Are your passwords HIPAA compliant? HIPAA compliant password requirements are an often-overlooked component of an effective HIPAA compliance program. Along with a privacy and security program, strong passwords can go far in protecting sensitive health data.
If you are reading this, there’s a good chance that you (or one of your coworkers) has their passwords and login information on a Post-It note taped to their desk.
While displaying passwords out in the open is unfortunately common in most offices (even the Boston Red Sox are guilty), it leaves you open to data breaches and costly HIPAA violations.
HIPAA Password Requirements
Effective password management is an important part of your HIPAA compliance plan. In order for a password to be considered HIPAA compliant, it needs to meet the standards stated in the Administrative Safeguards section of the HIPAA Security Rule.
PASSWORD MANAGEMENT – § 164.308(a)(5)(ii)(D)
The last addressable specification in this standard is Password Management. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must implement:
“Procedures for creating, changing, and safeguarding passwords.”
In addition to providing a password for access, entities must ensure that workforce members are trained on how to safeguard the information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic
Sample questions for covered entities to consider:
- Are there policies in place that prevent workforce members from sharing passwords with others?
- Is the workforce advised to commit their passwords to memory?
- Are common sense precautions taken, such as not writing passwords down and leaving them in areas that are visible or accessible to others?
The HIPAA Security Rule mandates that you MUST have some kind of password plan in place but does not require a specific plan. This allows you to develop, with your technology service provider, a plan that meets the needs of your employees and your practice.
How To Create A Secure Password
Here are some basic Dos and Don’ts when it comes to passwords that are complex and HIPAA compliant.
- DO change your system-level passwords (Windows Administrator, application administrator accounts, etc.) on a quarterly basis
- DO change your user-level passwords (email, desktop computer, etc.) at least every six months
- DO create passwords that meet at least three of the five following character classes:
  - Lowercase characters
  - Uppercase characters
  - “Special” characters (@, #, $, %, &, etc.)
- DO create passwords that are at least 8-15 alphanumeric characters long
- DO use different passwords for your business accounts and your personal accounts
- DO create passwords that are easy to remember. One way to do this is to create a password based on a song title, affirmation, or another phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. (P.S. DON'T use either of these examples as your actual password!)
- DON’T share your business passwords with anyone. All passwords should be treated as sensitive and confidential information.
- DON’T write down or store your passwords online without encryption
- DON’T reveal a password in email, chat, or other electronic communication
- DON’T hint at the format of a password (“my family name”)
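As an added example (not code from the original article), here is a small Python policy checker that turns the Dos and Don'ts above into something a practitioner can run against candidate passwords: it enforces the 8-character minimum, requires three of the character classes, rejects the two sample passwords the list says not to reuse, and flags system-level and user-level passwords that are past their quarterly or six-month rotation interval. Three assumptions are made: the list names five character classes but shows three, so digits are taken as a fourth class; "quarterly" and "every six months" are approximated as 90 and 182 days; and the 15-character upper figure is deliberately not enforced, since a longer password does no harm.

```python
"""Password-policy checks modelled on the Dos and Don'ts above (added example)."""
import re
from datetime import date

MIN_LENGTH = 8    # "at least 8" from the list; the 15 upper figure is not enforced
MIN_CLASSES = 3   # "at least three of the ... character classes"

# Character classes. Lowercase, uppercase and special come from the list above;
# digits are an ASSUMED fourth class (the list says five classes but names three).
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# The two sample passwords the list says not to use as real passwords. A real
# deployment would also load a breached-password list here.
PUBLISHED_EXAMPLES = {"TmB1w2R!", "Tmb1W>r~"}

# Rotation intervals from the list in days (ASSUMED: quarterly ~ 90, six months ~ 182).
ROTATION_DAYS = {"system": 90, "user": 182}


def classes_present(password: str) -> list[str]:
    """Return the names of the character classes that appear in the password."""
    return [name for name, pattern in CHARACTER_CLASSES.items() if pattern.search(password)]


def check_policy(password: str) -> list[str]:
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if password in PUBLISHED_EXAMPLES:
        failures.append("matches a published example password")
    if len(password) < MIN_LENGTH:
        failures.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    found = classes_present(password)
    if len(found) < MIN_CLASSES:
        failures.append(
            f"only {len(found)} of {len(CHARACTER_CLASSES)} character classes present "
            f"(need {MIN_CLASSES})"
        )
    return failures


def is_compliant(password: str) -> bool:
    """True when no policy failure is reported."""
    return not check_policy(password)


def rotation_overdue(account_type: str, last_changed: date, today: date) -> bool:
    """True if a password of this account type ('system' or 'user') is past its rotation interval."""
    return (today - last_changed).days > ROTATION_DAYS[account_type]


if __name__ == "__main__":
    # Constructed sample candidates, including the article's own example passwords.
    for candidate in ["TmB1w2R!", "password", "Short1!", "Quarter!y4Pass"]:
        print(f"{candidate!r}: {check_policy(candidate) or 'OK'}")
    # A system-level password last changed on 1 Jan is overdue by mid-April (105 days > 90).
    print(rotation_overdue("system", date(2024, 1, 1), date(2024, 4, 15)))
```

The checker returns the list of failures rather than a single boolean so that a self-service password-change page can tell the user exactly which rule was missed; `is_compliant` is the yes/no wrapper for automated enforcement. Note that a character-class rule alone does not catch predictable patterns such as a dictionary word followed by a digit and a symbol, which is why the example also keeps a denylist hook.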
If you are feeling inspired to update your password plan and policies, please contact us for more information. You can also discover if your company data and passwords are available on the Dark Web with our free scan.