HIPAA Password Requirements

Like many requirements of the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA password requirements are written in a way that covers many different present and future scenarios. Consequently, the requirements can be a source of confusion for Covered Entities and Business Associates. This article aims to bring clarity to the HIPAA password requirements.

One of the objectives of HIPAA is to protect individuals’ medical records and other personal health and payment information against theft, loss, and unauthorized disclosure. When Protected Health Information is stored on electronic devices (ePHI), it is subject to the safeguards of the HIPAA Security Rule, and it is within the Security Rule that the HIPAA password requirements can be found.

However, to best understand the HIPAA password requirements, it is helpful to first understand the HIPAA Security Standards and the difference between “required implementation specifications” and “addressable implementation specifications” as these factors may help determine whether or not a Covered Entity or Business Associate has to comply with the HIPAA password requirements.

The HIPAA Security Standards and Implementation Specifications

The HIPAA Security Rule consists of twenty Security Standards. Some of the Security Standards are straightforward inasmuch as they require Covered Entities and Business Associates to take a specific course of action for which there is only one option. For example, the Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”.

Other Security Standards include a range of implementation specifications – some of which are “required”, while others are “addressable”. The difference between the two is that “required” means the implementation specification is mandatory, while “addressable” means the implementation specification is mandatory unless the Covered Entity implements one or more alternate security measures that accomplish the same purpose or can demonstrate the implementation specification is unreasonable or inappropriate.

In the context of §164.312(d) above, the Department of Health and Human Services acknowledges there is more than one way to verify that a person or entity seeking access to ePHI is the one claimed. In the agency’s Guide to the Technical Security Standards, it is suggested Covered Entities can comply with this Security Standard by implementing authentication measures that:

  • Require something only known to that individual, such as a password or PIN,
  • Require something that the individual possesses, such as a smart card or key, or
  • Require something unique to the individual such as a fingerprint or iris pattern.

This guidance implies passwords are not necessarily a requirement of HIPAA if Covered Entities can verify a person’s identity using an alternate authentication method. However, under the Security Standard relating to access controls (§164.312(a)) it is a required implementation specification that Covered Entities assign a unique name and/or number for identifying and tracking user identity (e.g., a username), while under the Security Standard relating to Security Awareness and Training (§164.308(5)), addressable implementation specifications include procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.

Consequently, Covered Entities and Business Associates don’t have to use passwords to verify a person’s identity. Any authentication method that meets the Security Standard for access controls (i.e., includes a unique name and/or number) will suffice. However, if Covered Entities and Business Associates do use passwords to verify a person’s identity, they must implement procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords – unless an alternative security measure is implemented that accomplishes the same purpose or it can be demonstrated password security is unreasonable or inappropriate.

Best Practices to Comply with the HIPAA Password Requirements

As authentication measures such as smart cards, keys, and biometrics are expensive to implement and difficult to manage, most Covered Entities and Business Associates use username and password combinations to verify a person’s identity. However, neither the text of HIPAA nor the Department of Health and Human Services stipulates minimum HIPAA password requirements; the Department’s Guide to the Administrative Security Standards only advises that Covered Entities should:

  • Establish guidelines for creating passwords and changing them during periodic change cycles (*).
  • Develop policies to prevent workforce members sharing passwords with others.
  • Ensure passwords are not written down or left in areas that are visible to others.

(*) The Guide was published before NIST revised its guidance relating to periodic password changes.

Nonetheless, as one of the objectives of HIPAA is to protect individuals’ medical records and other personal health and payment information against theft, loss, and unauthorized disclosure, the failure to apply password best practices could be considered negligent if a Covered Entity or Business Associate experienced a data breach due to a weak, re-used, or shared password. So, what are the best practices to comply with the HIPAA password requirements?

Due to the continuously-evolving threat landscape, the HIPAA password requirements are also continuously evolving. Therefore, Covered Entities and Business Associates should review the latest guidance issued by the National Institute of Standards and Technology (NIST) – the most recent publication relating to passwords being NIST Special Publication 800-63B. In the most recent guidance, NIST recommends:

  • Passwords should be a minimum of eight characters in length – although the longer the password is, the harder it becomes to crack in a brute force attack.
  • Enforcing the use of complex passwords requiring a mix of upper- and lower-case letters, numbers, and special characters.
  • Alternatively, organizations can allow the use of long passphrases to eliminate the issue of remembering complex passwords without compromising security.
  • Blocking the use of single dictionary words, commonly-used weak passwords, and password hints as the answers to the hints can often be found on social media.
  • Enabling two-step login (multi-factor authentication) to add an additional layer of security to accounts and reduce the need to change compromised passwords.
  • Educating users on good password hygiene such as changing default passwords, not sharing passwords, and not reusing passwords for different accounts.
  • Implementing a password manager to enforce strong password policies, store login credentials securely, and prevent the same password being used for multiple accounts.
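The following checker is an added example (not code from the article or from any password manager) of how the length, blocklist, single-dictionary-word, and reuse checks from the list above can be enforced at password-creation time; it also covers the FAQ questions below on detecting commonly-used weak passwords and preventing the same password being used for multiple accounts. The weak-password list and dictionary are small constructed samples standing in for a real breach-derived blocklist and a full dictionary.

```python
import hashlib
import re

# Constructed sample lists standing in for a real blocklist of commonly-used
# weak passwords and for a full dictionary of single words.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"hello", "shopping", "computer", "bottle", "penguin", "theater"}
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords; no upper cap, so passphrases pass


def fingerprint(password):
    """Opaque identifier used only to spot reuse inside one organization's vault.

    A password manager already holds the decrypted vault, so it can compare
    candidates directly; the fingerprint set here is a constructed stand-in.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def words_in(password):
    """Split a candidate into lower-case alphabetic words, ignoring digits and symbols."""
    return re.findall(r"[a-z]+", password.lower())


def check_password(password, existing_fingerprints=frozenset()):
    """Return the list of policy violations; an empty list means the candidate is acceptable."""
    problems = []
    lowered = password.lower()
    # Trailing digits/symbols ("Password123", "letmein!") do not rescue a blocklisted word.
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in WEAK_PASSWORDS or stripped in WEAK_PASSWORDS:
        problems.append("commonly-used weak password")
    words = words_in(password)
    if len(words) == 1 and words[0] in DICTIONARY_WORDS:
        problems.append("single dictionary word")
    if fingerprint(password) in existing_fingerprints:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    vault = {fingerprint("bottle-penguin-theater")}  # one password already stored
    for candidate in ["Computer1!", "Password123", "bottle-penguin-theater", "river-candle-sixty-maple"]:
        print(candidate, "->", check_password(candidate, vault) or "ok")
```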

HIPAA Password Requirements FAQs

Following NIST’s revised guidance, is it still necessary to comply with the HIPAA password change requirements?

No. When NIST announced the revised guidelines, it noted that enforced periodic password changes often resulted in users making minimal changes to their passwords (i.e., “pass2020” to “pass2021”). It was considered that, if the original password had been compromised, there was a strong likelihood the changed password would be as well. The current guidance is that passwords only require changing (to something completely different) when there is evidence of compromise.

How is it possible to tell if a password is a commonly-used weak password?

There are multiple tools available on the Internet that can sweep directories to compare login credentials against databases of commonly-used weak passwords. Alternatively, Covered Entities and Business Associates can implement a password manager with Health Check capabilities that performs a similar sweep and alerts users to weak, re-used, or compromised passwords.

Many people in our organization share passwords. Is this a violation of the HIPAA password requirements?

It depends on the reason why passwords are being shared. If – for example – marketing teams use the same social media accounts, there is a justifiable reason for passwords being shared. However, there are no circumstances in which passwords to systems containing ePHI should be shared and if – for example – healthcare professionals are sharing passwords to EHRs, this is a violation of the HIPAA password sharing policy.

Is the advice to use long passphrases contradictory to the advice to avoid dictionary words in passwords?

The advice to avoid dictionary words in passwords applies to single dictionary words – for example, “hello”, “shopping”, or “computer”. If you use a long passphrase with three unconnected words (e.g., “bottle-penguin-theater”), the passphrase is unguessable and would take centuries to crack using current hacking algorithms.

How does a password manager prevent the same password being used for multiple accounts?

Commercial password managers such as Bitwarden can be configured to prevent users creating login credentials with passwords that are already in existence within the organization. If a user attempts to create more than one account with the same password – either deliberately or by accident – they will be advised to use another password.