As per the HIPAA password requirements, there should be steps for making, modifying and protecting passwords except if there’s another secure method that is just as effective. The best option to satisfying the HIPAA password requirements is through two-factor authentication. The facts on HIPAA password requirements is talked about in the Administrative Safeguards of the HIPAA Security Rule in the Security Awareness and Training Section §164.308(a)(5).
Generally, strong passwords consist of numbers, a mix of lower and upper case letters and special symbols. Longer passwords are better. But experts are not unanimous concerning the most effective HIPAA compliance password policy. They have not agreed on how often passwords must be changed or how best to safeguard them. There are those who say that passwords must be changed every 60 or 90 days. Still others think it is simply wasting time. A skilled hacker could unravel the security password anyway. With regards to protecting passwords, many agree that the HIPAA compliance password policy calls for the use of password management tools. But such tools could be hacked also. Use encrypted passwords which the hacker is not able to hack.
HIPAA password requirements are addressable. Covered entities can choose one or more ways to address the HIPAA password requirements. If the objective is to restrict unwanted or unacceptable access to PHI, the covered entity could use a security measure like two-factor authentication to do so. A person will need a username and password to sign into his account but he additionally needs a PIN code, which he receives via SMS or push notification. Inputting the PIN confirm his identity. This system makes it harder for hacker to get account access. Using this method allows the covered entity to be HIPAA-compliant.
A lot of medical establishments already utilize two factor authentication when accepting credit card payments, which is also needed to comply with the Payment Card Industry Data Security Standard and the DEA’s Electronic Prescription for Controlled Substances Rules. Two factor authentication may hold up work flow, but to satisfy the HIPAA Password requirements, it is an easier solution compared to frequently changing passwords. No matter what solution is used, covered entities must be sure to document it just in case an investigation or audit is needed down the road.