HIPAA Compliant Passwords

HIPAA was introduced in 1996 to provide security and data privacy guidelines for health care professionals, helping keep patient medical information safe, secure and confidential. With the increase in data theft, especially in the health care field, HIPAA sets out guidelines for creating, changing and protecting passwords.

These regulations were set by HIPAA as part of the administrative safeguards of the HIPAA Security Rule. They sit in the Security Awareness and Training section and state that covered entities must have broad policies and measures for creating, storing and changing passwords.

HIPAA Password Requirements

The HIPAA Security Rule says that health care organizations need to use proper administrative, physical and technical measures to maintain the confidentiality, integrity and security of patients' data. One of the first IT-related requirements listed is “Procedures for creating, changing and safeguarding passwords.”

How to Make Your Passwords HIPAA Compliant

There are many best practices that companies of any size can keep in mind while trying to meet HIPAA password requirements. In fact, HIPAA itself does not lay down any specific codes or guidelines that an organization must have in place to ensure its passwords are safe; however, there are federal regulatory entities that do publish password guidance. NIST (National Institute of Standards and Technology) is one such federal regulatory entity; it sets security regulations on an ongoing basis that spotlight business best practices for companies of all kinds. NIST also regularly issues new guidance on password creation, which serves to keep your information safe.

Below we have listed a few of the measures that you can put in place to keep your passwords in line with NIST and HIPAA requirements.

  • Use a minimum of 8 characters: According to NIST, passwords can be up to 64 characters if the organization is protecting sensitive data.
  • Avoid password hints: Always avoid password hints, as they can seriously compromise the integrity of your passwords.
  • Create memorable passwords: Passwords should be sufficiently unique, but you should not create unnecessarily complicated or obtuse passwords.
  • Vet passwords against a list of common/weak options: According to NIST, passwords should be vetted against a list of common passwords. Examples are “password”, “Hackme”, “Iloveyou”, “1234567” and so on.
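As an added example (not code from the original post), the following Python function applies the measures in the list above at the point where a user chooses a password: an 8-character minimum, a 64-character maximum, a lookup against a common-password list, and a check that the password does not contain context-specific values such as the username. The blocklist is a small constructed sample; a real deployment would load a large breach-derived list.

```python
"""Password policy check reflecting the NIST-style measures listed above.
Added example, not part of the original post."""
import unicodedata
from typing import List, Sequence

MIN_LENGTH = 8
MAX_LENGTH = 64   # the post notes passwords may run up to 64 characters

# Constructed sample of common/weak passwords, stored lower-cased so the
# comparison is case-insensitive ("Hackme" and "hackme" are equally weak).
COMMON_PASSWORDS = frozenset({
    "password", "hackme", "iloveyou", "1234567", "12345678", "qwerty123",
})


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal and
    the length check counts characters rather than bytes."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context: Sequence[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means acceptable.

    `context` holds identifiers (username, clinic name) that should not
    appear inside the password.
    """
    pw = normalize(password)
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    for token in context:
        # Ignore very short tokens, which would trigger on any password.
        if len(token) >= 4 and token.lower() in lowered:
            problems.append(f"contains context-specific value {token!r}")
    # A single repeated character ("aaaaaaaa") passes the length test
    # but is still a weak choice, so reject it explicitly.
    if len(set(lowered)) == 1:
        problems.append("consists of a single repeated character")
    return problems
```

Rejecting a password with reasons, rather than silently accepting it, lets the user pick a compliant one without the help of password hints.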
According to HIPAA, user data security is very important, and that is why health care companies should have a strong password policy in place that not only secures data but also enforces good security practice.


© All Right Reserved by HIPAA Data Retention