Rx2000HIPAA Digest, Volume 21

#1 From: mzwhiz1@yahoo.com Subject: Re: HIPAA Confidentiality/Privacy
#2 From: BurtJR@integris-health.com Subject: RE: HIPAA Confidentiality/Privacy
#3 From: pmountain@vhs.dst.ca.us Subject: Re: HIPAA Confidentiality/Privacy
#4 From: JBlon-Waller@ButteCounty.net Subject: RE: HIPAA Confidentiality/Privacy
#5 From: dtefft@mchs.com Subject: RE: HIPAA Confidentiality/Privacy
#6 From: tnewton@carilion.com Subject: Re: HIPAA Confidentiality/Privacy
#7 From: klawans@famvid.com Subject: Re: HIPAA Confidentiality/Privacy
#8 From: Steve.W.Gray@kp.org Subject: Re: HIPAA Confidentiality/Privacy

********** Message #1 **********

From: mzwhiz1@yahoo.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Confidentiality/Privacy
Date: Fri, 19 May 2000 12:53:46 -0700 (PDT)

We use 60 minutes.

--- Rx2000HIPAA@rx2000.org wrote:

With all the concerns related to confidentiality and privacy that HIPAA presents, there is one issue that I would appreciate receiving info on from other organizations. The issue centers around the automatic logoff/logout of unattended workstations/terminals. The adoption of this process throughout our healthcare system has resulted in a major debate among various departments.

What is the default length of time others have before this process is executed? 10 minutes, 15 minutes, etc. Any replies would be greatly appreciated.

Al Nichols

********** Message #2 **********

From: BurtJR@integris-health.com
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA Confidentiality/Privacy
Date: Mon, 22 May 2000 07:40:47 -0500

"Proximity keys"???? Do you have more info??? This might be interesting....

--==jb==--
John Burton
Project Lead, Sr
INTEGRIS Health Information Technology
Voice (405)951-8613
Fax (405)951-9832

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Friday, May 19, 2000 10:55 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA Confidentiality/Privacy

Our formal policy is not set in stone yet, but it looks like we will have several standards. The most restrictive will be auto log off after 15 minutes of inactivity. The most generous will be auto log off after 60 minutes of inactivity. The defining factor will be the location of the work station. Those in restricted areas with only physician/direct caregiver access will be the 60 minute variety, the ones with more access will be the shorter time. We are also looking at "proximity keys" which blank the screen if the user moves more than 10 feet away from the workstation.

My thoughts only.
David Tefft

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Thursday, May 18, 2000 8:45 PM
To: Rx2000HIPAA@rx2000.org
Subject: HIPAA Confidentiality/Privacy

********** Message #3 **********

From: pmountain@vhs.dst.ca.us
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Confidentiality/Privacy
Date: Mon, 22 May 2000 10:00:35 -0700

Where can more information be found on "proximity keys" that David Tefft mentioned?

Thank you
P.E.
Mountain Valley Health System
pmountain@vhs.dst.ca.us

Rx2000HIPAA@rx2000.org wrote:

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Thursday, May 18, 2000 8:45 PM
To: Rx2000HIPAA@rx2000.org
Subject: HIPAA Confidentiality/Privacy

********** Message #4 **********

From: JBlon-Waller@ButteCounty.net
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA Confidentiality/Privacy
Date: Mon, 22 May 2000 10:06:05 -0700

In our organization, we are required to "lock" our workstations anytime we are out of sight of our terminals. This should be common practice for anyone who has any data entry capabilities to CYA. If a terminal is left open, ANYONE could data entry to cause problems. If we are going to be away from our desks for hours, we then log out completely.

If I were an employee, I would want to make sure my work is protected at all times. Automatic logoffs should happen according to job locations. If you work in a heavy multi-user environment, a five minute automatic logoff would be necessary. If you work at a station that is primarily used by you only, a 15 minute automatic logoff would be acceptable. However, the first rule of thumb would be to "lock" your station whenever you go anywhere you would lose sight of your machine.

Julie Blon-Waller

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Friday, May 19, 2000 12:54 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Confidentiality/Privacy

We use 60 minutes.

--- Rx2000HIPAA@rx2000.org wrote:

********** Message #5 **********

From: dtefft@mchs.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA Confidentiality/Privacy
Date: Tue, 23 May 2000 11:50:57 -0400

There are several vendors of "proximity keys" on the market. I have selected 3 vendors "just for fun" and do NOT have any ties to any of them nor am I recommending one over the other. All of these devices/applications would still have to be used with an additional method of initial log in to specific applications (such as initial password, biometrics, etc.)

The three vendors are (and in no particular order):

XYLOC: http://www.ensuretech.com/cgi-bin/dp/framesethome.dt/
Vicinity access cards: http://www.access-1.com/html/products.html
RFIDEAS: http://www.rfideas.com/index.html

Hope this helps.

My opinions only
David Tefft

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Monday, May 22, 2000 1:01 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Confidentiality/Privacy

Where can more information be found on "proximity keys" that David Tefft mentioned?

Thank you
P.E.
Mountain Valley Health System
pmountain@vhs.dst.ca.us

Rx2000HIPAA@rx2000.org wrote:

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Thursday, May 18, 2000 8:45 PM
To: Rx2000HIPAA@rx2000.org
Subject: HIPAA Confidentiality/Privacy

********** Message #6 **********

From: tnewton@carilion.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Confidentiality/Privacy
Date: Fri, 19 May 2000 14:22:21 -0400

Al:

We are not going to try to set a specific automatic log off time for every system or application. Instead, the default time will be determined by how critical the system is and impact on patient care. Some applications may have a default time of 5 minutes where others may default to 30 minutes or more. Each instance must be weighted on patient care impact. Our first system to add a default time was 12 minutes. We let the client pick the time and they are happy with it. However, we reserved the right to adjust the time if needed.

Tom Newton
Carilion Health System
tnewton@carilion.com

>>> 05/18 8:44 PM >>>

********** Message #7 **********

From: klawans@famvid.com
To:
Subject: Re: HIPAA Confidentiality/Privacy
Date: Wed, 24 May 2000 09:13:28 -0500

What about a workstation that is shared? It seems that automatic logout, rather than screen saver/password protection, is the answer. Someone using a shared workstation really shouldn't leave the workstation "mid-task".

Chuck Klawans
Director, IS Audit
Hospital Sisters Health System

----- Original Message -----
From: Rx2000HIPAA@rx2000.org
To: Rx2000HIPAA@rx2000.org
Sent: Friday, May 19, 2000 12:33 PM
Subject: RE: HIPAA Confidentiality/Privacy

Do you really logout rather than use a screen saver with a password block? Seems like that would be a better option and you can make the timeframe very short (i.e. 2-5 minutes) which is as long as I have ever allowed my users to leave a screen up. The overhead in user time and impact to the server is also lower with this technology.

Mary Cooley
Manager Healthcare Initiatives
RSA Companies
Strategic Solutions

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, May 18, 2000 6:45 PM
To: Rx2000HIPAA@rx2000.org
Subject: HIPAA Confidentiality/Privacy

********** Message #8 **********

From: Steve.W.Gray@kp.org
To: Rx2000HIPAA
Subject: Re: HIPAA Confidentiality/Privacy
Date: 24 May 2000 14:19:34 -0700

The log-off time needs to fit the situation. If the terminal is accessible to others, especially the patient or the public, then "instantaneous" log-off may be necessary in order to prevent either disclosure of confidential information or unauthorized functions. "Instantaneous" may mean a preset 10 seconds or it may mean using a secondary device in addition to an access code and password.

One such secondary device is the use of an encoded access card that must be inserted in the terminal for any access. The access card is tied to the user via a coiled, elastic lanyard. If the user moves away from the terminal the session is logged-off, or at least a screen-saver that requires a password to clear is activated. The access card mentioned above would be encoded to correspond to the user's access code and password.

Another concept, usually meant for preventing unauthorized functions, is to require entry of a "function" password/code or re-entry of the personal access code/password that is tied to specific authorized functions. For example, a physician or his/her agent may "create" an order but to actually "authorize/send" it to the fulfillment department (e.g. pharmacy) the physician must enter his/her personal access code/password within 15 seconds before sending the order.

Rx2000HIPAA@rx2000.org on 05/23/2000 06:39:00 PM
To: Rx2000HIPAA@rx2000.org@Internet
cc: (bcc: Steve W Gray/CA/KAIPERM)
Subject: Re: HIPAA Confidentiality/Privacy

>>> 05/18 8:44 PM >>>
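One way to model the tiered idle-timeout, screen-lock and order re-authentication rules the thread describes, as an added example that is not from any list member, vendor or organization above. The location tier names, the 5-minute lock threshold and the Session class are assumptions; the timeout figures are the ones quoted in the thread.

```python
from dataclasses import dataclass

# Constructed tier table (seconds); the figures are the ones quoted in the thread.
TIMEOUT_BY_LOCATION = {
    "restricted": 60 * 60,  # physician/direct-caregiver-only areas
    "staff": 15 * 60,       # stations reachable by more staff
    "shared": 5 * 60,       # heavy multi-user environment
    "public": 10,           # terminals the patient or public can reach
}
LOCK_AFTER = 5 * 60         # password screen lock kicks in first (the 2-5 minute idea)
REAUTH_WINDOW = 15          # seconds a re-entered credential stays valid for an order

@dataclass
class Session:
    user: str
    location: str
    last_activity: float
    last_reauth: float = -1.0  # time of last function-level credential entry
    state: str = "active"      # active | locked | logged_off

    def timeout(self) -> int:
        if self.location not in TIMEOUT_BY_LOCATION:
            raise ValueError(f"unknown location class: {self.location}")
        return TIMEOUT_BY_LOCATION[self.location]
    def touch(self, now: float) -> None:
        """User activity only extends an unlocked, live session."""
        if self.state == "active":
            self.last_activity = now

    def tick(self, now: float) -> str:
        """Idle past the tier timeout logs off; idle past LOCK_AFTER locks the screen."""
        idle = now - self.last_activity
        if self.state != "logged_off" and idle >= self.timeout():
            self.state = "logged_off"
        elif self.state == "active" and idle >= LOCK_AFTER:
            self.state = "locked"
        return self.state
    def unlock(self, now: float, password_ok: bool) -> bool:
        """Clearing the lock needs the password; a logged-off session cannot be unlocked."""
        if self.state == "locked" and password_ok:
            self.state, self.last_activity = "active", now
        return self.state == "active"
    def reauthenticate(self, now: float) -> None:
        """Record a personal access code/password re-entry for a sensitive function."""
        self.last_reauth = now

    def can_authorize_order(self, now: float) -> bool:
        """Sending an order needs a live session and a re-entry within REAUTH_WINDOW."""
        return (self.state == "active" and self.last_reauth >= 0
                and 0 <= now - self.last_reauth <= REAUTH_WINDOW)
```

A public-area terminal never reaches the lock state because its 10-second logoff fires before the 5-minute lock threshold, while a restricted-area session locks at 5 minutes and is only logged off at 60.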