The Health Insurance Portability and Accountability Act (HIPAA) is U.S. legislation that sets national privacy and security standards for patient health information and aims to prevent breaches of that information. HIPAA applies not only to doctors, hospitals, other healthcare providers and health insurance companies (the “covered entities”), but also to their “business associates”: medical billing companies, law firms that handle PHI and even IT providers with clients in the healthcare industry.
In this article, we’ll discuss HIPAA password requirements and best practices to maintain compliance.
What Is HIPAA, and What Are HIPAA Password Requirements?
HIPAA outlines rules and penalties for breaches of Protected Health Information (PHI). These rules aim to prevent cybercriminals and other unauthorized parties from accessing PHI.
HIPAA consists of five sections, or titles. HIPAA Title II, the Administrative Simplification provisions, is what most IT and security professionals are referring to when they speak of “HIPAA compliance.” HIPAA Title II is further broken down into five rules. For the purposes of this article, we’ll focus on the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule.
The HIPAA Privacy Rule was designed to make it as easy as possible for healthcare providers, healthcare clearinghouses and health insurance companies to share PHI while ensuring that the sharing is being done appropriately and securely. It establishes national standards to protect PHI in all forms – electronic, oral and written – and requires organizations that handle PHI to implement security procedures and ensure that all employees are trained on them.
Common violations of the HIPAA Privacy Rule include:
- Loss of devices that contain PHI
- Unauthorized access of PHI by employees; PHI must be protected by least-privilege access
- Improper disposal of documents containing PHI
- Sharing patient information after authorization expires
In contrast with the Privacy Rule, which covers PHI in all forms, the Security Rule focuses specifically on electronic protected health information, or ePHI. It establishes national standards to protect ePHI and requires entities to implement administrative, physical and technical safeguards. Password security falls under the administrative safeguards: the Security Rule lists “password management,” meaning procedures for creating, changing and safeguarding passwords, as an addressable implementation specification under security awareness and training (45 CFR 164.308(a)(5)(ii)(D)). “Addressable” does not mean optional; an organization must either implement the specification or document why an alternative measure is reasonable and appropriate.
Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals and the Secretary of Health and Human Services (HHS) in the event of a breach of unsecured PHI; business associates must in turn notify the covered entity. Notification obligations differ based on whether the breach affects fewer than 500 individuals or 500 or more: breaches affecting 500 or more must be reported to HHS without unreasonable delay and no later than 60 days after discovery (and, when 500 or more residents of a single state or jurisdiction are affected, to prominent media outlets as well), while smaller breaches are logged and reported to HHS annually. If the organization isn’t sure how many individuals were impacted, it should provide an estimate, then update the report later as needed.
Benefits of Having a HIPAA Password Policy
In addition to being required by law, a HIPAA-aligned password policy helps organizations protect the confidentiality, integrity and availability of PHI belonging to the patients who’ve entrusted them with their care.
HIPAA guidelines also benefit organizations directly, by helping them reduce their attack surface and minimize the risk of healthcare data breaches, which the author notes have doubled over the past three years. In addition to subjecting healthcare organizations and business associates to lawsuits and fines that can run into the millions of dollars, breaches of PHI erode patient trust and severely damage an organization’s reputation.
Does NIST Cover HIPAA?
From a strictly legal standpoint, NIST doesn’t draft regulations to cover HIPAA; HHS does, and its Office for Civil Rights enforces them. However, in July 2022, NIST released a new draft publication, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), which provides organizations with guidance on complying with the HIPAA Security Rule, including its password management specification.
Best Practices to Maintain Compliance with HIPAA Password Requirements
Here are some credential security practices that align with NIST’s guidance on HIPAA password requirements:
Password complexity: HIPAA itself specifies no password length or complexity rules. NIST’s guidance is that employees be trained on how to select strong, unique passwords and how to safeguard them; NIST’s digital identity guidelines (SP 800-63B) favor length and screening against known-compromised passwords over forced composition rules such as “one uppercase, one symbol.”
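The following is an added example, not code from the original article or from Keeper, showing what “strong, unique, screened” looks like when enforced at account creation or password change in the style of NIST SP 800-63B: a length floor and a generous ceiling, a blocklist of known-bad passwords, rejection of context words such as the username or service name, and rejection of trivially repeated or sequential runs. No composition rules are imposed. The blocklist here is a constructed placeholder; a real deployment would load a breached-password corpus.

```python
import re
import unicodedata

# Constructed stand-in for a breached/common-password corpus. In production this
# would be a large list (e.g. a Have I Been Pwned download), not a handful of words.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # SP 800-63B says verifiers must accept at least 64 characters


def _has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one (e.g. 'abcd', '4321')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_password(candidate: str, username: str, service: str = "",
                    blocklist=BLOCKLIST) -> tuple[bool, str]:
    """Return (accepted, reason). Length + blocklist + context checks, no composition rules."""
    pw = unicodedata.normalize("NFKC", candidate)  # compare a canonical form of what was typed
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    low = pw.lower()
    if low in blocklist:
        return False, "on blocklist"
    # Context-specific words: the username and the name of the service being protected.
    for word in (username, service):
        if word and len(word) >= 3 and word.lower() in low:
            return False, "contains username or service name"
    if _has_repeated_run(pw):
        return False, "repeated characters"
    if _has_sequential_run(pw):
        return False, "sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("Password", "jdoe-wins-2023!", "Ward7-abcd", "correct horse battery staple"):
        print(repr(pw), screen_password(pw, username="jdoe", service="mercy"))
```

The reason string is meant for the user: SP 800-63B asks verifiers to tell the subscriber why a secret was rejected and to require a different one, rather than silently failing. Feed the screened password to a slow, salted hash (bcrypt, scrypt or Argon2) before storing it; screening the plaintext is the last moment the server should see it.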
Offboarding procedures: Organizations should have specific offboarding procedures to disable user passwords/access to PHI when employees or contractors leave the company or change positions. NIST recommends having different procedures for voluntary and involuntary terminations.
Password rotation/expiration: Currently, there are no HIPAA password change requirements, and NIST doesn’t recommend forcing employees to change passwords at arbitrary intervals, since scheduled rotation tends to produce predictable variations of the old password. However, passwords should be changed immediately if there is evidence that they may have been compromised, for example when they appear in a breach corpus or after a phishing incident.
Multi-factor authentication: NIST recommends that Multi-Factor Authentication (MFA) be enabled whenever it is available. This ensures that even if a threat actor gets hold of a working password, they’ll be unable to use it without the additional authentication factor(s).
Prohibit password-sharing: While HIPAA doesn’t address password-sharing specifically, NIST recommends prohibiting users from sharing passwords to systems and data that contain ePHI.
Monitoring and logging: Healthcare IT admins and security personnel should log authentication events for systems holding ePHI, monitor user login activity and investigate anomalous activity, such as a user logging in from an unusual location, a successful login following a burst of failed attempts, or a user accessing records or systems that aren’t relevant to their job. The Security Rule’s audit controls and information system activity review requirements are what make these logs mandatory rather than optional.
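To make the monitoring point concrete, here is an added example, not code from the original article or from Keeper, that runs three simple detections over a constructed set of authentication log lines: a login from a region outside the user’s historical baseline, a success that follows a run of failures (password guessing that eventually worked), and access to an application the user’s role does not need (a least-privilege violation). The log format, role mapping and location baseline are all constructed for this example; a real deployment would read them from the identity provider and a SIEM.

```python
import re
from collections import defaultdict

# Constructed authentication events (not real log data). One line per login attempt.
SAMPLE_LOG = """
2024-03-04T08:02:11Z user=jdoe result=success src=10.20.4.15 geo=US-OH app=billing
2024-03-04T08:05:40Z user=mlee result=success src=10.20.7.22 geo=US-KY app=ehr
2024-03-04T08:09:03Z user=jdoe result=success src=10.20.4.15 geo=US-OH app=ehr
2024-03-04T09:00:00Z kernel: unrelated line that does not match the auth format
2024-03-04T22:41:19Z user=mlee result=failure src=203.0.113.9 geo=RO app=portal
2024-03-04T22:41:25Z user=mlee result=failure src=203.0.113.9 geo=RO app=portal
2024-03-04T22:41:33Z user=mlee result=failure src=203.0.113.9 geo=RO app=portal
2024-03-04T22:41:50Z user=mlee result=success src=203.0.113.9 geo=RO app=ehr
2024-03-04T23:10:00Z user=admin.ops result=success src=10.20.1.2 geo=US-OH app=admin
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+) app=(?P<app>\S+)$"
)

# Constructed role model: the applications each job function legitimately needs
# (least privilege). A user reaching an app outside their role is worth a look.
ROLE_APPS = {"billing": {"billing", "portal"}, "nurse": {"ehr", "portal"}, "it": {"portal", "admin"}}
USER_ROLES = {"jdoe": "billing", "mlee": "nurse", "admin.ops": "it"}

# Constructed location baseline: regions each user has historically logged in from.
BASELINE_GEO = {"jdoe": {"US-OH"}, "mlee": {"US-OH", "US-KY"}, "admin.ops": {"US-OH"}}


def parse_event(line: str):
    """Return a dict of fields, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_anomalies(lines, fail_threshold: int = 3):
    """Scan events in order and return (timestamp, user, reason) alerts."""
    alerts = []
    consecutive_failures = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user = ev["user"]
        if ev["result"] == "failure":
            consecutive_failures[user] += 1
            continue
        # A success right after a burst of failures looks like guessing that worked.
        if consecutive_failures[user] >= fail_threshold:
            alerts.append((ev["ts"], user,
                           f"success after {consecutive_failures[user]} consecutive failures"))
        consecutive_failures[user] = 0
        # Login from a region not in the user's baseline.
        if ev["geo"] not in BASELINE_GEO.get(user, set()):
            alerts.append((ev["ts"], user, f"login from unusual location {ev['geo']}"))
        # Access to an application the user's role does not need. Unknown users
        # have no role, so every app is flagged for them.
        allowed = ROLE_APPS.get(USER_ROLES.get(user), set())
        if ev["app"] not in allowed:
            alerts.append((ev["ts"], user, f"access to {ev['app']} outside role"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect_anomalies(SAMPLE_LOG):
        print(ts, user, reason)
```

Run against the sample, the billing user’s access to the EHR system and the nurse’s late-night success from an unfamiliar region after three failures are flagged; the nurse’s normal daytime logins and the administrator’s use of the admin console are not. The failure counter resets on every success, so the detection catches a guessing run that succeeds, while a lockout policy on the identity provider would be the preventive control that belongs alongside it.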
Use a HIPAA-Compliant Password Manager
Password managers such as Keeper are a great option for organizations that need to comply with HIPAA password requirements.
Keeper enables users to automatically generate unique, complex passwords and store them in a secure digital password vault that they can access from any device. Users can also store MFA codes in their Keeper vault, which greatly simplifies the process of logging into sites and systems that use MFA.
Further, Keeper enables IT administrators to set up and enforce Role-Based Access Controls (RBAC) and least-privileged access throughout the organization, and easily adjust access levels or disable accounts if users switch job duties or leave the organization. Keeper’s compliance reporting solution also takes the pain out of compliance audits, with on-demand visibility and reporting in a zero-trust and zero-knowledge environment.
Want a password manager that simplifies HIPAA password compliance? Sign up for a Keeper free trial today.