HIPAA Password Requirements
What you need to know to keep yourself compliant.
When it comes to HIPAA compliance, there are many factors and areas that you must update, monitor and maintain. One of the first and most straightforward HIPAA computer requirements is the creation and deployment of an effective password structure and program.
HIPAA password requirements are an often overlooked component of an effective HIPAA compliance program. Along with a robust privacy and security program, strong passwords can go far to protect the sensitive health data you store.
But what can health care providers and vendors like you do to start implementing HIPAA password requirements right now?
What are HIPAA Password Requirements?
HIPAA regulation sets strict national privacy and security standards. These standards are absolutely fundamental to protecting your organization from data breaches and hefty HIPAA violation fines. Each HIPAA standard corresponds to a policy or procedure that health care organizations must have in place.
Under the HIPAA Security Rule, there are three main categories of HIPAA standards:
- Technical: These security standards address safeguards that must be in place to protect infrastructure that can access, handle, or store electronic protected health information (ePHI). Examples include having anti-virus software, data encryption, and firewalls.
- Physical: These security standards address safeguards that must be in place to protect the physical premises of an organization. Examples include having locks on doors, placing screen protectors on computers, and ensuring that papers containing protected health information (PHI) are not publicly viewable.
- Administrative: These security standards address safeguards that must be in place to guide staff on the actions they should take to maintain the security and integrity of PHI. Examples include authorization of access to PHI, employee training, and password management.
Under the HIPAA Security Rule, passwords are regulated under the Administrative provisions, as outlined above. The regulation, however, is vague. 45 CFR § 164.308(a)(5)(ii)(D) states that HIPAA-beholden organizations must have “Procedures for creating, changing, and safeguarding passwords.” But other than this vague statement, no further guidance is given for health care professionals to implement HIPAA compliant passwords.
So how can you tell if you’re fulfilling HIPAA password requirements?
How to Make Your Passwords HIPAA Compliant
HIPAA regulation is intentionally vague in certain respects in order to allow flexibility for organizations of different sizes and means. The rule of thumb is that organizations must demonstrate their “good faith effort” to follow the regulation using a “commercially reasonable best effort.” Because HIPAA applies equally to single-doctor practices and enterprise hospital systems alike, the scope of appropriate security and privacy measures will vary with each organization's size and needs.
Yet there are still some best practices that organizations of any size can keep in mind while trying to adhere to HIPAA password requirements. Even though HIPAA does not list specifics that your organization can have in place to ensure your passwords are secure, there are federal regulatory bodies that do release password guidance. One such organization is NIST (the National Institute of Standards and Technology). NIST releases security guidance on an ongoing basis that highlights industry best practices for organizations of all kinds. NIST also routinely issues new guidance on password creation, which serves to keep your data safe.
Below, we discuss a few of the measures you can put in place to keep passwords coherent with NIST and HIPAA requirements.
- Use a minimum of 8 characters: NIST further says that passwords can be up to 64 characters long when the password is protecting particularly sensitive data.
- Avoid password hints: creating hints such as “my last name” or “my anniversary” can seriously compromise the integrity of your passwords. Avoid these at all costs!
- Create memorable passwords: NIST no longer suggests unnecessarily complicated or obtuse passwords. These can actually lead to weaker passwords in the long run. Your password should be sufficiently unique and memorable so as to avoid the dreaded post-it note on the computer monitor.
- Vet passwords against a list of common/weak options: NIST guidance suggests that passwords should be vetted against a list of common passwords (such as “password,” “123456789,” “ChangeMe,” and so on). This can be executed by an IT or security firm.
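The four measures above can be turned into a single acceptance check a registration or password-change form runs before storing anything. The following is an added example written for this article, not code from the original or from NIST; the tiny blocklist is a constructed sample (the first three entries are the ones named above) and stands in for a real list of common and breached passwords.

```python
"""Password acceptance check modelled on the NIST-aligned measures above."""
from dataclasses import dataclass

# Constructed sample blocklist; a real deployment loads a far larger list.
# Entries are casefolded once so the lookup below is case-insensitive.
COMMON_PASSWORDS = frozenset(
    p.casefold() for p in (
        "password", "123456789", "changeme", "qwerty", "letmein", "welcome1",
    )
)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8        # minimum length quoted in the article
    max_length: int = 64       # accept passwords up to this many characters
    blocklist: frozenset[str] = COMMON_PASSWORDS

    def check(self, candidate: str) -> list[str]:
        """Return the reasons a password is rejected; an empty list means accepted.

        Deliberately no composition quotas (uppercase/digit/symbol): the
        article notes NIST no longer recommends them, because they push users
        toward predictable variations and post-it notes.
        """
        reasons = []
        # len() counts code points, not bytes, so non-ASCII passwords are
        # measured the way the user perceives them.
        length = len(candidate)
        if length < self.min_length:
            reasons.append(f"shorter than {self.min_length} characters")
        if length > self.max_length:
            reasons.append(f"longer than {self.max_length} characters")
        # Vet against the common/weak list ignoring case and surrounding
        # whitespace so trivial variants such as "Password " are caught too.
        if candidate.strip().casefold() in self.blocklist:
            reasons.append("appears on the common/weak password list")
        return reasons

    def is_acceptable(self, candidate: str) -> bool:
        return not self.check(candidate)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("ChangeMe", "correct horse battery staple", "Ab1!"):
        verdict = policy.check(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note that nothing here models a password hint field: the check has nowhere to store one, which is the simplest way to honour the "avoid password hints" measure.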
Once you’ve addressed your HIPAA password requirements, be sure to get the rest of your HIPAA compliance program in check! HIPAA Privacy and Security standards are absolutely essential to protecting your practice against data breaches and federal fines.