(2) Implementation specifications:

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Tell Me More:

The Automatic Logoff implementation specification requires covered entities to address implementing electronic procedures that terminate an electronic session after a predetermined time of inactivity. This is an addressable specification.

Workforce members often walk away from workstations without logging off. This can be a security concern, particularly in areas with public access. Automatic log-off procedures can be implemented to minimize the likelihood that an unauthorized individual may access the workstation.

Such mechanisms might include a password-protected screen saver, or configuring the operating system or another application to terminate a session that has been idle for more than a few minutes.


Questions to consider:

  • Do the technical systems support automatic log-offs?
  • Does the organization want to implement automatic log-offs? While addressable, it is likely that automatic log-offs will need to be implemented to reduce the risk of a security breach. Remember to monitor the use of log-offs and to minimize the ability of workforce members to override the automatic log-offs.

 
