Pricing  Get Quote

HIPAA password requirements

HIPAA password requirements

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by the US Congress in 1996 to enact procedures that ensure the confidentiality, integrity, and availability of protected health information which is stored on electronic devices (ePHI). Any organization that creates, receives, maintains, interacts with, stores, or transmits ePHI must adhere to the mandated HIPAA regulations.

HIPAA aims to protect individuals' medical records and other personal health and payment information against unauthorized access, theft, or loss. The mandates of HIPAA are applicable to all healthcare institutions, organizations, and business entities handling ePHI.

Why does HIPAA include password requirements?

A password—being the basic securing means for digital information—is normally used by organizations to safeguard ePHI. HIPAA addresses password requirements as a part of its regulations to indicate the level of security that organizations should practice to protect ePHI from potential threats. Without unified password mandates, organizations would follow different standards for securing their ePHI, which might put some data more at risk than others.

What are the HIPAA password requirements?

Section § 164.308(a)(5)(ii)(D) of HIPAA mandates that admins must enforce:

Procedures for creating, changing, and safeguarding passwords [Password management (addressable requirement)].

This HIPAA Security Rule has always been a point of debate as it gives no specific details on password complexity and deems password management as "addressable." It is believed that this technology-neutral description of password management is intentional to permit flexibility as security best practices keep evolving with time. Many healthcare organizations use passwords as their first and sometimes only line of defense against cyberattacks.

Notably, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) looks to the National Institute of Standards and Technology (NIST) for guidance, so it's prudent that other healthcare organizations do the same. A NIST-compliant password should:

  1. Include American Standard Code for Information Interchange (ASCII) characters.
  2. Be a minimum of 8 and a maximum of 64 characters.
  3. Not be easy to guess like "Password@123" or easily compromised from data hoarding sites. Learn more about compromised passwords.
  4. Not be identical to the previous ten passwords.
  5. Not be prompted to users with the help of password hints.
  6. Include other authentication methods and not be the only guarding factor of ePHI.
  7. Be reset only if it's compromised or forgotten.

Make your organization HIPAA-compliant with ADSelfService Plus

ADSelfService Plus offers advanced password policy settings that help your organization comply with all the above requirements. You can create a custom password policy that meets HIPAA's requirements and enforce it on all or specific AD users based on their domain, OU, or group memberships. Below are some of the settings that ADSelfService Plus' password policy enforcer offers:

Password policy enforcer

  1. Ban weak passwords: Blacklist leaked or weak AD passwords, patterns, and palindromes.
  2. Set a custom password length: Enforce longer passwords by specifying the minimum password length.
  3. Enforce password history: Ensure password strength by enforcing password history rules during native password resets in the Active Directory Users and Computers (ADUC) console.
  4. Ensure password complexity: Allow users to use Unicode characters in their passwords besides uppercase, lowercase, special, and numeric characters.

Benefits of using ADSelfService Plus to comply with HIPAA mandates

  1. Increased password security: Enforce passphrases and restrict consecutively repeated characters and common character types from passwords. Enable the password strength meter to give users instant visual feedback on password strength when they change or reset their AD passwords.
  2. Fine-grained flexibility: Create different password policies for different types of users in the organization according to their role and level of access to sensitive data.
  3. Compliance with regulatory standards: Ensure that your organization complies not only with HIPAA standards, but also with NIST SP 800-63B, the PCI DSS, Essential Eight, CJIS, SOX, and the GDPR compliance mandates.

Blacklist weak or compromised passwords with ADSelfService Plus.

  • Please enter a business email id
    By clicking 'Get your free trial ', you agree to processing of personal data according to the Privacy Policy.


Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here


Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management