In order to comply with the HIPAA password requirements, it is best to understand what they are so you can determine whether they apply to your organization. This is because, if an organization uses HIPAA compliant authentication methods other than usernames and passwords to control access to ePHI, the HIPAA password requirements may not apply.
To clear up any confusion about compliance with the HIPAA password requirements, a good place to start is clause §164.312(d) of the Security Rule Technical Safeguards. This clause stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
While this clause could be assumed to mean usernames and passwords are mandatory in HIPAA, a Guide to the Technical Safeguards published by the Department of Health and Human Services (HHS) suggests usernames and passwords are only one of several authentication methods organizations can use to comply with this clause. HHS offers three alternatives:
- An authentication method that requires something only known to the individual (e.g., a password or PIN),
- An authentication method that requires something the individual possesses (e.g., a smart card or key), or
- An authentication method that requires something unique to the individual (e.g., a fingerprint or facial image).
However, although passwords might not be mandatory, usernames are. Clause §164.312(a) of the Technical Safeguards requires Covered Entities to assign a unique name and/or number for identifying and tracking user activity. Therefore, provided a username or number is assigned to each employee, organizations can use passwords, PINs, smart cards, keys, or biometrics for verification.
There is Also a Clause Directly Mentioning Passwords
In addition to the clauses of the Technical Safeguards relating to access controls, there is also a clause in the Administrative Safeguards that directly mentions passwords. This clause (§164.308(5)) requires Covered Entities to implement procedures for creating, changing, and safeguarding passwords. However, this clause is an “addressable” implementation specification.
An addressable implementation specification means Covered Entities must either (a) implement the specification, (b) implement an alternate measure that achieves the same purpose, or (c) not implement the specification or an alternative if it can be proven the specification is not necessary – for example if a Covered Entity verified user identities with a retina scan.
Realistically, passwords are more commonly used than any other type of authentication method, so Covered Entities would be required to implement procedures for creating, changing, and safeguarding passwords, and these procedures would develop into a Covered Entity’s HIPAA compliant password policy – or, as far as users are concerned, HIPAA password requirements.
What Should HIPAA Compliant Password Policies Include?
Neither HIPAA nor HHS offer any advice about the contents of a HIPAA compliant password policy. However, widely-adopted best practices can be found in the Digital Identity Guidelines published by the National Institute of Standards and Technology (NIST). The latest guidelines can be found in NIST Special Publication 800-63B and include:
- Enforce a minimum password length of 8 characters.
- Require the use of complex passwords that combine upper- and lower-case letters, numbers, and special characters.
- Prohibit the use of single dictionary words, names, and dates of birth as these are easy to hack in a brute force attack.
- Enable the use of long passphrases to use as an alternative to complex passwords without compromising security.
- Avoid the use of password hints as the answers to password hints can often be found on social media, making passwords less secure.
- Enable multi-factor authentication for all accounts to add an extra layer of security to password-protected accounts and systems.
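The rules listed above can be expressed as a policy check that rejects short, single-word, name-based or date-based passwords, demands complexity for short passwords, and accepts long passphrases without composition rules. This is an added example, not code from the article or from any named product; the 16-character passphrase threshold, the date formats, and the tiny dictionary and name lists are assumptions standing in for real lists.

```python
from __future__ import annotations
import re

# Values from the article's policy list; the passphrase threshold is assumed.
MIN_LENGTH = 8
PASSPHRASE_MIN_LENGTH = 16
# Constructed stand-ins for a real dictionary and a real list of common names.
DICTIONARY_WORDS = {"password", "welcome", "hospital", "summer", "dragon"}
COMMON_NAMES = {"michael", "jennifer", "smith", "johnson"}
# Date-of-birth layouts such as 03/12/1985, 03121985 or 120385 (assumed formats).
DATE_OF_BIRTH = re.compile(r"^\d{2}[-/.]?\d{2}[-/.]?(\d{2}|\d{4})$")


def is_complex(pw: str) -> bool:
    """Upper- and lower-case letters, a digit and a special character."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def evaluate_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Summer2024!" is still the single word "summer" once digits and
    # punctuation are removed, so strip them before the word lookup.
    stripped = re.sub(r"[^a-z]", "", pw.lower())
    if stripped in DICTIONARY_WORDS:
        problems.append("single dictionary word")
    if stripped in COMMON_NAMES:
        problems.append("name")
    if DATE_OF_BIRTH.match(pw):
        problems.append("date of birth")
    # Long passphrases are accepted without composition rules; anything
    # shorter must mix character classes.
    if len(pw) < PASSPHRASE_MIN_LENGTH and not is_complex(pw):
        problems.append("needs upper, lower, digit and special character "
                        f"(or a passphrase of {PASSPHRASE_MIN_LENGTH}+ characters)")
    return problems
```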
To enforce HIPAA compliant password policies – and ensure users comply with the HIPAA password requirements – Covered Entities should implement a password manager such as Bitwarden that supports HIPAA compliance through Security Rule audits, end-to-end encryption, and custom management roles.
HIPAA-compliant password managers empower users to create complex passwords or long passphrases that comply with the password policy, can be configured to alert users to weak, reused, or compromised passwords, and support multi-factor authentication via time-based one-time passwords (TOTPs), authenticator apps, and biometric software.
HIPAA Password Requirements – FAQs
Is it better for a HIPAA compliant password policy to require complex passwords or long passphrases?
Many cybersecurity experts believe long passphrases are more resilient to brute force attacks than shorter complex passwords. However, if users are susceptible to phishing attacks, it is more likely they will disclose easy-to-remember passphrases than complex passwords. Covered Entities should conduct a risk assessment to establish the best format to include in their HIPAA compliant password policy; and, if the conclusion is that complex passwords are more secure, implement a password manager with credential autofill capabilities so users do not have to remember their passwords.
The HIPAA Administrative Safeguards state procedures should be implemented for changing passwords, but NIST recommends against forced password changes. Which is right?
At the time the Administrative Safeguards were enacted, NIST was recommending passwords should be forcibly changed every sixty to ninety days. However, the agency subsequently revised its advice when it was found users were regularly amending only one character every password change – an unsafe practice if the original password is ever compromised. The current guidance is that passwords are only changed if there is evidence of compromise – which aligns with the Administrative Safeguards because the text of the clause doesn’t require forced periodic password changes.
If multi-factor authentication can add an extra layer of security to password-protected accounts and systems, why isn’t it a requirement of HIPAA?
When HIPAA was written, it was deliberately technology-neutral to remain relevant as technology advances. Therefore, HIPAA – in this case the Technical Safeguards of the Security Rule – mandates that verification and authentication measures are put in place, but doesn’t specify which ones to use. However, if a Covered Entity identifies a vulnerability in an access control measure that could be resolved by multi-factor authentication, and fails to implement it, HHS will be interested to know why MFA was not implemented if the Covered Entity subsequently experiences a data breach.
How is it possible to tell if a password has been compromised?
There are multiple databases on the Internet that list the most common passwords compromised in brute force attacks, and some password managers integrate these databases into their solutions so users can perform health checks on their passwords. The health checks not only alert users to compromised passwords, but also to those that are weak or reused for other accounts. The health checks can also identify when username and password combinations are being used on insecure websites or when an Internet account provides the option to add MFA.
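The health check described above can be built without ever sending a password to the breach database: hash it, send only the first five hex characters of the hash, and compare the returned suffixes locally (the k-anonymity range lookup pattern). The example below is added here and is not the article's or any vendor's code; the breach corpus is a constructed stand-in for a real compromised-password database, and the vault contents are constructed sample data.

```python
from __future__ import annotations
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> number of times seen in breaches.
# Assumption: a real deployment pulls this from a breach database service.
_BREACHED = {"password": 9_000_000, "Welcome1!": 120_000, "Summer2024!": 3_100}


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first 5 hex characters of the SHA-1 so the
# "server" side can answer a range query without learning the password.
_RANGE_INDEX: dict[str, list[tuple[str, int]]] = defaultdict(list)
for _pw, _count in _BREACHED.items():
    _h = _sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]].append((_h[5:], _count))


def range_lookup(prefix: str) -> list[tuple[str, int]]:
    """Server side: every (suffix, count) whose hash starts with the prefix."""
    return _RANGE_INDEX.get(prefix.upper(), [])


def breach_count(pw: str) -> int:
    """Client side: reveal only the 5-char prefix, match the suffix locally."""
    h = _sha1_hex(pw)
    for suffix, count in range_lookup(h[:5]):
        if suffix == h[5:]:
            return count
    return 0


def health_check(vault: dict[str, str]) -> dict[str, list[str]]:
    """Flag compromised and reused passwords in an {account: password} vault."""
    accounts_by_password: dict[str, list[str]] = defaultdict(list)
    for account, pw in vault.items():
        accounts_by_password[pw].append(account)
    report: dict[str, list[str]] = {}
    for account, pw in vault.items():
        issues = []
        seen = breach_count(pw)
        if seen:
            issues.append(f"seen in {seen} breaches")
        others = [a for a in accounts_by_password[pw] if a != account]
        if others:
            issues.append("reused with " + ", ".join(others))
        report[account] = issues
    return report
```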
Is it a violation of HIPAA if passwords are shared?
It is a violation of HIPAA if an employee of a Covered Entity or a Business Associate shares login credentials to systems containing ePHI because of the requirement “to verify a person or entity seeking access to ePHI is the one claimed”. However, there are circumstances in which passwords can be shared – provided they are not login credentials to systems containing ePHI. For example, marketing teams might share the passwords to corporate social media accounts, IT teams might share the passwords of cloud computing accounts, and finance teams might share online banking logins.