Rx2000HIPAA Digest, Volume 20

#1 From: anichols@fast.net
   Subject: HIPAA Confidentiality/Privacy
#2 From: dtefft@mchs.com
   Subject: RE: HIPAA Confidentiality/Privacy
#3 From: jeanace@hotmail.com
   Subject: Re: HIPAA Confidentiality/Privacy
#4 From: brider@jhmi.edu
   Subject: Re: HIPAA Confidentiality/Privacy
#5 From: Mary.Cooley@rsacompanies.com
   Subject: RE: HIPAA Confidentiality/Privacy
#6 From: medimage@voicenet.com
   Subject: Re: HIPAA Confidentiality/Privacy
#7 From: HUGGINS.GEORGE@IHS.GOV
   Subject: Reply to: HIPAA Confidentiality/Privacy
#8 From: jsanford@emh.org
   Subject: RE: HIPAA Confidentiality/Privacy - Automatic Logoff

********** Message #1 **********
From: anichols@fast.net
To: Rx2000HIPAA@rx2000.org
Subject: HIPAA Confidentiality/Privacy
Date: Thu, 18 May 2000 20:44:51 -0400

With all the concerns related to confidentiality and privacy that HIPAA presents, there is one issue that I would appreciate receiving info on from other organizations. The issue centers around the automatic logoff/logout of unattended workstations/terminals. The adoption of this process throughout our healthcare system has resulted in a major debate among various departments. What is the default length of time others have before this process is executed? 10 minutes, 15 minutes, etc.

Any replies would be greatly appreciated.

Al Nichols

********** Message #2 **********
From: dtefft@mchs.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA Confidentiality/Privacy
Date: Fri, 19 May 2000 11:54:52 -0400

Our formal policy is not set in stone yet, but it looks like we will have several standards. The most restrictive will be auto log off after 15 minutes of inactivity. The most generous will be auto log off after 60 minutes of inactivity. The defining factor will be the location of the work station. Those in restricted areas with only physician/direct caregiver access will be the 60 minute variety, the ones with more access will be the shorter time.
We are also looking at "proximity keys" which blank the screen if the user moves more than 10 feet away from the workstation.

My thoughts only.

David Tefft

********** Message #3 **********
From: jeanace@hotmail.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Confidentiality/Privacy
Date: Fri, 19 May 2000 09:08:41 PDT

For our clinical messenger and EDI functionality, we use a default of 15 minutes. This decision was made after many discussions with others in the healthcare internet space. The user has the ability to set this for a shorter period of time if so desired.

Jean Acevedo
********** Message #4 **********
From: brider@jhmi.edu
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Confidentiality/Privacy
Date: Fri, 19 May 2000 13:12:43 -0400

I would base the auto logoff feature more on the physical location of the work station than on the time threshold. If the work station is in a public area there is more of a risk than in a closed office or in a restricted clinical area. Also, the screen saver/password protect is a great option to use if the station is unattended frequently for short durations.

Bill Rider
Mgr, Info Security/DR
Johns Hopkins Hospital
(410) 955-1691

********** Message #5 **********
From: Mary.Cooley@rsacompanies.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA Confidentiality/Privacy
Date: Fri, 19 May 2000 11:33:17 -0600

Do you really logout rather than use a screen saver with a password block? Seems like that would be a better option and you can make the timeframe very short (i.e. 2-5 minutes) which is as long as I have ever allowed my users to leave a screen up. The overhead in user time and impact to the server is also lower with this technology.
Mary Cooley
Manager Healthcare Initiatives
RSA Companies Strategic Solutions

********** Message #6 **********
From: medimage@voicenet.com
To:
Subject: Re: HIPAA Confidentiality/Privacy
Date: Fri, 19 May 2000 13:29:58 -0400

Biosecurity before leaving it unattended? Swipe a card or a fingerprint and then walk away.

********** Message #7 **********
From: HUGGINS.GEORGE@IHS.GOV
To: Rx2000HIPAA@RX2000.ORG
Subject: Reply to: HIPAA Confidentiality/Privacy
Date: 19 May 2000 11:59 MST

The default for new users that get added into our HIS is 5 minutes.
********** Message #8 **********
From: jsanford@emh.org
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA Confidentiality/Privacy - Automatic Logoff
Date: Fri, 19 May 2000 15:30:25 -0400

Our standard for shared workstations is 5 minutes. Fortunately, for our EMR they can return to where they left off by entering their password. This makes the 5 minutes more acceptable. Exceptions are made where workflow is affected and the physical environment allows longer log-off times to not present increased risk. These are rare and are handled on a case by case basis.

For example, we have a Pre-Admission Test group that utilizes our EMR. They use assigned workstations. During their workflow, they were often being automatically logged off in the middle of the interview process. This made the process disjointed. Their automatic log-off times were increased to 15 minutes to accommodate their workflow. Because they used assigned workstations and spent most of their time at their desk, this presented very little risk. This is one of only three exceptions that have been granted.

Jeff Sanford
Eastern Maine Healthcare/Eastern Maine Medical Center
HIPAA Project Manager
Jsanford@emh.org
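The replies above converge on two ideas: tie the inactivity timeout to where the workstation sits (Messages #2 and #4), and grant longer timeouts only as documented, case-by-case exceptions for assigned workstations outside public areas (Message #8). The following Python is an added example written for this digest, not code from any of the posters or their organizations. The location tier names, the `Workstation`/`TimeoutPolicy` classes, the `lock_times` function and the activity trace are all constructed for illustration; the minute values are the ones the replies quote (5, 10, 15 and 60 minutes). It encodes the policy as data, enforces the exception conditions Message #8 describes, and then replays a constructed session trace to show where a lock (screen saver with password, or logoff) would fire under each policy.

```python
"""Location-tiered inactivity timeout policy with documented exceptions.
Added example for the Rx2000HIPAA auto-logoff thread; names and data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Location tiers and their default inactivity timeouts. The tier names are
# constructed for this example; the minute values follow the figures the
# digest replies mention (5, 10 and 60 minutes).
DEFAULT_TIMEOUTS: Dict[str, timedelta] = {
    "public": timedelta(minutes=5),       # hallway or nursing-station shared PCs
    "office": timedelta(minutes=10),      # closed office, assigned workstation
    "restricted": timedelta(minutes=60),  # physician / direct-caregiver-only area
}


@dataclass
class Workstation:
    name: str
    location: str                        # one of the DEFAULT_TIMEOUTS keys
    assigned_user: Optional[str] = None  # None means a shared workstation


@dataclass
class TimeoutPolicy:
    timeouts: Dict[str, timedelta] = field(default_factory=lambda: dict(DEFAULT_TIMEOUTS))
    # workstation name -> (timeout, written justification)
    exceptions: Dict[str, Tuple[timedelta, str]] = field(default_factory=dict)

    def timeout_for(self, ws: Workstation) -> timedelta:
        """Effective timeout: a granted exception, otherwise the location default."""
        if ws.name in self.exceptions:
            return self.exceptions[ws.name][0]
        return self.timeouts[ws.location]

    def grant_exception(self, ws: Workstation, minutes: int, justification: str) -> None:
        """Lengthen one workstation's timeout under the conditions Message #8 describes:
        assigned (not shared), not in a public area, and recorded with a justification
        so the exception can be reviewed case by case."""
        if ws.assigned_user is None:
            raise ValueError(f"{ws.name}: exceptions are not granted for shared workstations")
        if ws.location == "public":
            raise ValueError(f"{ws.name}: exceptions are not granted in public areas")
        if not justification.strip():
            raise ValueError(f"{ws.name}: a written justification is required")
        new_timeout = timedelta(minutes=minutes)
        if new_timeout <= self.timeouts[ws.location]:
            raise ValueError(f"{ws.name}: an exception must lengthen the location default")
        self.exceptions[ws.name] = (new_timeout, justification)


def lock_times(policy: TimeoutPolicy, ws: Workstation,
               activity: List[datetime], session_end: datetime) -> List[datetime]:
    """Walk a session's sorted activity timestamps and return every moment the
    workstation should have locked: whenever the gap to the next activity (or to
    session end) exceeds the effective timeout. Activity after a lock is treated as
    the user re-authenticating and resuming where they left off (Message #8)."""
    timeout = policy.timeout_for(ws)
    locks: List[datetime] = []
    last_seen = activity[0]
    for t in activity[1:] + [session_end]:
        if t - last_seen > timeout:
            locks.append(last_seen + timeout)
        last_seen = t
    return locks


def demo() -> Dict[str, List[datetime]]:
    """Replay one constructed activity trace against a shared public PC and an
    assigned office PC that holds a granted exception."""
    policy = TimeoutPolicy()
    day = datetime(2000, 5, 19)
    # Constructed trace: keystrokes/clicks at these minutes past 09:00.
    trace = [day.replace(hour=9, minute=m) for m in (0, 2, 10, 11, 30)]
    end = day.replace(hour=9, minute=31)

    shared = Workstation("NS-3", "public")
    preadmit = Workstation("PAT-1", "office", assigned_user="preadmission-rn")
    policy.grant_exception(preadmit, 15,
                           "Interviews run longer than 10 minutes; assigned desk in a staffed office")
    return {
        shared.name: lock_times(policy, shared, trace, end),
        preadmit.name: lock_times(policy, preadmit, trace, end),
    }


if __name__ == "__main__":
    for name, locks in demo().items():
        print(name, [t.strftime("%H:%M") for t in locks])
```

Running it shows the shared public workstation locking twice (at 09:07 and 09:16, five minutes after the last activity in each long gap) while the assigned Pre-Admission workstation, with its 15-minute exception, locks only once at 09:26; the 8-minute gap that would have interrupted an interview no longer does. Attempts to grant an exception to a shared or public-area workstation, or without a justification, are rejected, which is the check that keeps the "rare, case by case" exceptions from quietly becoming the default.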