What are the HIPAA Security Rule Physical Safeguards? Workstation Use Controls

Modified on Mon, 30 Sep at 4:43 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Security Rule requires covered entities and business associates to develop and implement a series of administrative, technical, and physical safeguards to protect ePHI. The required physical safeguards consist of four standards. These standards include:

1. Facility Access Controls
2. Workstation Use
3. Workstation Security
4. Device and Media Control

This article covers the second of these four standards, "Workstation Use." The Workstation Use standard requires covered entities and business associates to "Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information."

Translating this sentence into plain English presents some difficulty. Fortunately, HHS guidance breaks the language down into an understandable form.

As the guidance notes, the Security Rule defines the word "workstation." A workstation is "An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate vicinity."

The standard requires organizations to develop written instructions and procedures that describe how to use a workstation properly, that is, in a way that does not create a security risk. In short, the workstation use standard requires policies and procedures that ensure workstations are appropriately used and protected.

HHS gives an example of a "proper workstation use procedure": Before you can leave a workstation unattended, log off. When a user logs off, the screen turns blank. This measure protects the workstation while the user is away.

The workstation use standard requires a description of the proper (as opposed to improper) functions, or activities, to be performed, for example: "Log off when you step away from the computer."

The standard also requires that an organization describe "the manner in which [the proper activities] are to be performed." Applied to the activity of logging off, this phrase asks: "What steps must a user take to ensure a proper logoff?" and "What steps must a user take to ensure the workstation is appropriately used and protected?" A proper logoff is sufficient in both type (the kind of logoff) and length. A best practice is to use a session lock for workstations. A session should lock after a maximum of 15 minutes of inactivity (best practice: 5 minutes). A session lock blocks further access until the workforce member using the workstation logs back in using the identification and authentication processes required by the Security Rule.


Other workstation use procedures - measures to ensure workstations are properly used and protected - can include:

1. Instructing employees on how to adequately shield observable ePHI on computer screens.
2. Training employees on where to place and position computers so that only authorized individuals can view them. This training results in the protection of the workstation.
3. Requiring workforce members working in facilities that are not part of the organization to maintain awareness of their surroundings, to ensure that ePHI is protected and not left unattended.
4. Requiring workforce members who travel to different locations during the workday to collect or transmit ePHI not to leave ePHI unlocked or visible in their vehicles. Rather, devices containing ePHI should be locked and stored out of sight (such as in the trunk).
5. Requiring members of the workforce not to store ePHI on non-approved devices or equipment. In smaller environments, this can mean prohibiting the use of any devices not included in the Guard's device inventory. Zero trust or network access control solutions can be implemented to ensure that ePHI is not stored on non-approved devices or equipment.
6. Prohibiting members of the workforce from copying or transmitting ePHI onto non-approved devices or equipment, or from printing it. In smaller or simpler environments, this can be managed through policies, procedures, and training. In higher-risk environments, data classification and control solutions may be implemented to technically prevent the transfer of data to unapproved locations.
7. Requiring that remote access to ePHI (whether by a workforce member who works from home, is traveling, or is working at another facility) be through secure channels only. To ensure this, an organization can require the use of a virtual private network (VPN) and adherence to a Remote Workforce Member Policy.
8. Prohibiting members of the workforce from storing unencrypted ePHI on portable electronic devices, including laptops.

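As an added illustration, not part of the original article and not Compliancy Group's own tooling, the following PowerShell script checks a Windows workstation against two of the practices described above: the session-lock timing (lock after at most 15 minutes of inactivity, 5 minutes as best practice) from the logoff discussion, and the "no unencrypted ePHI on laptops" requirement from the last item in the list. It assumes a Windows 10/11 workstation, an elevated PowerShell session, and the BitLocker PowerShell module; the registry paths and value names are the standard Windows screen-saver policy values, and the threshold numbers are taken from the article.

```powershell
# Added example (not from the original article): audits a Windows workstation
# against the session-lock and portable-device-encryption practices described
# above, and can write the policy-backed session-lock values.
# Assumptions: Windows 10/11, elevated PowerShell, BitLocker module available.

$MaxIdleSeconds         = 900   # article: lock after at most 15 minutes
$RecommendedIdleSeconds = 300   # article: best practice is 5 minutes

function Get-SessionLockSetting {
    # Policy-backed values override the per-user Control Panel values, so
    # look at the policy hive first and fall back to the user's own settings.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($path in $paths) {
        if (Test-Path $path) {
            $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -ne $p.ScreenSaveTimeOut) {
                return [pscustomobject]@{
                    Source         = $path
                    TimeoutSeconds = [int]$p.ScreenSaveTimeOut
                    ScreenSaverOn  = ($p.ScreenSaveActive -eq '1')
                    RequiresLogon  = ($p.ScreenSaverIsSecure -eq '1')
                }
            }
        }
    }
    return $null
}

function Test-SessionLockCompliance {
    param($Setting)
    # Returns a list of findings; an empty list means the workstation complies.
    $findings = @()
    if ($null -eq $Setting) {
        return @('No screen-saver/session-lock setting is configured.')
    }
    if (-not $Setting.ScreenSaverOn) { $findings += 'Screen saver is not enabled.' }
    if (-not $Setting.RequiresLogon) { $findings += 'Resuming the session does not require re-authentication.' }
    if ($Setting.TimeoutSeconds -le 0 -or $Setting.TimeoutSeconds -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is $($Setting.TimeoutSeconds) s; it must be at most $MaxIdleSeconds s."
    } elseif ($Setting.TimeoutSeconds -gt $RecommendedIdleSeconds) {
        $findings += "Idle timeout is $($Setting.TimeoutSeconds) s; best practice is $RecommendedIdleSeconds s or less."
    }
    return $findings
}

function Test-OsDriveEncrypted {
    # No unencrypted ePHI on laptops: the OS volume must be fully encrypted with
    # protection turned on. Get-BitLockerVolume is part of the BitLocker module.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $vol) { return $false }
    return ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
}

function Set-SessionLockPolicy {
    param([int]$TimeoutSeconds = $RecommendedIdleSeconds)
    # Writes the policy-backed values so the user cannot loosen them from the
    # Control Panel. Windows stores these as REG_SZ strings. A screen saver
    # executable must be named for the lock to take effect; the built-in blank
    # screen saver (scrnsave.scr) is used here.
    $path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name ScreenSaveActive    -Value '1' -Type String
    Set-ItemProperty -Path $path -Name ScreenSaverIsSecure -Value '1' -Type String
    Set-ItemProperty -Path $path -Name ScreenSaveTimeOut   -Value ([string]$TimeoutSeconds) -Type String
    Set-ItemProperty -Path $path -Name 'SCRNSAVE.EXE'      -Value 'scrnsave.scr' -Type String
}

# Usage: audit the current workstation and report findings.
$setting  = Get-SessionLockSetting
$findings = Test-SessionLockCompliance -Setting $setting
if ($findings.Count -eq 0) { Write-Output 'Session lock: compliant' }
else { $findings | ForEach-Object { Write-Output "Session lock finding: $_" } }
if (Test-OsDriveEncrypted) { Write-Output 'OS drive encryption: on' }
else { Write-Output 'OS drive encryption: OFF (finding)' }
```

Run the audit block as-is to collect findings for a device inventory; call `Set-SessionLockPolicy` (optionally with a `-TimeoutSeconds` value no greater than 900) only when the organization's policy authorizes enforcing the lock from the workstation rather than through Group Policy or an MDM profile, which is the usual route in managed environments.
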