Like many requirements of the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA password requirements are written in a way that covers many different present and future scenarios. Consequently, the requirements can be a source of confusion for Covered Entities and Business Associates. This article aims to bring clarity to the HIPAA password requirements.
One of the objectives of HIPAA is to protect individuals' medical records and other personal health and payment information against theft, loss, and unauthorized disclosure. When Protected Health Information is stored on electronic devices (ePHI), it is subject to the safeguards of the HIPAA Security Rule, within which it is possible to determine the HIPAA password requirements.
However, to best understand the HIPAA password requirements, it is helpful to first understand the HIPAA Security Standards and the difference between “required implementation specifications” and “addressable implementation specifications” as these factors may help determine whether or not a Covered Entity or Business Associate has to comply with the HIPAA password requirements.
The HIPAA Security Rule consists of twenty Security Standards. Some of the Security Standards are straightforward inasmuch as they require Covered Entities and Business Associates to take a specific course of action for which there is only one option. For example, the Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”.
Other Security Standards include a range of implementation specifications – some of which are “required”, while others are “addressable”. The difference between the two is that “required” means the implementation specification is mandatory, while “addressable” means the implementation specification is mandatory unless the Covered Entity implements one or more alternate security measures that accomplish the same purpose or can demonstrate the implementation specification is unreasonable or inappropriate.
In the context of §164.312(d) above, the Department of Health and Human Services acknowledges there is more than one way to verify that a person or entity seeking access to ePHI is the one claimed. In the agency's Guide to the Technical Security Standards, it is suggested Covered Entities can comply with this Security Standard by implementing authentication measures that:
This guidance implies passwords are not necessarily a requirement of HIPAA if Covered Entities can verify a person's identity using an alternate authentication method. However, under the Security Standard relating to access controls (§164.312(a)) it is a required implementation specification that Covered Entities assign a unique name and/or number for identifying and tracking user identity (e.g., a username), while under the Security Standard relating to Security Awareness and Training (§164.308(5)), addressable implementation specifications include procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.
Consequently, Covered Entities and Business Associates don't have to use passwords to verify a person's identity. Any authentication method that meets the Security Standard for access controls (i.e., includes a unique name and/or number) will suffice. However, if Covered Entities and Business Associates do use passwords to verify a person's identity, they must implement procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords – unless an alternative security measure is implemented that accomplishes the same purpose or it can be demonstrated password security is unreasonable or inappropriate.
As authentication measures such as smart cards, keys, and biometrics are expensive to implement and difficult to manage, most Covered Entities and Business Associates use username and password combinations to verify a person's identity. However, neither the text of HIPAA nor the Department of Health and Human Services stipulates minimum HIPAA password requirements – the Department's Guide to the Administrative Security Standards only advises that Covered Entities should:
(*) The Guide was published before NIST revised its guidance relating to periodic password changes.
Nonetheless, as one of the objectives of HIPAA is to protect individuals' medical records and other personal health and payment information against theft, loss, and unauthorized disclosure, the failure to apply password best practices could be considered negligent if a Covered Entity or Business Associate experienced a data breach due to a weak, re-used, or shared password. So, what are the best practices to comply with the HIPAA password requirements?
Due to the continuously-evolving threat landscape, the HIPAA password requirements are also continuously evolving. Therefore, Covered Entities and Business Associates should review the latest guidance issued by the National Institute of Standards and Technology (NIST) – the most recent publication relating to passwords being NIST Special Publication 800-63B. In the most recent guidance, NIST recommends:
No. When NIST announced the revised guidelines, it noted that enforced periodic password changes often resulted in users making minimal changes to their passwords (e.g., “pass2020” to “pass2021”). It was considered that, if the original password had been compromised, there was a strong likelihood the changed password would be as well. The current guidance is that passwords only require changing (to something completely different) when there is evidence of compromise.
There are multiple tools available on the Internet that can sweep directories to compare login credentials against databases of commonly-used weak passwords. Alternatively, Covered Entities and Business Associates can implement a password manager with Health Check capabilities that performs a similar sweep and alerts users to weak, re-used, or compromised passwords.
It depends on the reason why passwords are being shared. If – for example – marketing teams use the same social media accounts, there is a justifiable reason for passwords being shared. However, there are no circumstances in which passwords to systems containing ePHI should be shared and if – for example – healthcare professionals are sharing passwords to EHRs, this is a violation of the HIPAA password sharing policy.
The advice to avoid dictionary words in passwords applies to single dictionary words – for example, “hello”, “shopping”, or “computer”. If you use a long passphrase with three unconnected words (e.g., “bottle-penguin-theater”) the passphrase is unguessable and would take centuries to crack using current hacking algorithms.
Commercial password managers such as Bitwarden can be configured to prevent users creating login credentials with passwords that are already in existence within the organization. If a user attempts to create more than one account with the same password – either deliberately or by accident – they will be advised to use another password.