HIPAA Password Requirements

The HIPAA password requirements are designed to help covered entities and business associates more easily manage access to systems containing Protected Health Information (PHI) and ensure that audit trails and events logs accurately reflect who has accessed systems, databases, and individual records. To support compliance with the HIPAA password managements, NIST recommends implementing a password manager.

Like many requirements of the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA password requirements are written in a way that covers many different present and future scenarios. Consequently, the requirements can be a source of confusion for Covered Entities and Business Associates. This article aims to bring clarity to the HIPAA password requirements.

One of the objectives of HIPAA is to protect individuals´ medical records and other personal health and payment information against theft, loss, and unauthorized disclosure. When Protected Health Information is stored on electronic devices (ePHI), it is subject to the safeguards of the HIPAA Security Rule, within which it is possible to determine the HIPAA password requirements.

However, to best understand the HIPAA password requirements, it is helpful to first understand the HIPAA Security Standards and the difference between “required implementation specifications” and “addressable implementation specifications” as these factors may help determine whether or not a Covered Entity or Business Associate has to comply with the HIPAA password requirements.

The HIPAA Security Standards and Implementation Specifications

The HIPAA Security Rule consists of twenty Security Standards. Some of the Security Standards are straightforward inasmuch as they require Covered Entities and Business Associates to take a specific course of action for which there is only one option. For example, the Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”.

Other Security Standards include a range of implementation specifications – some of which are “required”, while others are “addressable”. The difference between the two is that “required” means the implementation specification is mandatory, while “addressable” means the implementation specification is mandatory unless the Covered Entity implements one or more alternate security measures that accomplish the same purpose or can demonstrate the implementation specification is unreasonable or inappropriate.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Business Email *

Name *

First

Last

Number *

Company Name *

Download Free Checklist

Immediate Access

Privacy Policy

In the context of §164.312(d) above, the Department of Health and Human Services acknowledges there is more than one way to verify that a person or entity seeking access to ePHI is the one claimed. In the agency´s Guide to the Technical Security Standards, it is suggested Covered Entities can comply with this Security Standard by implementing authentication measures that:

• Require something only known to that individual, such as a password or PIN,
• Require something that the individual possesses, such as a smart card or key, or
• Require something unique to the individual such as a fingerprint or iris pattern.

This guidance implies passwords are not necessarily a requirement of HIPAA if Covered Entities can verify a person´s identity using an alternate authentication method. However, under the Security Standard relating to access controls (§164.312(a)) it is a required implementation specification that Covered Entities assign a unique name and/or number for identifying and tracking user identity (e.g., a username), while under the Security Standard relating to Security Awareness and Training (§164.308(5)), addressable implementation specifications include procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.

Consequently, Covered Entities and Business Associates don´t have to use passwords to verify a person´s identity. Any authentication method that meets the Security Standard for access controls (i.e., includes a unique name and/or number) will suffice. However, if Covered Entities and Business Associates do use passwords to verify a person´s identity, they must implement procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords – unless an alternative security measure is implemented that accomplishes the same purpose or it can be demonstrated password security is unreasonable or inappropriate.

Best Practices to Comply with the HIPAA Password Requirements

As authentication measures such as smart cards, keys, and biometrics are expensive to implement and difficult to manage, most Covered Entities and Business Associates use username and password combinations to verify a person´s identity. However, neither the text of HIPAA nor the Department of Health and Human Services stipulates minimum HIPAA password requirements – the Department´s Guide to the Administrative Security Standards only advising Covered Entities should:

• Establish guidelines for creating passwords and changing them during periodic change cycles (*).
• Develop policies to prevent workforce members sharing passwords with others.
• Ensure passwords are not written down or left in areas that are visible to others.

(*) The Guide was published before NIST revised its guidance relating to periodic password changes.

Nonetheless, as one of the objectives of HIPAA is to protect individuals´ medical records and other personal health and payment information against theft, loss, and unauthorized disclosure, the failure to apply password best practices could be considered negligent if a Covered Entity or Business Associate experienced a data breach due to a weak, re-used, or shared password. So, what are the best practices to comply with the HIPAA password requirements?

Due to the continuously-evolving threat landscape, the HIPAA password requirements are also continuously evolving. Therefore, Covered Entities and Business Associates should review the latest guidance issued by the National Institute of Standards and Technology (NIST) – the most recent publication relating to passwords being NIST Special Publication 800-63B. In the most recent guidance, NIST recommends:

• • Passwords should be a minimum of eight characters in length – although the longer the password is, the harder it becomes to crack in a brute force attack.
  • Enforcing the use of complex passwords requiring a mix of upper- and lower-case letters, numbers, and special characters.
  • Alternatively, organizations can allow the use of long passphrases to eliminate the issue of remembering complex passwords without compromising security.
  • Blocking the use of single dictionary words, commonly-used weak passwords, and password hints as the answers to the hints can often be found on social media.
  • Enabling two-step login (multi-factor authentication) to add an additional layer of security to accounts and reduce the need to change compromised passwords.
  • Educating users on good password hygiene such as changing default passwords, not sharing passwords, and not reusing passwords for different accounts.
  • Implementing a password manager to enforce strong password policies, store login credentials securely, and prevent the same password being used for multiple accounts.

HIPAA Password Requirements FAQs