When dissecting the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, you may come across a standard titled “Workstation Use.” Located in §164.310(b), this standard plays a key role in compliance. So whether you are a doctor, dentist, chiropractor, or any other covered entity, you should familiarize yourself with the Workstation Use standard and its respective requirements.
First and foremost, it's important to understand what exactly a workstation is. According to the HIPAA Security Rule, it is defined as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”
In other words, a workstation may consist of desktop computers, laptops, tablets or even smartphones, assuming it is used to store Electronic Protected Health Information (EPHI). If the device is not being used to store EPHI, the HIPAA Workstation Use standard does not apply to it.
Among the most notable requirements of the Workstation Use standard is to specify proper functions which are performed by the devices. Covered entities must create written policies and procedures that detail the types of functions performed by their workstations, how those functions are performed, the data stored on those workstations, as well as the physical attributes surrounding the workstations.
Covered entities must inspect and analyze the environment around their workstations to determine whether or not it poses a risk for data breach. Broken door locks, see-through windows, etc. are just a few elements that can increase the risk of data breach.
Of course, workstations must have certain safeguards in place to protect against unauthorized access or usage. This includes physical, administrative, and technical safeguards. Physical safeguards consist of tangible security measures like locked doors and privacy screens; administrative safeguards consist of policies and procedures to protect against data breach; and technical safeguards consists of digital security measures like firewalls, unique user IDs, and automatic log off.
What About Off-Site Workstations?
The HIPAA Security Rule Workstation Use standard applies to all workstations, both on-site and off-site. If an employee works from home, for instance, his or her computer must also adhere to this standard. The Office for Civil Rights (OCR) says that all safeguards for on-site workstations must also be applied to off-site workstations.