What are the HIPAA Password Expiration Requirements?

According to the Administrative Safeguards of the HIPAA Security Rule, Covered Entities and Business Associates must implement procedures for “creating, changing, and safeguarding passwords” (45 CFR § 164.308(a)(5)(ii)(D)). The inclusion of the word “changing” implies that passwords have a limited lifecycle. But is that really the case? And, if so, what are the HIPAA password expiration requirements?

The concept of HIPAA password expiration requirements goes back to the early 2000s when, within a short time of each other, the Department of Health and Human Services (HHS) issued the HIPAA Final Security Rule (2003) and the National Institute of Standards and Technology (NIST) issued “Special Publication 800-63” (2004), which included a section on password best practices.

At the time “Special Publication 800-63 Appendix A” was issued, Covered Entities were preparing to meet the requirements of the Security Rule by the April 2005 compliance deadline (April 2006 for small health plans). However, the language of the Security Rule is deliberately flexible to cover as many different types of Covered Entity as possible, open to interpretation, and technology neutral.

Consequently, when it came to interpreting the Administrative Safeguards of the Security Rule in relation to HIPAA password expiration requirements, many Covered Entities referred to NIST's password best practices, which in 2004 recommended that passwords be changed regularly, at least every 90 days. The practice was widely adopted and, in many cases, became baked into the mindset of IT security professionals.

ONC Guide Cements Perception of HIPAA Password Expiration Requirements

In 2010, the Office of the National Coordinator for Health Information Technology (ONC), a branch of HHS, released a guide to cybersecurity for small healthcare environments which included a checklist for protecting EHRs against unauthorized access. Among many useful best practices for protecting EHRs, the guide suggests “systems should be configured so that passwords must be changed on a regular basis”.

While the guide itself does not stipulate what “a regular basis” is, under the password checklist in the appendix, it is stated “[passwords] should be changed frequently, at least quarterly” which aligns with the NIST recommendations at the time. The guide has never been revised to reflect subsequently amended password security best practices and it is still used as a source for some HIPAA training courses – cementing the perception of HIPAA password expiration requirements.

NIST Changes its Recommendations

In 2017, NIST issued “Special Publication 800-63B”, which radically revised the original password best practices recommended in Appendix A. In the context of HIPAA password expiration requirements, NIST completely reversed its 90 day recommendation: section 5.1.1.2 states that verifiers should not require memorized secrets (passwords) to be changed arbitrarily or periodically, but must force a change if there is evidence that the secret has been compromised.

Explaining the rationale behind the decision, NIST said: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password” (e.g., passwordfor2020 to passwordfor2021).

NIST claimed that the practice of changing a password to a similar password gave employees (and, in many cases, the Covered Entities they worked for) a false sense of security. If a previous password had been compromised by an attacker, NIST explained, the attacker could apply a common transformation such as changing a number in the password and easily compromise the new password as well.

When Passwords Should be Changed

It is not wrong to change passwords every ninety days or less, provided the new passwords are strong, unique, and distinct from previous passwords. Furthermore, although there were never any specific HIPAA password expiration requirements that Covered Entities and Business Associates had to comply with, a risk analysis may find good reasons to change passwords on a frequent basis.

However, although there is no regulatory requirement to change passwords periodically, there are some occasions when passwords should be changed as a best practice:

  • When weak or reused passwords are identified and need to be replaced with strong, unique passwords.
  • When there is evidence that a password has been compromised, for example, if it appears in a list of passwords exposed in a data breach.
  • When an employee who has access to a legitimately shared password leaves, or works on remote systems that do not log who used the shared password.

Note: sharing passwords to systems containing ePHI is a breach of HIPAA because, under the Technical Safeguards of the HIPAA Security Rule (45 CFR § 164.312), Covered Entities are required to assign a unique name or number to each user (§ 164.312(a)(2)(i)) and to “implement procedures to verify that a person or entity seeking access to ePHI is the one claimed” (§ 164.312(d)). Without each user being assigned unique login credentials, it would be impossible for a Covered Entity to comply with these clauses. However, for systems that do not hold ePHI (e.g., marketing, legal, or finance tools), there may be a legitimate case for sharing passwords.

How Passwords Should be Changed

With potentially tens of thousands of passwords in use within a healthcare facility, it is impossible to manually identify which passwords are weak, which have been compromised, or which are being shared to access ePHI in violation of HIPAA. The way to overcome this issue is with a password manager with health check capabilities that can flag weak, compromised, shared, or reused passwords so that threats to data security can be addressed.
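As an added illustration of such a health check (not code from this article or from any password-manager product), the following Python walks a constructed sample vault and flags the four conditions just listed. The vault layout (owner, system, password), its entries and the breach corpus are assumptions made for the example. The compromised-password lookup is shaped like a k-anonymity range query, where only the first five hex characters of the SHA-1 hash leave the client and the full hash is compared locally; here the index is built offline from constructed plaintext so the example runs without a network.

```python
"""Vault health check: flag weak, compromised, reused and shared credentials.

Added example. Not code from the article or from any password-manager product.
Vault layout, entries and the breach corpus are constructed for illustration.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets

# Constructed sample vault: (owner, system, password). Assumed schema.
VAULT = [
    ("alice", "ehr.example.org",       "Winter2021!"),
    ("bob",   "ehr.example.org",       "Winter2021!"),  # same secret, same ePHI system
    ("alice", "vpn.example.org",       "Winter2021!"),  # alice reuses it elsewhere
    ("carol", "ehr.example.org",       "7Kq#vb2Lp9mZ!x"),
    ("dave",  "billing.example.org",   "pass123"),      # short and in the breach corpus
    ("erin",  "marketing.example.org", "correct horse battery staple"),
]

# Constructed stand-in for a compromised-password corpus. A real deployment would
# query a breach service by hash prefix; it would never hold plaintext like this.
BREACHED_PASSWORDS = ["pass123", "Winter2021!", "123456", "Password1"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_plaintexts):
    """Map 5-hex-char SHA-1 prefix -> set of 35-char suffixes, the shape returned
    by a k-anonymity range lookup (client sends only the prefix, compares locally)."""
    index = defaultdict(set)
    for pw in breached_plaintexts:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def is_compromised(password, range_index):
    digest = sha1_hex(password)
    return digest[5:] in range_index.get(digest[:5], set())


def health_check(vault, range_index):
    """Return findings keyed by category. Weak and compromised findings name the
    credential (owner, system); reuse names the owner and the systems involved;
    sharing names the system and the people who hold the same secret."""
    findings = {"weak": [], "compromised": [], "reused": [], "shared": []}
    systems_by_owner_pw = defaultdict(set)   # (owner, pw) -> systems it opens
    owners_by_system_pw = defaultdict(set)   # (system, pw) -> people who hold it
    for owner, system, pw in vault:
        if len(pw) < MIN_LENGTH:
            findings["weak"].append((owner, system))
        if is_compromised(pw, range_index):
            findings["compromised"].append((owner, system))
        systems_by_owner_pw[(owner, pw)].add(system)
        owners_by_system_pw[(system, pw)].add(owner)
    # Reuse: one person, one secret, several systems.
    for (owner, _pw), systems in systems_by_owner_pw.items():
        if len(systems) > 1:
            findings["reused"].append((owner, tuple(sorted(systems))))
    # Sharing: one secret on one system held by several people, which defeats
    # unique user identification on any system holding ePHI.
    for (system, _pw), owners in owners_by_system_pw.items():
        if len(owners) > 1:
            findings["shared"].append((system, tuple(sorted(owners))))
    return findings


if __name__ == "__main__":
    results = health_check(VAULT, build_range_index(BREACHED_PASSWORDS))
    for category, items in results.items():
        print(f"{category:12s} {items}")
```

Run stand-alone, the check reports dave's billing password as weak, every holder of "Winter2021!" or "pass123" as compromised, alice's reuse of one secret across the EHR and VPN, and the EHR credential shared between alice and bob. The sharing finding is the one that matters most for HIPAA, since it is the condition that breaks unique user identification on an ePHI system.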

With regard to changing legitimately shared passwords when an employee leaves or works remotely, many password managers now have the capability to replace group passwords with a single click and work across multiple platforms so that shared password usage can be logged. Therefore, although it is not a requirement of HIPAA to set password expiration dates, a fully-featured password manager can help Covered Entities comply with other areas of the HIPAA legislation.

HIPAA Password Expiration Requirements FAQs

What procedures should Covered Entities implement for creating passwords?

In many healthcare environments, initial user passwords are issued by the IT department, so controls should ensure that every password it creates is randomly generated and unique, that users can replace it with a secret of their own, and that the resulting passwords comply with the Digital Identity Guidelines in NIST Special Publication 800-63B, which favor length and a check against known-compromised passwords over composition rules.

What best practices can be used by Covered Entities to safeguard complex passwords?

Because it is difficult for users to remember multiple complex passwords, Covered Entities can provide password managers that safeguard passwords in an encrypted vault. Users then only have to remember one password (to the password manager) to get access to all the passwords assigned to them. This greatly reduces the risk that users will write down passwords and leave them in a place where they can be found by others.

How do hackers compromise weak passwords?

The simplest way for an attacker to compromise weak passwords is through automated guessing: online brute force or password spraying, in which software tries many username and password combinations against the login service, or offline cracking of stolen password hashes at far higher rates. More targeted attacks involve attempting to log in with names or dates connected to the user (e.g., a partner's name or date of birth that can be acquired from a user's social media account), or sending the user a phishing email to trick them into revealing their credentials inadvertently.

How does a password manager mitigate the risk from phishing?

Password managers store login credentials against the origin (scheme, host, and port) of the site they were saved for, and when a user visits a page whose origin matches, the password manager offers to autofill the user's login credentials. If a phishing email links to a lookalike site, the origin will not match and the password manager will have no credentials to offer. With sufficient awareness training, the user should recognise that something is wrong and report the phishing email and destination website to the IT department.
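The matching decision described above, as an added example that is not the article's or any product's code: a stored credential is keyed by origin, and a visited URL is normalised to its origin before lookup, so lookalike suffixes, userinfo tricks, homoglyph domains and a downgrade to plain http all fail to match. The saved credential and the candidate URLs are constructed; a substring matcher is included only to show what the lookalikes slip past.

```python
"""Origin-matched autofill: the check a password manager makes before filling.

Added example. Not code from the article or from any password-manager product.
The saved credential and the visited URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed vault keyed by origin (scheme, host, port) -> username on file.
VAULT = {
    ("https", "portal.example-health.org", 443): "alice",
}


def origin_of(url):
    """Normalise a URL to its origin. Returns None for anything that is not a
    plain http(s) URL with a host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname          # lower-cased; userinfo and port stripped
    if scheme not in DEFAULT_PORTS or not host:
        return None
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def naive_match(url, saved_host):
    """Substring matching: the kind of check a lookalike domain slips past."""
    return saved_host in url.lower()


def should_autofill(url, vault=VAULT):
    """Return the username to fill, or None if no saved credential belongs to
    this origin. Path and query are irrelevant; scheme, host and port all count."""
    origin = origin_of(url)
    if origin is None:
        return None
    return vault.get(origin)


if __name__ == "__main__":
    for candidate in [
        "https://portal.example-health.org/login?next=/ehr",       # fills
        "HTTPS://PORTAL.EXAMPLE-HEALTH.ORG:443/",                   # fills (normalised)
        "https://portal.example-health.org.evil.example/login",    # lookalike suffix
        "https://portal.example-health.org@evil.example/login",    # userinfo trick
        "https://portal.examp1e-health.org/login",                 # digit for letter
        "http://portal.example-health.org/login",                  # downgrade to http
    ]:
        print(f"{candidate:58s} fill={should_autofill(candidate)!r} "
              f"naive={naive_match(candidate, 'portal.example-health.org')}")
```

Only the first two candidates fill; the substring matcher, by contrast, accepts the lookalike-suffix and userinfo URLs because the saved host string appears somewhere inside them. Requiring the scheme to match is deliberate: a credential saved for https should not be offered to an http page that an attacker on the path can read.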

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.