Password Managers and HIPAA
Password managers are effective tools for supporting HIPAA compliance, provided they have the capabilities needed to meet the safeguards of the Security Rule and, if they are used to store or transmit PHI, provided the vendor will sign a Business Associate Agreement.
Despite the importance of credentials to data security, password management is mentioned only once in HIPAA, and then only as an addressable implementation specification (45 CFR §164.308(a)(5)(ii)(D), under the Security Awareness and Training standard) requiring Covered Entities and Business Associates to implement "Procedures for creating, changing, and safeguarding passwords."
There are other standards to which password managers could be relevant, for example those relating to the security management process, workforce security, and unique user identification (§164.312(a)(2)(i)). However, given the Security Rule's "flexibility of approach" clause (§164.306(b)), other solutions could satisfy these standards equally well.
Because a password manager can "tick the box" for a number of standards at once, it is a practical option for supporting HIPAA compliance, provided it has the technical capabilities the Security Rule expects: automatic logoff (§164.312(a)(2)(iii)), audit logging of user and administrative activity (§164.312(b)), and an emergency access procedure (§164.312(a)(2)(ii)). Not every password manager has these capabilities, so they should be verified during evaluation rather than assumed.
No Password Manager is HIPAA Compliant
When evaluating password managers, many vendors claim their software is HIPAA compliant. It is not. No software is HIPAA compliant, and HHS operates no certification program that could make it so. Compliance is a property of how the software is configured and used by the Covered Entity or Business Associate, which is one of the reasons HIPAA is often described as "technology neutral".
Therefore, the important elements to consider when evaluating a password manager are whether it has the capabilities needed to comply with the Security Rule safeguards, and how simple it is to configure and use. The second element is as important as the first because:
- If a password manager is too difficult to configure correctly, there could be issues in providing, managing, and removing user access.
- If a password manager is too complicated to use, workforce members will find alternative, insecure methods of saving weak passwords (sticky notes, spreadsheets, browser autofill on shared workstations).
Ease of use matters because one of the primary causes of data breaches in healthcare is the use and reuse of weak passwords, which are easy to recover by brute force and easy to replay in credential-stuffing attacks once leaked from another site. Password sharing between workforce members is a related problem that a password manager can resolve, since shared credentials undermine unique user identification and make audit logs unattributable.
The Issue of Business Associate Agreements
A further issue arises if the password manager is used to keep notes about patients, set reminders about patients, or transmit any individually identifiable health information via an included secure messaging service: the vendor is then creating, receiving, or maintaining PHI on the organization's behalf and must sign a Business Associate Agreement.
Some vendors claim that, because their password managers are built on a zero-knowledge architecture, they have no access to PHI and are therefore not Business Associates under HIPAA. However, the HHS Office for Civil Rights (OCR) has stated in its cloud computing guidance (the following quote is abridged for brevity):
"Cloud Service Providers that provide cloud services [...] that involve creating, receiving, or maintaining ePHI meet the definition of a Business Associate even if the Service Provider cannot view the ePHI because it is encrypted and the Service Provider does not have the decryption key".
Consequently, Covered Entities and Business Associates must either implement a policy prohibiting the use of the password manager for storing and transmitting PHI (which is hard to enforce in practice, because free-text note fields are indistinguishable from password entries), or enter into a Business Associate Agreement with the vendor of the password manager.
Which Vendors Will Sign Business Associate Agreements?
This is where the issue of password managers gets complicated. Although the vendors of the two most widely used password managers, Google Chrome and Apple Keychain, are willing to sign Business Associate Agreements, managing passwords across multiple devices is complicated by the Chrome password manager being browser-specific and the Keychain password manager being OS-specific. Organizations should also confirm that the scope of any such agreement actually covers the password-storage service in question, since a BAA typically applies only to the services it names.
Vault-based password managers that work across all devices, browsers, and operating systems overcome this issue, but many of the leading vendors (Keeper, 1Password, LastPass, Dashlane, etc.) will not sign a Business Associate Agreement. Others (e.g., NordPass and Password Boss) claim to be HIPAA compliant, but their websites give no indication of whether they will enter into a Business Associate Agreement.
This leaves a small selection of password managers whose vendors publicly state they are willing to enter into a Business Associate Agreement. Among them, Bitwarden is the most cost-effective and customizable. It has the capabilities required to comply with the safeguards of the Security Rule, and its Enterprise Plan includes a free Family Plan for every user, which encourages workforce members to apply password best practices in their personal lives as well as in their professional roles.