Password security for electronic protected health information (ePHI) is a fundamental part of any HIPAA compliance program, but there is no single right way to implement it. HIPAA allows a great deal of choice in how to secure data with passwords, but one must choose carefully to ensure the information is protected from both casual snooping and sophisticated hacking.
HIPAA password management requirements are quite open-ended, only specifying that one must institute “procedures for creating, changing, and safeguarding passwords,” notes Gary Nelson, healthcare practice leader with Schellman & Company, a security and privacy compliance assessor based in Tampa, FL.
To properly determine sufficiency for password protection, organizations should perform risk assessments for the systems or services that use or house ePHI, Nelson says. While HIPAA itself does not specify minimally defined requirements, the risk assessment could be paired with password or authentication requirements from standards such as NIST, PCI, or HITRUST to help address the HIPAA safeguard and also define what would serve as optimal for the organization.