What are the HIPAA Security Rule Physical Safeguards? Workstation Security Controls

Modified on Tue, 5 Mar at 11:57 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The HIPAA Security Rule requires covered entities and business associates to develop and implement a series of administrative, technical, and physical safeguards to protect ePHI. The required physical safeguards consist of four standards:

1. Facility Access Controls

2. Workstation Use

3. Workstation Security

4. Device and Media Control

This article covers the third of these four standards, "Workstation Security." The Workstation Security standard requires covered entities and business associates to "Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users."

The standard applies to workstations within the entity's facilities as well as to offsite workstations that can access ePHI, including teleworker workstations.


The Workstation Security standard is similar to the Workstation Use standard. Both require the protection of workstations. However, while the Workstation Use standard addresses the policies and procedures for how workstations should be used and protected, the Workstation Security standard requires the workstation to be physically protected from unauthorized users.

Covered entities and business associates may implement a variety of strategies to restrict access to workstations with ePHI and prevent unauthorized use. One approach is to completely restrict physical access to a secure room in which only authorized personnel work. This action physically protects the workstations from unauthorized users.

Per HHS guidance, workstation security measures, including offsite worksite security measures (e.g., measures for telecommuters), can include the following:

1. Using privacy screens to prevent someone from viewing computer screens.
2. Using cable locks to deter theft.
3. Installing port and device locks that physically restrict access to USB ports or devices such as CD/DVD drives.
4. Positioning workstation screens away from areas from which they could be viewed.
5. Keeping electronic equipment and media in secured areas, including locked rooms.
6. Deploying HIPAA-compliant security cameras, and posting signs accordingly.
7. Using access cards for employee entry into and exit from the facility.
8. Using security guards and alarm systems.
9. Instructing on-site workforce members and telecommuters to avoid disclosing log-in, password, and identification information to others.
10. Instructing on-site workforce members and teleworkers to immediately inform the Privacy or Security Officer (or other data security personnel) if laptops, other portable devices, or password ID information are stolen or otherwise compromised.

The third measure (port and device locks) is of particular importance. Unrestricted access to USB ports and removable media devices can facilitate the unauthorized copying of ePHI to removable media. It also allows devices that might be infected with malicious software to be connected, and that software can then propagate to the workstation.
