HIPAA - Workstation Use 164.310(b)

Overview:
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.


Action Items:
1) Obtain and review the policies and procedures related to workstation use. Evaluate the content in relation to the specified performance criteria for the proper functions to be performed by electronic computing devices. Elements to review may include, but are not limited to:
- A process to identify workstations by type and location;
- The physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI (e.g., to prevent or preclude unauthorized access to an unattended workstation, or to limit the ability of unauthorized persons to view sensitive information as needed);
- Procedures related to the proper use and performance of workstations;
- Workforce members' roles and responsibilities in the workstation use process.
2) Obtain and review an inventory of the locations and types of workstations. Evaluate and determine whether an inventory of workstations exists; when the inventory was last updated; and whether there is a documented process for updating the inventory. If available, review the inventory to see if it includes the types of EPHI data elements contained on the systems included in the inventory.
3) Obtain documentation demonstrating workstation classification. Evaluate and determine if each workstation is classified based on the specific workstation’s capabilities, connection, and allowable activities.
4) Obtain and review documentation demonstrating workstation use policies and procedures implemented. Evaluate if such implementation is in accordance with related policies and procedures.


Related Documents:
1) Policies and procedures related to workstation use.
2) Inventory of the locations and types of workstations.
3) Documentation demonstrating workstation classification.
4) Documentation demonstrating workstation use policies and procedures implemented.


Additional Guidance:
The Workstation Use standard requires covered entities to specify the proper functions to be performed by electronic computing devices. Inappropriate use of computer workstations can expose a covered entity to risks, such as virus attacks, compromise of information systems, and breaches of confidentiality. This standard has no implementation specifications, but like all standards it must be implemented. The proper environment for workstations is another topic that this standard covers.


Many covered entities may have existing policies and procedures that address appropriate business use of workstations. In these cases, it may be possible for them to update existing documentation to address security issues. Covered entities must assess their physical surroundings to ensure that any risks associated with a workstation’s surroundings are known and analyzed for a possible negative impact.


The Workstation Use standard also applies to covered entities with workforce members that work off site using workstations that can access EPHI. This includes employees who work from home, in satellite offices, or in another facility. Workstation policies and procedures must specify the proper functions to be performed, regardless of where the workstation is located.


Some common practices that may already be in place include logging off before leaving a workstation for an extended period of time, and using antivirus software and keeping it continually updated.


Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI?
- Do the policies and procedures identify workstations that access EPHI and those that do not?
- Do the policies and procedures specify where to place and position workstations to only allow viewing by authorized individuals?
- Do the policies and procedures specify the use of additional security measures to protect workstations with EPHI, such as using privacy screens, enabling password protected screen savers or logging off the workstation?
- Do the policies and procedures address workstation use for users that access EPHI from remote locations (i.e., satellite offices or telecommuters)?