HIPAA Compliant Password Manager

As technology makes our lives easier, it brings the challenge of remembering all the various usernames and passwords required to access our data. Many of us take advantage of password management applications in our personal lives, but is there a way to bring that convenience into our work life? Does a HIPAA compliant password manager even exist?

We will look at what the HIPAA regulations say about passwords, what to consider when comparing your options, and give a brief overview of a few of the better-known applications on the market.

What Does the Law Say About a HIPAA Compliant Password Manager?

The HIPAA regulations are especially vague on the topic of passwords or HIPAA compliant password managers. In fact, the word “password” appears only once. It’s found in the section covering Security Awareness and Training under the Administrative Safeguards of the HIPAA Security Rule. It states that covered entities must implement “procedures for creating, changing, and safeguarding passwords.”

Other sections relate to passwords indirectly. The most relevant is found in the Technical Safeguards of the HIPAA Security Rule, which sets out three essential requirements for covered entities:

  • implement technical procedures for systems that maintain electronic protected health information (ePHI) “to grant access to only those people who have been granted access rights”
  • “assign a unique name and/or number for identifying and tracking user identity”
  • “implement procedures to verify that a person or entity seeking access to ePHI is the one claimed”

While passwords are not mentioned, it logically follows that using passwords is the best way to meet those requirements.

Challenges Using a HIPAA Compliant Password Manager

According to a recent report from IBM Security, compromised credentials, phishing scams, and compromised business email were responsible for 41% of all data breaches worldwide in 2021.

Organizations must have policies and procedures in place that address creating, changing, and safeguarding passwords in a HIPAA compliant way. These policies should focus on three problems: weak passwords, which brute-force attacks can defeat; password reuse across multiple accounts; and disclosure of passwords to unauthorized parties.

The larger the organization, the greater the difficulty in managing passwords. There could be hundreds of password changes in a single day and thousands of passwords to protect. At scale, it’s virtually impossible for one person to manage passwords in a HIPAA compliant manner.

Another consideration is verifying that access to ePHI is granted only to authorized users and that those users are who they claim to be. A 2017 survey of healthcare professionals reported that 73% had used a colleague’s login credentials to access medical data.

Things to Look for in a HIPAA Compliant Pa