Workstation Security
The HIPAA workstation security requirement means you must put physical safeguards in place for every workstation that can access ePHI so only authorized users can access it. Operationalize it by inventorying ePHI-capable endpoints, defining workstation “secure use” rules by location and role, and enforcing them with facility controls, endpoint configurations, and auditable procedures tied to access authorization. (45 CFR Parts 160, 162, 164)
Key takeaways:
- Scope is every workstation that can access ePHI, including shared and remotely used devices. (45 CFR Parts 160, 162, 164)
- “Workstation security” is physical access control and secure placement, not just passwords and MFA. (45 CFR Parts 160, 162, 164)
- Auditors look for consistency: written standards, implemented controls, and proof they are followed.
“Workstation Security” in HIPAA is a physical safeguards requirement focused on preventing unauthorized viewing or use of ePHI on endpoints. The regulation is short, but the operational surface area is large: nursing stations, front desks, call centers, back-office desktops, laptops in conference rooms, home offices, shared workstations, and even “temporary” devices in clinics during peak periods can all become ePHI access points.
Compliance teams usually run into trouble in two places. First, scope control: teams secure corporate desktops but miss shared workstations, contractor endpoints, or devices in semi-public areas. Second, proof: teams “do the right things” informally but cannot show a repeatable standard, training/awareness, and evidence that controls are actually deployed.
This page gives requirement-level implementation guidance you can execute quickly: what the requirement means, who it applies to, what to build, what evidence to retain, and how auditors typically test it. The goal is simple and testable: a person who is not authorized should not be able to physically access a workstation and view, copy, or manipulate ePHI. (45 CFR Parts 160, 162, 164)
Regulatory text
Requirement (excerpt): “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.” (45 CFR Parts 160, 162, 164)
Operator interpretation (plain English)
If a workstation can access ePHI, you must control the physical environment and the way the workstation is placed/used so unauthorized people cannot access ePHI. This includes preventing shoulder-surfing, walk-up access to logged-in sessions, and unauthorized physical access to the device itself. (45 CFR Parts 160, 162, 164)
What this requirement is (and is not)
- Is: Physical safeguards for workstations: secure placement, facility controls, device handling rules, and work area practices that restrict access to authorized users. (45 CFR Parts 160, 162, 164)
- Is not: Only a technical authentication control. Passwords help, but they do not replace physical protections around where and how the workstation is accessible. (45 CFR Parts 160, 162, 164)
Who it applies to
In-scope entities
- Covered Entities and Business Associates under HIPAA. (45 CFR Parts 160, 162, 164)
In-scope operational contexts (what “workstation” means in practice)
Treat “workstation” as any endpoint used to access ePHI, including:
- Fixed desktops in offices, clinics, and hospitals
- Shared workstations (nursing stations, check-in desks, exam room PCs)
- Laptops used in facilities, while traveling, or at home
- Workstations used by third parties (contracted staff, managed service providers) where they access your ePHI environment
If you cannot confidently say whether a device can access ePHI, assume it can until you prove it cannot.
What you actually need to do (step-by-step)
Step 1: Define and document your workstation security standard
Create a short, enforceable “Workstation Security Standard” that answers:
- Where workstations may be placed (public vs semi-public vs restricted areas)
- Who may use them (roles, badge access, escort requirements for visitors)
- What must happen when a user steps away (lock screen expectations, clean desk expectations)
- How shared workstations must be configured and monitored (unique user access, no shared accounts, session lock behavior)
- How remote/home workstations must be secured (private room expectations, screen privacy expectations, no unattended use in public spaces)
Write it so a clinic manager can implement it without interpretation. Keep exceptions explicit: what’s allowed, who approves, and what compensating controls are required.
Step 2: Inventory and classify workstations that can access ePHI
Build a workstation inventory with enough detail to apply physical safeguards:
- Asset identifier, type (desktop/laptop/shared kiosk)
- Location category (restricted clinical area, front desk, open office, home/remote)
- Primary users/roles and whether shared use occurs
- How ePHI is accessed (EHR, VDI, web portal, local app)
- Physical risk flags (public-facing, high foot traffic, after-hours exposure)
Practical tip: start with endpoints managed in your IT asset system, then reconcile against EHR access logs and badge-accessed areas to find “forgotten” workstations.
Step 3: Map physical safeguards to location risk
Use a simple control matrix so implementation is consistent:
| Location / scenario | Minimum physical safeguards you should implement |
|---|---|
| Public-facing areas (reception, waiting-adjacent) | Position screens away from public view; use privacy screens where needed; restrict walk-up access; keep devices anchored or secured; require staff presence. |
| Semi-public internal areas (open office, shared pods) | Desk placement to reduce shoulder-surfing; clear visitor escort rules; lock screen expectation; secure storage for portable devices after hours. |
| Restricted areas (clinician-only, back office with access control) | Badge/door access control; “no tailgating” expectations; locked cabinets for spare devices; controlled after-hours access. |
| Shared workstations (nursing stations) | Rules for never leaving sessions unattended; local device hardening; physical layout protections; clear signage for staff behaviors; heightened spot checks. |
| Remote/home workstations | Private workspace requirement; avoid use in public spaces; device storage expectations; prevent family/roommate access; secure transport rules. |
Keep the matrix in your policy set, then point training and audits at it.
Step 4: Implement facility and workstation-area controls
Coordinate Security/Facilities/Operations:
- Controlled access to areas with ePHI workstations (doors, badges, visitor logs, escorts)
- Signage for restricted areas and “authorized users only”
- Placement changes: rotate monitors, move desks, add privacy filters, relocate printers that output sensitive material near workstations
This is where many programs fail: endpoint security is strong, but the workstation sits facing a waiting room.
Step 5: Implement endpoint behaviors that support physical safeguards
Workstation security is physical, but endpoint configuration makes the physical standard enforceable:
- Require screen locks when unattended and prohibit bypass practices
- Configure session timeouts appropriate for high-traffic shared areas
- Enforce unique user access, especially on shared devices (avoid shared logins)
- Restrict local storage and removable media where it increases exposure
If your environment uses VDI or EHR thin clients, align the physical rules with the actual session behavior (for example, VDI disconnect vs lock vs logoff) so staff don’t invent unsafe workarounds.
Step 6: Train users and make managers accountable
Add role-based training that is blunt and operational:
- How to position screens
- What to do before stepping away
- How to challenge tailgating and manage visitors near workstations
- What is prohibited (sharing credentials, leaving sessions active)
Then assign ownership: clinic managers or department leads should attest that their areas comply and remediate issues.
Step 7: Test and monitor
Pick testing methods you can sustain:
- Walkthrough inspections (spot checks) in high-risk areas
- Photos (where appropriate) documenting placement and safeguards
- Exception tracking with remediation dates
- Follow-up checks after remodels, relocations, and clinic expansions
If you use Daydream to manage compliance work, track each location as a control owner with tasks for walkthroughs, exception approvals, and evidence uploads so audits do not become a scramble.
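The following script is an added example (not code from the original page or from Daydream) showing how Steps 2, 3 and 5 fit together mechanically: it reconciles a workstation inventory against EHR access log lines to surface "forgotten" or misclassified workstations, diffs each workstation's implemented safeguards against a location-based control matrix, and flags endpoint settings (idle lock timeout, shared accounts on shared devices) that would undermine the physical standard. The inventory rows, log lines, hostnames, safeguard names, location categories and the per-category lock-timeout limits are all constructed or assumed for illustration; substitute your own matrix and thresholds.

```python
"""Workstation inventory reconciliation and control-matrix gap review.
Added example, not part of the original page. Every inventory row, log line,
safeguard name, location category and timeout threshold below is constructed
or assumed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Minimum safeguards per location category (assumed names; adapt to the
# control matrix you built in Step 3).
CONTROL_MATRIX = {
    "public_facing": {"screen_away_from_public", "privacy_filter", "walkup_restricted", "device_anchored"},
    "semi_public":   {"desk_placement", "visitor_escort", "lock_screen", "after_hours_storage"},
    "restricted":    {"badge_access", "no_tailgating", "locked_cabinet", "after_hours_control"},
    "shared":        {"no_unattended_sessions", "device_hardening", "signage", "spot_checks"},
    "remote":        {"private_workspace", "no_public_use", "secure_storage", "secure_transport"},
}

# Assumed maximum idle time (seconds) before the screen must lock, by category.
MAX_LOCK_TIMEOUT = {"public_facing": 120, "shared": 120, "semi_public": 300,
                    "restricted": 900, "remote": 600}


@dataclass
class Workstation:
    asset_id: str
    hostname: str
    location: str
    ephi_access: bool           # inventory's claim about ePHI capability
    shared: bool
    shared_account: bool        # True if a group login is in use
    lock_timeout: int           # configured idle lock in seconds (0 = never locks)
    safeguards: set = field(default_factory=set)


# Constructed inventory (three assets; WS-003 is deliberately misclassified)
INVENTORY = [
    Workstation("WS-001", "frontdesk01", "public_facing", True, True, False, 120,
                {"screen_away_from_public", "privacy_filter", "walkup_restricted", "device_anchored"}),
    Workstation("WS-002", "nurse-a3", "shared", True, True, True, 600,
                {"no_unattended_sessions", "signage"}),
    Workstation("WS-003", "billing07", "restricted", False, False, False, 900,
                {"badge_access", "no_tailgating", "locked_cabinet", "after_hours_control"}),
]

# Constructed EHR access log lines: timestamp, user, source hostname, action
EHR_LOG = """\
2024-05-01T08:02:11Z user=jdoe host=frontdesk01 action=chart_view
2024-05-01T08:05:43Z user=nursepool host=nurse-a3 action=chart_view
2024-05-01T09:17:02Z user=mlee host=billing07 action=claim_view
2024-05-01T11:40:19Z user=tcho host=examroom4 action=chart_view
"""

LOG_RE = re.compile(r"^\S+ user=(?P<user>\S+) host=(?P<host>\S+) action=\S+$")


def parse_ehr_log(text):
    """Return the set of hostnames that accessed the EHR (malformed lines skipped)."""
    hosts = set()
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            hosts.add(m.group("host"))
    return hosts


def reconcile(inventory, ehr_hosts):
    """Hosts seen in EHR logs that the inventory lacks or marks as non-ePHI."""
    findings = []
    by_host = {w.hostname: w for w in inventory}
    for host in sorted(ehr_hosts):
        w = by_host.get(host)
        if w is None:
            findings.append((host, "not in inventory: accessed EHR but has no asset record"))
        elif not w.ephi_access:
            findings.append((w.asset_id, "misclassified: marked no-ePHI but appears in EHR log"))
    return findings


def safeguard_gaps(w):
    """Safeguards the control matrix requires for w.location that w lacks."""
    return sorted(CONTROL_MATRIX.get(w.location, set()) - w.safeguards)


def endpoint_findings(w):
    """Endpoint settings that undermine the physical standard (Step 5)."""
    findings = []
    limit = MAX_LOCK_TIMEOUT.get(w.location)
    if limit is not None and (w.lock_timeout == 0 or w.lock_timeout > limit):
        findings.append(f"lock timeout {w.lock_timeout}s exceeds {limit}s for {w.location}")
    if w.shared and w.shared_account:
        findings.append("shared device uses a shared account; unique user access required")
    return findings


def review(inventory, log_text):
    """Full review: {asset_id_or_host: [finding, ...]} for anything with a gap."""
    report = {}
    for key, msg in reconcile(inventory, parse_ehr_log(log_text)):
        report.setdefault(key, []).append(msg)
    for w in inventory:
        if not w.ephi_access:
            continue  # non-ePHI assets are handled only by reconcile()
        issues = [f"missing safeguard: {s}" for s in safeguard_gaps(w)] + endpoint_findings(w)
        if issues:
            report.setdefault(w.asset_id, []).extend(issues)
    return report


if __name__ == "__main__":
    for key, issues in review(INVENTORY, EHR_LOG).items():
        print(key)
        for issue in issues:
            print("  -", issue)
```

Run as written, the review reports `examroom4` (an EHR-accessing host with no asset record), `WS-003` (inventory says no ePHI, logs say otherwise) and `WS-002` (two missing shared-workstation safeguards, a lock timeout above the assumed limit, and a shared login); `WS-001` produces nothing. Each finding maps to an inventory correction, a control-matrix remediation ticket, or an endpoint configuration change, which is the evidence trail Step 7 and the audit packet rely on.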
Required evidence and artifacts to retain
Auditors typically want “show me” evidence tied to the requirement. Keep:
- Workstation Security policy/standard and the control matrix by location type (45 CFR Parts 160, 162, 164)
- Workstation inventory identifying devices that can access ePHI, including shared workstation list
- Facility controls documentation for restricted areas (visitor procedures, escort rules, access control descriptions)
- Training materials and completion records for workforce members who use ePHI workstations
- Inspection logs (walkthrough checklists, findings, remediation tickets)
- Exception register (what deviates, who approved, compensating controls, review cadence)
- Decommission/relocation records for workstations moved between risk zones (example: from back office to front desk)
Common exam/audit questions and hangups
Expect these lines of questioning:
- “Show me your list of workstations that access ePHI and where they are located.”
- “How do you prevent patients/visitors from viewing ePHI on screens in public-facing areas?”
- “Describe controls for shared workstations. How do you prevent staff from leaving sessions open?”
- “What’s your remote/home workstation expectation, and how do you enforce it for workforce members and third parties?”
- “How do you identify and remediate workstation security exceptions after office moves or clinic renovations?”
Hangup to anticipate: teams hand over an endpoint policy (passwords, patching) and miss the physical safeguards angle. Your evidence should explicitly tie to physical placement and physical access restriction. (45 CFR Parts 160, 162, 164)
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating this as an IT-only control. Fix: Put Facilities and site leadership on the hook for area controls, layout, and visitor management.
- Mistake: Ignoring shared workstations. Fix: Create a shared workstation register with stricter expectations and targeted inspections.
- Mistake: No defined standard for “semi-public” spaces. Fix: Create location categories and apply minimum safeguards by category, not by individual preference.
- Mistake: Remote work is handled informally. Fix: Publish explicit remote workstation rules (private space, secure storage, no public use) and train to them.
- Mistake: Evidence is scattered. Fix: Centralize artifacts in your GRC system. Daydream can hold the control, evidence requests, inspection logs, and exception approvals in one audit-ready record.
Enforcement context and risk implications
No public enforcement sources were provided for this page, so this section focuses on the risk the requirement targets: unauthorized physical access to a workstation is a direct path to ePHI exposure. Workstation security failures often look mundane (a screen facing a public area, an unlocked session, a laptop left in an accessible room) but can create reportable incidents depending on what was accessible and by whom. Tie this control to incident response by defining what to do if unauthorized viewing is suspected.
Practical 30/60/90-day execution plan
Use phases rather than date promises. The sequence matters more than speed.
First 30 days (Immediate)
- Publish a workstation security standard with location categories and minimum safeguards. (45 CFR Parts 160, 162, 164)
- Identify high-risk areas: public-facing desks, shared workstations, and any workstation visible to visitors.
- Start a workstation inventory focused on “can access ePHI” and location.
Days 31–60 (Near-term)
- Remediate obvious physical layout issues (monitor orientation, desk placement, restricted area signage).
- Implement or tighten visitor/escort procedures for areas with ePHI workstations.
- Roll out targeted training for high-risk teams (front desk, clinical floors, call center).
- Start walkthrough inspections and track findings to closure.
Days 61–90 (Stabilize and make auditable)
- Complete inventory coverage across sites and remote roles.
- Formalize exception handling (approval workflow, compensating controls, review triggers like renovations).
- Produce an audit packet: policy, inventory, inspection logs, training records, and sample remediation tickets.
- Move to steady-state monitoring with assigned owners per location.
Frequently Asked Questions
Does “workstation security” include laptops and home offices?
Yes, if the device can access ePHI, it is in scope for physical safeguards. Your standard should define how remote workstations are protected from unauthorized household or public access. (45 CFR Parts 160, 162, 164)
Are privacy screens required?
The regulation requires physical safeguards to restrict access, but it does not prescribe specific tools. Use privacy screens where screen visibility to unauthorized people is a realistic risk, and document the rationale in your location control matrix. (45 CFR Parts 160, 162, 164)
What about shared workstations in clinical areas where staff move quickly?
Shared workstations are high-risk because unattended sessions happen. Set stricter local rules, train to them, and validate through regular walkthroughs and manager accountability.
How do we handle third parties (contractors, temps) who use our workstations?
Treat them as workforce members for purposes of access restriction and onsite behavior. Require authorization, training/acknowledgment of workstation rules, and supervision consistent with the area risk category. (45 CFR Parts 160, 162, 164)
What evidence is most persuasive in an audit?
A written workstation security standard plus proof it’s implemented: location-based inspections, remediation records, and a complete inventory of ePHI-capable workstations. Tie each artifact back to restricting access to authorized users. (45 CFR Parts 160, 162, 164)
We have strong MFA. Do we still need physical safeguards?
Yes. MFA addresses logical access, but the requirement is explicitly about physical safeguards for workstations. You need both when a workstation sits in an area accessible to unauthorized people. (45 CFR Parts 160, 162, 164)