© 2026 D3rx. All rights reserved.

Physical Safeguards (164.310)

Workstation Use & Security Policy

45 CFR § 164.310(b)–(c)

Specifies the proper use of and physical safeguards for workstations that access ePHI. Covers screen positioning, auto-lock requirements, clean desk procedures, and restrictions on workstation functions to minimize risk of unauthorized access.

What's Included

  • Policy document
  • Workstation inventory template
  • Workstation security checklist
  • Implementation checklist
  • Annual review template
2 pages · ~987 words · 9 sections
Estimated customization: ~10 minutes
Last updated May 2026

Sample Preview

Physical Safeguards (164.310) · Page 1 of 2

Workstation Use & Security Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy specifies the proper functions and physical attributes of the electronic workstations at [PRACTICE NAME] that access ePHI, and the manner in which those workstations must be physically protected. Workstations are a primary access point for ePHI and must be secured against unauthorized access, both physical and visual.

2. Scope

This policy applies to all electronic computing devices used to access, process, or transmit ePHI, including desktop computers, laptops, tablets, thin clients, and any other device that functions as a workstation. It applies to devices owned by [PRACTICE NAME] and, where permitted, personal devices used to access ePHI (if a BYOD policy is in effect). All workforce members who use workstations are covered by this policy.

3. Policy Statement

[PRACTICE NAME] shall specify the proper functions to be performed by electronic computing devices and the manner in which those functions shall be performed, as required by 45 CFR § 164.310(b). Additionally, physical safeguards shall be implemented for all workstations that access ePHI to restrict access to authorized users, as required by 45 CFR § 164.310(c).

4. Definitions

Workstation: An electronic computing device — for example, a laptop or desktop computer, or any other device that performs similar functions — and electronic media stored in its immediate environment. This includes the device itself, attached peripherals, and any removable media connected to it.

ePHI System: Any application or service that stores, processes, or transmits ePHI, such as the EHR, practice management system, patient portal, or encrypted email.

Clean Desk: A practice whereby all sensitive information, including printed PHI, is secured or removed from the desk and surrounding area when the workstation is unattended.

5. Procedures

1. WORKSTATION USE STANDARDS

1.1 Workstations shall be used only for authorized business purposes. Personal use of practice workstations is [PROHIBITED/LIMITED TO INCIDENTAL USE AS DESCRIBED IN THE ACCEPTABLE USE POLICY].

1.2 Workforce members shall not install unauthorized software on practice workstations. All software installations must be approved by the IT Manager.

1.3 Workforce members shall not disable or circumvent security features on workstations, including antivirus software, firewalls, automatic updates, or auto-lock settings.

1.4 Workforce members shall not store ePHI on the local hard drive of any workstation unless the drive is encrypted. ePHI should be stored on approved network drives or cloud-based systems.

1.5 Workforce members shall not use public Wi-Fi networks to access ePHI systems unless connected through an approved VPN.

2. PHYSICAL SECURITY OF WORKSTATIONS

2.1 Screen Positioning: Workstation screens that display ePHI shall be positioned so that the screen is not visible to unauthorized persons, including patients, visitors, and passersby. Privacy screens/filters shall be used where screen positioning alone is insufficient.

2.2 Auto-Lock: All workstations shall be configured to automatically lock after [NUMBER — e.g., 2, 5, 10] minutes of inactivity. Workforce members shall also manually lock their workstation (Windows: Win+L; Mac: Ctrl+Cmd+Q) whenever stepping away, even briefly.

2.3 Physical Securing: Portable workstations (laptops, tablets) that contain or can access ePHI shall be physically secured when not in use using cable locks, locked drawers, or locked offices. Portable devices shall never be left unattended in vehicles, public areas, or unsecured locations.

2.4 Clean Desk: At the end of each workday and when leaving a workstation unattended, workforce members shall ensure that no printed PHI is visible on the desk or surrounding area. Printed PHI shall be placed in a locked drawer or shredded.

2.5 Peripheral Security: Printers, fax machines, and copiers that output PHI shall be located in restricted areas and not accessible to patients or visitors. Printed output shall be retrieved promptly.

3. WORKSTATION INVENTORY

3.1 The IT Manager shall maintain a Workstation Inventory documenting: device type and model, serial number or asset tag, assigned user, physical location, operating system and encryption status, and date of last security configuration review.

3.2 The inventory shall be updated when devices are added, reassigned, or retired.
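The following script is an added example, not part of the D3rx template, showing how the IT Manager could collect the section 3.1 inventory fields from a Windows workstation and, in the same pass, verify the local-drive encryption rule in 1.4 and the auto-lock requirement in 2.2. It assumes Windows 10 or 11, an elevated PowerShell session (Get-BitLockerVolume needs one), and uses $MaxIdleMinutes as a stand-in for the [NUMBER] the practice fills in under 2.2; the placeholder value 10 and the field names in the output record are choices made for this example.

```powershell
# Added example (not part of the D3rx template): a per-workstation compliance
# snapshot for the inventory fields in section 3.1, the local-drive encryption
# rule in 1.4 and the auto-lock requirement in 2.2.
# Assumptions: Windows 10/11; run in an elevated session so Get-BitLockerVolume
# works; $MaxIdleMinutes is the practice's chosen [NUMBER] from 2.2 (placeholder 10).
param([int]$MaxIdleMinutes = 10)

# Returns the idle-lock timeout (seconds) configured under one registry path,
# or $null if the screen saver there is not both active and set to require logon.
function Get-ScreenSaverLockSeconds {
    param([string]$Path)
    $ss = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $ss) { return $null }
    if ($ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and $ss.ScreenSaveTimeOut) {
        return [int]$ss.ScreenSaveTimeOut
    }
    return $null
}

# --- Inventory fields (section 3.1) ---
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$os   = Get-CimInstance -ClassName Win32_OperatingSystem

# --- Encryption status of the system drive (sections 1.4 and 3.1) ---
# If BitLocker is unavailable (Home edition, module missing) record "not encrypted"
# rather than aborting the audit, so the gap shows up in the inventory.
$encrypted = $false
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $encrypted = ("$($vol.ProtectionStatus)" -eq 'On')
} catch { $encrypted = $false }

# --- Auto-lock (section 2.2) ---
# Windows can enforce an idle lock three ways; collect every configured timeout
# and take the shortest one, which is the one that actually fires.
# 1) "Interactive logon: Machine inactivity limit" (machine-wide, seconds).
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivitySecs = (Get-ItemProperty -Path $sysPol -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
# 2) Group Policy screen saver (takes precedence over the user's own setting).
$gpoSecs  = Get-ScreenSaverLockSeconds 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# 3) The user's own screen saver setting.
$userSecs = Get-ScreenSaverLockSeconds 'HKCU:\Control Panel\Desktop'

$effectiveSecs = @($inactivitySecs, $gpoSecs, $userSecs) |
    Where-Object { $_ -gt 0 } | Sort-Object | Select-Object -First 1
$autoLockOk = ($null -ne $effectiveSecs) -and ($effectiveSecs -le ($MaxIdleMinutes * 60))

# One record per workstation, in the shape of the section 3.1 inventory.
# AssignedUser is whoever is logged on at audit time; confirm it against the
# inventory's own assignment record, since a shared device reports whoever is present.
[pscustomobject]@{
    DeviceType           = if ($cs.PCSystemType -eq 2) { 'Portable' } else { 'Desktop' }  # 2 = Mobile in Win32_ComputerSystem
    Model                = "$($cs.Manufacturer) $($cs.Model)"
    SerialNumber         = $bios.SerialNumber
    AssignedUser         = $cs.UserName
    OperatingSystem      = "$($os.Caption) $($os.Version)"
    SystemDriveEncrypted = $encrypted
    EffectiveLockSecs    = $effectiveSecs
    AutoLockCompliant    = $autoLockOk
    ReviewedOn           = (Get-Date).ToString('yyyy-MM-dd')
}
```

Piping the output through `Export-Csv -Path workstation-inventory.csv -Append -NoTypeInformation` builds the inventory one row per device, and the ReviewedOn field doubles as the "date of last security configuration review" that 3.1 asks for. Taking the shortest of the three configured timeouts matters because a user-level screen saver setting can be looser than the Group Policy value without ever taking effect; reporting the effective value rather than any single registry key is what makes the auto-lock check meaningful during the Security Officer's walk-through.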

4. REMOTE WORKSTATIONS

4.1 Workforce members authorized to access ePHI remotely shall: use only practice-approved devices or devices that meet practice security standards, connect through an approved VPN or secure remote access solution, ensure that the remote environment provides the same level of physical security (no unauthorized persons viewing the screen), and comply with all other provisions of this policy.

4.2 Remote access authorization shall be documented in the workforce member's access authorization record.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Defines workstation use and security standards. Conducts periodic walk-through assessments of physical workstation security. Reviews and approves remote access requests.

IT Manager/Vendor ([IT CONTACT NAME]): Maintains the Workstation Inventory. Configures auto-lock and encryption settings on all devices. Installs and maintains security software. Provides privacy screens and cable locks. Manages the VPN and remote access infrastructure.

Supervisors: Ensure their staff follow workstation use and security procedures. Report non-compliance to the Security Officer.

All Workforce Members: Follow all workstation use and security procedures. Lock workstations when stepping away. Practice clean desk procedures. Report lost or stolen devices immediately.

7. Review Schedule

This policy shall be reviewed at least annually and whenever changes to the practice's technology environment or work arrangements (e.g., expansion of remote work) warrant an update. The Security Officer shall conduct quarterly physical walk-through assessments to verify compliance.

8. Documentation

This policy and its supporting records (the Workstation Inventory, physical walk-through assessment findings, remote access authorizations, and any exception or alternative-measure determinations) shall be maintained in written form and retained for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later, as required by 45 CFR § 164.316(b)(2)(i). Documentation shall be made available to those responsible for implementing the procedures and shall be reviewed and updated periodically in response to environmental or operational changes affecting the security of ePHI, per 45 CFR § 164.316(b)(2)(ii)–(iii).

9. Regulatory References

  • 45 CFR § 164.310(b) — Workstation use (Required)
  • 45 CFR § 164.310(c) — Workstation security (Required)
  • 45 CFR § 164.312(a)(2)(iii) — Automatic logoff (Addressable)
  • 45 CFR § 164.312(a)(2)(iv) — Encryption and decryption (Addressable)
  • 45 CFR § 164.316 — Documentation (written policies retained for 6 years)

D3rx · HIPAA Compliance Templates
Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.