§164.310(b): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Audit Inquiry

Does the entity have policies and procedures in place that specify the proper functions to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI?

Does the entity specify the proper functions to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI?

Obtain and review such policies and procedures related to workstation use. Evaluate the content in relation to the specified performance criteria for the proper functions to be performed by electronic computing devices.

Elements to review may include but are not limited to:
• Process to identify workstations by type and location
• Specify the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI (e.g. to prevent or preclude unauthorized access to an unattended workstation, limit the ability of unauthorized persons to view sensitive information as needed)
• Procedures related to the proper use and performance of workstations
• Workforce members' roles and responsibilities in the workstation use process

Obtain and review an inventory of the locations and types of workstations. Evaluate and determine if an inventory of workstations exists; when the inventory was last updated; and whether there is a documented process for updating the inventory. If available, review the inventory to see if it includes the types of ePHI data elements contained on the systems included in the inventory.

Obtain documentation demonstrating workstation classification. Evaluate and determine if each workstation is classified based on the specific workstation’s capabilities, connection, and allowable activities.

Obtain and review documentation demonstrating workstation use policies and procedures implemented. Evaluate if such implementation is in accordance with related policies and procedures.

Required/Addressable

Required