The Health Insurance Portability and Accountability Act (HIPAA) was passed by the US Congress in 1996. Its Security Rule (45 CFR Part 164, Subpart C) requires safeguards that ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), that is, protected health information that is created, received, maintained, or transmitted in electronic form. Any organization that creates, receives, maintains, or transmits ePHI must comply with the HIPAA regulations.
HIPAA aims to protect individuals' medical records and other personal health and payment information against unauthorized access, theft, or loss. Its mandates apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to the business associates that handle ePHI on their behalf.
A password is the most basic control for securing digital information, and it is what most organizations rely on to safeguard ePHI. HIPAA therefore addresses password management as part of its regulations, setting the level of security that organizations should practice to protect ePHI from potential threats. Without a common password mandate, each organization would follow its own standard for securing ePHI, leaving some data more exposed than other data.
45 CFR § 164.308(a)(5)(ii)(D) of the HIPAA Security Rule, an implementation specification under the Security Awareness and Training standard, requires organizations to have:
Procedures for creating, changing, and safeguarding passwords [Password management (addressable implementation specification)].
This part of the HIPAA Security Rule has long been a point of debate, because it gives no specific details on password complexity and marks password management as "addressable." Addressable does not mean optional: an organization must assess whether the specification is reasonable and appropriate in its environment and implement it if so; otherwise it must document why not and implement an equivalent alternative measure. The technology-neutral wording is generally understood to be intentional, giving organizations flexibility as password best practices evolve. Many healthcare organizations use passwords as their first, and sometimes only, line of defense against cyberattacks.
Notably, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) refers to National Institute of Standards and Technology (NIST) guidance, so it is prudent for healthcare organizations to do the same. A NIST-compliant password should:
ADSelfService Plus offers advanced password policy settings that help your organization meet the requirements above. You can create a custom password policy that satisfies HIPAA's requirements and enforce it on all Active Directory users or on specific users selected by domain, OU, or group membership. Below are some of the settings that the ADSelfService Plus password policy enforcer offers:
Free Active Directory users from lengthy help desk calls by letting them reset their own passwords and unlock their own accounts. The ADSelfService Plus 'Change Password' console gives Active Directory users a hassle-free password change.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials, thanks to ADSelfService Plus.
Notify Active Directory users of their impending password or account expiry by emailing them password and account expiry notifications.
Automatically synchronize Windows Active Directory user password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries, and more.
Ensure strong user passwords that resist common attacks: ADSelfService Plus requires Active Directory users to choose compliant passwords and displays the password complexity requirements while they do so.
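The Security Rule requirement quoted above (procedures for creating, changing, and safeguarding passwords) and the group-scoped policy enforcement described above can also be implemented and audited with Active Directory's native Fine-Grained Password Policy (FGPP) mechanism. The following PowerShell script is an added example written for this page; it is not ADSelfService Plus code and does not show that product's settings. The domain, the group name `ePHI-Users`, the policy name `HIPAA-ePHI-Users`, and every numeric threshold are assumptions for illustration; choose your own values from NIST SP 800-63B and your organization's risk analysis. It must run as a domain administrator with the ActiveDirectory module installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of ADSelfService Plus or the original page.
# Creates or updates a Fine-Grained Password Policy for the ePHI user group,
# then audits the group for accounts that escape the policy.
Import-Module ActiveDirectory

$PolicyName  = 'HIPAA-ePHI-Users'   # assumed policy name
$TargetGroup = 'ePHI-Users'         # assumed global security group holding ePHI users

# --- 1. Create or update the policy -------------------------------------------
# FGPPs apply to users and global security groups, not to OUs. To scope by OU,
# add that OU's users to a group, or tighten the default domain policy instead.
$settings = @{
    MinPasswordLength               = 14           # assumed; length beats composition rules
    ComplexityEnabled               = $false       # NIST 800-63B discourages composition rules
    PasswordHistoryCount            = 24
    MinPasswordAge                  = [TimeSpan]::FromDays(1)
    MaxPasswordAge                  = [TimeSpan]::FromDays(365)  # assumed; NIST discourages frequent forced rotation
    LockoutThreshold                = 10
    LockoutObservationWindow        = [TimeSpan]::FromMinutes(30)
    LockoutDuration                 = [TimeSpan]::FromMinutes(30)
    ReversibleEncryptionEnabled     = $false       # never store ePHI-user passwords reversibly
    ProtectedFromAccidentalDeletion = $true
}

$existing = Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$PolicyName'"
if ($existing) {
    Set-ADFineGrainedPasswordPolicy -Identity $PolicyName @settings
} else {
    # Lower precedence wins when several FGPPs apply to the same user.
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 @settings
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroup

# --- 2. Audit: which ePHI users are not actually covered? -----------------------
# Findings a HIPAA risk analysis should capture: the policy not being the resultant
# one (another FGPP or the default domain policy wins), PasswordNeverExpires,
# PasswordNotRequired, and accounts that have never set a password.
$domainDefault = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Default domain policy: MinLength={0} MaxAge={1}" -f
    $domainDefault.MinPasswordLength, $domainDefault.MaxPasswordAge)

$findings = foreach ($member in (Get-ADGroupMember -Identity $TargetGroup -Recursive |
                                 Where-Object objectClass -eq 'user')) {
    $u = Get-ADUser -Identity $member.DistinguishedName `
                    -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet
    # Returns $null when only the default domain policy applies to the user.
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $u
    $issues = @()
    if (-not $resultant -or $resultant.Name -ne $PolicyName) {
        $issues += "resultant policy is '$(if ($resultant) { $resultant.Name } else { 'Default Domain Policy' })'"
    }
    if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
    if ($u.PasswordNotRequired)  { $issues += 'PasswordNotRequired' }
    if (-not $u.PasswordLastSet) { $issues += 'password never set' }
    if ($issues) {
        [PSCustomObject]@{
            User   = $u.SamAccountName
            Issues = ($issues -join '; ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All members of '$TargetGroup' are covered by '$PolicyName' with no exceptions."
}
```

Run the script on a schedule and keep its output with your Security Rule documentation: the first half is the written "procedure for creating and changing passwords" made concrete, and the audit in the second half is the evidence that the addressable specification is actually implemented, which is what an OCR reviewer asks for. If you deliberately keep `PasswordNeverExpires` on service accounts, document that decision and the compensating control rather than silencing the finding.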