Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Workstation Security
Policy Number: IS-11 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
To identify the steps Drexel University (DU) has taken to protect the security of all Workstations that can access electronic protected health information (e-PHI) and access to such Workstation areas.
Workstations and all other electronic assets including, but not limited to, mobile devices, laptops/notebook computers, scanners, servers, and printers, are to be used exclusively for DU operations. All Windows-based computer assets must be members of the DU domain. Non-Windows-based assets must be made to participate in the DU domain using methods and technologies provided by DU Information Technology (IT). DU requires each user with system access to maintain the security of all Workstation and mobile digital resources assigned. Each user should minimize risk by protecting each desktop, laptop, Mobile Devices, portable memory and storage media (CDs, DVDs, Hard Drives) from unauthorized access, viewing or use. DU has implemented security rights and policies within the computer infrastructure to protect against malicious attempts on the system. Workstation access is restricted to authorized users, and the Security Officer works with the Facilities Department to secure DU facilities. DU will have secure work areas containing Workstations with physical safeguards to minimize the possibility of unauthorized observation or access to PHI. Areas where sensitive information is regularly entered or utilized will be secured using barriers to prevent public viewing of PHI.
Printers and fax machines, copy machines and shredders will be located in the most secure areas available, and will not be located in or near areas frequented by members or the public. DU will also provide appropriate security measures for portable Workstations containing PHI.
DU shall take the following steps to protect Workstations:
- Workstations that are used to access e-PHI are located in secure areas that have physical protections, including locks, key pad alarm systems, unique magnetic swipe ID card systems or similar devices to identify who is in the building.
- The DU facility is continuously monitored during business hours and securely locked and alarmed at other times.
- Workforce Members shall position monitors away from outside windows, public hallways, and patient areas. When Workstations or work areas are located in public areas, Workforce Members are to position their monitors away from unauthorized users and patients by placing monitors behind petitions or similar barriers, installing blinds, covers or enclosures about monitors, or other similar approved methods.
- Workforce Members are to use passwords when logging on/off their terminals. Each terminal has a password protected screen saver that is activated when the station becomes idle or is left unattended.
- Workforce Members are to secure the area in which the Workstation is situated. Workforce Members are expected to be particularly careful when utilizing mobile computing resources such as laptops and Mobile Devices, etc.
- Workforce Members are expected to review all email before opening and report spam. They may do so by clicking on the "Report Spam" icon at the top right message banner of the email that is spam.
- Any Violations of this Policy should be reported, and ongoing or intentional Violations of these policies shall be grounds for discipline under the Performance Improvement Process Human Resources Policy HR-43 and the Sanction Policy (Policy IS-09) of the HIPAA Privacy and Security Program.
45 CFR § 164.310(b), (c) and 164.530(c)
Cross References: IT-7, Email Policy; IT-1, Acceptable Use Policy
Back to Top