This entry is part 38 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Tell Me More:

The Password Management implementation specification requires covered entities to address implementing procedures for creating, changing, and safeguarding passwords. Each covered entity should consider developing a policy and training mechanism to ensure that every employee understands that they are responsible for their password, the facility’s policies and procedures regarding passwords, and the ramifications of giving out a password. New employees should be given an overview at orientation of the general dos and don’ts, e.g., don’t tape your password to your computer or share it with others for any purpose. This may occur as part of HIPAA training. In addition, passwords should not be easily guessed. Two recommendations are not allowing dictionary words or common names, and requiring users to use a combination of numbers and letters. Passwords should be as difficult as possible, but not so difficult that staff cannot remember them.

Passwords are simply secret words or phrases, and they are generally not very secure. Passwords are used to authenticate users or systems. They can be compromised in many ways:

  • Users may write them down or share them, so that they are no longer really secret.
  • Passwords can be guessed, either by a person or a program designed to try many possibilities in rapid succession.
  • Passwords may be transmitted over a network either in plaintext or encoded in a way which can be readily converted back to plaintext.
  • Passwords may be stored on a workstation, server or backup media in plaintext or encoded in a way which can be readily converted back to plaintext.

Each of these vulnerabilities makes it easier for someone to acquire the password value and consequently pose as the user whose identity the password protects.

Conversely, if passwords are managed securely by users and if password systems are constructed so as to prevent brute-force attacks and inspection or decryption of passwords in transit and in storage, then passwords can actually be quite secure. This document will describe some of the mechanisms for securing passwords.

Questions to consider:

  • Do you have an effective password management program? If you are not sure, additional work may be needed.
  • Are workforce members required to change passwords on a regular basis, e.g., every 60 or 90 days? The shorter the better from a security perspective (as long as workforce members can remember the passwords).
  • Are workforce members required to use passwords that are not easily guessed, e.g., no names, and passwords that include both letters and digits? The more complex the passwords, the greater the security (as long as workforce members can remember the passwords).
  • Are workforce members trained to understand the appropriate use of passwords and the need to keep passwords private? Consider making this part of HIPAA training.
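The procedures above (rejecting dictionary words and names, requiring letters and digits, not storing passwords in a reversible form, and rotating them every 60 or 90 days) can be put into code. The following is an added example, not part of the original entry or Clearwater's own tooling; the function names and the small `BLOCKLIST` are constructed for illustration, and a real program would load a full dictionary and name list.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Constructed, illustrative blocklist of dictionary words and common names.
BLOCKLIST = {"password", "welcome", "michelle", "clearwater", "hipaa"}

def check_new_password(candidate: str, min_length: int = 8) -> list[str]:
    """Return the list of policy violations (an empty list means acceptable).

    Encodes the two recommendations in the text: no dictionary words or
    common names, and a mix of letters and digits.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    # Strip the digits so that "Welcome1" is still caught as a dictionary word.
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in BLOCKLIST:
        problems.append("is a common word or name")
    return problems

def store_password(candidate: str) -> tuple[bytes, bytes]:
    """Derive a salted PBKDF2 hash; unlike plaintext or base64 it cannot be
    converted back to the password, which addresses the storage risk above."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000)
    return salt, digest

def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000)
    return hmac.compare_digest(attempt, digest)

def password_expired(last_changed: str, today: str, max_age_days: int = 90) -> bool:
    """Flag passwords older than the rotation interval (dates as ISO strings)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)
```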



Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations, and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.