
HIPAA - Password Management 164.308(a)(5)(ii)(D)

Overview:
Procedures for creating, changing, and safeguarding passwords. This is an addressable implementation specification under the Security Awareness and Training standard, 164.308(a)(5).


Action Items:
1) Obtain and review the password management procedures and the training (or other vehicle) that covers creating, changing, and safeguarding passwords. Elements to review may include, but are not limited to:
- Workforce members' roles and responsibilities in the procedures for creating, changing, and safeguarding passwords
- How passwords should be created, changed, and safeguarded
- Action(s) to be taken in response to a compromised password or other authentication credential
2) Obtain and review documentation demonstrating that procedures for creating, changing, and safeguarding passwords are in place. Evaluate and determine whether the procedures actually in place match the procedures described in the training material.
3) Obtain and review documentation identifying which workforce members and role types should be trained on creating, changing, and safeguarding passwords. Obtain and review documentation of the workforce members who were actually trained on these procedures. Evaluate and determine whether the appropriate workforce members are being trained.


Related Documents:
1) Password management procedures and training (or other vehicle) for creating, changing, and safeguarding passwords.
2) Documentation demonstrating that procedures for creating, changing, and safeguarding passwords are in place.
3) Documentation identifying which workforce members and role types should be trained on creating, changing, and safeguarding passwords, and records of who was trained.


Additional Guidance:
In addition to issuing a password for access, entities must ensure that workforce members are trained on how to safeguard it. Covered entities must train all users and establish guidelines for creating passwords and for changing them, whether on a periodic change cycle or in response to a suspected compromise. Note that the Security Rule itself does not prescribe a rotation interval or a complexity scheme; current NIST guidance (SP 800-63B) favors screening new passwords against known-compromised lists and changing them when there is evidence of compromise, rather than forcing arbitrary periodic changes, so the entity's documented procedure should state which approach it has chosen and why.


Sample questions for covered entities to consider:
- Are there policies in place that prevent workforce members from sharing passwords with others?
- Is the workforce advised to commit their passwords to memory, or to keep them only in an approved password manager?
- Are common-sense precautions taken, such as not writing passwords down and leaving them in areas that are visible or accessible to others?
- Do workforce members know whom to notify, and what to do, when they suspect a password has been compromised?