This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Workstation Use (Required)

Reference: 45 CFR § 164.310 (b)
Last Updated: July 5, 2023


Goal: Define what the organization should do to appropriately protect its workstations.

The purpose of this policy is to specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation.


Procedure: Authorized individuals who need access to computer equipment will be provided secure workstations containing computer terminals with physical safeguards to minimize the possibility of unauthorized observation or access to protected health information (PHI). In addition, there may be a need for PHI/ePHI to be used in places other than the designated workstation in the office. While it is impossible to consider all the possible situations where this may take place, at a minimum all individuals accessing PHI/ePHI must follow the following policies:

  • Home office. Any member of the workforce who is authorized to work from a home office must assure that the home office complies with all applicable policies and procedures regarding the security and privacy of PHI, including these guidelines.
    • Records carried from one building to another.
      • When PHI is carried from one building to another, it must be signed out and signed in.
      • When a member of the workforce is transporting PHI from one building to another, it may not be left unattended unless it is in a locked vehicle, in an opaque, locked container. Locking the vehicle alone is not sufficient.
    • Record Storage:
      • Areas where records and other documents that contain PHI are stored must be secure.
      • Wherever reasonably possible, the PHI will be stored in locking cabinets.
      • Where locking cabinets are not available, the storage area must be locked when no member of the workforce is present to observe who enters and leaves, and no unauthorized personnel may be left alone in such areas without supervision.
  • Personal digital assistants (PDAs) or Laptops. Privacy and security policies apply to any PHI that is stored on a PDA or Laptop. Users of PDAs and Laptops are responsible for assuring that the PHI on their devices is kept secure and private.
    • Any loss or theft of a PDA or Laptop thought to contain PHI must be reported to the Security Officer immediately.
    • Users of PDAs who store PHI on their devices will receive special training in the risks of this practice, and measures that they can take to reduce the risks (such as use of passwords).