Password requirements to maintain HIPAA compliance are intentionally technology neutral – learn exactly what you need to know to stay compliant.
In our digital age, healthcare organizations and covered entities, as well as their business associates need to have a full understanding the HIPAA password requirements. These are important to avoid data breaches of any kind, as the consequences are detrimental.
Best Practices for HIPAA Compliance
So, what are top-performing organizations doing to remain in compliance? A good reference to follow, in addition to the HIPAA Standards, is the National Institute of Standards and Technology (NIST) guidelines, specifically the Digital Identity Guidelines in publication 800-63B. In the most recent version, NIST recommends the following as best practices:
- Passwords should be a minimum of 8 characters in length. Note that the longer the password is, the more difficult it becomes to hack.
- Passwords should be required to have a mix of upper and lower-case letters, numbers, and special characters.
- As an alternative to difficult-to-remember passwords, organizations can allow the use of long passphrases.
- Prohibit the use of single dictionary words and commonly used weak passwords (i.e. “password” or “name12345”), and password hints that have answers that can often be found on social media.
- Enable two-step login (multi-factor authentication) to add an additional layer of security to accounts and reduce the need to change compromised passwords.
- Educate users on good password practices – such as changing default passwords, not sharing passwords, and not reusing passwords for multiple accounts.
- Implementing a password manager to enforce strong password policies, store login credentials securely, and prevent the same password being used for several accounts.
The technology landscape is continuously changing and advancing, making periodic updates to NIST and HIPAA standards necessary. As those standards change, it is important for covered entities to review their policies and procedure to ensure continued compliance, as well as best practices for maintaining cybersecurity in a heavily targeted industry. Annual risk assessments and review of standards is recommended.
While two-factor authentication (or multi-factor authentication) is not a requirement to meet HIPAA standards, it is considered an industry standard. Covered entities who do not use two-factor authentication are increasing their risk of a data breach, and should seriously consider it. Most personal accounts of any type – from financial to video gaming – require this type of setup.
FormDr is a trusted source for HIPAA-compliant digital intake forms, using the most recent guidance. As a trusted partner for healthcare organizations and clinics across the nation, we place priority in protecting medical records and ePHI. With FormDr you never have the added worry of a transmitting unsecure ePHI.