HIPAA Password Requirements
For behavioral health professionals, HIPAA password requirements are an important part of keeping your sensitive health data safe and avoiding HIPAA fines.
But what does HIPAA regulation have to say about implementing secure passwords?
HIPAA regulation is broken up into several different rules governing the use and integrity of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, dates of birth, Social Security numbers, telephone numbers, full facial photos, insurance ID numbers, and health care data, to name a few.
Under the HIPAA Security Rule, there are specific Physical, Technical, and Administrative standards that must be in place to ensure that PHI is kept safe.
HIPAA password requirements fall under the Administrative requirements of the HIPAA Security Rule. The HIPAA Security Rule is a federally required regulation for all health care professionals and vendors, and includes other standards for keeping PHI and electronic PHI (ePHI) secure.
In addition to the HIPAA requirements, behavioral health professionals should also adhere to NIST standards (National Institute of Standards and Technology). NIST is a regulatory body that releases guidance on the industry best practices for the use of technology.
Below, we discuss the NIST and HIPAA password requirements that all behavioral health professionals should keep in mind. These are easy steps you can take right now to work on your HIPAA compliance program, and ensure that patient data is not subject to the growing risk of data breaches and malware.
NIST and HIPAA password requirements include:
- Using a minimum of eight characters: if the password is protecting particularly sensitive data, NIST also suggests using passwords up to 64 characters in length.
- Avoiding the use of password hints: when you create a password and you’re prompted to create a hint in case you forget, NIST suggests you should avoid this entirely. Using hints such as “my son’s name” or “my address” can easily compromise even the strongest passwords.
- Creating passwords you’ll remember: even though you may have heard that long and randomized passwords are more secure, NIST no longer suggests these complicated passwords. In the long run, they may be no more secure than something you’ll remember.
- Don’t put your password on a post-it note: as we recently saw with the false alarm in Hawaii, you should not keep a physical reminder of your password anywhere near your computer.
- Running passwords against a list of weaker options: NIST suggests that all passwords within your organization should be vetted against a list of commonly chosen, insecure options (such as “123456789,” “password,” “ChangeMe!,” and so on). You can run this test with the help of your IT firm.
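One way your IT firm might apply the length, hint, and common-password checks from the list above at the moment a password is set (an added example, not part of the original article). The function names, the sample blocklist, and the choice to treat 64 characters as the upper limit are assumptions made for illustration.

```python
import unicodedata

MIN_LENGTH = 8    # minimum length stated in the list above
MAX_LENGTH = 64   # assumption: 64 characters is treated as the upper limit here

# Constructed sample blocklist: the three examples from the list above plus two
# more commonly chosen values. A real deployment loads a much larger list.
SAMPLE_BLOCKLIST = ["123456789", "password", "ChangeMe!", "qwertyuiop", "letmein123"]


def normalize(text):
    """Fold case and Unicode variants so 'PASSWORD' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", text).casefold().strip()


def build_blocklist(entries):
    """Normalize every entry once so each lookup is a single set membership test."""
    return frozenset(normalize(entry) for entry in entries)


def vet_password(candidate, blocklist, hint=None):
    """Return a list of policy violations; an empty list means the password passes.

    Run this when a password is created or changed: stored passwords should be
    hashed, so that is the point where the plain text is available to check.
    """
    problems = []
    # Count characters after normalization, not bytes, so accented or
    # non-Latin passwords are measured the same way a person counts them.
    length = len(unicodedata.normalize("NFKC", candidate))
    if length < MIN_LENGTH:
        problems.append("too_short")
    if length > MAX_LENGTH:
        problems.append("too_long")
    if normalize(candidate) in blocklist:
        problems.append("commonly_used")
    if hint:
        # The list above advises against hints entirely, so any hint is refused.
        problems.append("hint_not_allowed")
    return problems


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_BLOCKLIST)
    for sample in ["PASSWORD", "12345", "correct horse battery staple"]:
        print(repr(sample), vet_password(sample, blocklist))
```

Note that the check imposes no character-mix rules, in line with the point above that memorable passwords are preferred over complicated ones.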
At the end of the day, these are easy steps you can take right now to start to develop a HIPAA compliance program in your practice, all while addressing your HIPAA password requirements. Don’t forget to address the many other federally mandated regulatory requirements necessary for total HIPAA compliance! Implementing an effective HIPAA compliance program is one of the easiest ways to keep patients’ data safe and protect your practice.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches® field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including all HIPAA security measures and Security Risk Assessments.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.