HIPAA Password Sharing Policy

A HIPAA password sharing policy should prohibit Covered Entities, Business Associates, and employees from sharing passwords that provide access to electronic Protected Health Information (ePHI). There is also a good case for prohibiting caregivers from accessing patient portals with shared passwords.

In 2017, a survey of healthcare professionals found that 73% of respondents had used a colleague´s login credentials to access medical data. While the majority of respondents were students or interns who had not yet been given their own login credentials, the fact that a colleague had provided the credentials demonstrates poor password security.

In the United States, such poor password security in the healthcare industry would be a breach of HIPAA. Under the Technical Safeguards of the HIPAA Security Rule (45 CFR § 164.312), Covered Entities are required to implement procedures to verify a person accessing ePHI is who they claim to be and assign a unique name or number for identifying and tracking user identity.

These regulations effectively stipulate that password sharing is a violation of HIPAA because if one healthcare professional shares their login credentials with another, it is impossible for Covered Entities to track user identity. In theory, it could be anybody – not necessarily another healthcare professional – accessing ePHI without authorization.

What HIPAA Says about Passwords

Because HIPAA legislation is technology neutral, the Act says very little about passwords, password sharing, and policies for password sharing. In fact, the only mention of passwords in the Act appears in the Administrative Safeguards of the HIPAA Security Rule in the section covering Security Awareness and Training (45 CFR § 164.312).

Under this section, Covered Entities are required to implement “procedures for creating, changing, and safeguarding passwords”. In the context of a HIPAA password sharing policy, the requirement to safeguard passwords more than implies they are not to be shared. When coupled with the Technical Safeguards mentioned above, password sharing to access ePHI is a clear violation of HIPAA.

There are circumstances in which it is appropriate to share passwords in a healthcare facility. For example, when marketing teams share passwords for corporate social media accounts. In these circumstances it is a best practice to safeguard shared passwords with a password manager. However, sharing passwords to access ePHI is never permitted under HIPAA.

Policies for Sharing Passwords with Caregivers

A more recent survey investigated the percentage of U.S. hospitals that provide proxy accounts for caregivers so they can access information relating to the patients they are caring for. Proxy accounts are supposed to eliminate the need for patients to share passwords for patient portals and provide sufficient information to caregivers to fulfil their roles without raising privacy issues.

The survey found that 68% of hospitals provided a proxy account service, but only 19% of hospitals with capability to provide proxy accounts offered controls that enabled patients to restrict access to caregivers. Without these controls, the potential exists for data breaches and identity fraud, and for mistakes to be made if healthcare professionals do not know with whom they are communicating.

Patient portals and proxy accounts are not covered by HIPAA because, for a caregiver to access patient data through either of these channels, the patient is assumed to have given their consent (i.e., by sharing a password). However, the security of patient portals is something that healthcare organizations may wish to consider when developing a HIPAA password sharing policy.

HIPAA Password Sharing Policy Q&As

How does a password manager such as Bitwarden prevent noncompliant password sharing?

The Bitwarden platform can be configured so that passwords for EHRs, computer systems, and other healthcare accounts are auto-filled and hidden from the user. As the user has no knowledge of what the passwords are, it is impossible for them to share passwords with any other user or disclose them unintentionally in a phishing scam.

Does Bitwarden support the Administrative Safeguards of the HIPAA Security Rule?

Bitwarden provides Covered Entities with an easy-to-use solution for creating strong and unique passwords for each account and changing them effortlessly whenever necessary. With regards to safeguarding passwords, Bitwarden use AES-CBC 256-bit encryption to secure passwords – the same level of encryption as used by government agencies.

Could Bitwarden be used to secure data other than passwords?

Bitwarden can be used to secure credit cards details (i.e., for auto-filling online payments), personal and corporate profiles (i.e., for auto-filling names and addresses), and plaintext notes, files, and attachments. However, it should not be used as a channel for storing or sharing ePHI, as this would be a breach of the HIPAA Technical Safeguards.

In scenarios in which password sharing is allowed, how does Bitwarden facilitate this?

If, for example, multiple members of a marketing team require access to login credentials for a social media account, the team leader creates a group of team members and shares the credentials with the group. Whenever one of the group visits the social media account, the login credentials are filled automatically without any user interaction.