News & Insights

Articles, Company Updates and More

The HIPAA Security Rule Access Control Standard Part 3: Automatic Logoff

December 13, 2023

By Kenneth E. Rhea, M.D., FASHRM, LAMMICO Physician Consultant

The HIPAA Security Rule Access Control Standard Part 3:  Automatic Logoff
SHARE :           

Under the HIPAA Access Control Standard, a covered entity (CE) is required to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.” The Access Control Standard has four implementation specifications in Technical Safeguards:

  1. Unique User Identification (Required specification)
  2. Emergency Access Procedures (Required specification)
  3. Automatic Logoff (Addressable specification)
  4. Encryption and Decryption (Addressable specification)

In the first two articles of this series, I discussed Unique User Identification and Emergency Access Procedures.

This article provides information on the third required specification - Automatic Logoff. This specification, and the fourth on encryption, is an “addressable” specification differing from a required specification. As a reminder, if a specification is “addressable,” a CE must:

  • Analyze the specification in relation to the extent it protects electronic protected health information (ePHI)
  • Assess if the implementation spec is a reasonable and appropriate safeguard in its environment
  • Determine whether the specification is applicable to the covered entity or business associate

If the implementation specification is determined to be reasonable and appropriate, do the implementation. If the implementation specification is not reasonable and appropriate, document why it is not and implement an “equivalent alternative measure” if that measure is reasonable and appropriate.

When reasonable and appropriate, the automatic logoff specification requires a covered entity (CE) to “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” 

In general, workforce users of computer systems should log off the system anytime their workstation is unattended. However, it is understandable that there might be time constraints not allowing time to log off, or the user does not remember to log off. HHS considers that having an automatic logoff is an effective way to prevent unauthorized users from accessing ePHI through a workstation left unattended for some time and open to access. Many software applications and systems have available settings for automatic logoff, and these should be used. If such a capability is not present, efforts should be made to implement such settings if possible. Evaluation steps are:

  • To determine if the software or system has automatic logoff setting capabilities
  • If capabilities are present:
    • Set an activity delay period which will log off the user at the end of the established time period
    • Ensure policies requiring activation of automatic logoff
  • If logoff capabilities are not present, determine if such settings can be implemented
  • If logoff settings cannot be implemented emphasize workforce training on required logoffs

It is assumed that a workforce member using a workstation to access a computer system with ePHI will be doing so as part of their job requirements. If ePHI information is visible on computer screens, access could be possible by unauthorized individuals when the workforce member leaves the workstation and does not log off the system. Automatic logoff will eliminate that potential problem. 

The visibility of ePHI on a computer screen by unauthorized individuals while the workforce member is present is a different situation. This problem can be addressed by:

  • Limiting physical access to the workstation area by unauthorized individuals,
  • Positioning workstations and computer screens away from office traffic, and
  • Limiting workforce member discussions at workstations unless the job responsibilities of everyone present allows ePHI access.

In the next article, I will discuss the fourth addressable Access Control Specification - Encryption and Decryption.

For further cybersecurity information on this subject and many others, LAMMICO offers policyholders complimentary access to the TMHCC CyberNET®, an advanced cyber risk management resource and education center. Log in as a Member to access the TMHCC CyberNET® portal. Provided in partnership with cyber risk experts, Tokio Marine HCC, this excellent resource is continually updated and well worth the time to review.

Annual Reports:

Receive Regular Updates: