In order to understand the HIPAA password requirements, it is first necessary to understand whether or not HIPAA requires the use of passwords to prevent unauthorized access to ePHI. This is because, although the Administrative Safeguards of the HIPAA Security Rule stipulate that Covered Entities are required to develop and implement procedures for creating, changing, and safeguarding passwords, this is an “addressable” implementation specification rather than a “required” one.
An “addressable” implementation specification means a Covered Entity must either (a) implement the specification, (b) implement an alternate measure that achieves the same purpose, or (c) not implement the specification or an alternative if it can be proven the specification is unreasonable or inappropriate. If (c), the Covered Entity has to document why the implementation is unreasonable or inappropriate and support the reason with the results of a risk analysis.
Does HIPAA Require the Use of Passwords?
In the context of whether or not HIPAA requires the use of passwords, it is important to note that the Technical Safeguards of the HIPAA Security Rule stipulate Covered Entities must implement an authentication method to verify that a person or entity seeking access to ePHI is the one claimed, and also that users are assigned a unique name and/or number for identifying and tracking user activity. Both of these implementation specifications are “required”.
However, although these required implementation specifications exist, they do not need to be complied with using passwords. In its Guide to the Technical Safeguards of the Security Rule, the Department of Health and Human Services suggests there are three ways in which Covered Entities can comply with these implementation specifications:
- By implementing an authentication method that requires something known only to the individual (e.g., a password or PIN),
- By implementing an authentication method that requires something the individual possesses (e.g., a smart card or key), or
- By implementing an authentication method that requires something unique to the individual (e.g., a fingerprint or facial image).
In most cases, Covered Entities comply with the Technical Safeguards implementation specifications with username and password combinations because the alternative options are more expensive and have a high management overhead. This implies they are also required to comply with the addressable Administrative Safeguards of the Security Rule and implement HIPAA password policies for the compliant creation, changing, and safeguarding of passwords.
What Should HIPAA Password Policies Consist Of?
Beyond the implementation specifications mentioned previously, there is no further information within the text of HIPAA regarding password requirements or what HIPAA password policies should consist of. However, it is a recognized best practice to ensure a minimum of 8 characters are used when creating passwords, that passwords should not be dictionary words, and should combine upper- and lower-case letters, at least one number, and a special character.
Consequently, policies should be developed that stipulate how passwords are created, changed, and safeguarded. HIPAA password policies should require passwords to be changed when they are identified as being weak, reused, shared with an unauthorized third party, or compromised in a cyberattack. Policies for safeguarding passwords should stipulate passwords are encrypted when they are saved to a device and never stored in plain text.
Best Practices for Creating, Changing, and Safeguarding Passwords
When an organization uses passwords to protect ePHI from unauthorized disclosure, loss, or theft, the HIPAA password requirements essentially require recognized password best practices to be followed. The best approach to take is to base a HIPAA password policy on the latest advice from the National Institute of Standards and Technology (NIST).
NIST publishes security guidance on password use and management and the guidance is regularly updated. The latest NIST password guidance can be found in NIST Special Publication 800-63B. By creating a password policy based on current NIST guidance, healthcare organizations will be able to meet the HIPAA password requirements and keep accounts and data secure.
- Set a minimum password length of 8 characters – NIST recommends a maximum length of 64 characters.
- Enforce the use of complex passwords requiring a mix of upper- and lower-case letters, numbers, and special characters.
- NIST recommends creating memorable passwords. Enable the use of long passphrases, which removes the need for password complexity requirements without compromising security.
- Block the use of commonly used weak passwords and dictionary words.
- Avoid the use of password hints as they can make passwords less secure.
- Enable multi-factor authentication for all accounts to eliminate the need to regularly change passwords.
Use a HIPAA-Compliant Password Manager
One of the easiest ways to ensure strong, complex passwords are created that meet NIST standards and HIPAA password requirements is to use a password manager like Bitwarden that supports HIPAA compliance and uses end-to-end “zero knowledge” encryption so nobody outside the Covered Entity has access to the passwords or the ePHI they protect.
Password managers support employee best practices for creating, changing, and safeguarding passwords, and many can also handle one-time passcodes (OTPs) and biometric logins if the Covered Entity opts for an authentication method other than username and password combinations. Consequently, password managers can also be used when multi-factor authentication (MFA) is considered appropriate to safeguard access to privileged accounts.
HIPAA Password Requirements – FAQs
How could a Covered Entity tell if a password is weak, reused, shared with an unauthorized third party, or compromised in a cyberattack?
Many password managers have a health check capability that enables Covered Entities to test for weak, reused, and compromised passwords. If a password has been shared with an unauthorized third party, it should be reported by the individual who shared the password, as sharing login credentials to systems containing ePHI is a violation of HIPAA.
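The NIST-aligned policy rules listed above (8 to 64 characters, no common or dictionary words, complexity waived for long passphrases) and the health check described in this answer (weak, reused, compromised) can be expressed as one small checker. The following is an added example, not code from the original article or from any password manager product; the blocklist, the compromised-password set, and the 16-character passphrase threshold are constructed assumptions for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed blocklist standing in for a real common/dictionary-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "hospital"}

# Constructed "known compromised" set, held as SHA-1 digests rather than plaintext
# (the same shape a breach-corpus lookup returns), so the checker never stores them in clear.
COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2023!", "Clinic#2021")}

MIN_LEN, MAX_LEN = 8, 64      # minimum and maximum from the policy list above
PASSPHRASE_LEN = 16           # assumed length above which composition rules are waived


def check_password(pw: str) -> list[str]:
    """Return the policy findings for one password; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LEN:
        findings.append("too short")
    if len(pw) > MAX_LEN:
        findings.append("too long")
    # Catch both the bare dictionary word and the word with trailing digits/symbols.
    stem = re.sub(r"[\d\W_]+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        findings.append("common/dictionary word")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) < PASSPHRASE_LEN and classes < 4:
        findings.append("lacks upper/lower/digit/special mix")
    if hashlib.sha1(pw.encode()).hexdigest() in COMPROMISED_SHA1:
        findings.append("compromised")
    return findings


def health_check(vault: dict[str, str]) -> dict[str, list[str]]:
    """Vault-wide check: per-account policy findings plus cross-account reuse."""
    accounts_by_pw = defaultdict(list)
    for account, pw in vault.items():
        accounts_by_pw[pw].append(account)
    report = {}
    for account, pw in vault.items():
        findings = check_password(pw)
        if len(accounts_by_pw[pw]) > 1:
            findings.append("reused")
        if findings:
            report[account] = findings
    return report
```

Run `health_check` over a constructed vault such as `{"ehr": "Password1", "email": "Password1", "pacs": "Summer2023!"}` and only the accounts with findings are reported, with the reused credential flagged on both accounts that share it.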
Is it ever allowable to share passwords in a healthcare environment?
While it is a violation of HIPAA to share login credentials to systems containing ePHI (because of the requirement “to verify a person or entity seeking access to ePHI is the one claimed”), there are circumstances in which marketing, legal, finance, or IT teams may share passwords in order to access shared password-protected accounts (e.g., social media marketing accounts).
What are the HIPAA password change requirements?
Although the Administrative Safeguards stipulate Covered Entities should implement procedures for creating, changing, and safeguarding passwords, this addressable requirement was issued prior to NIST changing its recommendations for password best practices. The current guidance is that passwords should only be changed when there is evidence of compromise.
Are there HIPAA account lockout requirements?
Under the Technical Safeguards there is an addressable implementation specification that Covered Entities should “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” The purpose of this specification is to prevent the unauthorized disclosure of ePHI when a workstation or device is left unattended.
Does HIPAA require multi-factor authentication?
Multi-factor authentication (MFA) is an option for complying with HIPAA; but, as HIPAA is technology-neutral, it is not a requirement. However, if a Covered Entity conducts a risk assessment that identifies a weakness in its access controls that could be addressed by MFA, then MFA should be used as an appropriate security measure to address that weakness.