How to Comply with HIPAA Password Requirements

HIPAA stands for the Health Insurance Portability and Accountability Act. It was first introduced in the U.S. in 1996 with the purpose of protecting individuals' protected health information (PHI).

The law states that health care organizations, covered entities and business associates must keep patients' medical information safe, secure and confidential. In a digital world where nearly all information is stored online, HIPAA sets out guidelines for creating, changing, and protecting passwords.

These regulations are part of the administrative safeguards of the HIPAA Security Rule. HIPAA password requirements are an important part of keeping sensitive health data safe and avoiding HIPAA fines.

HIPAA Password Requirements

The HIPAA Security Rule requires that health care organizations, covered entities and business associates use administrative, physical and technical measures to maintain the confidentiality, integrity and security of patient data. HIPAA password requirements fall under the administrative requirements of the HIPAA Security Rule, which requires covered entities to keep PHI and electronic PHI (ePHI) secure.

How to Make Your Passwords HIPAA Compliant

HIPAA does not lay down specific guidelines that covered entities or business associates must follow to ensure their passwords are safe and secure, but other federal entities do publish password guidance. NIST (National Institute of Standards and Technology) is one such federal entity; it publishes security guidance on an ongoing basis that captures best practices for organizations of all kinds. NIST also regularly issues updated guidelines on password creation, which serve to keep your information safe.

Below we have listed a few of the measures you can put in place to align your password practices with NIST and HIPAA requirements.

  • Use a minimum of 8 characters: According to NIST, systems should accept passwords of up to 64 characters, and longer passwords are advisable when an organization is protecting sensitive data.
  • Avoid using password hints: NIST suggests you should entirely avoid password hints because they can seriously compromise the integrity of your passwords.
  • Create memorable passwords: NIST no longer recommends forcing complicated passwords. It still says passwords should be unique, but a long, memorable password is the more secure approach.
  • Vet passwords against a list of weak options: According to NIST, candidate passwords should be checked against a list of commonly used or previously compromised passwords and rejected if they appear on it.
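The four measures above can be enforced at enrollment time. The following is an added example, not code from the original article or from NIST: it checks the length bounds (8 to 64 characters), applies no composition rules so memorable passphrases pass, rejects entries found on a blocklist, and stores only a salted hash with no hint field. The blocklist is a constructed sample, and the `context_words` check (rejecting the username or organization name) is an addition beyond the article's list.

```python
"""Password policy check modelled on the NIST measures listed above.

Added example, not part of the original article. COMMON_PASSWORDS is a
constructed sample; a real deployment loads a large leaked-password list.
"""
import hashlib
import os
import unicodedata

MIN_LENGTH = 8    # minimum length for a user-chosen password
MAX_LENGTH = 64   # the system must accept at least this many characters

# Constructed sample blocklist (lower-case); production uses a large list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
}


def normalize(secret: str) -> str:
    """Apply one Unicode normalization before checking and hashing, so the
    same characters typed on different devices compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, context_words=()) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    No character-class rules are applied: length and the blocklist decide.
    `context_words` (e.g. the username) is an assumption beyond the article.
    """
    secret = normalize(secret)
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = secret.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    return problems


def enroll(secret: str, context_words=()) -> dict:
    """Validate, then return a record holding only a salted scrypt hash.
    The record deliberately has no 'hint' field (hints are not stored)."""
    problems = check_password(secret, context_words)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(secret).encode(), salt=salt,
                            n=2 ** 14, r=8, p=1)
    return {"salt": salt.hex(), "hash": digest.hex()}
```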

With a few easy steps you can start to develop a HIPAA compliance program in your practice, all while addressing your HIPAA password requirements.