Passwords – an integral part of HIPAA and Compliance

I was reading an article the other day on passwords.  The author was doing his best to articulate a stern admonition on the potential exposure when one does not change their passwords at least every 90 days.  If you’re like me, you’ve got lots of usernames and passwords to track (I have over 100 of them and it’s going up daily!).  Plus, with HIPAA and the HIPAA privacy requirements, the responsibility to maintain privacy in the health care industry is especially important.  Most of us know that we should have strong passwords and that we should change them periodically.  Look, tracking all those usernames and passwords, much less changing all those passwords is simply a pain in the…well, you get the idea.

Whether you’re in hospital administration or physician practice management or any area of health care, you are keenly aware of regulatory compliance.  But with the hustle and bustle of our daily lives, how can we practically manage our passwords?

HIPAA security rules demand proper password protection!

I used to utilize Excel to store and manage all my usernames and passwords.  Unfortunately, the database is not encrypted and the program is not designed to securely store sensitive data.  So, after some research and experimentation, I settled on a password management program called KeePass.  Some of the attractive features are:

  1. The program is free and open source.
  2. The database is encrypted with AES or Twofish symmetric ciphers.  (Sounds impressive doesn’t it?  I don’t know what it means either but our IT guy says that they are among the highest advanced encryption standards.)
  3. The user can generate random passwords (you can specify parameters such as letters, numbers, special symbols and even the length of the password) so the user doesn’t have to think too hard.
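As an added illustration (my own example, not KeePass’s code and not part of the original post), here is how a parameterized random password generator of the kind described in item 3 can be built in Python with the standard library’s CSPRNG (`secrets`), so that the caller picks the length and the character classes and every selected class is guaranteed to appear at least once. The class names, the symbol subset and the function names (`generate_password`, `meets_policy`, `entropy_bits`) are my own choices.

```python
import math
import secrets
import string

# Character classes selectable by the caller (constructed for this example;
# the symbol set is a conservative subset that most login forms accept).
CLASSES = {
    "letters": string.ascii_letters,
    "numbers": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}


def secure_shuffle(items):
    """In-place Fisher-Yates shuffle driven by the OS CSPRNG, not random.shuffle."""
    for i in range(len(items) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        items[i], items[j] = items[j], items[i]


def generate_password(length=20, classes=("letters", "numbers", "symbols")):
    """Return a random password of the given length drawn from the chosen
    classes, with at least one character from every chosen class."""
    if not classes or length < len(classes):
        raise ValueError("length must be >= number of selected classes")
    pools = [CLASSES[name] for name in classes]  # KeyError on an unknown class
    alphabet = "".join(pools)
    # One guaranteed pick per class, then fill the remainder from the union.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secure_shuffle(chars)  # so the guaranteed picks are not always first
    return "".join(chars)


def meets_policy(password, classes=("letters", "numbers", "symbols")):
    """True if the password contains at least one character from each class."""
    return all(any(ch in CLASSES[name] for ch in password) for name in classes)


def entropy_bits(length, classes=("letters", "numbers", "symbols")):
    """Upper-bound entropy estimate: length * log2(alphabet size).
    The per-class guarantee above removes only a tiny fraction of this."""
    alphabet_size = sum(len(CLASSES[name]) for name in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, meets_policy(pw), round(entropy_bits(24), 1))
```

A 24-character password over all three classes is well over 100 bits of entropy, which is why a manager-generated password does not need to be memorable or changed on a fixed schedule to stay strong.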

Also, it has a nice “copy and paste” function that allows me to easily place my long and complex usernames and passwords (I emphasize this for the sake of our IT person!!!) into the required dialog boxes.  Consequently, I don’t fret over the length and complexity of my passwords.  If you’re interested in checking out KeePass, feel free to visit their site and see if it might work for you.

As health care professionals, we all know that we have a tremendous responsibility to comply with HIPAA privacy rules and that passwords are a solid part of that process.  Make your life easier by utilizing a password management program.

How do you manage all those usernames and passwords?  Leave a comment and share your experience!

Craig Fukushima, NHA, MBA

Mr. Craig T. Fukushima’s health care experience spans more than 35 years with special expertise in the long term care sector, including implementation of innovative health care projects in domestic and international locations.

One thought on “Passwords – an integral part of HIPAA and Compliance”

  1. Craig, very good points on HIPAA passwords and it’s why Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes. I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant. Everyone needs to be ensuring the safety and security of PHI, it’s really that simple.

    Also, what’s really missing when it comes to healthcare and HIPAA compliance is security awareness training and there’s really no excuse for this. There are actually hundreds of free and cost-effective solutions online, but time and time again, I see Covered Entities and Business Associates failing to implement basic training. As a HIPAA security specialist, it’s somewhat upsetting to see this because something that’s so vital to an organization and that is so easy and cost-effective to obtain is many times never done.