HIPAA password requirements

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996 to establish procedures that ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), that is, protected health information stored or handled on electronic systems. Any organization that creates, receives, maintains, interacts with, stores, or transmits ePHI must adhere to the HIPAA regulations.

HIPAA aims to protect individuals' medical records and other personal health and payment information against unauthorized access, theft, or loss. These mandates are applicable to all healthcare institutions, organizations, and business entities handling ePHI.

Why does HIPAA include password requirements?

A password, the most basic means of securing digital information, is normally the first control organizations use to safeguard ePHI. HIPAA addresses password requirements as part of its regulations to indicate the level of security that organizations should practice to protect ePHI from potential threats. Without unified password mandates, organizations would follow different standards for securing their ePHI, which might leave some data more at risk than other data.

What are the HIPAA password requirements?

The following table explains the HIPAA password and authentication requirements mentioned in the HIPAA Security Rule and how ADSelfService Plus helps your organization comply with them.

HIPAA requirement: Section § 164.308(a)(3)(i)
Requirement description: Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.

HIPAA requirement: Section § 164.308(a)(3)(ii)(B)
Requirement description: Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

How ADSelfService Plus helps meet these two requirements: With ADSelfService Plus, you can configure stringent MFA settings based on AD OUs and groups, ensuring that only authorized users can access sensitive ePHI after successful identity verification. The configured MFA methods block unauthorized users from accessing this information. ADSelfService Plus also allows you to enforce high-assurance MFA methods, such as FIDO passkeys, biometrics, and YubiKey, for high-risk users, i.e., users who have access to ePHI with higher levels of sensitivity.

HIPAA requirement: Section § 164.308(a)(5)(ii)(C)
Requirement description: Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
How ADSelfService Plus helps meet the requirement: ADSelfService Plus provides detailed reports to track user logins to machines and healthcare applications when MFA is enabled. These reports help IT administrators audit users' MFA attempts, along with the timestamp and outcome of each attempt. Based on the outcome, admins can take immediate action if suspicious activity is detected.

HIPAA requirement: Section § 164.308(a)(5)(ii)(D)
Requirement description: Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
How ADSelfService Plus helps meet the requirement: ADSelfService Plus provides strong password policies with settings for password length, special character usage, character repetition, and common pattern restriction. These settings are enforced during every end-user password change and reset action, which is secured using strong MFA methods.

HIPAA requirement: Section § 164.312(d)
Requirement description: Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
How ADSelfService Plus helps meet the requirement: ADSelfService Plus provides strong, adaptive MFA with 20 different authentication factors, including FIDO passkeys and biometrics, to safeguard access to ePHI. It allows you to configure two or more MFA factors, and all configured factors must succeed before access is granted.
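The log-in monitoring row asks for procedures that monitor log-in attempts and report discrepancies. The following is an added illustration of what such a procedure does with an MFA attempt report; it is not ADSelfService Plus code. The record format (timestamp, user, factor, outcome), the failure threshold, the time window and the sample records in SAMPLE_LOG are all constructed for the example.

```python
"""Log-in monitoring over constructed MFA-attempt records.

Added illustration for the log-in monitoring requirement; not ADSelfService
Plus code. The record format (timestamp, user, factor, outcome) and the
thresholds are assumptions, and SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample attempt report, one record per line.
SAMPLE_LOG = """\
2024-03-04T08:01:10 jdoe fido SUCCESS
2024-03-04T08:02:30 asmith push FAILURE
2024-03-04T08:02:45 asmith push FAILURE
2024-03-04T08:03:02 asmith push FAILURE
2024-03-04T08:03:20 asmith push FAILURE
2024-03-04T08:03:40 asmith push FAILURE
2024-03-04T08:03:55 asmith push SUCCESS
2024-03-04T09:15:00 bkumar totp FAILURE
2024-03-04T12:20:00 bkumar totp SUCCESS
"""

FAILURE_THRESHOLD = 5            # assumed: this many failures...
WINDOW = timedelta(minutes=10)   # ...within this window deserves an admin's attention


def parse(log: str) -> list[tuple[datetime, str, str, str]]:
    """Parse one record per line into (timestamp, user, factor, outcome), oldest first."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, factor, outcome = line.split()
        records.append((datetime.fromisoformat(ts), user, factor, outcome))
    return sorted(records)


def summarize(records) -> dict[str, dict]:
    """Per-user attempt report: outcome counts, factors used and time of the last attempt."""
    report = defaultdict(lambda: {"SUCCESS": 0, "FAILURE": 0, "factors": set(), "last": None})
    for ts, user, factor, outcome in records:
        entry = report[user]
        entry[outcome] = entry.get(outcome, 0) + 1
        entry["factors"].add(factor)
        entry["last"] = ts
    return dict(report)


def flag_failure_bursts(records, threshold=FAILURE_THRESHOLD, window=WINDOW) -> dict[str, dict]:
    """Flag users whose failures reached `threshold` inside `window`, and record whether a
    success followed that burst within the window (a pattern to verify with the user)."""
    fails = defaultdict(list)   # recent failure timestamps per user
    burst_open = set()          # users whose current run of failures reached the threshold
    findings = {}
    for ts, user, _factor, outcome in records:
        if outcome == "FAILURE":
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            if len(fails[user]) >= threshold:
                burst_open.add(user)
                findings[user] = {"failures": len(fails[user]), "success_after_burst": False}
        elif outcome == "SUCCESS":
            if user in burst_open and ts - fails[user][-1] <= window:
                findings[user]["success_after_burst"] = True
            burst_open.discard(user)
            fails[user] = []
    return findings


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for user, entry in summarize(recs).items():
        print(user, entry)
    print("flagged:", flag_failure_bursts(recs))
```

Run against the constructed records, the summary shows each user's success and failure counts and the factors they used, and the burst check flags only the account with five failures in under two minutes followed by a success, which is the discrepancy an administrator would review.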

The HIPAA Security Rule has long been a point of debate because it gives no specific details on password complexity and classifies password management as "addressable." This technology-neutral treatment of password management is generally understood to be intentional, leaving room for flexibility as security best practices evolve over time. Many healthcare organizations use passwords as their first, and sometimes only, line of defense against cyberattacks.

Notably, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) looks to the password requirements specified by the National Institute of Standards and Technology (NIST) in Special Publication 800-63B, so it is prudent for healthcare organizations to do the same.

Make your organization HIPAA-compliant with ADSelfService Plus

ADSelfService Plus offers robust password policy and MFA settings to help your organization comply with the HIPAA requirements. You can create a custom password policy that meets HIPAA's requirements and enforce it for all or specific AD users based on their domain, OU, or group memberships. Below are some of the settings that ADSelfService Plus offers:

  1. Ban weak passwords: Block leaked or weak AD passwords, patterns, and palindromes.
  2. Set a custom password length: Enforce longer passwords by specifying the minimum password length.
  3. Enforce password history: Ensure password strength by enforcing password history rules during native password resets in the Active Directory Users and Computers (ADUC) console.
  4. Ensure password complexity: Mandate the use of Unicode characters in passwords in addition to uppercase, lowercase, special, and numeric characters.
  5. Deploy robust MFA: Secure user access to ePHI by enabling MFA for machines, applications, VPNs, RDPs, and OWA. Choose from a range of 20 different MFA authenticators to verify users' identities.
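The password management row of the table and settings 1 to 4 above describe the same family of controls: minimum length, banned or weak passwords and palindromes, password history, repeated characters and common patterns, and character-class complexity. The following is an added illustration of how such a policy is evaluated against a candidate password; it is not ADSelfService Plus code. The thresholds (14 characters, three character classes, a history depth of five), the toy banned list and pattern list, and the sample passwords are constructed for the example.

```python
"""Password policy check modelled on the settings described on this page.

Added illustration, not ADSelfService Plus code. It models minimum length,
a banned/leaked-password list, palindrome and common-pattern rejection, a
limit on consecutively repeated characters, a minimum number of character
classes (including non-ASCII/Unicode), and a password-history check against
salted hashes. Thresholds and sample data are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed toy banned list; a real deployment uses a large breach corpus.
BANNED = {"password", "welcome1", "hospital2024", "qwerty123"}

# Constructed common keyboard/sequence fragments rejected as substrings.
COMMON_PATTERNS = ("1234", "abcd", "qwerty", "asdf")


@dataclass
class PasswordPolicy:
    min_length: int = 14       # assumed minimum; the page fixes no number
    max_repeat: int = 2        # a character may repeat at most this many times in a row
    min_char_classes: int = 3  # out of: lower, upper, digit, ASCII symbol, non-ASCII
    history_depth: int = 5     # how many previous passwords may not be reused


def char_classes(pw: str) -> int:
    """Count the distinct character classes present in the password."""
    checks = (
        lambda c: c.islower(),
        lambda c: c.isupper(),
        lambda c: c.isdigit(),
        lambda c: c.isascii() and not c.isalnum(),  # ASCII symbol
        lambda c: not c.isascii(),                   # Unicode beyond ASCII
    )
    return sum(any(check(c) for c in pw) for check in checks)


def max_consecutive_repeat(pw: str) -> int:
    """Length of the longest run of one repeated character (0 for an empty string)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if prev == cur else 1
        best = max(best, run)
    return best


def hash_for_history(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so stored history entries do not reveal old passwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def remember(pw: str) -> tuple[bytes, bytes]:
    """Produce a (salt, digest) history entry for a password that was just set."""
    salt = os.urandom(16)
    return salt, hash_for_history(pw, salt)


def in_history(pw: str, history) -> bool:
    """Constant-time comparison of the candidate against each stored history entry."""
    return any(hmac.compare_digest(hash_for_history(pw, salt), digest)
               for salt, digest in history)


def evaluate(pw: str, policy: PasswordPolicy, history=()) -> list[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    folded = pw.lower()
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if folded in BANNED:
        problems.append("appears in the banned/leaked password list")
    if len(folded) > 1 and folded == folded[::-1]:
        problems.append("is a palindrome")
    if max_consecutive_repeat(pw) > policy.max_repeat:
        problems.append(f"repeats a character more than {policy.max_repeat} times in a row")
    if any(p in folded for p in COMMON_PATTERNS):
        problems.append("contains a common keyboard or sequence pattern")
    if char_classes(pw) < policy.min_char_classes:
        problems.append(f"uses fewer than {policy.min_char_classes} character classes")
    if in_history(pw, list(history)[-policy.history_depth:]):
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [remember("Old-Winter!Pass2023")]
    for candidate in ("password", "Old-Winter!Pass2023", "Correct-Horse!Battery9"):
        print(candidate, "->", evaluate(candidate, policy, history) or ["accepted"])
```

The history store keeps salted digests rather than the old passwords themselves, so a compromised history table does not hand an attacker the user's earlier choices; every rule is reported rather than stopping at the first failure, which is what a user-facing strength meter needs in order to show all unmet requirements at once.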
Password Policy Enforcer

Satisfy the HIPAA password requirements by configuring the minimum password length and the inclusion of alphanumeric characters in passwords.
Restrict users from reusing their previous passwords during password creation.
Choose the minimum number of complexity requirements your users' passwords should satisfy as per your organization's security needs.

Multi-factor authentication

Satisfy the HIPAA requirements by securing all endpoints in your network using MFA.
Choose from 20 different authenticators to verify your users' identities.

Benefits of using ADSelfService Plus to comply with HIPAA

  1. Increased password security: Enforce passphrases and restrict consecutively repeated characters and common character types from passwords. Enable the password strength meter to give users instant visual feedback on password strength when they change or reset their AD passwords.
  2. Fine-grained flexibility: Create different password policies for different types of users in the organization according to their role and level of access to sensitive data.
  3. Compliance with regulatory standards: Ensure that your organization complies not only with HIPAA standards, but also with NIST SP 800-63B, PCI DSS, Essential Eight, CJIS, SOX, and GDPR compliance mandates.

Highlights

Password self-service

Free Active Directory users from lengthy help desk calls by letting them reset their own passwords and unlock their own accounts. Users can also change their passwords hassle-free through the ADSelfService Plus 'Change Password' console.

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on through ADSelfService Plus, users can access all their cloud applications with their Active Directory credentials.

Password/Account Expiry Notification

Notify Active Directory users of their impending password or account expiry by emailing them expiry notifications.

Password Synchronizer

Automatically synchronize Windows Active Directory user password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries, and more.

Password Policy Enforcer

Ensure strong user passwords that resist common attacks by requiring Active Directory users to choose compliant passwords, with the password complexity requirements displayed to them as they do so.

Directory Self-Update and Corporate Search

A portal that lets Active Directory users update their own information, plus a quick search facility for looking up information about peers using search keys such as the contact number of the person being searched for.
