HIPAA Allows Choice in Password Security, But Use Caution

March 1, 2018 Gary Nelson

Password security for electronic protected health information (ePHI) is a fundamental part of any HIPAA compliance program, but there is no one right way. HIPAA allows a great deal of choice in how to secure data with passwords, but one must choose carefully to ensure the information is protected from both casual snooping and sophisticated hacking.

HIPAA password management requirements are quite open-ended, only specifying that one must institute “procedures for creating, changing, and safeguarding passwords,” notes Gary Nelson, healthcare practice leader with Schellman & Company, a security and privacy compliance assessor based in Tampa, FL.

To properly determine sufficiency for password protection, organizations should perform risk assessments for the systems or services that use or house ePHI, Nelson says. While HIPAA itself does not specify minimum requirements, the risk assessment could be paired with password or authentication requirements from standards such as NIST, PCI, or HITRUST to help address the HIPAA safeguard and also define what would be optimal for the organization.

Read more: www.ahcmedia.com

About the Author

Gary Nelson

Gary Nelson is a Principal at Schellman. Gary currently helps lead Schellman’s HITRUST and DEA EPCS practices and has been a leading expert in both HITRUST for healthcare service organizations and DEA EPCS for providers of electronic prescription and electronic pharmacy applications. Having completed over 500 service audits, Gary is one of the most experienced service auditors in the United States.
