Securing Your HIPAA Controlled Computer Workstations

I’ve been working on some of our HIPAA policies and I started to create a list of things that should be done to all of our workstations to ensure HIPAA compliance. Here’s the list that I started. I’m sure I’m missing something, but take a look:

- Password enabled screen savers
- Disclosure Notice at Windows Login
- Logged off after 25 minutes
- Windows Update
- Updated virus software
  · Weekly workstation scans of local hard drives;
  · Daily checks for updates to their virus definition files.

Anyone have suggestions for things that I’m missing? I think there are a ton of other Windows options that I’d like to have done but aren’t necessarily HIPAA requirements. I just need some more time to do some more research into what you have to do to the workstation to make the Windows policies persist across users. In my counseling center I found the options for disabling the recycle bin and the automatic logoff also.

Also, does anyone have a good disclosure notice that they use when the computer starts up? Is it even necessary? They seem mostly useless, but all the HIPAA documents I’ve seen suggest it. Is it a legal requirement because they could argue you never told them not to use it?

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.
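The first three items of the checklist in the post can be audited per workstation by reading the policy values that Group Policy writes to the registry. The script below is an added example, not part of the original post: it uses the standard Windows policy registry locations, takes the 25-minute limit from the post, and assumes that an idle lock (password-protected screen saver or machine inactivity limit) satisfies the timeout item. It does not check for a forced logoff.

```powershell
# Added example, not from the original post. Registry locations are the
# standard Windows policy values; the 25-minute limit is the post's figure.
$MaxIdleSeconds = 25 * 60

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-IdleLimit {
    param($Value)
    # True only for a configured timeout between 1 second and the limit.
    $secs = 0
    return ([int]::TryParse("$Value", [ref]$secs) -and $secs -gt 0 -and $secs -le $MaxIdleSeconds)
}

$ssKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$ssActive  = Get-PolicyValue $ssKey  'ScreenSaveActive'
$ssSecure  = Get-PolicyValue $ssKey  'ScreenSaverIsSecure'
$ssTimeout = Get-PolicyValue $ssKey  'ScreenSaveTimeOut'
$caption   = Get-PolicyValue $sysKey 'LegalNoticeCaption'
$text      = Get-PolicyValue $sysKey 'LegalNoticeText'
$idle      = Get-PolicyValue $sysKey 'InactivityTimeoutSecs'

$results = @(
    [pscustomobject]@{
        Check = 'Screen saver enabled and password protected'
        Pass  = (($ssActive -eq '1') -and ($ssSecure -eq '1'))
        Found = "ScreenSaveActive=$ssActive ScreenSaverIsSecure=$ssSecure"
    }
    [pscustomobject]@{
        Check = 'Idle lock within 25 minutes'
        Pass  = ((Test-IdleLimit $ssTimeout) -or (Test-IdleLimit $idle))
        Found = "ScreenSaveTimeOut=$ssTimeout InactivityTimeoutSecs=$idle"
    }
    [pscustomobject]@{
        Check = 'Disclosure notice shown at logon'
        Pass  = (-not [string]::IsNullOrWhiteSpace("$caption") -and
                 -not [string]::IsNullOrWhiteSpace("$text"))
        Found = "Caption='$caption'"
    }
)
$results | Format-Table -AutoSize -Wrap
```

The screen saver values live under `HKCU`, so the result reflects only the user running the script; setting them through Group Policy rather than by hand is what makes them apply to every user who logs on to the workstation.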


  • My organization is struggling with setting the time out on work stations. How did you come to the 25 minute recommendation?

  • We struggle with it too. It’s such an arbitrary number really. I think we got 25 minutes from some HIPAA template we found. I think we want to get to 15 minutes, but I’m not sure our clinicians can handle that short.

    Ideally, we’ll be doing biometric facial recognition within the next couple months. With facial recognition we can set the timeout to 5 seconds. Then, this really becomes a non issue. I should have a post about my implementation of facial recognition soon.

  • We have a 15 minute network time out on work stations that are in “non-secure areas”, the providers hate it. Feel it is much too short and the definition of “non-secure” is too rigid. I will be interested to hear how the biometric devices work. We have tried proximity devices and pulled them out. If you require a PIN to be entered you don’t gain much and there were a lot of other problems.

  • You guys need a security geek, by the hour….

    Workstations in public areas are a problem. If you password-protect the screensaver, and the original user gets locked out by the timeout, then only that user, or an admin, can unlock that workstation (because admin rights are required to force logoff another user). If Suzie walks away, and Charlie needs to use the workstation, Charlie is locked out. Unless you make everyone an admin, which is even more horrible an idea.

    Set the screensaver to 5-10 minutes, and don’t password-protect it. Train staff to “politely” guard workstations; also train them to minimize apps when not in use. If you have public workstations that are not in areas normally frequented or occupied by staff (which would be very unusual), then your users are going to have to log on, use the workstation, then log off. And yes, they are going to hate you for it. The alternative is for some passerby to find out that someone else is HIV positive…

    I am still looking for a biometric solution to this that integrates well with Active Directory AND alleviates the admin / user issue. By the way, to the original starter of this thread, Windows Active Directory and Group Policies make a great deal of HIPAA security measures possible.

  • Stonewall,
    The biometric facial recognition solution that I talked about integrates fully with Windows Active Directory and Group Policy. You should check it out. They have two ways to do it. You can extend the active directory schema or you can use the existing objects. I agree that any biometric solution needs to integrate with active directory. The biometric footprint needs to be available for all workstations or it would be misery.

  • The 25 minute time out is ridiculous…it is not enough time..I can be in the middle of a patient exam in an exam room, turn away for a minute to complete exam, obtain vital signs, etc. and all of a sudden I am logged out. I am in the middle of taking a history and get interrupted to ask if I want to stay logged in to the record..yes!!!! I want to stay logged into the f…. record. I am in the middle of something. I never walk away from my computer when I am in a patient record. Getting logged out when I am not looking, I lose information that hasn’t “been saved”. It is annoying, cumbersome, and makes EMR. The idiot that came up with the 25 minute time limit has obviously not used EMR. I am beginning to hate EMR. I am so glad that I am at the end of my career..EMR does nothing to improve patient care..two more years from retirement…thank God.

  • Dr. Harrison,
    Good thing you’re not at a clinic that has a 5 minute lock. Although, it sounds like you have a poor EMR vendor, because you should be able to have it lock and then when you log back in be right where you were before it locked with no lost information.

  • Thank you for your comments. I wrote the above at the end of a long day when I was just trying to finish my notes. I had to log on multiple times, or confirm that I wanted to stay logged in even when I was in the middle of typing a note. Obviously, if I am actively using it, I want to stay logged in. I will print this and send the info on to my EMR provider…they have many bugs to work out..this is just one of them. There should be a way that the system knows that it is being used. To log off after 25 minutes of no activity is one thing, to be asked repeatedly when you are using it if you still want to stay logged in, is quite another!

  • I am a family medicine doc. We have Vitera/Intergy EMR, and I have my own laptop (just for the office that I carry from room-to-room.) I complained yesterday about the “Timeout” period being only 3 minutes, so I have to sign back in multiple times when I am in the room with the patient! I complained to our office manager and she stated it is a HIPAA requirement that it log off after 3 minutes of inactivity. That’s worse than the 25 mins listed above, and I find it highly unlikely to be true. What is the actual rule for laptops that we do not leave in the room with the patient?
    Thank you.

  • There is some flexibility with HIPAA. It talks about things like reasonable safeguards. In many ways you can choose what you consider to be a reasonable safeguard. Of course, some court will look and see if they agree with you if it ever came to that.

    Full Disclosure: I’m not a lawyer.
