws. Use of this device is limited to authorized employees, in accordance with company policy. By using this device, all users hereby accept the security policy of the organization.”
By displaying our screensaver on your organization’s computers, unauthorized users are alerted that they are prohibited from accessing equipment containing ePHI. This helps prevent unauthorized access to, or disclosure of, PHI.