DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The HIPAA Security Rule requires covered entities and business associates to implement password management, defined as "Procedures for creating, changing, and safeguarding passwords." The HIPAA regulations themselves contain no specific technical requirements for passwords: they do not state how many characters a password should contain, whether special symbols should or should not be used, and so forth. The National Institute of Standards and Technology (NIST), a federal agency, has published "Digital Identity Guidelines" (NIST Special Publication 800-63B), which contains password guidelines widely regarded as best practices for creating a strong password. Covered entities and business associates should create strong passwords that follow these guidelines.
NIST recommends the following password standards for creating strong passwords:
- Use a minimum of eight (8) characters, with longer passwords being more secure
- Disallow or do not use sequences or repetitive characters, such as “12345” or “aaaaa”
- Disallow or do not use context-specific passwords, like the name of the site or company
- Disallow or do not use commonly used passwords, such as “password123” and “12345678”
- Disallow or do not use single dictionary words
- Disallow or do not use passwords that have been compromised previously
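The rules above are simple enough to enforce at the point where a password is set, which is how a covered entity turns the NIST guidance into a control. The following is an added example written for this article, not code from NIST or from Compliancy Group. It checks a candidate password against each of the six rules and returns the names of the rules it fails. The blocklists (common passwords, dictionary words, previously compromised passwords) are small constructed stand-ins; a real deployment would load the compromised-password list from a breach corpus and the dictionary from a word list. Treating a run of five ascending, descending, or identical characters as a "sequence or repetitive" pattern is an assumption chosen to match the article's "12345" and "aaaaa" examples.

```python
"""Password policy checks modelled on the NIST SP 800-63B rules listed above.

Added example; the blocklists below are constructed samples, not real data.
"""
import re
from typing import Iterable, List, Set

# Constructed stand-ins for the three blocklists NIST expects you to maintain.
COMMON_PASSWORDS: Set[str] = {"password", "password123", "12345678", "qwerty", "letmein"}
DICTIONARY_WORDS: Set[str] = {"password", "welcome", "summer", "hospital", "sunshine"}
BREACHED_PASSWORDS: Set[str] = {"summer2019!", "welcome1"}  # would come from a breach corpus

SEQUENCE_RUN = 5  # assumption: five in a row counts as a sequence ("12345", "aaaaa")


def _normalize(text: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    'Mercy Hospital' matches 'mercyhospital2024'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def has_sequence(pw: str, run: int = SEQUENCE_RUN) -> bool:
    """True if pw contains `run` consecutive ascending or descending
    characters, e.g. '12345', 'abcde', 'edcba'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeat(pw: str, run: int = SEQUENCE_RUN) -> bool:
    """True if the same character appears `run` or more times in a row."""
    pattern = r"(.)\1{%d,}" % (run - 1)
    return re.search(pattern, pw) is not None


def check_password(
    pw: str,
    context_terms: Iterable[str] = (),
    common: Set[str] = COMMON_PASSWORDS,
    dictionary: Set[str] = DICTIONARY_WORDS,
    breached: Set[str] = BREACHED_PASSWORDS,
) -> List[str]:
    """Return the list of NIST rules the password fails (empty list = accepted).

    context_terms are site- or organisation-specific strings (company name,
    product name, site URL) that must not appear inside the password.
    """
    failures: List[str] = []
    low = pw.lower()
    norm = _normalize(pw)

    # Rule 1: minimum of eight characters.
    if len(pw) < 8:
        failures.append("too_short")

    # Rule 2: no sequences or repeated characters.
    if has_sequence(pw) or has_repeat(pw):
        failures.append("sequence_or_repeat")

    # Rule 3: no context-specific content (site name, company name, ...).
    if any(_normalize(term) and _normalize(term) in norm for term in context_terms):
        failures.append("context_specific")

    # Rule 4: not on the commonly-used password list.
    if low in common:
        failures.append("common_password")

    # Rule 5: not a single dictionary word. The letters-only core is compared
    # so that a word with a digit or symbol bolted on ("Hospital1!") still fails.
    core = re.sub(r"[^a-z]", "", low)
    if core in dictionary:
        failures.append("single_dictionary_word")

    # Rule 6: not previously compromised (exact match against the breach list).
    if low in breached:
        failures.append("previously_compromised")

    return failures


def is_acceptable(pw: str, context_terms: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True only when every rule passes."""
    return not check_password(pw, context_terms)


if __name__ == "__main__":
    # Constructed candidates; the organisation name is a made-up context term.
    for candidate in ["abc12", "aaaaa123", "MercyHospital2024", "password123",
                      "Summer2019!", "Tr0ub4dor&3 horse battery"]:
        print(f"{candidate!r:32} -> {check_password(candidate, ['Mercy Hospital'])}")
```

The function deliberately reports every failed rule rather than stopping at the first one, so a user interface can tell the workforce member exactly why a password was rejected; a policy that only says "invalid password" tends to push people toward minor variations of the same weak choice.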
In addition to following these guidelines for creating strong passwords, covered entities and business associates should follow these best practices:
- Workforce members should not share passwords with others
- If a workforce member suspects that their password has been compromised, the workforce member should change their password immediately and report the incident
- Workforce members should not reveal passwords over the phone or via email
Additional password best practices include:
- Do not provide password hints
- Do not use another user’s username and password
- Do not write down usernames and passwords