With so many things to consider regarding HIPAA compliance, passwords are often overlooked. HIPAA password requirements are among the most important and easiest patient-protection measures healthcare professionals use to prevent unauthorized access to protected health information (PHI). Using a HIPAA-compliant password manager can be considered an integral component of maintaining your compliance. In general, healthcare-specific password managers are developed to securely store and access HIPAA-related data. For individual clinicians and companies that handle PHI, password manager software, also called a password vault, is an application that stores and organizes usernames and passwords at the individual clinician level and, in some cases, for the company as a whole. Some password managers can generate complex passwords unique to each digital account using strong cryptographic algorithms. They can improve overall security while increasing staff productivity by preventing the unnecessary delays caused by the frequently laborious efforts needed to organize, manage and reset passwords.
What Are HIPAA Password Requirements?
There are certain areas in which HIPAA does not indicate what is required; passwords are one such area. In this matter, HIPAA password requirements defer to the National Institute of Standards and Technology (NIST) guidance. This group regularly releases security guidance highlighting best practices for healthcare organizations. The NIST best practices for strong passwords state:
- Passwords should contain a minimum of 8 characters. (Combinations of upper and lower case letters, digits and, in some cases, symbols, including spaces, can be optimal.)
- Use sufficiently unique but memorable passwords. Randomly generated passwords are safer but can be challenging to recall.
- Vet passwords against common or weak passwords. Avoid obvious passwords such as “admin,” “let me in,” etc.
- Don’t use password hints as they compromise the integrity of your passwords.
Following NIST guidance satisfies password requirements. Another thing to consider is whether your passwords will remain secure.
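The NIST rules listed above can be enforced in code rather than left to user judgment. The following is an added example, not code from the original article or from any product it mentions; the common-password blocklist and the "breached" hash set are constructed sample data, and in practice they would be loaded from a maintained list or queried from a breach-check service.

```python
"""Vet a candidate password against the NIST-style rules above (added example)."""
import hashlib

# Constructed sample blocklist of common/weak passwords (in practice: a large list).
COMMON_PASSWORDS = {"password", "admin", "letmein", "let me in", "123456", "qwerty"}

# Constructed "breached" corpus, stored as SHA-1 hex digests rather than plaintext,
# mirroring how breach-check services publish hashes instead of the passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Welcome2023!", "Summer2022", "hunter2")
}

MIN_LENGTH = 8   # NIST minimum
MAX_LENGTH = 64  # NIST also asks verifiers to accept long passphrases


def _normalize(pw: str) -> str:
    """Lower-case and collapse whitespace so 'Let Me In' matches 'let me in'."""
    return " ".join(pw.lower().split())


def is_breached(pw: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach corpus."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def vet_password(pw: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    Checks: length bounds (spaces count as characters), not a common/weak
    password, and not previously seen in a breach. No composition rules and
    no password hints, matching the guidance above.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if _normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a common or weak password")
    if is_breached(pw):
        problems.append("appears in a known breach")
    return problems
```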
Creating a HIPAA Password Policy
Creating a secure password and just letting it sit isn’t enough to meet HIPAA requirements. That’s why it is essential to develop a HIPAA password policy; the HIPAA Security Rule points to the need to do so, stating that healthcare organizations must have “Procedures for creating, changing, and safeguarding passwords.” See TBHI’s previous article HIPAA Password Requirements for more information.
Although HIPAA is not explicit on what should be in a password policy, there are commonsense principles that you can use to create yours.
- Each employee should have unique login credentials to access sensitive information.
- Passwords should never be shared with a coworker, supervisor, family member, or anyone else.
- Passwords should not be written down.
- Passwords should be periodically updated (every 3-6 months).
- Passwords should be reset in the event of a hacking or cybersecurity incident.
- Passwords previously involved in a breach should not be reused.
- Do not click on password reset links in emails unless you request the password reset link.
Implementing a HIPAA password policy ensures adherence to HIPAA password requirements; however, tracking passwords can be complicated when utilizing multiple platforms, each requiring a unique password. Using a password manager eases this process, but you must ensure the use of a HIPAA-compliant password manager.
What to Expect From a HIPAA Compliant Password Manager
Since password managers store the login credentials that healthcare workers use to access PHI patient records, it is crucial to use a HIPAA-compliant password manager. The first thing to look at is whether or not the platform is secure. Secure password managers implement end-to-end encryption, automatic logoff, and audit logs.
The other thing to look for is whether or not the platform will enter into a business associate agreement (BAA) with its users. Even the most secure software cannot be considered HIPAA compliant if they will not sign a BAA. Although the requirement for a BAA is debatable since password managers don’t store PHI, it is always a good idea to use software platforms that will enter into a BAA.
Here are some examples of password managers that meet security requirements and will enter into a BAA:
- Open-Source code. Rated compliant in HIPAA Security Rule Assessment report performed by a third party.
- Will enter a BAA with HIPAA covered organization.
- Works across all devices, operating systems, and the most commonly used browsers.
- Cloud-based or self-hosting options are available.
- Identifies exposed, weak, and reused passwords and checks breached password databases for compromised passwords.
- Allows for secure sharing of encrypted data across teams or individual users.
- Multiple layers of encryption keys at the vault, shared folder and record levels.
- Role-based access.
- Version control and record history.
- Site claims they are HIPAA compliant, but did not mention BAAs. (Speak to their sales department if interested.)
This Article is Contributed by Compliancy Group
Need assistance with HIPAA compliance? Compliancy Group can help!