The Health Insurance Portability and Accountability Act (HIPAA) is U.S. legislation that sets national privacy and security standards to protect patient health information and prevent data breaches. HIPAA applies not only to covered entities (doctors, hospitals and other healthcare providers, health insurance companies and healthcare clearinghouses) but also to their “business associates”: any organization that creates, receives, maintains or transmits PHI on a covered entity’s behalf. These include medical billing companies, law firms that handle PHI and IT providers that store, process or support systems holding PHI for healthcare clients.
In this article, we’ll discuss HIPAA password requirements and best practices to maintain compliance.
HIPAA outlines rules and penalties for breaches of Protected Health Information (PHI). These rules aim to prevent cybercriminals and other unauthorized parties from accessing PHI.
HIPAA consists of five sections, or titles. HIPAA Title II, the Administrative Simplification provisions, is what most IT and security professionals are referring to when they speak of “HIPAA compliance.” HIPAA Title II is further broken down into five rules. For the purposes of this article, we’ll focus on the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule.
The HIPAA Privacy Rule was designed to make it as easy as possible for healthcare providers, healthcare clearinghouses and health insurance companies to share PHI while ensuring that the sharing is being done appropriately and securely. It establishes national standards to protect PHI in all forms – electronic, oral and written – and requires organizations that handle PHI to implement security procedures and ensure that all employees are trained on them.
Common violations of the HIPAA Privacy Rule include:
In contrast with the Privacy Rule, which covers PHI in all forms, the Security Rule focuses specifically on electronic protected health information, or ePHI. It establishes national standards to protect ePHI and requires entities to implement administrative, physical and technical safeguards. Password security falls under the administrative safeguards: password management (procedures for creating, changing and safeguarding passwords) is an addressable implementation specification of the Security Awareness and Training standard, so an organization must either implement it or document why an alternative measure is reasonable and appropriate.
The HIPAA Breach Notification Rule requires organizations to notify affected individuals and the Secretary of Health and Human Services (HHS) in the event of a breach of unsecured PHI. Notification obligations differ based on whether the breach affects fewer than 500 individuals or 500 or more: breaches affecting 500 or more must be reported to HHS without unreasonable delay and no later than 60 days after discovery, and prominent media outlets must also be notified; smaller breaches may be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. If the organization isn’t sure how many individuals were impacted, it should provide an estimate, then update the report later as needed.
In addition to being required by law, HIPAA password requirements help organizations protect the confidentiality, integrity and availability of the PHI belonging to the patients who’ve entrusted them with their care.
HIPAA guidelines also benefit organizations directly, by helping them reduce attack surfaces and minimize the risk of healthcare data breaches, which have doubled over the past three years. In addition to subjecting healthcare organizations and business associates to lawsuits and fines that could run into the millions of dollars, breaches of PHI erode patient trust and severely damage organizations’ reputation.
NIST does not write HIPAA regulations; that is the job of HHS, which also enforces them. However, in July 2022, NIST released a new draft publication, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), which provides organizations with guidance on complying with the HIPAA Security Rule, including its password and authentication expectations.
Here are some credential security practices that align with NIST’s guidance on HIPAA password requirements:
Password managers such as Keeper are a great option for organizations that need to comply with HIPAA password requirements.
Keeper enables users to automatically generate unique, complex passwords and store them in a secure digital password vault that they can access from any device. Users can also store MFA codes in their Keeper vault, which greatly simplifies the process of logging into sites and systems that use MFA.
Further, Keeper enables IT administrators to set up and enforce Role-Based Access Controls (RBAC) and least-privileged access throughout the organization, and easily adjust access levels or disable accounts if users switch job duties or leave the organization. Keeper’s compliance reporting solution also takes the pain out of compliance audits, with on-demand visibility and reporting in a zero-trust and zero-knowledge environment.
Want a password manager that simplifies HIPAA password compliance? Sign up for a Keeper free trial today.