HIPAA Compliant Password Manager

As technology makes our lives easier, it brings the challenge of remembering all the various usernames and passwords required to access our data. Many of us take advantage of password management applications in our personal lives, but is there a way to bring that convenience into our work life? Does a HIPAA compliant password manager even exist?

We will look at what the HIPAA regulations say about passwords, what to consider when comparing your options, and give a brief overview of a few of the better-known applications on the market.

What Does the Law Say About a HIPAA Compliant Password Manager?

The HIPAA regulations say very little about passwords and nothing at all about password managers. The word “password” appears only once, in the Security Awareness and Training standard under the Administrative Safeguards of the HIPAA Security Rule (45 CFR 164.308(a)(5)), as an addressable implementation specification: covered entities must implement “procedures for creating, changing, and safeguarding passwords.”

Other provisions bear on passwords without naming them. The most relevant are in the Technical Safeguards of the HIPAA Security Rule (45 CFR 164.312), which require covered entities to:

  • implement technical policies and procedures for systems that maintain electronic protected health information (ePHI) “to allow access only to those persons or software programs that have been granted access rights”
  • “assign a unique name and/or number for identifying and tracking user identity”
  • “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”

Passwords are not named, but a per-user password tied to a unique user ID is the most common way to meet the authentication requirement, and it is what makes the identification and tracking requirements enforceable; adding a second factor strengthens it further.


Challenges Using a HIPAA Compliant Password Manager

According to a recent report from IBM Security, compromised credentials, phishing scams, and compromised business email were responsible for 41% of all data breaches worldwide in 2021.

Organizations must have policies and procedures in place to address creating, changing, and safeguarding passwords in a HIPAA compliant way. These policies should focus on eliminating weak passwords, which can be cracked or guessed by brute-force attacks; password reuse across multiple accounts, which turns one breach into many; and disclosure of passwords to unauthorized parties.

The larger the organization, the greater the difficulty in managing passwords. There could be hundreds of password changes in a single day and thousands of passwords to protect. At scale, it’s virtually impossible for one person to manage passwords in a HIPAA compliant manner.

Another consideration is verifying that access to ePHI is granted only to authorized users and that each user is who they claim to be. Shared logins defeat both unique user identification and the audit trail, yet a 2017 survey of healthcare professionals reported that 73% had used a colleague’s login credentials to access medical data.

Things to Look for in a HIPAA Compliant Password Manager

The first thing to realize is there is no such thing as a HIPAA compliant password manager. In this case, HIPAA compliance is determined by how the password manager is used, not by the application alone.

But the Security Rule’s technical safeguards do name capabilities that a password manager must provide if it is to be used compliantly: encryption of stored data (in practice end-to-end, so that the vendor never holds a key that can decrypt your vault), automatic logoff after a period of inactivity, and audit logs that record who accessed a shared credential and when.

Whether a business associate agreement (BAA) is needed with a password manager is debated. Used as intended, the application holds credentials, not ePHI, so no ePHI is disclosed to the vendor and, in theory, no BAA is required.

If ePHI were stored in a password manager, however, the vendor would be receiving ePHI on your behalf and a BAA would be required. All else being equal, it is still wise to choose a vendor willing to sign one.

One last thing to keep in mind is that vendors ship updates and vendors themselves suffer incidents, so security gaps can open in a password manager that was sound when you chose it. A gap that exposes the credentials protecting ePHI can lead to a breach and an unauthorized disclosure of ePHI, which is a HIPAA violation. Like so much surrounding HIPAA, it is not a one-and-done decision; the vendor’s security advisories and your own configuration need periodic review.

Who are the Contenders for Best HIPAA Compliant Password Manager?

The list below is not exhaustive and does not imply any endorsement; it is a starting point for your own search. All of the password managers below are zero-knowledge solutions: the vault is encrypted on your device with a key derived from your master password, so the vendor cannot read your passwords. All offer 256-bit AES end-to-end encryption and support two-factor authentication.

Bitwarden

  • Open-source code; rated compliant in a HIPAA Security Rule assessment report performed by a third party
  • Will enter a BAA with a HIPAA covered organization
  • Works across all devices and operating systems and the most commonly used browsers
  • Cloud-based or self-hosting options available
  • Identifies exposed, weak, and reused passwords and checks breached password databases for compromised passwords

Cost: $3 or $5 per user, per month, based on organization size.
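Checking passwords against a breach corpus raises an obvious question for a covered entity: does the check itself send the password anywhere? The range-query (k-anonymity) approach used by Have I Been Pwned’s Pwned Passwords API avoids that: the client sends only the first five hex characters of the password’s SHA-1 (GET https://api.pwnedpasswords.com/range/{first5}) and matches the remaining 35 characters locally against the returned list. The Go program below is an added example, not Bitwarden’s or any other vendor’s code; the range response it uses is constructed for the example rather than fetched, and its counts are made up.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// hashParts returns the uppercase hex SHA-1 of password split into the 5-char
// prefix that is sent to the range API and the 35-char suffix that stays local.
func hashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// breachCount scans a range response (one "SUFFIX:COUNT" line per listed hash
// sharing the queried prefix) and returns the count for suffix, 0 if absent.
// Matching happens on the client, so the server only ever learns the prefix.
func breachCount(suffix, rangeResponse string) int {
	sc := bufio.NewScanner(strings.NewReader(rangeResponse))
	for sc.Scan() {
		entry, count, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if !ok || !strings.EqualFold(entry, suffix) {
			continue
		}
		if n, err := strconv.Atoi(strings.TrimSpace(count)); err == nil {
			return n
		}
	}
	return 0
}

// isCompromised checks one password against a range response the caller has
// already fetched for that password's prefix (e.g. GET /range/5BAA6).
func isCompromised(password, rangeResponse string) (bool, int) {
	_, suffix := hashParts(password)
	n := breachCount(suffix, rangeResponse)
	return n > 0, n
}

// sampleRange is a constructed stand-in for the response to /range/5BAA6; a
// real response has hundreds of lines and the counts here are made up.
const sampleRange = "003D68EB55068C33ACE09247EE4C639306B:3\r\n" +
	"012C192B2F16F82EA0EB9EF18D9D539B0DD:5\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n" +
	"1E8E5D4B48A3A1DA0B9A9B5C9C0A7F3B2C1:1\r\n"

func main() {
	prefix, _ := hashParts("password")
	bad, n := isCompromised("password", sampleRange)
	fmt.Printf("sent to server: %s; compromised=%v (seen %d times)\n", prefix, bad, n)
}
```

The point for a HIPAA assessment is the data flow, not the hash: five hex characters narrow the space to roughly one in a million SHA-1 values, so the service cannot tell which password in that bucket was queried, and the plaintext never leaves the device. When a vendor advertises breach checking, confirm it works this way rather than submitting the password or its full hash.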

Dashlane

  • Can be configured to store encrypted passwords locally
  • Works across all Windows, Mac, iOS, and Android devices, and all major browsers
  • Remote account deletion and dark web monitoring
  • No mention of BAAs on their website
  • Password changer allows users to update old and unsafe passwords at once

Cost: $5 or $8 per user per month based on organization size.

Keeper

  • Allows for secure sharing of encrypted data across teams or individual users
  • Multiple layers of encryption keys at the vault, shared folder and record levels
  • Role-based access
  • Version control and Record History
  • Site claims HIPAA compliance but does not mention BAAs

Cost: $3.75 per user per month for basic-level protection. Custom quotes must be requested for enterprises.

LastPass

  • Instantly add and remove team members
  • Single sign-on (SSO) only available for organizations over 50 employees
  • Advanced SSO and MFA available as add-ons (additional $4 per user per month)
  • Data is encrypted at the device level
  • No mention of BAAs on their website

Cost: $4 or $6 per user per month based on organization size.
