Health Information Management

Are there existing standards on inactivity timeouts we can reference?

HIM-HIPAA Insider, September 6, 2004

Our doctors complain that the 15-minute inactivity timeout is too short. They want us to change it to 30 minutes. Are there existing standards we can reference?

No universally accepted standard exists for how quickly an inactive session should time out. A CMS publication titled Information Security Acceptable Risk Safeguards calls for a 15-minute timeout. But applying one fixed value everywhere has problems.

It is important to understand that the risk of an "open" connection on an unattended workstation largely depends on the physical surroundings. On an open floor in a hospital or in a busy emergency room accessible to the public, the risk is high and the timeout should be shorter than 15 minutes.

In a private office or other secure location off limits to unattended visitors, it's reasonable to make the inactivity timeout longer. Unfortunately, few application vendors provide a timeout feature a provider can set by location. Organizations should press vendors for this flexibility to better address risk and avoid unnecessarily short timeouts that irk users.

Editor's Note: Kate Borten, CISSP, CISM, is president and founder of The Marblehead Group, Inc., a national consulting firm focusing on the healthcare industry. This is not legal advice. Please consult your attorney for legal matters.
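One way a timeout set by location could work, as an added example that is not part of the original column and not any vendor's code. The zone names, subnets and minute values are constructed assumptions, as is the choice to identify a workstation's location by its subnet.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample policy (assumption): minutes of inactivity allowed per zone.
# Public areas get less than 15 minutes, private offices more, as the column argues.
ZONE_TIMEOUT_MIN = {"public_floor": 5, "nursing_station": 10, "private_office": 30}

# Unknown or unparseable locations fail closed to the shortest timeout.
STRICTEST_MIN = min(ZONE_TIMEOUT_MIN.values())

# Constructed subnet-to-zone map (assumption). Ranges may nest: the ER bay
# below sits inside the wider clinical range and must override it.
SUBNET_ZONES = [
    ("10.20.0.0/16", "nursing_station"),
    ("10.20.8.0/24", "public_floor"),
    ("10.30.4.0/24", "private_office"),
]


def timeout_for(workstation_ip: str) -> timedelta:
    """Return the inactivity timeout for a workstation; most specific subnet wins."""
    try:
        addr = ipaddress.ip_address(workstation_ip)
    except ValueError:
        return timedelta(minutes=STRICTEST_MIN)
    best = None  # (network, zone) of the longest matching prefix so far
    for cidr, zone in SUBNET_ZONES:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    minutes = ZONE_TIMEOUT_MIN[best[1]] if best else STRICTEST_MIN
    return timedelta(minutes=minutes)


def session_expired(workstation_ip: str, last_activity: datetime, now: datetime) -> bool:
    """True when the session has been idle at least as long as its zone allows."""
    return now - last_activity >= timeout_for(workstation_ip)


if __name__ == "__main__":
    now = datetime(2004, 9, 6, 12, 0)
    idle_since = now - timedelta(minutes=20)
    for ip in ("10.20.8.17", "10.20.3.4", "10.30.4.9", "192.0.2.1"):
        print(ip, timeout_for(ip), session_expired(ip, idle_since, now))
```
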
