DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
The HIPAA Security Rule requires covered entities and business associates to develop and implement a series of administrative, technical, and physical safeguards to protect ePHI. The required physical safeguards consist of four standards. These standards include:
1. Facility Access Controls
2. Workstation Use
3. Workstation Security
4. Device and Media Controls
This article covers the third of these four standards, "Workstation Security." The Workstation Security standard requires covered entities and business associates to "Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users." The standard covers both facilities as well as offsite workstations that can access ePHI, including teleworker workstations.
How Can the Workstation Security Standard be Implemented?
The Workstation Security standard is similar to the Workstation Use standard. Both require the protection of workstations. However, while the Workstation Use standard addresses the policies and procedures for how workstations should be used and protected, the Workstation Security standard requires the workstation to be physically protected from unauthorized users.
Covered entities and business associates may implement a variety of strategies to restrict access to workstations with ePHI and prevent unauthorized use. One way is to completely restrict physical access to a secure room where only authorized personnel work. This action physically protects the workstations from unauthorized users.
Per HHS guidance, workstation security measures, including offsite worksite security measures (e.g., measures for telecommuters), can include the following:
1. Using privacy screens to prevent someone from viewing computer screens.
2. Using cable locks to deter theft.
3. Installing port and device locks that physically restrict access to USB ports or devices such as CD/DVD drives.
This third measure is of particular importance, as unrestricted access to USB ports and removable media devices can facilitate the unauthorized copying of ePHI to removable media. Unrestricted access to removable media devices also exposes the workstation to devices that may carry malicious software, which can then propagate to other systems.
4. Positioning workstation screens away from areas from which they could be viewed.
5. Keeping electronic equipment and media in secured areas, including locked rooms.
6. Deploying HIPAA-compliant security cameras, and posting signs accordingly.
7. Using security guards.