Passwords and Passphrases

Why Does It Matter?

The Administrative Safeguards of the HIPAA Security Rule require Covered Entities (CEs) and Business Associates (BAs) to:

Implement procedures for creating, changing and safeguarding passwords [For details see: Security Awareness and Training, §164.308(a)(5)].

Make sure you create and regularly use strong passwords (i.e., usually 10 characters or more, including uppercase and lowercase letters, numbers, and special characters like #$&*).

When creating your passwords, consider using unique “passphrases,” sentences that may be easier to remember than a very complex password (e.g. “I got A new bike for my 8th birthday!” would be ItAwkry8b!).

Do NOT use passwords or phrases that would be easy to guess, such as a pet’s name or your birth date.

This might surprise you, but some actually fell for it:

Password Signup Sheet

Maintaining strong and unique passwords will decrease the risk of password guessing based on commonly used passwords, information about you that might be publicly available, or the password cracking tools that hackers use.
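The rules above (10 or more characters, all four character classes, nothing commonly used, nothing drawn from personal details such as a pet's name or birth date) can be turned into a simple check that runs before a password is accepted. The following is an added example, not code from the newsletter; the denylist of common passwords and the lookalike-substitution table are constructed samples standing in for the much larger breached-password lists a real deployment would use, and the personal-information terms are supplied by the caller as assumed input.

```python
import string

# Policy values taken from the newsletter: 10+ characters and all four
# character classes (uppercase, lowercase, digits, special characters).
MIN_LENGTH = 10

# Constructed sample denylist. A real deployment would load a large list of
# commonly used / breached passwords instead of this handful.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "football",
}

# Lookalike substitutions undone before the denylist check, so that
# "P@ssw0rd" is recognised as a dressed-up "password". Constructed sample.
LEET_MAP = str.maketrans({
    "@": "a", "0": "o", "1": "l", "!": "i", "$": "s",
    "3": "e", "4": "a", "5": "s", "7": "t",
})


def character_classes(password: str) -> set[str]:
    """Return which of the four classes (lower, upper, digit, special) occur."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def normalise(password: str) -> str:
    """Strip trailing digits/punctuation, undo lookalikes, lower-case.

    This catches the usual ways a common password is padded to satisfy a
    complexity rule, e.g. "Password123!" -> "password".
    """
    base = password.rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP).lower()


def check_password(password: str, personal_terms: tuple[str, ...] = ()) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms is an assumed caller-supplied tuple of strings that are easy
    to guess for this user (pet name, birth year, user name, ...).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "special"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("based on a commonly used password")
    lowered = password.lower()
    for term in personal_terms:
        # Ignore very short terms, which would match almost anything.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains easily guessed personal information: {term!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the first is the newsletter's own passphrase example.
    samples = [
        ("ItAwkry8b!", ()),
        ("P@ssw0rd", ()),
        ("Fluffy2015!!", ("Fluffy", "2015")),
        ("correcthorsebatterystaple", ()),
    ]
    for pw, terms in samples:
        result = check_password(pw, terms)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The newsletter's own passphrase-derived password passes every rule, while a lookalike-substituted dictionary word fails both the length and denylist checks even though it contains all four character classes. In practice the denylist check is the one that matters most against automated guessing, because attackers try padded variants of common words long before they try anything random.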

Are You Using the Same Password for All Users?

Does the HIPAA Security Rule permit a CE or BA to assign the same log-on ID or user ID to multiple employees?

Under the HIPAA Security Rule, CEs and BAs, regardless of their size, are required under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.”

A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the HIPAA Security Rule requires CEs and BAs to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (ePHI), so that system access and activity can be identified and tracked by user.

This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

In recent years, the healthcare sector has been one of the biggest targets of cybercrime, with many breaches resulting from weak authentication.

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility.

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy!

Why are you leaving yourself wide open to such risks?

For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.