(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Tell Me More:
The objective of the Workstation Use standard is to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI (EPHI).
The term “Workstation” refers to an electronic computing device, for example, a laptop, desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment. This also includes more recent devices such as tablets and smartphones (e.g., iPad), even though these devices were not around when the Final HIPAA Security Rule was issued.
Workstation Use-related policies and procedures must accomplish the following:
- Document the actual function to be performed
- Document how that function is to be performed
- Document where that function is to be performed
Workstation use must include documented instructions and/or procedures that delineate the proper functions to be performed and the manner in which those functions are to be performed to maximize the security of health information. Each organization is required to put in place physical safeguards to restrict access to information. What constitutes an appropriate solution to a Covered Entity or Business Associate’s workstation security issues is dependent on the entity’s risk analysis and risk management process as well as its technical sophistication and complexity.
For the workforce, as well as contractors and agents on the organization’s premises, workstations are among the prime tools for accessing electronic PHI. It is therefore important to make workforce members aware of their responsibilities of properly using workstations, including laptops, and other such devices. In addition, the organization should provide sufficient physical protection of computers to reasonably safeguard against unauthorized access to electronic PHI.
These Workstation Use and Workstation Security standards are closely related. It is important that each covered entity have physical safeguards to protect access to workstations. Entities also need to restrict access to ePHI on each workstation based on the functions associated with that workstation. Ideally, workstations used to access ePHI should be located only in controlled areas. In some organizations this may be easy, e.g., a health plan where there is limited and controlled public access to the facility. In other organizations this may be difficult, e.g., in a hospital with public access to many areas of the facility. Keep in mind that even if an unauthorized person gains access to a workstation, the covered entity should have appropriate technical security – authentication – to prevent the individual from actually accessing the ePHI.
Each organization needs to develop and implement policies and procedures to protect access to workstations. These policies and procedures will be based in large part on other standards and implementation specifications, e.g., access authorization, access control, and person authentication.
Questions to consider:
- Has the organization defined each workstation or class of workstations that can access ePHI?
- Does the organization have policies and procedures regarding proper Workstation Use which define what business or clinical functions can be performed at that workstation?
- Has the organization implemented procedures that indicate the manner in which workstations (or classes of workstations) accessing ePHI are located in physically secure areas and display screens are positioned or protected, in order to minimize the risk of access by unauthorized individuals and prevent unauthorized viewing of ePHI?
- Has the organization implemented procedures that ensure that workstations removed from the organization’s facilities (e.g., a desktop temporarily installed in a home or alternative office) are protected with security controls equivalent to on-site workstations?
- Has the organization implemented procedures that ensure that portable workstations that store ePHI (e.g., laptops, PDAs, portable medical equipment) removed from the organization’s facilities are protected with security controls equivalent to on-site workstations?
- Are your workstations with access to ePHI located in controlled areas? If not, can they be moved to controlled areas?
- Are computer monitors that display ePHI properly positioned to avoid inadvertent or unauthorized viewing? Has the use of “privacy” screens been considered?
- Have you documented your policies and procedures related to workstation use and are they consistent with the Security Rule? If not, they need to be updated.
References:
- NIST SP 800-12 chapters 15 & 16, An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems