Question: Our information systems department has asked that all workstations be set to automatically log users off after five minutes of inactivity. However, our clinical staff is complaining that this is not feasible. Does the security rule demand that we adhere to a five-minute logoff standard?
North Carolina subscriber
Answer: "No," says Raj Patel, the manager for security assurance and consulting at Plante & Moran in Southfield, MI. The security rule makes automatic logoffs an addressable - not required - standard, he points out.
Setting your system automatically to log out users after five minutes of inactivity could cause more problems than it solves. Rather, set your automatic log off for 15 minutes, Patel suggests.
Note: You don't have to set one timeframe for everyone in your organization. Determine how much time each department might need and then base your policy on that. Example: Your clerical staff may need 15 minutes, while billing staff can be logged out after 10, Patel offers.
The Bottom Line: Automatic logoff is very useful in curbing the chances that an unauthorized user will view or manipulate your patients' PHI. Be sure to document your decision process in determining how automatic logoffs will work for your organization, Patel tells Eli.