Workstation use (HIPAA)
Workstation use must be addressed as part of the physical safeguards of the covered entity. This standard (which has no subsidiary implementation specifications) requires: "... policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information [PHI]."
Workstation is defined as "an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment." (164.304) Thus PDAs, tablet computers, and other portable/wireless devices are included. (DHHS noted specifically in its Final Rule commentary that the standards are not to be interpreted as limited to "fixed location devices." Final Rule, p. 122)
The critical variable is not the particulars of the device itself, but whether it can access or store PHI. If it can, formal, documented policies and procedures must be in place, and the covered entity must take reasonable, appropriate steps to assure that the policies and procedures are followed.
For a conventional desktop computing device, these could include a requirement to log off before leaving a workstation unattended. For a portable device that can leave the covered entity's premises, they might include limits on what can be stored on it. The particular rules would be determined by, among other things, the results of the covered entity's risk analysis and risk management efforts, which are required as part of the security management process standard.
See also: