Securing Your HIPAA Controlled Computer Workstations

Posted on November 7, 2006 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been working on some of our HIPAA policies and I started to create a list of things that should be done to all of our workstations to ensure HIPAA compliance. Here’s the list that I started. I’m sure I’m missing something, but take a look:

-Password-enabled screen savers

-Disclosure notice at Windows login

-Logged off after 25 minutes of inactivity

-Windows Update

-Updated virus software:

  · Weekly workstation scans of local hard drives

  · Daily checks for updates to the virus definition files

Anyone have suggestions for things that I’m missing? I think there are a ton of other Windows options that I’d like to have set, but they aren’t necessarily HIPAA requirements. I just need more time to research what you have to do to the workstation to make the Windows policies persist across users. In my counseling center I also found the options for disabling the recycle bin and for the automatic logoff.
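Here is one way to apply the checklist above on a standalone Windows 10/11 workstation so that the settings hold for every user account, including ones created later. This is an added example, not part of the original post: it writes the same registry values that Group Policy sets, which is what makes them persist across users and keeps them out of reach of the Control Panel. It assumes Microsoft Defender is the virus software, and the banner wording, the 25-minute timeout and the scan and update schedules are illustrative values. Run it from an elevated PowerShell prompt; on a domain-joined fleet the same settings belong in a Group Policy Object instead of a script.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): applies the workstation checklist
# by writing the registry values Group Policy would write, so the settings apply
# to every user and cannot be changed from the Control Panel. Assumes Windows
# 10/11 with Microsoft Defender; banner text, timeout and schedules are assumed.

$IdleSeconds   = 25 * 60                       # lock after 25 idle minutes
$BannerCaption = 'Authorized Use Only'         # assumed wording
$BannerText    = 'This workstation processes protected health information. ' +
                 'Use is restricted to authorized staff and is monitored and logged.'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Password-protected screen saver after $IdleSeconds of inactivity.
#    These are per-user policy values, so write them into every loaded user
#    hive and into the Default profile hive so new accounts inherit them.
function Set-ScreenSaverPolicy([string]$HiveRoot) {
    $desktop = "$HiveRoot\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
    Set-PolicyValue $desktop 'ScreenSaveActive'    '1'            'String'
    Set-PolicyValue $desktop 'ScreenSaverIsSecure' '1'            'String'
    Set-PolicyValue $desktop 'ScreenSaveTimeOut'   "$IdleSeconds" 'String'
    Set-PolicyValue $desktop 'SCRNSAVE.EXE'        'scrnsave.scr' 'String'
}
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # real user SIDs only
    ForEach-Object { Set-ScreenSaverPolicy "Registry::HKEY_USERS\$($_.PSChildName)" }

$defaultHive = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
reg.exe load 'HKU\DefaultProfile' $defaultHive | Out-Null
try     { Set-ScreenSaverPolicy 'Registry::HKEY_USERS\DefaultProfile' }
finally { [GC]::Collect(); reg.exe unload 'HKU\DefaultProfile' | Out-Null }

# 2. Disclosure notice shown before the Windows logon prompt.
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-PolicyValue $system 'legalnoticecaption' $BannerCaption 'String'
Set-PolicyValue $system 'legalnoticetext'    $BannerText    'String'

# 3. Automatic logoff. Windows has no built-in idle logoff for console sessions;
#    the locking screen saver above is the usual control there. Remote Desktop
#    sessions can be ended after the same idle period (value in milliseconds).
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
Set-PolicyValue $ts 'MaxIdleTime'  ($IdleSeconds * 1000)
Set-PolicyValue $ts 'fResetBroken' 1          # end the session, not just disconnect

# 4. Windows Update: download and install automatically, every day at 03:00.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-PolicyValue $au 'NoAutoUpdate'         0
Set-PolicyValue $au 'AUOptions'            4   # auto download and schedule install
Set-PolicyValue $au 'ScheduledInstallDay'  0   # 0 = every day
Set-PolicyValue $au 'ScheduledInstallTime' 3   # hour of day

# 5. Virus software: weekly full scan of local drives, definitions checked daily.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -ScanParameters FullScan -ScanScheduleDay Sunday `
                 -ScanScheduleTime (Get-Date '02:00') -SignatureUpdateInterval 24

# Read the settings back so the baseline can be re-checked later (e.g. in an audit).
function Test-WorkstationBaseline {
    $mp = Get-MpPreference
    [PSCustomObject]@{
        LogonBannerSet       = (Get-ItemProperty $system).legalnoticetext -eq $BannerText
        UpdatesAutomatic     = (Get-ItemProperty $au).AUOptions -eq 4
        RdpIdleLogoffMs      = (Get-ItemProperty $ts).MaxIdleTime
        WeeklyFullScan       = ($mp.ScanParameters -eq 2) -and ($mp.ScanScheduleDay -eq 1)
        DailyDefinitionCheck = $mp.SignatureUpdateInterval -le 24
    }
}
Test-WorkstationBaseline | Format-List
```

Two points worth noting. The screen saver values live under the per-user Software\Policies key, which is why a setting made in one account does not carry over to another; writing them into each loaded hive and into the Default profile is the standalone-machine substitute for a user-configuration GPO, though profiles that are not loaded at the time the script runs will not pick it up until policy is applied another way. And the locking screen saver is what most shops use to satisfy the Security Rule's addressable Automatic Logoff specification (45 CFR 164.312(a)(2)(iii)) on the console, since Windows only offers a true idle logoff for Remote Desktop sessions.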

Also, does anyone have a good disclosure notice that they use when the computer starts up? Is it even necessary? They seem mostly useless, but all the HIPAA documents I’ve seen suggest it. Is it a legal requirement because they could argue you never told them not to use it?