When it comes to protecting ePHI, one of the first lines of defense is a strong password policy for all systems that house sensitive information. HIPAA has set out guidelines for creating, changing and protecting passwords. It’s critical that covered entities follow these guidelines to ensure their patients’ data is secure and remain HIPAA compliant.

Complying with HIPAA Policies

Under the HIPAA Security Rule, covered entities must adhere to specific Physical, Technical and Administrative standards to keep PHI and ePHI safe.

Password requirements fall under the Administrative requirements, but they’re intentionally vague in certain respects to allow flexibility for covered entities of different sizes and practices.

Organizations of any size must show a “good faith effort” to adhere to the regulations with a “commercially reasonable best effort.” Since HIPAA applies equally to enterprise hospital systems and single-doctor practices, the scope of appropriate security and privacy measures will differ.

Even though HIPAA doesn’t outline specifics for password requirements, federal agencies like the National Institute of Standards and Technology (NIST) regularly release guidelines that highlight industry best practices for password creation.

Password Guidelines

  • Use a minimum of 8 characters: NIST also advises that systems accept passwords of up to 64 characters, which matters most where particularly sensitive data is stored.
  • Use a combination of characters: Lowercase and uppercase letters, numbers and special characters make it harder for hackers to crack your password.
  • Use memorable passwords: Overly complicated passwords are more likely to be written down and put into the wrong hands. NIST suggests longer passphrases with multiple, easily remembered words.
  • Avoid password hints: NIST advises against using any sort of password hint if prompted for one when creating your password. Hints significantly decrease password security, even for stronger ones.
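To show how the four guidelines above translate into an enforceable policy check, here is an added Python example; it is not code from the original page or from MAXtech. It assumes a few things the page does not state: the common-password list is a constructed sample (a real deployment would screen against a large breached-password set), the threshold of three character classes is an assumption used to express "use a combination of characters", and a multi-word passphrase is treated as satisfying that requirement on its own, following the passphrase guideline.

```python
"""Password-policy checker built from the guidelines above (added example)."""
import re

MIN_LENGTH = 8    # minimum length quoted on the page
MAX_LENGTH = 64   # NIST: systems should accept passwords at least this long

# Constructed sample list; a real deployment would use a breached-password feed.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1", "welcome1"}

# Assumed policy value: how many character classes count as a "combination".
MIN_CLASSES = 3


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    ]
    return sum(present)


def is_passphrase(password: str, min_words: int = 4) -> bool:
    """Treat several words separated by spaces, dashes, dots or underscores as a passphrase."""
    words = [w for w in re.split(r"[\s\-_.]+", password.strip()) if w]
    return len(words) >= min_words


def evaluate_password(password: str, hint: str = "") -> dict:
    """Return the policy findings for a candidate password (and any hint offered)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        findings.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("appears in the common-password list")

    classes = character_classes(password)
    passphrase = is_passphrase(password)
    # A long memorable passphrase is accepted even if it uses one character class.
    if classes < MIN_CLASSES and not passphrase:
        findings.append(
            f"fewer than {MIN_CLASSES} character classes and not a multi-word passphrase"
        )
    # The page advises against hints altogether, so any hint is a finding.
    if hint:
        findings.append("password hint supplied; hints are not allowed")

    return {
        "accepted": not findings,
        "findings": findings,
        "classes": classes,
        "passphrase": passphrase,
    }


if __name__ == "__main__":
    for candidate, hint in [
        ("Tr0ub4dor&3", ""),
        ("correct horse battery staple", ""),
        ("abc123", ""),
        ("password", "my usual one"),
    ]:
        print(candidate, evaluate_password(candidate, hint))
```

Run it directly to see each constructed candidate scored; in a registration flow you would call `evaluate_password` before storing the credential and surface `findings` to the user.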

MAXtech Can Help You

Don’t let weak passwords put your patients’ health information at risk. MAXtech specializes in helping healthcare professionals remain HIPAA compliant. Schedule a free HIPAA assessment with us to see how we can help you.