The Ultimate Guide to ePHI Workstation Security (164.310(c))

The Ultimate Guide to ePHI Workstation Security (164.310(c))

Understand hipaa workstation security requirements under 164.310(c), with remote-work safeguards, implementation steps, a checklist, and FAQs.

LakeRidge Team
July 17, 2026
9 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

HIPAA workstation security requirements under 45 CFR § 164.310(c) require covered entities and business associates to implement physical safeguards for every workstation that accesses ePHI, restricting use to authorized users. For a remote or hybrid workforce, that means documenting which devices can access ePHI and combining secure locations, screen privacy, device custody, authentication, encryption, and enforcement processes so an employee’s laptop is not exposed to family members, visitors, thieves, or unauthorized coworkers.

For an MSSP analyst, the practical objective is not to prove that every customer owns a locked server room. It is to help each SMB customer apply reasonable, risk-based physical protections to the actual devices and locations where users open an EHR, patient portal, shared drive, billing application, or remote desktop session containing ePHI.

What do hipaa workstation security requirements cover under 164.310(c)?

Section 164.310(c), Workstation Security, requires physical safeguards for all workstations that access ePHI. A workstation can include a desktop, laptop, thin client, virtual desktop endpoint, shared clinical terminal, home-office computer, or mobile device when it is used to access ePHI. The control is concerned with preventing unauthorized physical access or viewing, not merely blocking malware.

Workstation Security works alongside, but does not replace, related HIPAA Security Rule safeguards:

  • 164.310(b), Workstation Use: defines permitted workstation functions, locations, and operating expectations.
  • 164.312(a), Access Control: supports unique user identification, automatic logoff, emergency access, and access restrictions.
  • 164.312(a)(2)(iv), Encryption and Decryption: protects ePHI if a device or storage medium is lost.
  • 164.308(a)(1), Risk Analysis and Risk Management: establishes the risk-based rationale for the safeguards selected.
  • 164.308(a)(5), Security Awareness and Training: ensures staff understand screen locking, travel, secure storage, and incident reporting expectations.

A common compliance gap is treating endpoint management as the entire answer. Mobile device management, endpoint detection and response, and multi-factor authentication are valuable technical controls, but they do not eliminate physical risks such as an unlocked laptop at a reception desk, a visible screen in a shared home office, or a device left in a vehicle.

Which workstations and locations should be in scope?

Start with the access path, not the hardware purchase record. If a device can display, create, receive, transmit, or store ePHI, it belongs in scope. This includes devices that access ePHI through a browser, VPN, Citrix, Microsoft Remote Desktop, Microsoft 365, Google Workspace, or a cloud-hosted practice-management system.

Workstation type Typical ePHI exposure Physical safeguard priority
Front-desk desktop Scheduling, demographics, insurance details, clinical messages Position screen away from visitors, use privacy filters where needed, lock desk or room after hours
Clinician laptop EHR access, telehealth, documentation, reports Cable lock or locked storage when unattended, encrypted drive, secure travel procedures
Shared nursing-station terminal High-volume EHR access by multiple authorized users Short automatic lock, screen positioning, badge-controlled area, no shared accounts
Home-office laptop Remote EHR, email, files, virtual desktop access Private work area, screen privacy, secured storage, no household use, no unattended access
BYOD mobile device Secure messaging, email, patient communications MDM enrollment, device passcode, remote wipe, approved application container, personal-use limits

Document devices in an endpoint inventory with an owner, asset identifier, operating system, management status, location type, ePHI access method, and encryption status. For remote staff, “home office” is sufficiently useful as a location category; do not collect unnecessary residential details unless a risk assessment identifies a legitimate operational need.

What physical safeguards matter for remote and hybrid workers?

Remote work does not exempt an organization from the HIPAA Security Rule. It changes the physical environment from one the customer controls directly to one governed through policy, employee acknowledgement, technical enforcement, and periodic validation.

  • Require employees to work from a location where household members, roommates, visitors, or the public cannot view ePHI on screen or overhear patient discussions.
  • Require users to lock the screen whenever they step away, even briefly, and configure automatic locking to support that behavior.
  • Prohibit shared use of company-issued workstations and prohibit family members from using a device that can access ePHI.
  • Require secure storage in a locked room, locking cabinet, or other controlled location when a laptop is not in use.
  • Prohibit leaving ePHI workstations unattended in vehicles; if travel is unavoidable, require the device to remain out of sight and be removed at the earliest opportunity.
  • Use privacy screens or controlled screen positioning when remote staff work in shared offices, co-working spaces, temporary locations, or patient-facing areas.
  • Define an immediate reporting process for loss, theft, suspected viewing, or unauthorized use of a device.

For SMB customers, avoid policies that promise impossible inspection rights over every employee home. Instead, define objective expectations, require annual acknowledgement, use managed devices for ePHI access where feasible, and investigate exceptions through the risk management process.

How should an MSSP implement workstation security step by step?

  1. Map ePHI access. Identify applications, remote access tools, shared folders, email workflows, and virtual desktops that expose ePHI. Match each access route to device types and user groups.
  2. Build and reconcile the endpoint inventory. Compare the RMM, MDM, identity provider, EDR console, and application user lists. Investigate unmanaged devices, former employees, and devices without an assigned owner.
  3. Set an approved-device standard. Determine whether ePHI may be accessed only from company-managed endpoints or whether BYOD is allowed under defined controls. For most SMBs, managed-device-only access is easier to defend and monitor.
  4. Deploy a measurable baseline. Use Intune, Jamf Pro, NinjaOne, Datto RMM, or another managed platform to enforce encryption, screen lock, supported operating systems, endpoint protection, and remote-wipe capability.
  5. Write location and custody rules. Update the remote/hybrid workforce policy with requirements for private work areas, screen protection, secure storage, travel, shared spaces, visitor access, and incident reporting.
  6. Handle exceptions deliberately. Document exceptions such as a shared clinical workstation, a contractor’s approved device, or a staff member without a private home office. Record compensating safeguards, an approver, and a review date.
  7. Collect evidence continuously. Retain policy versions, training acknowledgements, asset inventory exports, encryption reports, MDM compliance reports, tickets for lost devices, and periodic review records.
  8. Test and improve. Sample endpoints quarterly. Confirm they are encrypted, managed, assigned to active personnel, configured to lock, and consistent with the approved use and location policy.

Which endpoint settings provide a defensible workstation baseline?

Physical workstation safeguards should be supported by enforceable configuration settings. The following baseline gives an MSSP analyst concrete evidence to review while recognizing that each customer’s risk analysis may justify stricter settings.

Control area Recommended setting Example evidence
Windows encryption Enable BitLocker with TPM protection and escrow recovery keys to Microsoft Entra ID or Intune Intune device encryption compliance report
macOS encryption Enable FileVault and escrow recovery keys through Jamf Pro or Intune Jamf FileVault inventory status
Automatic locking Require screen lock after 10 minutes or less of inactivity; require password on wake Configuration profile or device compliance policy
Endpoint protection Deploy Microsoft Defender for Endpoint, SentinelOne, or CrowdStrike Falcon with tamper protection enabled EDR console showing active sensor and current policy
Identity protection Require MFA for EHR, VPN, email, and remote administration access Microsoft Entra Conditional Access policy export
Remote response Enable device location where appropriate, remote lock, and remote wipe for managed laptops and mobile devices MDM action logs and tested incident procedure

Do not represent a 10-minute lock timer as a standalone compliance solution. A workstation that automatically locks but is used by family members, stored openly, or accessed through a shared local account still presents a physical access risk.

What is the 164.310(c) workstation security compliance checklist?

  • Identify every workstation and mobile endpoint that can access, display, transmit, or store ePHI.
  • Assign each in-scope device to an accountable owner and record its management and encryption status.
  • Document approved device types, approved locations, and prohibited uses in the workstation use and remote-work policies.
  • Require company-managed devices for ePHI access or document controls for approved BYOD exceptions.
  • Configure automatic screen lock and password-required unlock on all managed endpoints.
  • Enable full-disk encryption and retain recovery-key escrow evidence.
  • Require MFA for systems that provide access to ePHI.
  • Require privacy protections for screens in reception areas, shared offices, telehealth locations, and home offices.
  • Prohibit unauthorized users, including household members, from using ePHI-capable workstations.
  • Define secure storage, travel, lost-device, theft, and suspected unauthorized-viewing procedures.
  • Train workforce members and collect policy acknowledgements before remote ePHI access is granted.
  • Review endpoint compliance, device inventory, and exceptions at least quarterly.

Frequently asked questions about HIPAA workstation security

Is 164.310(c) only about computers located in a medical office?

No. The requirement applies to all workstations that access ePHI, including laptops used at home, remote desktops, shared terminals, and managed mobile devices used for work. The safeguard should reflect the device, location, user role, and likelihood of unauthorized physical access.

Does full-disk encryption satisfy HIPAA workstation security requirements?

No. Encryption helps protect ePHI when a device is lost or stolen, but it does not prevent an unauthorized person from viewing an unlocked screen, using an active session, or accessing a device left in a shared area. Encryption is one supporting control within a broader workstation security program.

Can employees use personal laptops to access ePHI from home?

They can only if the organization permits it after risk analysis and applies appropriate safeguards. Many SMBs reduce risk by limiting ePHI access to managed, encrypted endpoints with MDM, MFA, endpoint protection, remote wipe, and a signed remote-work agreement. A personal laptop without management and enforceable controls is difficult to monitor and defend.

What evidence should an MSSP provide for a HIPAA workstation security review?

Useful evidence includes the workstation security policy, remote/hybrid workforce policy, endpoint inventory, MDM and encryption reports, screen-lock configuration reports, EDR deployment status, training records, exception approvals, and incident tickets for lost or stolen devices. Evidence should show both the control design and that it operates over time.

How often should workstation security controls be reviewed?

Review them at least annually and whenever material changes occur, such as adopting a new EHR, allowing remote work, adding BYOD, opening a new location, or experiencing a lost-device incident. Operationally, quarterly endpoint compliance sampling is a practical cadence for most managed SMB environments.

Next step: Build a customer-by-customer ePHI endpoint inventory and use it to prioritize managed-device enrollment, remote-work policy acknowledgements, and quarterly workstation security evidence reviews.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.