What are the HIPAA Security Rule Physical Safeguards? Workstation Use Controls

Modified on Wed, 23 Jul at 1:21 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

The HIPAA Security Rule requires covered entities and business associates to develop and implement a series of administrative, technical, and physical safeguards to protect ePHI. The required physical safeguards consist of four standards:

1. Facility Access Controls
2. Workstation Use
3. Workstation Security
4. Device and Media Controls

This article covers the second of these four standards, "Workstation Use."


What is the HIPAA Workstation Use Standard?

The Workstation Use standard requires covered entities and business associates to "Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information."

What is a Workstation?

As HHS guidance notes, the Security Rule defines the word "workstation." A workstation is "An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate vicinity." Note that the definition is broader than a PC: tablets, thin clients, and the removable media sitting next to the device are all in scope.

What Does the Workstation Use Standard Require?

The standard requires organizations to develop written policies and procedures that describe how a workstation is to be used so that its use does not create a security risk: which functions may be performed on it, how those functions are to be performed, and what the physical surroundings of the workstation (or class of workstations) must look like.

HHS gives a simple example of a proper workstation use procedure: before leaving a workstation unattended, log off. Logging off (or locking the screen) ends the visible session, so ePHI is no longer displayed and the workstation cannot be used by anyone who walks up to it while the user is away.


Other workstation use procedures - measures to ensure workstations are properly used and protected - can include:

1. Instructing employees on how to adequately shield ePHI displayed on computer screens from onlookers.
2. Training employees on where to place and position computers so that screens can be viewed only by authorized individuals.
3. Requiring workforce members working in facilities that are not part of the organization to maintain awareness of their surroundings, so that ePHI is protected and never left unattended.
4. Requiring workforce members who travel to different locations during the workday to collect or transmit ePHI not to leave ePHI unlocked or visible in their vehicles. Devices containing ePHI should be locked and stored out of sight (for example, in the trunk).
5. Requiring members of the workforce not to store ePHI on non-approved devices or equipment. In smaller environments, this can mean prohibiting the use of any device not included in the Guard's device inventory. Zero trust or network access control solutions can be used to enforce that only approved devices connect to systems holding ePHI.
6. Prohibiting members of the workforce from copying or transmitting ePHI to non-approved devices or equipment, or from printing it. In smaller/simpler environments, this can be managed through policies, procedures, and training. In higher-risk environments, data classification and data loss prevention controls may be implemented to technically block the transfer of data to unapproved locations.
7. Requiring that remote access to ePHI (whether by a workforce member who works from home, is traveling, or is working at another facility) be through secure channels only. To ensure this, an organization can require the use of a virtual private network (VPN) and adherence to a Remote Workforce Member Policy.
8. Prohibiting members of the workforce from storing unencrypted ePHI on portable electronic devices, including laptops.
9. Continuously updating antimalware and antivirus software.


In general, safeguards required for office workstations should also be applied to workstations located off site.
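Several of the procedures above (screen lock on unattended workstations, approved-device inventory, encryption on portable devices, VPN-only remote access, current antimalware) can be verified rather than just documented. The following is an added example, not part of this article or of any Compliancy Group product: it evaluates constructed workstation inventory records, of the kind an endpoint management tool would export, against those controls. The record fields, the 15-minute lock timeout, the 3-day antimalware signature age, and the device inventory are all assumptions chosen for illustration; adjust them to your own written policy.

```python
"""Check workstation inventory records against Workstation Use controls.

Added example. The field names, thresholds and sample fleet below are
assumptions, not an official HHS or Compliancy Group format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (set these from your own written policy).
MAX_IDLE_LOCK_SECONDS = 900        # automatic screen lock after 15 minutes idle
MAX_AV_SIGNATURE_AGE_DAYS = 3      # antimalware definitions no older than 3 days

# Constructed approved-device inventory (asset tags).
APPROVED_INVENTORY = {"WS-0001", "WS-0002", "LT-0007"}


@dataclass
class Workstation:
    asset_tag: str
    portable: bool                  # laptop, tablet, etc.
    stores_ephi: bool
    disk_encrypted: bool
    idle_lock_seconds: int | None   # None means no automatic lock configured
    av_signature_date: date | None  # None means no antimalware reporting
    remote_access: bool             # device is used to reach ePHI off site
    vpn_enforced: bool              # remote access only through the VPN


def evaluate(ws: Workstation, today: date) -> list[str]:
    """Return the Workstation Use findings for one device (empty list = compliant)."""
    findings: list[str] = []
    if ws.asset_tag not in APPROVED_INVENTORY:
        findings.append("device not in approved inventory")
    if ws.idle_lock_seconds is None or ws.idle_lock_seconds > MAX_IDLE_LOCK_SECONDS:
        findings.append("no automatic screen lock within policy timeout")
    if ws.portable and ws.stores_ephi and not ws.disk_encrypted:
        findings.append("unencrypted ePHI on portable device")
    if ws.av_signature_date is None or (today - ws.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append("antimalware definitions out of date")
    if ws.remote_access and not ws.vpn_enforced:
        findings.append("remote access permitted outside VPN")
    return findings


def audit(fleet: list[Workstation], today: date) -> dict[str, list[str]]:
    """Map each asset tag to its list of findings."""
    return {ws.asset_tag: evaluate(ws, today) for ws in fleet}


# Constructed sample fleet and audit date.
AUDIT_DATE = date(2025, 7, 23)
SAMPLE_FLEET = [
    Workstation("WS-0001", portable=False, stores_ephi=True, disk_encrypted=True,
                idle_lock_seconds=600, av_signature_date=date(2025, 7, 22),
                remote_access=False, vpn_enforced=False),
    Workstation("LT-0007", portable=True, stores_ephi=True, disk_encrypted=False,
                idle_lock_seconds=1800, av_signature_date=date(2025, 7, 10),
                remote_access=True, vpn_enforced=False),
    Workstation("LT-0099", portable=True, stores_ephi=False, disk_encrypted=True,
                idle_lock_seconds=None, av_signature_date=date(2025, 7, 22),
                remote_access=True, vpn_enforced=True),
]


def run_sample() -> dict[str, list[str]]:
    """Audit the constructed fleet as of the constructed audit date."""
    return audit(SAMPLE_FLEET, AUDIT_DATE)


if __name__ == "__main__":
    for tag, findings in run_sample().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{tag}: {status}")
```

The desktop WS-0001 passes every check; the laptop LT-0007 fails on lock timeout, encryption, antimalware age and VPN enforcement; LT-0099 is flagged for not being in the inventory and for having no automatic lock, even though it stores no ePHI, because an unapproved device should not be reaching ePHI at all. A real audit would feed the records from the endpoint management tool's export and treat any non-empty finding list as a ticket, not as a reason to rewrite the policy.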
