Standard for HIPAA Workstation Use
Purpose
Ohio University is a Health Insurance Portability and Accountability Act (HIPAA) Hybrid Entity. As such, Ohio University will provide HIPAA training to all members of the workforce in a covered entity unit, including employees, temporary workers, students, and volunteers. Additionally, because many students participate in training programs through outside entities subject to HIPAA, Ohio University will also make HIPAA training available to those students who need to complete it as part of their preparation for course study.
Scope
This standard will apply to all Ohio University operating units that store, process, or transmit protected health information, and all units that actively train students for roles within healthcare fields of study.
Standard
When accessing, processing, transmitting, or storing sensitive information, including protected health information (PHI), users must take appropriate measures to ensure the confidentiality, integrity and availability of such information.
Ohio University faculty, staff, and students shall ensure that sensitive information, including PHI, is only accessed by authorized users.
Ohio University covered entity units will implement appropriate safeguards for all workstations that access protected health information. Such safeguards must, at a minimum, include:
- Physical access to workstations must be restricted to authorized personnel. For example, workstations accessing PHI will not be physically located in public areas.
- Users must lock the screen or log out of a workstation before leaving it unattended.
- All workstations must have a password-protected screen saver with an inactivity timeout of no more than ten (10) minutes. The password must comply with the University Credentials Policy (91.004).
- Workstations will be used for authorized business purposes only.
- No unauthorized software may be installed on workstations accessing PHI.
- The installation of software must be limited to those individuals with administrative privileges, and such privileges must be limited to appropriate workforce members.
- All workstations within covered entity units must be encrypted in accordance with the OIT Information Security Encryption Standard.
- The storage of sensitive information, including protected health information (PHI) must adhere to the OIT Information Security Standards and corresponding guidance for OIT Storing Data by Type.
- Laptops and other portable devices must be secured with cable locks or by locking them in drawers or cabinets when not in use.
- Workstations must be positioned in such a way that screens are not visible to unauthorized individuals. In the event that a computer cannot be positioned in such a manner, a privacy screen filter must be utilized on the workstation.
- Workstations must be joined to the Ohio University Active Directory domain and restarted when necessary to facilitate software updates.
- Workstations should be connected to power via a surge protector or a battery backup.
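A self-check a unit can run on a Windows workstation against the screen-lock and domain-join items above. This is an added example, not part of the Ohio University standard or its tooling: it reads the standard Windows screen-saver registry values (Group Policy location first, then the user's own) and the computer's domain membership, and lists each requirement that is not met. Only the ten-minute threshold is taken from the text; the registry paths and value names are the ones Windows itself uses.

```powershell
# Added example: audit one Windows workstation against the screen-lock and
# domain-join requirements of the standard. Run in the user's own session.

$MaxTimeoutSeconds = 10 * 60   # "no more than ten (10) minutes", per the standard

# Values pushed by Group Policy override the per-user setting, so check that path first.
$Paths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)

function Get-EffectiveValue {
    param([string]$Name)
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -ne $v) { return $v }
        }
    }
    return $null
}

$active  = Get-EffectiveValue 'ScreenSaveActive'    # "1" when a screen saver is enabled
$secure  = Get-EffectiveValue 'ScreenSaverIsSecure' # "1" when resuming requires a password
$timeout = Get-EffectiveValue 'ScreenSaveTimeOut'   # inactivity timeout, in seconds

$findings = @()
if ($active -ne '1') { $findings += 'Screen saver is not enabled.' }
if ($secure -ne '1') { $findings += 'Screen saver does not require a password on resume.' }
if (-not $timeout -or [int]$timeout -gt $MaxTimeoutSeconds) {
    $findings += "Inactivity timeout is '$timeout' seconds; the standard requires at most $MaxTimeoutSeconds."
}

# Domain membership: the standard requires workstations to be joined to Active Directory.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $findings += "Workstation is not domain-joined (current domain/workgroup: '$($cs.Domain)')."
}

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: screen-lock and domain-join settings meet the workstation standard.'
} else {
    Write-Output 'NON-COMPLIANT:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Encryption status and the installed-software inventory are not covered by this check and should be verified separately against the OIT Information Security Encryption Standard.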
Definitions
Workstation. A workstation is a computer that is used to access PHI by Ohio University faculty, staff, students, or third-party vendors.
References
- Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance
- Policy 91.004 University Credentials
- Ohio University Provider HIPAA Privacy Standards and Procedures
- Ohio University Health Plan HIPAA Privacy Standards and Procedures
- Ohio University Information Security Standards
Governance
This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders in the interest of ensuring the privacy and security of individuals' health information, as deemed appropriate based on current regulatory requirements.