The concern about password sharing stems from a 2017 survey in which 73% of healthcare professionals admitted to having used a colleague's login credentials to access medical data. Most of those respondents were students or interns who had not yet been issued credentials of their own, but the fact that established staff were lending theirs illustrates poor password hygiene. In the United States this laxity is also a regulatory problem. The Technical Safeguards of the HIPAA Security Rule (45 CFR § 164.312) require Covered Entities to assign a unique name or number to each user so that their activity can be identified and tracked, and to implement procedures that verify the identity of any person or entity seeking access to ePHI. Sharing credentials defeats both requirements: once two people use one account, the audit trail no longer shows who actually viewed or changed a record, and anyone holding the credentials, whatever their role, can reach ePHI they were never authorized to see.
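The practical consequence of the unique-user-identification requirement is that credential sharing leaves a detectable trace in the access log: one user ID active on two workstations at the same time. The following is an added example (not code from the original article or from any EHR vendor) that scans a constructed, simplified audit log for exactly that pattern. The log format, user IDs, workstation names and event names are assumptions for the example; real EHR audit formats differ, but the overlap logic is the same.

```python
from datetime import datetime

# Constructed sample EHR audit log (fabricated for this example, not real data).
# Fields: ISO-8601 timestamp, user ID, workstation, event, optional extra fields.
SAMPLE_LOG = """\
2024-03-04T08:00:12 u1042 WS-ICU-01 LOGIN
2024-03-04T08:03:40 u1042 WS-ICU-01 VIEW_CHART pt=P-2291
2024-03-04T08:05:02 u1042 WS-ER-07 LOGIN
2024-03-04T08:05:30 u1042 WS-ER-07 VIEW_CHART pt=P-8810
2024-03-04T08:20:00 u1042 WS-ICU-01 LOGOUT
2024-03-04T08:31:00 u1042 WS-ER-07 LOGOUT
2024-03-04T09:00:00 u2077 WS-LAB-02 LOGIN
2024-03-04T09:45:00 u2077 WS-LAB-02 LOGOUT
2024-03-04T09:50:00 u2077 WS-LAB-03 LOGIN
2024-03-04T10:10:00 u2077 WS-LAB-03 LOGOUT
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines rather than crash on them
        ts, user, ws, event = parts[:4]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ws": ws,
            "event": event,
            "extra": parts[4:],
        })
    events.sort(key=lambda e: e["ts"])  # logs are often appended out of order
    return events


def find_concurrent_sessions(events):
    """Flag every LOGIN by a user who still has an open session on a different workstation.

    A single person cannot be at two workstations at once, so an overlap like this
    is the classic signature of a shared account and breaks the audit trail HIPAA
    relies on to attribute ePHI access to one individual.
    """
    open_sessions = {}  # user -> {workstation: login timestamp}
    findings = []
    for e in events:
        sessions = open_sessions.setdefault(e["user"], {})
        if e["event"] == "LOGIN":
            others = sorted(ws for ws in sessions if ws != e["ws"])
            if others:
                findings.append({
                    "user": e["user"],
                    "at": e["ts"].isoformat(),
                    "new_ws": e["ws"],
                    "already_open_on": others,
                })
            sessions[e["ws"]] = e["ts"]  # a repeat LOGIN on the same workstation just refreshes it
        elif e["event"] == "LOGOUT":
            sessions.pop(e["ws"], None)  # tolerate a LOGOUT with no matching LOGIN
    return findings


def detect_from_text(text):
    """Convenience wrapper: raw log text in, list of findings out."""
    return find_concurrent_sessions(parse_log(text))


if __name__ == "__main__":
    for f in detect_from_text(SAMPLE_LOG):
        print(f"{f['at']}: {f['user']} logged in on {f['new_ws']} "
              f"while still active on {', '.join(f['already_open_on'])}")
```

In the sample, u1042 is flagged at 08:05:02 (still active on WS-ICU-01 when a second login arrives from WS-ER-07), while u2077's back-to-back sessions on two lab workstations are not, because the first was closed before the second opened. In production you would also want to treat sessions that never log out as open only until an idle timeout, otherwise a forgotten session would generate false positives all day.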
Because the HIPAA Security Rule is technology neutral, it says little about passwords directly. They are mentioned only in the Administrative Safeguards, under the Security Awareness and Training standard (45 CFR § 164.308(a)(5)), whose password management implementation specification requires Covered Entities to have procedures for creating, changing, and safeguarding passwords. The duty to safeguard a password strongly implies that it is not to be shared, and read together with the Technical Safeguards above, sharing a password that unlocks electronic Protected Health Information (ePHI) is a clear violation of HIPAA. There are, however, situations in a healthcare facility where a shared credential is legitimate: a marketing team may need common access to a corporate social media account, for example. In such cases the credential should live in a password manager that grants each team member access under their own identity, so that it can be rotated and individual access revoked when someone leaves, rather than being passed around in email or on sticky notes. Under no circumstances, though, does HIPAA permit sharing passwords that give access to ePHI.
A recent survey of U.S. hospitals examined how many offer proxy accounts to caregivers, allowing them to access a patient's information without the patient handing over a password. Proxy accounts are meant to support the caregiver's role while addressing privacy concerns. The survey found that 68% of hospitals currently offer proxy accounts, but only 19% of those with the capability provide controls that let patients restrict what a caregiver can see. Without such controls a caregiver's access is all or nothing, which increases the risk of data breaches, identity fraud, and miscommunication between healthcare professionals and caregivers. It is worth noting that HIPAA's prohibition on credential sharing is aimed at a Covered Entity's workforce; when a patient chooses to give a caregiver their own portal password, the patient is consenting to disclose their own information, so that act is not in itself a HIPAA violation. Nonetheless, healthcare organizations should prioritize the security of patient portals, offer scoped proxy access so patients are not pushed into sharing passwords, and develop HIPAA-compliant policies regarding password sharing.
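The patient-side controls the survey found missing in most hospitals amount to a small authorization layer: the patient delegates specific categories of their record to a named caregiver, optionally until a date, and every caregiver action is logged under the caregiver's own identity rather than the patient's. The following is an added example (not code from the original article or from any portal product) of such a layer. The scope names, IDs and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical record categories a patient may delegate (names assumed for this example).
SCOPES = frozenset({"appointments", "medications", "test_results", "billing", "clinical_notes"})


@dataclass(frozen=True)
class ProxyGrant:
    patient_id: str
    caregiver_id: str
    scopes: FrozenSet[str]
    expires_at: Optional[datetime]  # None means the grant does not expire


class ProxyAuthorizer:
    """Decides whether a caregiver may read one category of a patient's portal data.

    The patient sets the limits (scopes and expiry) and can revoke at any time; the
    caregiver never receives the patient's password, and each decision is audited
    under the caregiver's own ID, which preserves the unique-user audit trail.
    """

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], ProxyGrant] = {}
        self.audit: List[dict] = []

    def grant(self, patient_id, caregiver_id, scopes, expires_at=None):
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        self._grants[(patient_id, caregiver_id)] = ProxyGrant(
            patient_id, caregiver_id, frozenset(scopes), expires_at)

    def revoke(self, patient_id, caregiver_id):
        self._grants.pop((patient_id, caregiver_id), None)

    def check(self, caregiver_id, patient_id, scope, now):
        """Return True if access is allowed; always append an audit entry."""
        grant = self._grants.get((patient_id, caregiver_id))
        if grant is None:
            reason = "no grant"
        elif grant.expires_at is not None and now >= grant.expires_at:
            reason = "grant expired"
        elif scope not in grant.scopes:
            reason = "scope not delegated"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self.audit.append({
            "at": now.isoformat(),
            "actor": caregiver_id,   # the caregiver, never the patient, is the recorded actor
            "patient": patient_id,
            "scope": scope,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed


def demo():
    """Constructed scenario: a patient delegates two scopes for 30 days, then revokes."""
    auth = ProxyAuthorizer()
    t0 = datetime(2024, 3, 4, 9, 0)
    auth.grant("P-2291", "CG-17", {"appointments", "medications"},
               expires_at=t0 + timedelta(days=30))
    results = {
        "in_scope": auth.check("CG-17", "P-2291", "appointments", t0),
        "out_of_scope": auth.check("CG-17", "P-2291", "clinical_notes", t0),
        "expired": auth.check("CG-17", "P-2291", "appointments", t0 + timedelta(days=31)),
        "no_grant": auth.check("CG-99", "P-2291", "appointments", t0),
    }
    auth.revoke("P-2291", "CG-17")
    results["after_revoke"] = auth.check("CG-17", "P-2291", "appointments", t0)
    results["audit"] = auth.audit
    return results


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The deny-by-default ordering in `check` matters: a missing grant, an expired grant and an undelegated scope are each refused with a distinct reason, so the audit log can later answer not only who accessed what but why an attempt was blocked.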