
HIPAA password policy: Managing Windows stored usernames and passwords

Under HIPAA, is it allowable to store Windows usernames and passwords? In this expert response, Ernie Hayden discusses managing access for companies that must be HIPAA compliant.

Would a decision to collect and store Windows domain usernames and passwords of all employees (IT inclusive) in a company bound by HIPAA regulations constitute a potential violation of those regulations? All employees have access to HIPAA-sensitive information.

Before jumping into the HIPAA arena, let's begin by stating these foundational security principles:

  1. Deny access by default.
  2. Only give access to those with a demonstrated need to know.

As the second sentence of your question states that all employees have access to HIPAA-sensitive information, the first step in this process is to examine if that is necessarily the case.

Essentially, going back to the foundational principles I noted above, my question is: Why do all these employees need access to HIPAA-sensitive information? Secondly, if they do, what are the policies, procedures and expectations for the employees surrounding their access to this information? Essentially, how can you be sure you are protecting the company from any abuse of this access by way of administrative, logical and physical controls?

Back to your question, I would need to have a better understanding of the surrounding circumstances. For instance, your Active Directory program definitely maintains domain usernames for all users, so part of the information in question is already stored.

So, the question becomes: Why is there a need to store user passwords? If an employee forgets his or her password, there should be an established process to allow for controlled reset, rather than a spreadsheet of sensitive credentials.

So, I'm not sure that collecting the passwords and usernames is necessarily a violation of HIPAA; however, when considering HIPAA password policy best practices, having username/password combinations stored together could be a violation, or could lead to a violation if such information fell into the wrong hands. This should be reviewed immediately by your security officer and possibly by legal counsel (i.e., your expert HIPAA attorney).
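The controlled reset process the answer recommends, as an added example that is not part of the original Q&A or the expert's own material: a help-desk PowerShell helper for Active Directory that generates a one-time password from a cryptographically secure RNG, sets it with "must change at next logon", unlocks the account if needed and writes an audit line, while never writing the password anywhere. It assumes the RSAT ActiveDirectory module is installed, that the help-desk account holds only the delegated "Reset password" right on the relevant OU (not full admin), and that the log path `C:\Logs\password-resets.log` and the `$TicketId` parameter are placeholders for your own ticketing and logging conventions.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original page): controlled AD password reset that stores nothing.

function New-OneTimePassword {
    param([int]$Length = 16)
    # 64-character alphabet (ambiguous glyphs such as I, O, l, 0, 1 removed), so that
    # "byte AND 63" maps 256 random byte values evenly onto the alphabet with no modulo bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*+-'
    $bytes = New-Object byte[] $Length
    # Use the CSPRNG rather than Get-Random, which is not suitable for secrets.
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

function Reset-HelpDeskPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Ticket that records how the requester's identity was verified (assumed convention).
        [Parameter(Mandatory)][string]$TicketId,
        [string]$AuditLog = 'C:\Logs\password-resets.log'   # assumed path
    )

    $user   = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    $temp   = New-OneTimePassword
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force

    # -Reset sets the password without knowing the old one; the delegated right needed for
    # this is "Reset password" on the OU, not domain admin.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    # Force the user to replace the temporary password immediately, so the help desk never
    # holds a working long-term credential.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }

    # Audit who reset whom, when and against which ticket. The password itself is never logged.
    $entry = '{0} reset_by={1} target={2} ticket={3}' -f (Get-Date -Format o), $env:USERNAME, $SamAccountName, $TicketId
    Add-Content -Path $AuditLog -Value $entry

    # Hand the one-time value to the verified requester over a separate channel (phone, in person),
    # not by writing it into the ticket or a shared spreadsheet.
    return $temp
}

# Usage (help-desk operator, after identity verification is recorded in the ticket):
# Reset-HelpDeskPassword -SamAccountName 'jdoe' -TicketId 'HD-12345'
```

The design point is that nothing in this flow requires the organisation to hold anyone's password: Active Directory already stores the credential in hashed form, the temporary value lives only for the seconds between generation and delivery, and the audit log gives the security officer the accountability record that a credential spreadsheet never could.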

This was last published in March 2010
