HIPAA Workstation Security Policy
Version 1.0.4 | Last Updated 2023-10-16 | APPROVED
1. Purpose
The purpose of this policy is to provide guidance for securing AccuCode AI Inc. workstations in order to protect both the information stored on the workstation and the information the workstation may have access to. Additionally, the policy provides guidance to ensure that the requirements of the HIPAA Security Rule "Workstation Security" standard (45 CFR 164.310(c)) are met.
2. Scope
This policy applies to all employees, contractors, workforce members, vendors and agents using an AccuCode AI Inc.-owned or personal workstation connected to the AccuCode AI Inc. network.
3. Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information, including protected health information (PHI), and to ensure that access to sensitive information is restricted to authorized users.
3.1 Workforce Members
Workforce members using workstations shall consider the sensitivity of the information, including protected health information (PHI), that may be accessed and shall minimize the possibility of unauthorized access.
3.2 Physical and Technical Safeguards
AccuCode AI Inc. will implement physical and technical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.
3.3 Appropriate Measures
Appropriate measures include:
- Restricting physical access to workstations to only authorized personnel.
- Securing workstations (screen lock or logout) prior to leaving the area to prevent unauthorized access.
- Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected. The password must comply with AccuCode AI Inc. Password Policy.
- Complying with all applicable password policies and procedures. See Password Construction Guidelines for more details.
- Ensuring workstations are used for authorized business purposes only.
- Never installing unauthorized software on workstations.
- Storing all sensitive information, including protected health information (PHI), on network servers rather than on the workstation's local drives.
- Keeping food and drink away from workstations in order to avoid accidental spills.
- Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.
- Installing privacy screen filters or using other physical barriers to reduce the risk of exposing on-screen data to onlookers.
- Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
- Exiting running applications and closing open documents before leaving the workstation.
- Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
- If wireless network access is used, ensure access is secure by following the AccuCode AI Inc. Wireless Communication policy.
3.4 Remote Employees
Remote employees must adhere to the following additional measures:
- Ensure the workstation is used in a private, secure location to prevent unauthorized access to sensitive information.
- Use company-provided virtual private network (VPN) to securely access the AccuCode AI Inc. network and resources.
- Avoid using public Wi-Fi networks. If their use is unavoidable, connect through the company-provided VPN to ensure a secure connection.
- Ensure the workstation’s operating system, antivirus software, and other security software are up to date.
- Report any security incidents or suspected breaches immediately to the InfoSec team.
4. Policy Compliance
4.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.