The Real Talk article series includes real customer questions and our answers. Since these are questions directly from actual clinics, practices, hospitals, and businesses, we thought you might have these questions too. We hope that you find this format helpful. Stay tuned for more Real Talk - your question might even be featured!
Question: What are the HIPAA rules on password sharing?
Answer: Password sharing for systems that contain protected health information (PHI) is not permitted under HIPAA. This is addressed under the regulation for Security Awareness and Training 164.308(a)(5).
There are two implementation specifications here that are relevant:
- Log in monitoring which states that you have a procedure for monitoring log-in attempts and reporting discrepancies. Account and password sharing would be in violation of this specification; and
- Password management which outlines procedures for creating, changing, and safeguarding passwords. Sharing passwords would be in violation of this specification.
Read more on this here: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf