The HIPAA Password Requirements and the Best Way to Comply With Them

It is important that Covered Entities and Business Associates understand the HIPAA password requirements and the best way to comply with them because if a data breach is found to be attributable to a lack of compliance, the penalties could be significant.

However, understanding the HIPAA password requirements is not straightforward. HIPAA is intentionally technology-neutral; so whereas Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”, there is no indication what procedures should be implemented or even that user verification should be password-based.

Guidance published by the Department of Health and Human Services suggests there are three ways in which users can verify their identity:

  • With something only known to the user, such as a password or PIN,
  • With something the user possesses, such as a smart card or key, or
  • With something unique to the user, such as a fingerprint or facial image.

In addition to the above, a required implementation specification of the Access Controls Security Standard (§164.312(a)) stipulates that Covered Entities assign a unique name and/or number for identifying and tracking user identity. Again, this does not necessarily mean verification should be password-based, as a username with biometric authentication could satisfy this requirement.

So, are there HIPAA Password Requirements?

In the whole text of HIPAA, passwords are only mentioned once – in the Administrative Safeguards of the Security Rule under the Standard relating to Security Awareness and Training (§164.308(5)). This Standard includes implementation specifications relating to procedures for monitoring login attempts, and procedures for creating, changing, and safeguarding passwords.

However, these are “addressable” implementation specifications inasmuch as Covered Entities do not have to comply with the specification if alternate security measures are implemented that accomplish the same purpose – for example, a username with biometric authentication. In this scenario, procedures for creating, changing, and safeguarding passwords would be superfluous.

Therefore, the HIPAA password requirements only apply when Covered Entities and Business Associates are unable to verify user identities – and track user activities – by any means other than a username and password combination. In cases in which the HIPAA password requirements apply, Covered Entities and Business Associates should develop a HIPAA compliance password policy.

Experts Disagree on the Best HIPAA Compliance Password Policy

Although security experts agree on the need for login credentials to use a strong password, there is some disagreement about the best format for passwords (i.e., a mix of alpha-numeric and special characters or a more memorable three word passphrase) and the best HIPAA compliance password policy – including the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

Whereas some experts claim the best HIPAA compliant password policy involves changing passwords every sixty or ninety days, other experts say the effort is a waste of time. A competent hacker should be able to crack most user-generated passwords within ten minutes using a combination of technical, sociological, or subversive methods (i.e., social engineering).

There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tools. Password managers generate long, complex, and difficult-to-crack passwords and overcome the issue of users having to remember their passwords by auto-filling login credentials when the user visits a website for which login credentials are stored.

Two Factor Authentication is Important for Improving Account Security

Two-factor authentication – or multi-factor authentication – is a method used to make accounts more secure. As the name suggests, it involves using more than one factor for user verification. So, in addition to entering a username and password, the user has to go through a further authentication stage in which they would enter a one-time code or PIN sent to their mobile device.

What this means for account security is that, in the event of login credentials being compromised in a phishing attack, for example, the username and password alone would not be sufficient to allow unauthorized access to an account. Two-factor authentication is therefore one of the best methods of protecting ePHI against phishing attacks.

Two-factor authentication is already used by many medical facilities, mostly in relation to credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by entities required to comply with the DEA´s Electronic Prescription for Controlled Substances Rules. Therefore, it would not cause a significant change in working practices if HIPAA two-factor authentication formed part of a HIPAA compliance password policy.

One of the problems with two-factor authentication is it can slow workflows, but advances in 2FA solutions have allowed LDAP integration and Single Sign-On between different healthcare systems which can eliminate the negative impact on workflows while greatly improving security. With this additional protection for passwords, there is less need for regular password changes.

Covered Entities should bear in mind that when decisions are made to comply with the HIPAA password requirements, those decisions must be documented along with the reasons why the decisions were made. In the event of a HIPAA audit, or a compliance or data breach investigation, Covered Entities must be able to show the rationale behind security decisions to meet the requirements of the HIPAA Security Rule.

Meeting HIPAA Password Requirements and Improving Security

It was mentioned above that most user-generated passwords can be cracked within minutes. That may seem an outrageous claim to some IT professionals, but this tool on the Bitwarden website will give you an idea of how long it could take a determined hacker to crack any password by brute force alone. Social engineering and phishing will likely accelerate the speed at which the hacker succeeds.

Randomized passwords containing alpha-numerical and special characters take a longer to crack but they are still crackable. They are also much harder for users to remember. In order to meet an organization’s password requirements for complexity, employees often write their passwords down or store them electronically on a different device, such as an unsecured smartphone.

Accessing password-protected accounts from secondary devices further increases the risk of a data breach. Secondary devices often lack appropriate security protections and can contain malware that logs keystrokes and captures passwords as they are entered. Covered Entities must either introduce policies to limit the devices that can be used to access password-protected accounts or find an alternative to the HIPAA password requirements.  Passwords are just one element of HIPAA security requirements – a more comprehensive HIPAA security guide is available here.

One of the ways to improve password security and stop employees from engaging in insecure practices such as writing passwords down is to use a password management tool. Password managers such as Bitwarden allow employees to generate highly complex passwords that are extremely difficult for hackers to crack and to create a unique password for all accounts.

Generated passwords are stored in an encrypted password vault, which can be accessed from multiple devices via a web or mobile app when a master password is entered.  Provided a very strong master password is created for the vault – a passphrase of 16 characters is ideal – these solutions are secure and ideal for improving password security in healthcare.

HIPAA Password Requirements FAQs

What are the HIPAA password change requirements?

Although the Security Awareness and Training Standard referenced above requires Covered Entities to implement procedures for creating, changing, and safeguarding passwords, this Standard was written prior to the National Institute of Standards and Technology (NIST) changing its recommendations for password best practices.

NIST noted that, when Covered Entities enforced HIPAA password expiration requirements, users would make minimal changes to passwords so they were easy to remember (i.e., “pass2020” to “pass2021”). Consequently, if the previous password had been compromised, there was a strong likelihood the new password would be as well. The current guidance is that passwords should only be changed when there is evidence of compromise.

Are there HIPAA account lockout requirements?

Under the technical safeguards of the HIPAA Security Rule (§164.312) there is an addressable implementation specification that Covered Entities should “implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” The purpose of this specification is to prevent the unauthorized disclosure of ePHI when a workstation or device is left unattended, but it is a security best practice to apply it to all workstation and devices.

The specification does not stipulate how long before a HIPAA timeout policy should be activated, but most security experts recommend no longer than two minutes of inactivity for systems containing ePHI and twenty minutes for other systems. The HIPAA account lockout requirements mean users will have to log in again when returning to their workstations, but this should be a quick and secure process if a password manager is being used to store login credentials.

Does HIPAA require 2FA?

Two-factor authentication (2FA) is not a requirement of HIPAA per se. However, if a Covered Entity or Business Associate conducts a risk assessment and identifies vulnerabilities that could be addressed with 2FA, it then becomes a “reasonable and appropriate” security measure that should be implemented to comply with Security Standards relating to Workforce Security and Information Access Management (§164.308(A)(3) and §164.308(A)(4))

Is It okay to use the same password for multiple different applications, provided the password is complex enough?

Generally, no – and certainly not when applications collect, store, process, or transmit ePHI. Although there are circumstances in which workforce members can share passwords for certain applications (i.e., a marketing team might share the password for a corporate social media account), re-using passwords for multiple applications means that, if one gets hacked, they all get hacked.

Where is the best place to find HIPAA-compliant password guidelines?

The standard for HIPAA-compliant password guidelines is NIST Special Publication 800-63B – “Digital Identity Guidelines”. Although not published specifically for HIPAA Covered Entities and Business Associates, the Guidelines cover everything from password best practices to identifying threats and concludes with an appendix discussing the merits of password length vs. password complexity.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.