If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.

Complying with HIPAA Policies While it has been established that passwords should be a minimum of 8 characters, include upper and lower case letters, numbers, and special characters, this practice has been challenged in recent years, as has the practice of enforcing changes to passwords regularly.

HIPAA regulations require healthcare entities to enact procedures for creating, changing, and safeguarding passwords, but they don’t specify the details or the required complexity of the passwords. They also recommend that a temporary password be changed on its first use, and enforcing password expiration.

Jo O’Reilly, deputy editor at ProPrivacy.com told Business Insider, “Experts recommend that people should try to update their passwords at least every three months. This ensures that if a password is compromised, the time that a cybercriminal remains inside the hacked account is relatively short.”

Although two-factor authentication is not required for HIPAA, it can help pave the way to HIPAA compliance. The traditional login process with a username and password is insufficient in an increasingly hostile healthcare data environment. Two-factor authentication (2FA) has become increasingly important.

However, single sign-on (SSO) technology can simplify HIPAA compliance, but many solutions are difficult to implement and maintain, causing them to be costly to deploy and manage.

As we’ve demonstrated in this post, password-protected PDF documents are not a sign of HIPAA compliance.