HIPAA - Automatic Logoff 164.312(a)(2)(iii)

Overview:
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.


Action Items:
1) Obtain and review policies and procedures regarding automatic logoff. Evaluate the content in relation to the specified criteria to determine whether it specifies that an electronic session is terminated after a predetermined time of inactivity.
2) Obtain and review documentation (e.g., screenshots, system settings, etc.) demonstrating the implementation of automatic logoff. Evaluate and determine if automatic logoff settings are implemented in accordance with related policies and procedures.


Related Documents:
1) Policies and procedures regarding automatic logoff.
2) Documentation (e.g., screenshots, system settings, etc.) demonstrating the implementation of automatic logoff.


Additional Guidance:
As a general practice, users should log off the system they are working on whenever their workstation is unattended. However, there will be times when workers do not have the time, or do not remember, to log off a workstation. Automatic logoff is an effective way to prevent unauthorized users from accessing EPHI on a workstation that is left unattended for a period of time. Many applications have configuration settings for automatic logoff: after a predetermined period of inactivity, the application automatically logs off the user. Systems with more limited capabilities may instead activate a password-protected operating system screen saver after a period of system inactivity. In either case, the information that was displayed on the screen is no longer accessible to unauthorized users.
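The guidance above describes two implementations: an application-level inactivity logoff and a password-protected operating system screen saver. The following PowerShell function is an added example, not part of the HIPAA guidance, that audits the second implementation on a Windows workstation and produces the kind of system-settings evidence Action Item 2 asks for. It reads the standard screen saver registry values (ScreenSaveActive, ScreenSaveTimeOut, ScreenSaverIsSecure), preferring the Group Policy location when one is set, and compares the timeout against a maximum inactivity period. The 15-minute maximum is an assumed organizational policy value; the regulation itself only requires that the period be predetermined.

```powershell
# Added example (not from the HIPAA guidance page): audit a Windows workstation's
# inactivity lock against a predetermined timeout. The 15-minute default is an
# assumed organizational policy value, not a figure from the regulation.
function Test-AutomaticLogoff {
    param(
        [int]$MaxInactivitySeconds = 900  # assumed policy maximum: 15 minutes
    )

    # Group Policy values take precedence over per-user preferences when present.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )

    $settings = $null
    $source   = $null
    foreach ($path in $paths) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($props -and $null -ne $props.ScreenSaveTimeOut) {
            $settings = $props
            $source   = $path
            break
        }
    }

    if (-not $settings) {
        return [pscustomobject]@{
            Compliant        = $false
            TimeoutSeconds   = $null
            RequiresPassword = $false
            Source           = $null
            Reason           = 'no screen saver timeout configured'
        }
    }

    # Registry stores these as strings; "1" means enabled.
    $active  = $settings.ScreenSaveActive -eq '1'
    $secure  = $settings.ScreenSaverIsSecure -eq '1'
    $timeout = [int]$settings.ScreenSaveTimeOut

    $reasons = @()
    if (-not $active) { $reasons += 'screen saver not enabled' }
    if (-not $secure) { $reasons += 'screen saver does not require a password on resume' }
    if ($timeout -le 0 -or $timeout -gt $MaxInactivitySeconds) {
        $reasons += "timeout of $timeout s exceeds policy maximum of $MaxInactivitySeconds s"
    }

    [pscustomobject]@{
        Compliant        = ($reasons.Count -eq 0)
        TimeoutSeconds   = $timeout
        RequiresPassword = $secure
        Source           = $source
        Reason           = ($reasons -join '; ')
    }
}

# Run the audit for the current user and print the evidence record.
Test-AutomaticLogoff | Format-List
```

Run under the account whose session is being assessed, since the values live under HKCU. The output object (Compliant, TimeoutSeconds, RequiresPassword, Source, Reason) can be exported with Export-Csv across a fleet and attached to the related documentation for this specification; a Source pointing at the Policies hive shows the setting is centrally enforced rather than user-changeable.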


Sample questions for covered entities to consider:
- Do current information systems have an automatic logoff capability?
- Is the automatic logoff feature activated on all workstations with access to EPHI?