Chapter 7: Workstation Use

Index

Section I: Pertinent sections of HIPAA proposed security regulations relating to workstation use
Section II: Requirement
Section III: Approaches/Solutions
Section IV: Policy & Procedure
Section V: Web Sites of Interest


Section I: HIPAA Proposed Security Regulations relating to workstation use

HIPAA Regulation Reference: § 142.308 (4)

Policy and guidelines on workstation use (documented instructions/procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific computer terminal site or type of site. Dependent upon the sensitivity of the information accessed from that site).


Section II: Requirement

• Policy/guidelines on workstation use
• Secure workstation location
• Security awareness training



Section III: Approaches/Solutions

• Develop policies and procedures for workstation security and PHI disposal.
• Provide awareness training to all employees on workstation security.
• Develop a mechanism for monitoring the security of employee workstations. Have managers responsible for auditing employee workstation security.
• Conduct risk assessment/gap analysis of physical locations and positioning of workstations.
• Use assessment/analysis to determine changes that are needed to provide a more secure environment for sensitive information.




Section IV: Policy & Procedure

The security workstation policy is a requirement of your organization's HIPAA compliance program. Each organization has the responsibility to ensure that PHI and all sensitive information at employee workstations are protected from unauthorized access. Reasonable efforts must be made to safeguard individual workstations against unauthorized access to information accessed from each site.

Examples of physical safeguards include: locating a workstation in a locked room restricting access to authorized employees only, locking doors to offices when not in use, securing workstations so they can't be removed without special tools, not leaving items that contain PHI on desks in cubicles when not in attendance, locking file cabinets, and removing sensitive information from the fax machine and printer promptly.

Examples of workstation security include: automatic shutdown of the workstation, screen savers, and security (privacy) covers so that the display can only be read from directly in front of the screen.

If you have an Information Technology Department, obtain their policies on screen savers, moving and relocating equipment, loading of software, and the use of personal equipment and incorporate these policies into your security plan.

Develop a policy and procedure for the secure disposal of all PHI. The recommended method of disposal of PHI is by shredding and/or burning.

Media security: all of an organization's sensitive information must be destroyed or rendered unrecoverable (i.e., degaussed, demagnetized, wiped, or 'zero-ized') before the media is disposed of. If your organization has an Information Technology Department, it is their responsibility to ensure that this is done. If you are a small entity without this resource, there are commercial software utilities that can perform one of these functions.
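As an added illustration of the 'zero-ized' option above (example code written for this page, not a utility from the page or its regulators), the routine below overwrites a file in place with zeros, flushes it to disk, reads it back to verify that no original byte survives, and only then deletes it. The sample file and its PHI-like contents are constructed for the demo; the function names are my own.

```python
import os
import tempfile

CHUNK = 1 << 16  # overwrite and verify in 64 KiB blocks


def zeroize_file(path: str, passes: int = 1) -> bool:
    """Overwrite every byte of `path` with zeros, fsync, then verify.

    Caveat: in-place overwriting is only meaningful for media that
    rewrites the same physical sectors (classic magnetic disks). On
    SSDs, wear-levelled flash, or journaling/copy-on-write filesystems
    old copies may remain, so use device-level secure erase, degaussing,
    or physical destruction for those, as the policy text requires.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make sure the zeros reach the disk
    # Verification pass: every byte read back must be zero.
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            if block.count(0) != len(block):
                return False  # original data still present; do not delete
    return True


def zeroize_and_remove(path: str) -> bool:
    """Delete the file only after the wipe has been verified."""
    if not zeroize_file(path):
        return False
    os.remove(path)
    return True


def demo() -> dict:
    """Constructed sample: a temp file holding fake PHI-like records."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"Patient: J. Doe, MRN CONSTRUCTED-0001\n" * 2000)
    size_before = os.path.getsize(path)
    verified = zeroize_and_remove(path)
    return {"size_before": size_before, "verified": verified,
            "removed": not os.path.exists(path)}
```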

Minimum Requirements:
• Gap analysis to determine where security can be tightened
• Locked cabinets
• Awareness training
• Proper PHI disposal methods

Best Practice:
• Screen savers and automatic shut-off of computers when not in use
• Locked/secured workstation environments
• Information Systems policies/procedures
• Awareness training/monitoring
• Proper PHI disposal methods



Section V: Web Sites of Interest

http://aspe.hhs.gov/admnsimp/nprm/secnprm.pdf - Security Regulations

http://www.nitc.state.ne.us/tp/workgroups/security/index.htm - State of Nebraska Information Systems Security Computer User's Security Template
