HIPAA Privacy - Login password or USB Access key?



I have a HIPAA privacy question. I have a medical device that stores very little patient information, just the Patient Name, DOB, and previous treatments.

This medical device currently requires a USB Access key connected to a USB port in order for it to work. Is this sufficient to protect the patient's privacy? If the clinician leaves the Access key connected and patient info is compromised, it's their fault.

However, per HIPAA's addressable actions, they recommend a username/password to log in to the system. This can also be compromised if the clinician does not log off.

Is a login system a must? Are there alternatives? Is the Access key sufficient?



I am not sure if the regulatory authorities care whose fault it is that the USB key is left plugged in.

If using username/password, is it possible for the system to automatically lock or log out the user after some pre-determined amount of idle time (10 minutes?).


My quick notes do not call out a requirement for UN/Password only (162.312)

"Assign a unique name and/or number for identifying and tracking user identity."


"Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."

Everyone appears to address the requirement with UN/Pass, but a card could work if you could log it out after inactivity. Nothing prevents biometrics either if the inactivity can be addressed.

The goal is they want to make sure only credentialed individuals have access. They don't define exactly how, but .....
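As an added illustration of the two points quoted above (unique user identity plus automatic termination after a predetermined idle time), and not code from any poster here: a minimal session controller that maps a credential such as a USB key serial to a unique user ID and ends the session once the idle limit is reached, even if the key is still plugged in. The credential-to-user table, the 10-minute limit and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example data: which credential identifies which unique user.
# In practice this would come from the device's user directory, not be hard-coded.
CREDENTIAL_TO_USER = {
    "usbkey-serial-0001": "clinician-a1",
    "usbkey-serial-0002": "clinician-b2",
}
IDLE_TIMEOUT = timedelta(minutes=10)  # assumed "predetermined time of inactivity"


@dataclass
class Session:
    user_id: str
    last_activity: datetime


class SessionManager:
    """Gates every patient-record access through an idle-timeout check."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.session = None
        self.audit_log = []  # (timestamp, user_id, event) - unique ID per event

    def login(self, credential: str, now: datetime) -> bool:
        user_id = CREDENTIAL_TO_USER.get(credential)
        if user_id is None:
            self.audit_log.append((now, None, "login-rejected"))
            return False
        self.session = Session(user_id, now)
        self.audit_log.append((now, user_id, "login"))
        return True

    def access_record(self, now: datetime):
        """Return the acting user's ID, or None if there is no live session."""
        if self.session is None:
            return None
        if now - self.session.last_activity >= self.idle_timeout:
            # Terminate regardless of whether the USB key is still inserted.
            self.logout(now, reason="auto-logoff")
            return None
        self.session.last_activity = now  # activity resets the idle clock
        self.audit_log.append((now, self.session.user_id, "phi-access"))
        return self.session.user_id

    def logout(self, now: datetime, reason: str = "logout") -> None:
        if self.session is not None:
            self.audit_log.append((now, self.session.user_id, reason))
            self.session = None
```

Every access both passes the idle check and lands in the audit log under the unique user ID, which is what lets the device answer "who did what, and was the session still valid" after the fact.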


Thanks for the responses! Yes, it would be possible to implement a time-out session. That might be the best way to go in conjunction with a username / password.