Q&A: HIPAA rules for password retention
Q: I'm unfamiliar with this, but do you know if offices have any tablets or computers people can use in which they might log into an account? If so, are there rules governing password retention or auto logouts they need to consider?
A: When it comes to patients and workforce members, there are offices that assign tablets and computers to employees, permit the use of personally owned mobile devices, and make tablets and workstations available to patients for certain purposes. There aren’t requirements regarding password retention, but there are requirements for implementing sound password management practices. It’s more about the frequency of when passwords need to be changed versus retaining a password for an extended period, whether it’s the patient’s or the employee’s password.
When it comes to auto logouts, that is a HIPAA Security Rule requirement. The HIPAA Security Rule is more geared toward what the workforce and a CE’s vendors need to do, so it may be a stretch to say HIPAA requires the same safeguards be implemented for a patient’s use of a tablet or workstation. It is a very good idea, though, to set up a screen lock or auto logout even for tablets and computers used by patients, unless the tablet or workstation was for educational purposes (i.e., wasn’t used to store or access PHI).
There’s much more to securing workstations and tablets than password management and auto logout. Workstations and tablets that are used to store or access PHI should be encrypted, have anti-malware installed, and be set up so they can be remotely wiped. In the end, from a sound security standpoint, if PHI is accessed or stored on tablets and workstations, the applicable administrative, physical, and technical safeguards need to be in place whether the person using the device is a patient or a workforce member.
Editor’s note: Chris Apgar is president of Apgar & Associates LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.