§164.312(a)(2)(iii): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Audit Inquiry

Does the entity have policies and procedures in place to automatically terminate an electronic session after a predetermined time of inactivity?

Does the entity automatically terminate an electronic session after a predetermined time of inactivity?

Obtain and review policies and procedures regarding automatic logoff. Evaluate the content in relation to the specified criteria to determine whether it specifies that an electronic session is terminated after a predetermined time of inactivity.

Obtain and review documentation (e.g., screenshots, system settings) demonstrating the implementation of automatic logoff. Evaluate and determine if automatic logoff settings are implemented in accordance with related policies and procedures.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review documentation of why it was determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate the documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable