Before jumping into the HIPAA arena, let's begin by stating these foundational security principles:
- Deny access by default.
- Only give access to those with a demonstrated need to know.
As the second sentence of your question states that all employees have access to HIPAA-sensitive information, the first step in this process is to examine whether that is necessarily the case.
Essentially, going back to the foundational principles I noted above, my question is: Why do all these employees need access to HIPAA-sensitive information? Secondly, if they do, what are the policies, procedures and expectations for the employees surrounding their access to this information? In other words, how can you be sure you are protecting the company from any abuse of this access by way of administrative, logical and physical controls?
Back to your question, I would need to have a better understanding of the surrounding circumstances. For instance, your Active Directory program definitely maintains domain usernames for all users, so part of the information in question is already stored.
So, the question becomes: Why is there a need to store user passwords? If an employee forgets his or her password, there should be an established process to allow for controlled reset, rather than a spreadsheet of sensitive credentials.
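What a controlled reset can look like in practice, as an added example that is not part of the original answer: a PowerShell script, assuming the RSAT ActiveDirectory module, an operator account with reset rights, and a placeholder audit-log path, that resets the account, forces a password change at next logon, and records who did it and why without ever storing the password.

```powershell
# Added example (not from the original answer): controlled Active Directory
# password reset that leaves no stored copy of the credential.
# Assumes the ActiveDirectory module (RSAT) and an account with reset rights.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][string]$TicketId   # help-desk ticket justifying the reset
)
Import-Module ActiveDirectory

# Generate a random one-time password in memory only; it is never written to disk.
$bytes = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword   = [Convert]::ToBase64String($bytes)
$securePassword = ConvertTo-SecureString $tempPassword -AsPlainText -Force

# Reset, unlock, and require the user to choose a new password at next logon,
# so the help-desk agent's knowledge of the temporary value expires immediately.
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $securePassword
Unlock-ADAccount      -Identity $SamAccountName
Set-ADUser            -Identity $SamAccountName -ChangePasswordAtLogon $true

# Audit trail records who reset which account, when, and under which ticket;
# the password itself is deliberately not logged. Path is a placeholder.
$entry = "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $env:USERNAME, $SamAccountName, $TicketId
Add-Content -Path '\\fileserver\audit\password-resets.log' -Value $entry

# Communicate the temporary password to the identity-verified user out of band,
# then discard it from the session.
Write-Output $tempPassword
Remove-Variable tempPassword, securePassword
```

The point is that nothing persistent (spreadsheet, ticket note, log) ever contains a username/password pair; the audit log proves the reset happened without becoming a credential store.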
So, I'm not sure that collecting the passwords and usernames is necessarily a violation of HIPAA; however, when considering HIPAA password policy best practices, having username/password combinations stored together could be a violation, or could lead to a violation if such information fell into the wrong hands. This should be reviewed immediately by your security officer and possibly by legal counsel (i.e., your expert HIPAA attorney).
This was first published in March 2010