How To Comply With the HIPAA Password Requirements


According to the HIPAA password requirements, there must be procedures for creating, changing and safeguarding passwords, unless an alternative security measure is equally effective. The best way to comply with the HIPAA password requirements is to use two-factor authentication. The HIPAA password requirements appear in the Administrative Safeguards of the HIPAA Security Rule, in the Security Awareness and Training standard, §164.308(a)(5).

In general, strong passwords combine numbers, upper- and lower-case letters and special characters, and the longer the password, the better. However, experts do not agree on the best HIPAA-compliant password policy: there is no consensus on how often passwords should be changed or on the best way to safeguard them. Some say passwords should be changed every 60 or 90 days; others say this is just a waste of time, since a competent hacker can crack the password anyway. On safeguarding passwords, most agree that the best practice for a HIPAA-compliant password policy is to use a password management tool. These tools can be hacked as well, but because the stored passwords are encrypted, the hacker cannot use them.

HIPAA password requirements are addressable requirements, meaning that a covered entity can implement one or more alternatives that accomplish the same purpose. If the purpose is to limit unnecessary or inappropriate access to PHI, the covered entity can implement alternative security measures that address that purpose and remain HIPAA-compliant. Two-factor authentication is one such alternative: a person logging into a database with a username and password must also enter a PIN code sent via SMS or push notification to confirm their identity, which makes it harder for a hacker to gain access.
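The two-step login described above, as an added example that is not part of the original article: a salted password hash as the first factor and a delivered PIN as the second, with the PIN stored only as a hash, expiring, limited to three attempts and usable once. The work factor, the five-minute expiry and the three-attempt limit are assumed policy values, and delivery of the PIN by SMS or push is left to the caller.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 600_000   # assumed work factor for the stored password hash
PIN_TTL_SECONDS = 300     # assumed policy: a delivered PIN expires after five minutes
MAX_PIN_ATTEMPTS = 3      # assumed policy: three wrong PINs invalidate the challenge

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """First factor: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

class PinChallenge:
    """A one-time PIN issued after the password check; only its hash is kept."""
    def __init__(self, pin: str, issued_at: float):
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.expires_at = issued_at + PIN_TTL_SECONDS
        self.attempts_left = MAX_PIN_ATTEMPTS

def issue_pin(now=None) -> tuple:
    """Second factor: mint a random six-digit PIN for delivery by SMS or push.
    The plaintext is returned only so the caller can send it; the server
    keeps the PinChallenge, not the PIN."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(1_000_000):06d}"
    return pin, PinChallenge(pin, now)

def verify_pin(challenge: PinChallenge, submitted: str, now=None) -> bool:
    """Accept the PIN once, before expiry and within the attempt budget; with only
    a million six-digit values, expiry and the limit, not the hash, stop guessing."""
    now = time.time() if now is None else now
    if now > challenge.expires_at or challenge.attempts_left <= 0:
        return False
    challenge.attempts_left -= 1
    ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), challenge.pin_hash)
    if ok:
        challenge.attempts_left = 0  # single use: a replayed PIN is rejected
    return ok

def login(password, salt, digest, challenge, pin, now=None) -> bool:
    """The two-step flow from the text: password first, then the delivered PIN."""
    return verify_password(password, salt, digest) and verify_pin(challenge, pin, now)
```

Because `login` checks the password first, a wrong password never consumes a PIN attempt, so an attacker without the password cannot burn the legitimate user's challenge.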

Many medical facilities already use two-factor authentication, not for safeguarding PHI but for accepting credit card payments, in order to comply with the DEA's Electronic Prescriptions for Controlled Substances rules or the Payment Card Industry Data Security Standard. Although some healthcare professionals say that two-factor authentication slows down their workflow, it is still a far easier way to comply with the HIPAA password requirements than frequently changing passwords. Covered entities just need to remember to document the alternative solutions they implement, so that the records are available for any later investigation or audit.