HIPAA Password Sharing Policy

A Password Sharing Policy that is compliant with HIPAA should explicitly forbid Covered Entities, Business Associates, and their staff members from sharing passwords that grant access to electronic Protected Health Information (ePHI). Additionally, it is highly recommended to disallow caregivers from using shared passwords to access patient portals.

Concern about password sharing arises from a survey conducted in 2017, which found that 73% of healthcare professionals admitted to using a colleague's login credentials to access medical data. Although most of these individuals were students or interns who had not yet received their own login credentials, the fact that fellow professionals were handing over access illustrates poor password security. In the United States, this kind of laxity is a breach of HIPAA regulations. Under the Technical Safeguards of the HIPAA Security Rule (45 CFR § 164.312), Covered Entities must implement procedures to verify the identity of individuals accessing ePHI and must assign each user a unique name or number so that user identity can be tracked. Sharing login credentials is therefore a direct violation of HIPAA, because it defeats the Covered Entity's ability to accurately track who is accessing ePHI: anyone, regardless of their role, could gain unauthorized access to ePHI simply by using another healthcare professional's login credentials.

HIPAA's Guidelines on Passwords

Because the HIPAA legislation is technology neutral, it says little about passwords or policies for sharing them. The Act mentions passwords only in the Administrative Safeguards of the HIPAA Security Rule, specifically in relation to Security Awareness and Training (45 CFR § 164.312). Under this section, Covered Entities must establish procedures for creating, changing, and safeguarding passwords. The requirement to safeguard passwords strongly implies that they should not be shared, particularly when read together with the Technical Safeguards mentioned earlier. Sharing passwords that grant access to electronic Protected Health Information (ePHI) is therefore a clear violation of HIPAA. There are, however, situations in healthcare facilities where password sharing is appropriate; for instance, marketing teams may share passwords for corporate social media accounts. In such cases, a password manager should be used to store the shared passwords securely. Under no circumstances, though, does HIPAA permit sharing passwords that provide access to ePHI.

Guidelines on Safely Sharing Passwords with Caregivers

In a recent survey, researchers examined how many U.S. hospitals offer proxy accounts to caregivers, allowing them to access patient information without password sharing. These proxy accounts are intended to support caregivers in their role while addressing privacy concerns. The survey found that 68% of hospitals currently offer proxy accounts. However, only 19% of hospitals with this capability provide controls that let patients restrict what caregivers can access. The absence of such controls creates the risk of data breaches, identity fraud, and miscommunication between healthcare professionals and caregivers. It is worth noting that patient portals and proxy accounts are not protected by the Health Insurance Portability and Accountability Act (HIPAA), since consent is assumed when a caregiver accesses patient data through these channels (usually by sharing a password). Nonetheless, healthcare organizations should prioritize the security of patient portals and consider developing HIPAA-compliant policies on password sharing.