Question: Our IT department wants to require that each workstation's password-protected screensaver come on after one minute of inactivity. However, our clinic staff believes this will impede their work. Does this security rule require that screensavers launch this quickly?
New Mexico subscriber
Answer: "No," the security rule leaves it up to you to decide how you'll protect patient information on computer screens, says C. Jon Burke, a security expert with Toshiba America Medical Systems in California.
Try this: Observe how often staff members are away from their workstations. If the average time spent away is three minutes, you must determine how likely it is that in those three minutes an unauthorized viewer could access that machine, Burke notes. In a high traffic area, three minutes might be plenty of time for someone to get their hands on patient data; in a low traffic area, it could be much harder.
You can set different timeframes for those in the high-risk areas than those in the low-risk areas, Burke suggests. Or, you could settle upon a more convenient length of idle time before the password-protected screensaver comes on, such as two minutes.
The Bottom Line: As with all aspects of the security rule, your risk assessment will determine what policies and procedures you use to protect patients' PHI. And, you may decide that you are willing to accept the risk posed by allowing staffers to set their screensavers to launch after a period more convenient for their job function, Burke says.