How to Comply with HIPAA Password Requirements

by | Feb 12, 2020

The HIPAA password requirements list the procedures must be established in order to successfully and safely create, amend and protect passwords unless a different, equally-effective security measure is put in place. We suggest the best way to adhere with the HIPAA password requirements is by using two factor authentication.

The HIPAA password requirements can be located in the Administrative Safeguards of the HIPAA Security Rule. Under the section linked to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must use “procedures for creating, changing and safeguarding passwords”.

Disagreement on Best HIPAA Compliance Password Policy

Although all security specialists are in agreement on the need for a strong password (the longest possible, including numbers, special characters, and a mix of upper and lower case letters), many cannot find common ground in relation to the best HIPAA compliance password policy, the frequency at which passwords should be amended (if at all) and the best way of securing them.

Whereas some specialists claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, other specialists say the effort is a waste of time. A skilled hacker should be able to crack any user-generated password in less than ten minutes using a combination of technical, sociological, or subversive methods (i.e. social engineering).

There is more agreement between experts when it comes to protecting passwords. In respect of a best practice for a HIPAA compliance password policy, most recommend the use of password management tools. Although these tools can also be infiltrated, the software saves passwords in encrypted format, making them unusable by hackers.

The HIPAA Password Requirements are Addressable

One important point to remember when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be delayed to another date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”

In relation to the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if a different security measure can be implemented that accomplishes the same purpose as creating, changing and protecting passwords, the Covered Entity is in compliance with HIPAA.

Two-factor authentication meets this requirement perfectly. Whether by SMS notification or push notification, a person using a username and password to log into a database holding PHI also has to insert a PIN code to confirm who they are. As a unique PIN code is issued with each log in attempt, a compromised password alone will not give a hacker access to the secure database.

Two Factor Authentication Implemented by Many Medical Facilities

Interestingly, two factor authentication is already deployed in many medical facilities, but not to safeguard the confidentiality, integrity and security of PHI. Instead it is used by medical facilities accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by others to adhere with the DEA´s Electronic Prescription for Controlled Substances Rules.

Healthcare IT specialists will be quick to stress that two factor authentication can slow workflows, but recent advances in the software make way for LDAP integration and Single Sign-On between healthcare technologies. As two factor authentication software only sends PIN codes (and not PHI) the software does not need to be HIPAA compliant, and it is a far easier solution for compliance with the HIPAA Password requirements than frequent changes of passwords and password management tools. Effectively, Covered Entities never need amend a password again.

The only thing Covered Entities have to be conscious of before implementing two factor authentication to protect PHI is that, because the HIPAA Password requirements are addressable safeguards, the reasons for implementing the alternative solution have to be officially recorded. This will meet the HIPAA requirements for conducting a risk analysis and also satisfy auditors if the Covered Entity is chosen to be reviewed as part of HHS´ HIPAA Audit Program.

Why a Different Option to the HIPAA Password Requirements should be Considered

It was referred to above that most user-generated passwords can be cracked within ten minutes. That may seem an outrageous claim to some IT specialists, but this tool on the ramdom-ize password generating website will give you an idea of how long it could take a determined hacker to find any password by brute force alone. Social engineering and phishing will likely cut this time even  more.

Randomized passwords containing numbers, symbols and a mixture of upper and lower case letters obviously take more time to crack – but they are still crackable. They are also much more difficult for users to remember; and although secure password management tools exist to store passwords safely, if a user wants to access a password-protected account from another device, password management tools are ineffective. The only way for the user to log into the account is to have the password written down or saved on another device – such as an unsecured mobile phone.

Accessing password-protected accounts from secondary devices increases the danger that a data breach will occur due to keylogging malware. This type of malware runs unnoticed on computers and mobile devices, secretly recording every keystroke in a file for later retrieval by a hacker. As this is a foreseeable risk to the security of Protected Health Information, Covered Entities must either create policies to limit users to the devices from which they can access password-protected accounts, or find an alternative to the HIPAA password obligations.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy