By Iseman Cunningham Riester & Hyde LLP
Covered Entities must implement electronic procedures that terminate an electronic session after a predetermined period of inactivity – known as an “automatic logoff.” Automatic logoff is an “addressable” requirement, which means the Covered Entity must implement the standard unless it is inappropriate or unreasonable and cannot be met through an alternative measure. For all but the smallest health care providers, an automatic logoff standard is reasonable and must be implemented. This standard is part of the “technical safeguards” required by HIPAA.
The amount of inactivity that should trigger an automatic logoff will vary widely depending on a number of circumstances. Access points located in public or semi-public areas may require stricter timeframes, while terminals in private offices may need less restrictive ones. Administrators should also weigh the sensitivity of the data protected by the logoff process against the anticipated inconvenience to the user of logging back in after short periods of inactivity.
Consider combining the logoff process with a half-step such as a locked screen saver. A terminal accessed periodically but on a time-sensitive basis (such as one located in an emergency department) might benefit from a screen saver that locks after two minutes but does not log off fully until thirty minutes of inactivity have elapsed. A nurse returning to the terminal after a brief period could pick up where he or she left off by entering a password, while unusually long periods would require reauthentication through the full login process.
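The two-tier approach described above (a short lock timeout plus a longer full-logoff timeout, with the thresholds chosen per location) can be expressed as a small session state machine. The following is an added illustration, not part of the original tip and not code from ICR&H; the location profiles, the timing values other than the two-minute / thirty-minute example, and all names are assumptions. A session is ACTIVE until the lock threshold passes, then LOCKED (a password resumes it in place), and after the logoff threshold it is LOGGED_OFF and only a full login can create a new session. Note the check in `unlock()`: a session that sat locked past the logoff threshold must be treated as logged off, not unlocked.

```python
from dataclasses import dataclass
from enum import Enum


class SessionState(Enum):
    ACTIVE = "active"
    LOCKED = "locked"          # screen locked; password resumes the session
    LOGGED_OFF = "logged_off"  # session terminated; full login required


@dataclass
class IdlePolicy:
    lock_after: int    # seconds of inactivity before the screen locks
    logoff_after: int  # seconds of inactivity before the session is terminated

    def __post_init__(self):
        # A lock that never precedes the logoff is a misconfiguration, not a policy.
        if not 0 < self.lock_after < self.logoff_after:
            raise ValueError("lock_after must be positive and shorter than logoff_after")


# Hypothetical per-location profiles (assumed values). The emergency-department
# profile mirrors the article's example: lock at 2 minutes, log off at 30.
PROFILES = {
    "emergency_department": IdlePolicy(lock_after=120, logoff_after=1800),
    "private_office": IdlePolicy(lock_after=600, logoff_after=3600),
    "public_area": IdlePolicy(lock_after=60, logoff_after=300),
}


@dataclass
class Session:
    user: str
    policy: IdlePolicy
    last_activity: float           # timestamp (seconds) of the last accepted input
    state: SessionState = SessionState.ACTIVE

    def tick(self, now: float) -> SessionState:
        """Re-evaluate the session at time `now` and return the resulting state."""
        if self.state is SessionState.LOGGED_OFF:
            return self.state
        idle = now - self.last_activity
        if idle >= self.policy.logoff_after:
            self.state = SessionState.LOGGED_OFF
        elif idle >= self.policy.lock_after:
            self.state = SessionState.LOCKED
        return self.state

    def activity(self, now: float) -> bool:
        """Record user input. Only an ACTIVE session accepts input; input at a
        locked screen must not extend the session."""
        if self.tick(now) is SessionState.ACTIVE:
            self.last_activity = now
            return True
        return False

    def unlock(self, now: float, password_ok: bool) -> bool:
        """Resume a LOCKED session with a password. Returns False if the session
        has already crossed the logoff threshold or the password failed."""
        # Evaluate first so a stale LOCKED state cannot bypass the full logoff.
        if self.tick(now) is not SessionState.LOCKED or not password_ok:
            return False
        self.state = SessionState.ACTIVE
        self.last_activity = now
        return True


def login(user: str, location: str, now: float) -> Session:
    """Start a fresh session under the idle policy for the terminal's location.
    Credential verification happens before this call and is out of scope here."""
    return Session(user=user, policy=PROFILES[location], last_activity=now)


if __name__ == "__main__":
    s = login("nurse", "emergency_department", now=0.0)
    for t in (60, 120, 1000, 2000):
        print(f"t={t:>5}s state={s.tick(t).value}")
```

In a real deployment the `tick()` evaluation is what the operating system's screen-saver and session-timeout settings perform; the value of writing it out is to see that the lock timer, the logoff timer, and the "locked but expired" case each need a distinct decision.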
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.