Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            What are the HIPAA Rules for Passwords?

            Modified on Tue, 13 Feb at 6:15 PM

            DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

            The HIPAA Security Rule requires covered entities and business associates to implement password management. Password management is defined as "Procedures for creating, changing, and safeguarding passwords."  The HIPAA regulations do not contain specific requirements for passwords - for how many characters passwords should contain, for whether special symbols should be used (or should not be used), and so forth. The federal agency known as NIST has published a document entitled  "Digital Identity Guidelines" (NIST Special Publication 800-63B). This publication contains password guidelines that are regarded as "best practices" for creating a strong password. Covered entities and business associates should create strong passwords.

            NIST recommends the following password standards for creating strong passwords:

            • Use a minimum of eight (8) characters, with longer passwords being more secure
            • Disallow or do not use sequences or repetitive characters, such as “12345” or “aaaaa”
            • Disallow or do not use context-specific passwords, like the name of the site or company
            • Disallow or do not use commonly used passwords, such as “password123” and “12345678”
            • Disallow or do not use single dictionary words
            • Disallow or do not use passwords that have been compromised previously.

            In addition to following these guidelines for creating strong passwords, covered entities and business associates should follow these best practices:

            • Workforce members should not share passwords with others
            • If a workforce member suspects that their password has been compromised, the workforce member should change their password immediately and report the incident
            • Workforce members should not reveal passwords over the phone or via email. 


            Additional password best practices include:

            • Do not provide password hints
            • Do not use another user’s username and password
            • Do not write down usernames and passwords


            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0