Ask the Expert

HIPAA password policy: Managing Windows stored usernames and passwords

Would a decision to collect and store Windows domain usernames and passwords of all employees (IT inclusive) in a company bound by HIPAA regulations constitute a potential violation of those regulations? All employees have access to HIPAA-sensitive information.


Before jumping into the HIPAA arena, let's begin by stating these foundational security principles:

  1. Deny access by default.

  2. Only give access to those with a demonstrated need to know.

As the second sentence of your question states that all employees have access to HIPAA-sensitive information, the first step in this process is to examine if that is necessarily the case.

Essentially, going back to the foundational principles I noted above, my question is: Why do all these employees need access to HIPAA-sensitive information? Secondly, if they do, what are the policies, procedures and expectations for the employees surrounding their access to this information? Essentially, how can you be sure you are protecting the company from any abuse of this access by way of administrative, logical and physical controls?

Back to your question, I would need to have a better understanding of the surrounding circumstances. For instance, your Active Directory program definitely maintains domain usernames for all users, so part of the information in question is already stored.

So, the question becomes: Why is there a need to store user passwords? If an employee forgets his or her password, there should be an established process to allow for controlled reset, rather than a spreadsheet of sensitive credentials.

So, I'm not sure that collecting the passwords and usernames is necessarily a violation of HIPAA; however, when considering HIPAA password policy best practices, having username/password combinations stored together could be a violation, or could lead to a violation if such information fell into the wrong hands. This should be reviewed immediately by your security officer and possibly by legal counsel (i.e., your expert HIPAA attorney).

This was first published in March 2010
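As an added illustration of the controlled-reset process the answer recommends (example code, not part of the original Q&A or any vendor's tooling), here is a PowerShell help-desk routine that resets a domain account to a one-time temporary password without anyone needing to know or record the user's existing password. It assumes the RSAT ActiveDirectory module and an operator delegated the reset-password right on the target OU; the audit log path and ticket parameter are hypothetical.

```powershell
# Added example (not from the original Q&A): controlled help-desk password reset
# for a Windows domain account, in place of keeping a list of user passwords.
# Assumes the ActiveDirectory module (RSAT) and a delegated "Reset password" right.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Exactly 64 symbols (ambiguous I/O/l/i omitted), so a byte modulo 64 is uniform.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*+-'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()  # CSPRNG, not Get-Random
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-UserPasswordControlled {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId,                       # help-desk ticket that authorised the reset (hypothetical)
        [string]$AuditLog = 'C:\SecAudit\password-resets.log'          # hypothetical audit log path
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    $temp   = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force

    # Reset (not change): the current password is never needed, so the help desk
    # has no reason to know or store it.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }

    # The temporary password is single-use: the user must replace it at next logon.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Record who reset which account, when and under which ticket. The password itself is NOT logged.
    $entry = '{0:o} operator={1} target={2} ticket={3} action=reset-forced-change' -f `
        (Get-Date), $env:USERNAME, $user.SamAccountName, $TicketId
    Add-Content -Path $AuditLog -Value $entry

    # Deliver the temporary password to the identity-verified caller out of band, then discard it.
    return $temp
}

# Usage (constructed sample values):
# Reset-UserPasswordControlled -SamAccountName 'jdoe' -TicketId 'HD-12345'
```

The reset right can be delegated on a specific OU so help-desk staff can perform this without domain-admin privileges, and the audit line gives the security officer a record to review without any credential ever being written down.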
