Specify the proper functions to be performed by workstations that access ePHI and the manner in which those functions are to be performed
Workstations used to access ePHI should have clearly defined, documented uses and restrictions. Personal use, installation of unauthorized software, and access from uncontrolled locations all increase the risk of ePHI exposure. HIPAA requires covered entities to specify what functions workstations are to perform and how they should be used. This includes defining appropriate use, restricting personal activities on clinical or administrative workstations, and ensuring workstations are positioned and used in ways that prevent unauthorized viewing of ePHI.
Implementation steps
1. Define acceptable use policies for workstations
   Document a workstation use policy that specifies what activities are and are not permitted on workstations that access ePHI. Address personal use restrictions, installation of unauthorized software, and requirements for screen locking when unattended. Train all workforce members on the policy.
2. Address physical positioning and screen visibility
   Ensure workstations in clinical or shared spaces are positioned so that ePHI on screen is not visible to unauthorized individuals such as patients, visitors, or non-clinical staff. Consider privacy screens for workstations in high-traffic areas. Establish clean desk practices.
3. Enforce automatic screen lock
   Configure all workstations to lock automatically after a defined period of inactivity (typically 5 to 15 minutes for clinical environments). Require a password or PIN to unlock. This prevents unauthorized access when a workforce member steps away from a workstation that has ePHI on screen.
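An added example, not part of the original control page or any vendor's tooling, that audits a Windows workstation's effective screen-lock settings against step 3 and returns an object that can be exported as the "screen lock configuration" evidence. It reads the Group Policy registry locations for the machine inactivity limit and the user screen-saver policy; the function name and the 900-second (15 minute) threshold are assumptions.

```powershell
# Added example: audit screen-lock enforcement on a Windows workstation.
# Assumes the script runs in the context of an interactive user (for HKCU)
# with rights to read HKLM policy keys. Not part of the original page.

function Get-ScreenLockCompliance {
    param(
        # Upper bound from step 3: lock within 15 minutes (shorter is acceptable).
        [int]$MaxTimeoutSeconds = 900
    )

    # Machine-wide policy "Interactive logon: Machine inactivity limit" (seconds).
    # Applies to every user on the device regardless of screen saver settings.
    $sysPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sys = Get-ItemProperty -Path $sysPath -ErrorAction SilentlyContinue
    $inactivitySecs = [int]$sys.InactivityTimeoutSecs   # [int]$null -> 0 when unset

    # Per-user screen saver policy delivered by Group Policy (user configuration).
    # Values are REG_SZ strings: '1' = enabled, timeout in seconds.
    $ssPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ss = Get-ItemProperty -Path $ssPath -ErrorAction SilentlyContinue
    $ssActive  = ($ss.ScreenSaveActive -eq '1')
    $ssSecure  = ($ss.ScreenSaverIsSecure -eq '1')   # "On resume, display logon screen"
    $ssTimeout = if ($ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { 0 }

    # Either mechanism satisfies the control, provided it is enforced and within bound.
    $lockViaInactivity  = ($inactivitySecs -gt 0) -and ($inactivitySecs -le $MaxTimeoutSeconds)
    $lockViaScreenSaver = $ssActive -and $ssSecure -and
                          ($ssTimeout -gt 0) -and ($ssTimeout -le $MaxTimeoutSeconds)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        CollectedAt             = (Get-Date).ToString('s')
        MachineInactivitySecs   = $inactivitySecs
        ScreenSaverEnforced     = $ssActive
        ScreenSaverRequiresAuth = $ssSecure
        ScreenSaverTimeoutSecs  = $ssTimeout
        MaxAllowedSecs          = $MaxTimeoutSeconds
        Compliant               = ($lockViaInactivity -or $lockViaScreenSaver)
    }
}

# Collect evidence for this workstation; pipe to Export-Csv to retain it.
Get-ScreenLockCompliance | Format-List
```

A workstation where neither the inactivity limit nor a password-protected screen saver is enforced within the bound reports Compliant = False, which is the gap the step is meant to close.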
Evidence required
- Workstation use policy: written policy defining acceptable use of workstations accessing ePHI.
  - Workstation use policy document
  - Acceptable use policy
- Screen lock configuration: evidence that workstations lock automatically after inactivity.
  - Group Policy or MDM configuration showing screen lock timeout
  - Workstation configuration baseline
Related controls
- Workstation Security: Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
- Facility Access Controls: Implement policies and procedures to limit physical access to electronic information systems and the facilities where they are housed.
- Device and Media Controls: Implement policies and procedures governing the receipt, removal, and disposal of hardware and electronic media containing ePHI.
- Security Management Process: Implement a security management process to prevent, detect, contain, and correct security violations.