During a recent conversation I had with a group of healthcare professionals, it came to light that not everyone closes all their work computer programs when they are done for the day. This seemed to be happening as a time-saving measure for the individuals.
Obviously the first thing I thought of was HIPAA and how insecure this is. During the conversation I was not able to present my case well enough to really make everyone understand.
If programs that can access PHI are left open, anyone who uses the computer has a chance of accessing this information. Also, if inappropriate retrieval of PHI occurs, the HIPAA audit trail will point to the person who is logged in, not to the person who actually used the workstation.
What about remote employees? The exposure is even greater there. One of the questions on your HIPAA security audit should be "Do we have our programs set up to automatically log out, so that an unattended session cannot be used by someone else?"
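To make the automatic-logout control concrete, here is an added example (not code from the original post or from any particular healthcare application) of a server-side session store that enforces an inactivity timeout. The 15-minute limit, the session ids, the user names and the record ids are all constructed for the illustration; the clock is injected so the behaviour can be checked without waiting. The point it shows is the one made above: once the idle limit passes, a request on the old session is refused and an `auto_logout` event is written, so a later user of the same workstation cannot act under the first user's login.

```python
"""Idle-timeout session enforcement (added example; assumptions are noted inline)."""
import time
from dataclasses import dataclass


IDLE_LIMIT_SECONDS = 15 * 60  # assumed policy value; not taken from the original post


class FakeClock:
    """Constructed clock for the demo: time only moves when advance() is called."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Session:
    user: str
    last_activity: float


class SessionStore:
    """Server-side session registry that expires sessions left idle too long."""

    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS, clock=time.monotonic):
        self.idle_limit = idle_limit
        self.clock = clock
        self._sessions = {}
        self.audit_log = []  # (event, user, detail, timestamp) tuples

    def login(self, session_id, user):
        now = self.clock()
        self._sessions[session_id] = Session(user, now)
        self.audit_log.append(("login", user, session_id, now))

    def _expire(self, session_id, now):
        s = self._sessions.pop(session_id)
        self.audit_log.append(("auto_logout", s.user, session_id, now))

    def access(self, session_id, record_id):
        """Return the user the access is attributed to, or None if the session is invalid.

        A session that has been idle longer than idle_limit is removed on first
        use and the request is refused, so nothing is logged under the old user.
        """
        s = self._sessions.get(session_id)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_activity > self.idle_limit:
            self._expire(session_id, now)
            return None
        s.last_activity = now
        self.audit_log.append(("access", s.user, record_id, now))
        return s.user

    def sweep(self):
        """Background reaper: expire every idle session and return how many were closed."""
        now = self.clock()
        idle = [sid for sid, s in self._sessions.items()
                if now - s.last_activity > self.idle_limit]
        for sid in idle:
            self._expire(sid, now)
        return len(idle)

    def active_users(self):
        return sorted(s.user for s in self._sessions.values())


def demo():
    """Walk one constructed session past the idle limit and return what happened."""
    clock = FakeClock()
    store = SessionStore(idle_limit=IDLE_LIMIT_SECONDS, clock=clock)
    store.login("sid-1", "clinician_a")          # constructed sample user
    clock.advance(10 * 60)
    first = store.access("sid-1", "chart-42")    # 10 min idle: allowed, attributed to clinician_a
    clock.advance(16 * 60)
    second = store.access("sid-1", "chart-42")   # 16 min idle: refused, session auto-logged-out
    events = [e[0] for e in store.audit_log]
    return first, second, events, store.active_users()


if __name__ == "__main__":
    print(demo())
```

The `sweep()` method is what a real deployment would run on a timer so that idle sessions disappear even if nobody touches them again; the check inside `access()` covers the gap between sweeps. Whichever application you use, the audit question is the same: does it expire the session server-side, or does it merely blank the screen while the login stays valid?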
Often as administrators we get the complaints from those who have to follow the procedures of required password changes and programs logging out. We need to balance what is reasonable for our employees with what is required to ensure HIPAA compliance.
Now might be a good time to revisit the security of your system and your policy and procedure manual to make sure these issues are addressed. A good rule of thumb is to shut down your computer when you are done for the day.