HIPAA Password Sharing

Password sharing in healthcare may contribute to productivity in certain situations, however, it is crucial to maintain strict control over this practice and never allow it for accessing electronic protected health information (ePHI), a HIPAA violation.

Join our newsletter:

Shared passwords in healthcare can sometimes boost productivity, but stringent control is essential to safeguard access to electronic protected health information (ePHI). Violating the standards set by the Health Insurance Portability and Accountability Act (HIPAA), healthcare professionals must not share passwords that grant access to ePHI. Companies may endorse password sharing to encourage collaboration, delegate work, cut costs, or allow colleagues to access accounts when someone is absent, working remotely, or on sick leave. Some employees, when unable to recall their own credentials, employ their colleagues' login information to lessen the load on the IT Helpdesk. Unfortunately, the methods employed to share passwords often lack security measures.

Exploring the Applications of Password Sharing in the Healthcare Industry

Despite the increasing focus on online security within the healthcare industry, it may seem strange that healthcare organizations allow password sharing. However, this practice is generally limited to specific situations and when it is properly monitored and controlled, it can actually enhance productivity in certain areas. For example, the marketing department may share passwords for company social media accounts, the finance department may share passwords for company bank accounts, and the IT department may share passwords for cloud computing accounts.Nevertheless, there is one circumstance in the healthcare industry where password sharing should never be allowed, and that is when accessing electronic Protected Health Information (ePHI). The reason for this is that complying with the Technical Safeguards of the HIPAA Security Rule requires regular monitoring and logging of ePHI access. This ensures that any unauthorized disclosure, alteration, or deletion of ePHI can be traced back to the person responsible. Under 45 CFR § 164.312, Covered Entities are obligated to establish procedures that confirm the identity of individuals accessing ePHI and assign them a unique identifier (i.e., a password) to track their activities. Furthermore, according to 45 CFR § 164.312, Covered Entities must implement procedures to create, modify, and protect passwords, with the term "safeguarding" indicating that passwords should not be shared.

A Guide to Ensuring Secure Password Sharing:

When healthcare providers allow for password sharing, it is important to do so securely. Sharing passwords carelessly can lead to inaccurate health advice being spread on social media platforms. While the consequences of a hacked bank account are typically financial, companies have suffered significant financial losses due to hackers infiltrating cloud accounts and mining cryptocurrencies. In order to minimize the risk of compromised accounts, healthcare organizations should consider implementing password managers that offer secure password sharing features. These solutions allow for controlled access to corporate passwords, whether they are being shared or not, and ensure that the passwords used are strong, complex, random, and not duplicated elsewhere within the organization. Additionally, password managers with secure password sharing capabilities can assist in sharing passwords with remote workers, as long as appropriate controls are in place to guarantee the secure transmission of login credentials. This includes features such as cross-platform compatibility (e.g. PC, mobile, web), flexible integrations, and top-notch encryption practices to protect data while in transit.


Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.