470 A Practical Guide to Security Assessments
Physical Security questionnaire in these appendices should be referenced for other
relevant questions.
1. For any given facility, are the “security-related components” identified
so that changes can be appropriately documented?
Guidance: To ensure that this HIPAA requirement is met, the specific
security components should be identified. Ideally, all significant changes
(regardless of whether related to security components or not) should be
documented, and these records should be securely kept.
Client Response:
WORKSTATION-RELATED REQUIREMENTS
The next two requirements deal with the use and security of workstations. Before
going into the actual requirements, it is worth clarifying the definition of
“workstation” as stated in the Federal Register:
Workstation — An electronic computing device, for example, a laptop or desktop
computer, or any other device that performs similar functions, and electronic media
stored in its immediate environment.
This definition and terminology were a result of comments that the previous
terminology “Secure workstation location” (used in the initial drafts of the HIPAA
Security regulations) was vague. With the current definition, a workstation
could mean items such as personal digital assistants and other devices.
2. STANDARD — WORKSTATION USE (REQUIRED)
“Implement policies and procedures that specify the proper functions to be performed,
the manner in which those functions are to be performed, and the physical attributes
of the surroundings of a specific workstation or class of workstation that can access
electronic protected health information.”[38]
This specification is meant to ensure that personnel use their workstations in a secure
manner.
1. Identify which workstations, as well as other devices, can be used to access
electronic protected health information.
Guidance: Because of the definition of workstation, other computing
devices such as personal digital assistants and other wireless devices can be