HIPAA password policy

HIPAA and your password policy – are you compliant?

HIPAA and your password.

Thanks to NIST, who in 2017 changed their recommended password policy in publication 800-63B, the change/do not change debate has been ongoing. If you aren't familiar with the publication, here's a short news video about it - https://www.cbsnews.com/news/bill-burr-passwords-guidance/

The problem with 90-day password change requirements is that we tend to create simple passwords and make only minor changes when a change is required. Consequently, if the previous password had been compromised, there was a strong likelihood the new one would be as well. The current NIST guidance is that passwords should only be changed when there is evidence of compromise. Our take, as regular readers know, is that your organization should use password managers, and that complex passwords, changed periodically, should be generated and stored in them.
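As an added example (not part of the original reminder), here is a change-time check in Python that rejects a new password which is only a minor edit of the current one, the behaviour the paragraph above describes. The normalization rules and the two-edit threshold are assumptions; the current password is available only because a change-password flow asks the user for it, so no old passwords need to be stored in recoverable form.

```python
import re
from typing import Tuple

# Constructed example: reject "rotation tricks" such as Winter2023! -> Winter2024!
# Assumed leet-style substitutions users commonly apply when forced to rotate.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Collapse case, leading/trailing counters and symbols, then leet-speak."""
    core = password.lower()
    core = re.sub(r"[\d\W_]+$", "", core)  # strip trailing counters like 2023!
    core = re.sub(r"^[\d\W_]+", "", core)  # and leading ones
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> Tuple[bool, str]:
    """Return (rejected, reason) for a proposed change from old to new."""
    if old == new:
        return True, "new password is identical to the current one"
    n_old, n_new = normalize(old), normalize(new)
    if not n_old or not n_new:  # all-digit/symbol passwords: compare raw text
        n_old, n_new = old.lower(), new.lower()
    if n_old == n_new:
        return True, "new password only changes case, digits, or symbols"
    if n_old in n_new or n_new in n_old:
        return True, "new password contains the current password"
    if edit_distance(n_old, n_new) <= max_distance:
        return True, f"new password is within {max_distance} edits of the current one"
    return False, "ok"
```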

See our past reminders where we discuss password manager options by visiting our website or asking our team to forward you a copy.

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.

