HIPAA workstation security requirements under 45 CFR § 164.310(c) require covered entities and business associates to implement physical safeguards for every workstation that accesses ePHI, restricting use to authorized users. For a remote or hybrid workforce, that means documenting which devices can access ePHI and combining secure locations, screen privacy, device custody, authentication, encryption, and enforcement processes so an employee’s laptop is not exposed to family members, visitors, thieves, or unauthorized coworkers.
For an MSSP analyst, the practical objective is not to prove that every customer owns a locked server room. It is to help each SMB customer apply reasonable, risk-based physical protections to the actual devices and locations where users open an EHR, patient portal, shared drive, billing application, or remote desktop session containing ePHI.
What do hipaa workstation security requirements cover under 164.310(c)?
Section 164.310(c), Workstation Security, requires physical safeguards for all workstations that access ePHI. A workstation can include a desktop, laptop, thin client, virtual desktop endpoint, shared clinical terminal, home-office computer, or mobile device when it is used to access ePHI. The control is concerned with preventing unauthorized physical access or viewing, not merely blocking malware.
Workstation Security works alongside, but does not replace, related HIPAA Security Rule safeguards:
- 164.310(b), Workstation Use: defines permitted workstation functions, locations, and operating expectations.
- 164.312(a), Access Control: supports unique user identification, automatic logoff, emergency access, and access restrictions.
- 164.312(a)(2)(iv), Encryption and Decryption: protects ePHI if a device or storage medium is lost.
- 164.308(a)(1), Risk Analysis and Risk Management: establishes the risk-based rationale for the safeguards selected.
- 164.308(a)(5), Security Awareness and Training: ensures staff understand screen locking, travel, secure storage, and incident reporting expectations.
A common compliance gap is treating endpoint management as the entire answer. Mobile device management, endpoint detection and response, and multi-factor authentication are valuable technical controls, but they do not eliminate physical risks such as an unlocked laptop at a reception desk, a visible screen in a shared home office, or a device left in a vehicle.
Which workstations and locations should be in scope?
Start with the access path, not the hardware purchase record. If a device can display, create, receive, transmit, or store ePHI, it belongs in scope. This includes devices that access ePHI through a browser, VPN, Citrix, Microsoft Remote Desktop, Microsoft 365, Google Workspace, or a cloud-hosted practice-management system.
| Workstation type | Typical ePHI exposure | Physical safeguard priority |
|---|---|---|
| Front-desk desktop | Scheduling, demographics, insurance details, clinical messages | Position screen away from visitors, use privacy filters where needed, lock desk or room after hours |
| Clinician laptop | EHR access, telehealth, documentation, reports | Cable lock or locked storage when unattended, encrypted drive, secure travel procedures |
| Shared nursing-station terminal | High-volume EHR access by multiple authorized users | Short automatic lock, screen positioning, badge-controlled area, no shared accounts |
| Home-office laptop | Remote EHR, email, files, virtual desktop access | Private work area, screen privacy, secured storage, no household use, no unattended access |
| BYOD mobile device | Secure messaging, email, patient communications | MDM enrollment, device passcode, remote wipe, approved application container, personal-use limits |
Document devices in an endpoint inventory with an owner, asset identifier, operating system, management status, location type, ePHI access method, and encryption status. For remote staff, “home office” is sufficiently useful as a location category; do not collect unnecessary residential details unless a risk assessment identifies a legitimate operational need.
What physical safeguards matter for remote and hybrid workers?
Remote work does not exempt an organization from the HIPAA Security Rule. It changes the physical environment from one the customer controls directly to one governed through policy, employee acknowledgement, technical enforcement, and periodic validation.
- Require employees to work from a location where household members, roommates, visitors, or the public cannot view ePHI on screen or overhear patient discussions.
- Require users to lock the screen whenever they step away, even briefly, and configure automatic locking to support that behavior.
- Prohibit shared use of company-issued workstations and prohibit family members from using a device that can access ePHI.
- Require secure storage in a locked room, locking cabinet, or other controlled location when a laptop is not in use.
- Prohibit leaving ePHI workstations unattended in vehicles; if travel is unavoidable, require the device to remain out of sight and be removed at the earliest opportunity.
- Use privacy screens or controlled screen positioning when remote staff work in shared offices, co-working spaces, temporary locations, or patient-facing areas.
- Define an immediate reporting process for loss, theft, suspected viewing, or unauthorized use of a device.
For SMB customers, avoid policies that promise impossible inspection rights over every employee home. Instead, define objective expectations, require annual acknowledgement, use managed devices for ePHI access where feasible, and investigate exceptions through the risk management process.
How should an MSSP implement workstation security step by step?
- Map ePHI access. Identify applications, remote access tools, shared folders, email workflows, and virtual desktops that expose ePHI. Match each access route to device types and user groups.
- Build and reconcile the endpoint inventory. Compare the RMM, MDM, identity provider, EDR console, and application user lists. Investigate unmanaged devices, former employees, and devices without an assigned owner.
- Set an approved-device standard. Determine whether ePHI may be accessed only from company-managed endpoints or whether BYOD is allowed under defined controls. For most SMBs, managed-device-only access is easier to defend and monitor.
- Deploy a measurable baseline. Use Intune, Jamf Pro, NinjaOne, Datto RMM, or another managed platform to enforce encryption, screen lock, supported operating systems, endpoint protection, and remote-wipe capability.
- Write location and custody rules. Update the remote/hybrid workforce policy with requirements for private work areas, screen protection, secure storage, travel, shared spaces, visitor access, and incident reporting.
- Handle exceptions deliberately. Document exceptions such as a shared clinical workstation, a contractor’s approved device, or a staff member without a private home office. Record compensating safeguards, an approver, and a review date.
- Collect evidence continuously. Retain policy versions, training acknowledgements, asset inventory exports, encryption reports, MDM compliance reports, tickets for lost devices, and periodic review records.
- Test and improve. Sample endpoints quarterly. Confirm they are encrypted, managed, assigned to active personnel, configured to lock, and consistent with the approved use and location policy.
Which endpoint settings provide a defensible workstation baseline?
Physical workstation safeguards should be supported by enforceable configuration settings. The following baseline gives an MSSP analyst concrete evidence to review while recognizing that each customer’s risk analysis may justify stricter settings.
| Control area | Recommended setting | Example evidence |
|---|---|---|
| Windows encryption | Enable BitLocker with TPM protection and escrow recovery keys to Microsoft Entra ID or Intune | Intune device encryption compliance report |
| macOS encryption | Enable FileVault and escrow recovery keys through Jamf Pro or Intune | Jamf FileVault inventory status |
| Automatic locking | Require screen lock after 10 minutes or less of inactivity; require password on wake | Configuration profile or device compliance policy |
| Endpoint protection | Deploy Microsoft Defender for Endpoint, SentinelOne, or CrowdStrike Falcon with tamper protection enabled | EDR console showing active sensor and current policy |
| Identity protection | Require MFA for EHR, VPN, email, and remote administration access | Microsoft Entra Conditional Access policy export |
| Remote response | Enable device location where appropriate, remote lock, and remote wipe for managed laptops and mobile devices | MDM action logs and tested incident procedure |
Do not represent a 10-minute lock timer as a standalone compliance solution. A workstation that automatically locks but is used by family members, stored openly, or accessed through a shared local account still presents a physical access risk.
What is the 164.310(c) workstation security compliance checklist?
- Identify every workstation and mobile endpoint that can access, display, transmit, or store ePHI.
- Assign each in-scope device to an accountable owner and record its management and encryption status.
- Document approved device types, approved locations, and prohibited uses in the workstation use and remote-work policies.
- Require company-managed devices for ePHI access or document controls for approved BYOD exceptions.
- Configure automatic screen lock and password-required unlock on all managed endpoints.
- Enable full-disk encryption and retain recovery-key escrow evidence.
- Require MFA for systems that provide access to ePHI.
- Require privacy protections for screens in reception areas, shared offices, telehealth locations, and home offices.
- Prohibit unauthorized users, including household members, from using ePHI-capable workstations.
- Define secure storage, travel, lost-device, theft, and suspected unauthorized-viewing procedures.
- Train workforce members and collect policy acknowledgements before remote ePHI access is granted.
- Review endpoint compliance, device inventory, and exceptions at least quarterly.
Frequently asked questions about HIPAA workstation security
Is 164.310(c) only about computers located in a medical office?
No. The requirement applies to all workstations that access ePHI, including laptops used at home, remote desktops, shared terminals, and managed mobile devices used for work. The safeguard should reflect the device, location, user role, and likelihood of unauthorized physical access.
Does full-disk encryption satisfy HIPAA workstation security requirements?
No. Encryption helps protect ePHI when a device is lost or stolen, but it does not prevent an unauthorized person from viewing an unlocked screen, using an active session, or accessing a device left in a shared area. Encryption is one supporting control within a broader workstation security program.
Can employees use personal laptops to access ePHI from home?
They can only if the organization permits it after risk analysis and applies appropriate safeguards. Many SMBs reduce risk by limiting ePHI access to managed, encrypted endpoints with MDM, MFA, endpoint protection, remote wipe, and a signed remote-work agreement. A personal laptop without management and enforceable controls is difficult to monitor and defend.
What evidence should an MSSP provide for a HIPAA workstation security review?
Useful evidence includes the workstation security policy, remote/hybrid workforce policy, endpoint inventory, MDM and encryption reports, screen-lock configuration reports, EDR deployment status, training records, exception approvals, and incident tickets for lost or stolen devices. Evidence should show both the control design and that it operates over time.
How often should workstation security controls be reviewed?
Review them at least annually and whenever material changes occur, such as adopting a new EHR, allowing remote work, adding BYOD, opening a new location, or experiencing a lost-device incident. Operationally, quarterly endpoint compliance sampling is a practical cadence for most managed SMB environments.
Next step: Build a customer-by-customer ePHI endpoint inventory and use it to prioritize managed-device enrollment, remote-work policy acknowledgements, and quarterly workstation security evidence reviews.