Corporate Compliance

Tip: Use a layered approach for HIPAA security

Compliance Monitor, July 7, 2004

HIPAA defines "workstation" as an electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions and stores electronic media.

Security experts recommend a layered approach to workstation use and security, including the following:

  • Responsibility: the authority to use a workstation and the rules of behavior associated with it. An organization has full control over the workstations it owns. However, it also has authority over, and responsibility for, workstations it doesn't own when they are used to access and store ePHI. Connecting a workstation the organization does not own to the organization's network for the purpose of gaining access to ePHI should require a formal agreement and rules.
  • Physical layer: the protection of the workstation itself. For desktop PCs, this includes physical location, positioning, use of screensavers, and protection from theft, such as the use of cable locks, built-in cabinets, etc. For more portable workstations, physical protections include rules for how and where they may be carried, provisions for where they may be kept when not in use, physical identification, and potentially even a tracking mechanism.
  • Access layer: authentication of a user. Although this is actually a technical safeguard, the nature of the more portable workstations makes it an applicable topic to cover under physical security compliance assurance of workstations. For desktops, access controls govern the privileges each user is authorized to exercise and the authentication mechanisms required to prove the user is the person claimed. In addition to these, the physical access layer should include masking entry of the password and instructions on protecting passwords or access codes from being stolen by someone looking over people's shoulders as they type.

    This article was adapted from the book, Guide to HIPAA Auditing: Practical Tools and Tips to Ensure Compliance. Go to hcmarketplace.com for more information or to order.


