hipaa-ps-2 Medium priority Physical Safeguards / Workstation Use

Specify the proper functions to be performed by workstations that access ePHI and the manner in which those functions are to be performed

Workstations used to access ePHI should have clearly defined, documented uses and restrictions. Personal use, installation of unauthorized software, and access from uncontrolled locations all increase the risk of ePHI exposure. HIPAA requires covered entities to specify what functions workstations are to perform and how they should be used. This includes defining appropriate use, restricting personal activities on clinical or administrative workstations, and ensuring workstations are positioned and used in ways that prevent unauthorized viewing of ePHI.

Implementation steps

  1. Define acceptable use policies for workstations

     Document a workstation use policy that specifies what activities are and are not permitted on workstations that access ePHI. Address personal use restrictions, installation of unauthorized software, and requirements for screen locking when unattended. Train all workforce members on the policy.

     Tools: confluence

  2. Address physical positioning and screen visibility

     Ensure workstations in clinical or shared spaces are positioned so that ePHI on screen is not visible to unauthorized individuals such as patients, visitors, or non-clinical staff. Consider privacy screens for workstations in high-traffic areas. Establish clean desk practices.

  3. Enforce automatic screen lock

     Configure all workstations to lock automatically after a defined period of inactivity (typically 5 to 15 minutes for clinical environments). Require a password or PIN to unlock. This prevents unauthorized access when a workforce member steps away from a workstation that has ePHI on screen.

     Tools: intune microsoft-endpoint-manager jamf
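As an added example (not part of the original control text or any vendor tooling), the following PowerShell audit checks whether a Windows workstation has a policy-enforced, password-protected automatic lock within the 15-minute ceiling from step 3, which is the kind of per-workstation evidence the "Screen lock configuration" requirement asks for. It assumes it is run on the workstation under the user whose policy applies, and that the lock is delivered through the Group Policy-backed registry values (an MDM channel such as the Intune DeviceLock CSP may store the same setting elsewhere, so treat a non-compliant result from this script as a prompt to check that channel, not as final).

```powershell
# Added audit example, not from the original page. Reads the registry values
# written by Group Policy for screen-saver lock and machine inactivity lock.
# Assumption: $MaxIdleSeconds = 900 is the upper end of the 5-15 minute range
# named in the control; lower it for stricter environments.
param([int]$MaxIdleSeconds = 900)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: setting is not enforced by policy
}

$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$systemPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Screen-saver lock: "Enable screen saver", "Password protect the screen saver",
# "Screen saver timeout" (User Configuration > Control Panel > Personalization).
$ssActive  = Get-PolicyValue $desktopPolicy 'ScreenSaveActive'
$ssSecure  = Get-PolicyValue $desktopPolicy 'ScreenSaverIsSecure'
$ssTimeout = Get-PolicyValue $desktopPolicy 'ScreenSaveTimeOut'

# Machine-wide lock: "Interactive logon: Machine inactivity limit" (seconds).
$inactivity = Get-PolicyValue $systemPolicy 'InactivityTimeoutSecs'

$screenSaverLock = (($ssActive -eq '1') -and ($ssSecure -eq '1') -and
                    ($ssTimeout -and ([int]$ssTimeout -le $MaxIdleSeconds)))
$machineLock = ($inactivity -and ([int]$inactivity -gt 0) -and
                ([int]$inactivity -le $MaxIdleSeconds))

$result = [pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    ScreenSaverTimeoutSec = $ssTimeout
    ScreenSaverRequiresPw = ($ssSecure -eq '1')
    InactivityLimitSec    = $inactivity
    MaxAllowedSec         = $MaxIdleSeconds
    Compliant             = [bool]($screenSaverLock -or $machineLock)
}
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "No policy-enforced, password-protected lock within $MaxIdleSeconds seconds"
    exit 1
}
```

Run it from the endpoint management tool's script facility across the fleet and keep the per-workstation output alongside the Group Policy or MDM export as the configuration evidence.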

Evidence required

Workstation use policy

Written policy defining acceptable use of workstations accessing ePHI.

  - Workstation use policy document
  - Acceptable use policy

Screen lock configuration

Evidence that workstations lock automatically after inactivity.

  - Group Policy or MDM configuration showing screen lock timeout
  - Workstation configuration baseline

Related controls