Corporate Compliance

Screen saver regulations

Compliance Monitor, February 2, 2007

Q: What is the amount of time that employees who work on computers, such as admissions, coding, billing, etc., have before their screen savers need to kick in and/or they need to sign in again?  We have employees who state they are wasting too much time signing in all the time as it kicks them out after 1.5 minutes. Can this be switched to 15 minutes?

A: Under 54 CFR 164.312(a), automatic log off is an "addressable" standard.  In other words, the security regulations do not require that covered entities implement automatic log off controls.  Instead the Covered Entity must assess whether and to what extent auto log off is reasonable in the Covered Entity's environment.  Where it is reasonable, then the Covered Entity must implement the safeguard.  Assessing reasonableness  involves analyzing whether auto log off will be effective in preventing a reasonably anticipated threat to the Covered Entity's EPHI and EPHI systems.  If the Covered Entity chooses not to implement auto log off , then it is required to document the reasons that it determined that implementation was not appropriate.  If another safeguard is reasonable to address the risk, then the Covered Entity must implement that safeguard. 

There is a significant amount of flexibility built in to the HIPAA security regulations in addressing security risks.  This is especially the case for addressable standards.  The regulations do not establish any specific time frame for auto log off, so its up to each covered entity to determine what is reasonable.  Part of this analysis is setting a log off time that both reduces the opportunity for unauthorized access to EPHI systems, and that does not unreasonably interfere with appropriate use of the EPHI systems. The standard should be established with reference to both the level of threat and the need for access.  For example, computer work stations that are accessed more commonly by non-employees (such as such as nursing stations, waiting rooms or treatment rooms) may need shorter log off standards then work stations in "lower traffic" areas, such as offices to which the public cannot access.

Thanks to Stephen A. Miller, JD, chief compliance and privacy officer with Capital Health System in New Brunswick, NJ for answering this question.

Most Popular