
Auto Logout #57

Open
1 task
cf7 opened this issue Dec 27, 2016 · 2 comments

@cf7
Collaborator

cf7 commented Dec 27, 2016

  • Automatically log out users after inactivity for a specified amount of time

Do we know the typical HIPAA auto-logout time limit?

See Settings Issue #25 for user options to designate time limit

@cf7 cf7 added this to the Minimum Viable Product Deliverable milestone Dec 27, 2016
@bjohnson05
Contributor

Here's something I found on https://www.hhs.gov/hipaa:

Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI)?
Answer:

Yes. Covered entities that allow employees to telecommute or work out of home-based offices, and have access to e-PHI, must implement appropriate safeguards to protect the organization’s data. The automatic logoff implementation specification is addressable, and must therefore be implemented if, after an assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its environment. If the entity decides that the logoff implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision. The information access management and access control standards, however, require the covered entity to implement policies and procedures for authorizing access to e-PHI and technical policies and procedures to allow access only to those persons or software programs that have been appropriately granted access rights.

What this means is, you can pick your own time-out limit. I would recommend something standard, like 10 minutes of inactivity. Most of the sites I have visited that implement this feature use either 10 minutes or 15 minutes, with banks and health-care providers being the shorter duration.
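
The idle-timeout logic the two comments above describe, as an added example that is not part of this issue or of the project's code. Everything in it is assumed for illustration: the class and method names (SessionStore, login, authenticate, reap), the timeout constants, and the in-memory dict standing in for whatever session backend the application uses. Times are integer seconds passed in explicitly so the logic is deterministic and testable. The security point it makes is that automatic logoff has to be enforced on the server on every request; a browser-side countdown is only a courtesy to the user, since the client can be left open or modified, and a user-selectable limit (the settings option mentioned at the top of the issue) must be capped by a policy maximum.

```python
"""Server-side automatic logoff (idle timeout) for an authenticated session.

Added example; not code from the project this issue belongs to. All names here
(SessionStore, authenticate, reap, the timeout constants) are hypothetical, and
the store is a plain in-memory dict standing in for the real session backend.
Times are integer seconds passed in explicitly so the logic is unit-testable.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

# Defaults: 10 minutes of inactivity, as recommended in the discussion above.
# A user may request a longer limit but never beyond MAX_IDLE_TIMEOUT, and
# every session ends after ABSOLUTE_TIMEOUT regardless of activity.
DEFAULT_IDLE_TIMEOUT = 10 * 60
MAX_IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60


@dataclass
class Session:
    user_id: str
    created_at: int      # absolute clock starts here and is never reset
    last_activity: int   # idle clock restarts on every authenticated request
    idle_timeout: int    # effective per-session limit, already clamped to policy


class SessionStore:
    def __init__(self, idle_timeout: int = DEFAULT_IDLE_TIMEOUT,
                 max_idle_timeout: int = MAX_IDLE_TIMEOUT,
                 absolute_timeout: int = ABSOLUTE_TIMEOUT) -> None:
        if not (0 < idle_timeout <= max_idle_timeout <= absolute_timeout):
            raise ValueError("timeouts must satisfy 0 < idle <= max_idle <= absolute")
        self.idle_timeout = idle_timeout
        self.max_idle_timeout = max_idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, now: int, requested_idle: Optional[int] = None) -> str:
        """Create a session and return its opaque token.

        A user-chosen limit (the settings option discussed in this issue) is
        honoured only up to the policy maximum; a missing, zero or negative
        request falls back to the default.
        """
        idle = requested_idle if requested_idle and requested_idle > 0 else self.idle_timeout
        idle = min(idle, self.max_idle_timeout)
        token = secrets.token_urlsafe(32)   # 256-bit random session identifier
        self._sessions[token] = Session(user_id, now, now, idle)
        return token

    def _expired(self, s: Session, now: int) -> bool:
        return (now - s.last_activity > s.idle_timeout
                or now - s.created_at > self.absolute_timeout)

    def authenticate(self, token: str, now: int) -> Optional[str]:
        """Return the user id for a live session, or None.

        Every request that touches protected data must go through this check.
        It runs on the server, so a browser left open or a client that disables
        the JavaScript countdown gains nothing. An expired session is deleted
        immediately so that a later request cannot revive it.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s.last_activity = now   # activity resets the idle clock, not the absolute one
        return s.user_id

    def logout(self, token: str) -> None:
        """Explicit logoff: remove the session so the token is dead server-side."""
        self._sessions.pop(token, None)

    def reap(self, now: int) -> int:
        """Background sweep for sessions that expired without being touched again."""
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)
```

The timeouts are chosen at construction so the same store can be configured per deployment; in a real application the last-activity timestamp would live in whatever the session backend is (database row, cache entry), and the client-side countdown would simply be set to the same value the server enforces, so the user is warned before the server silently drops the session.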

@cf7
Collaborator Author

cf7 commented Dec 27, 2016

This is awesome! Thank you so much BJ!

@cf7 cf7 modified the milestones: Minimum Viable Product Deliverable , Minimum Requirements Mar 8, 2017