HIPAA Password Requirements & Policy

Healthcare is a high-value target for attackers because of the sensitivity of the data it holds and its comparatively weak security posture; it has ranked sixth lowest in security performance across industries. Passwords are usually the first line of defence against an intrusion, and a badly chosen password can hand an attacker access to patient data. The Health Insurance Portability and Accountability Act (HIPAA) exists to protect health records against unauthorised access.

HIPAA's Privacy Rule says nothing explicit about user passwords, and the Security Rule, which governs electronic protected health information (ePHI), does not prescribe password composition or length either. What it does require is in the administrative safeguards at 45 CFR §164.308(a)(5)(i): a security awareness and training programme for all members of the workforce. One of that standard's implementation specifications, §164.308(a)(5)(ii)(D) Password management, calls for "procedures for creating, changing, and safeguarding passwords". It is marked addressable rather than required, which means a covered entity must implement it where reasonable and appropriate, or document why not and adopt an equivalent alternative.

HIPAA is deliberately technology-neutral, which makes it feel vague, but healthcare organisations and their business associates remain accountable for every provision. It falls to their IT and security teams to decide which concrete controls satisfy the password-management specification and to document that decision.

Dictionary words and common passwords should be avoided. Dictionary attacks keep working precisely because users keep choosing them, and the simple disguises people add (a trailing year, "@" for "a", "0" for "o") are built into every cracking tool's mangling rules, so they add almost nothing. Screen new passwords against a list of common and previously breached passwords, as NIST SP 800-63B recommends, and prefer long passphrases: aim for 20 characters or more.

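As an added example (not code from the original article), the Python below implements the screening described above in the way NIST SP 800-63B frames it for verifiers: enforce a minimum length, undo attacker-style disguises before comparing against a common-password list, reject organisation- or user-specific words, and check a compromised-password corpus by SHA-1 digest. The word list, the compromised digests, the leet mapping and the clinic name "St Marys" are small constructed samples; a real deployment loads a large corpus. The 20-character minimum follows the article's recommendation.

```python
"""Password screening in the style NIST SP 800-63B recommends for verifiers:
reject candidates that are too short, that reduce to a common dictionary
password once attacker-style disguises are undone, that contain words tied to
the organisation or user, or that appear in a compromised-password corpus.
Added example for this page, not the original author's code; the lists below
are small constructed samples."""

import hashlib
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample of a common-password list.  A real deployment loads a
# large wordlist or breach corpus; a dozen entries suffice to show the
# normalisation step catching disguised variants.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "iloveyou", "dragon",
    "monkey", "football", "admin", "changeme", "hospital", "medical",
}

# Constructed sample of a compromised-password corpus, held as upper-case
# SHA-1 hex like the public breach dumps.  Assumption for the example: the
# corpus is available locally, so no network lookup is involved.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2019!", "Welcome1", "P@ssw0rd")
}

# Substitutions cracking tools apply as "mangling rules"; we undo them before
# the dictionary lookup.  Sample mapping, not exhaustive.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

MIN_LENGTH = 20  # the article's recommendation; NIST's floor for user-chosen secrets is 8


def normalise(candidate: str) -> str:
    """Reduce a password to the dictionary word an attacker would derive it
    from, e.g. 'P@ssw0rd2024!' -> 'password'.  Digits prepended and
    digits/symbols appended are stripped before leet substitution so that
    a trailing '2024' is not itself mangled into letters."""
    s = unicodedata.normalize("NFKC", candidate).lower()
    s = re.sub(r"^\d+|[\W\d_]+$", "", s)
    s = s.translate(LEET_MAP)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def screen_password(candidate: str, context_words=(), min_length: int = MIN_LENGTH) -> Verdict:
    """Return every reason the candidate fails policy (empty list means accepted).
    context_words are organisation- or user-specific terms (hospital name,
    username) that must not appear in the password."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(set(candidate)) < 4:
        reasons.append("too few distinct characters")
    base = normalise(candidate)
    if base in COMMON_PASSWORDS:
        reasons.append(f"derived from common password '{base}'")
    for word in context_words:
        if len(word) >= 4 and word.lower() in base:
            reasons.append(f"contains context word '{word}'")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in COMPROMISED_SHA1:
        reasons.append("appears in compromised-password corpus")
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample submissions from an imaginary clinic ("St Marys").
    for pw in ("P@ssw0rd2024!", "StMarysHospital2024!", "Summer2019!",
               "correct-horse-battery-staple-2024"):
        verdict = screen_password(pw, context_words=("stmarys", "hospital", "jsmith"))
        print(f"{pw!r}: {'accepted' if verdict.ok else 'rejected: ' + '; '.join(verdict.reasons)}")
```

The point of `normalise` is that a blocklist compared by exact string match misses "P@ssw0rd2024!" even though any cracking wordlist generates it from "password" in its first pass; stripping the appended year and undoing the substitutions before the lookup closes that gap. Returning every failing reason at once, rather than the first, lets the user fix the password in one round trip.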

HIPAA does not require password expiration, and NIST (SP 800-63B), the UK NCSC and Microsoft now advise against forcing periodic changes without cause: scheduled rotation pushes users toward predictable variations of the old password and writing them down, which weakens security rather than improving it. Change passwords when there is a reason to. If employees are sharing passwords or posting them on workstations, or if you suspect a password has been compromised, force a change immediately and look for misuse of the account.


Users and healthcare professionals should be trained, which is the (a)(5)(i) requirement in practice. Make sure everyone who handles PHI understands basic password hygiene: change default passwords as soon as a new application or device is provisioned, never share a password with anyone, never reuse a password across systems, and change any password that has been, or may have been, compromised.

