This policy is listed for reference only and should be reviewed with your lawyer before implementing it in daily practice. We are not lawyers and are not providing legal advice. View our legal disclaimer.

Password Management: Essential Security Training Guide

Reference: 45 CFR § 164.308(a)(6)
Last Updated: February 12, 2024


Goal: Implement procedures to create, change and safeguard passwords.

The purpose of this policy is to describe what the organization should do to maintain an effective process for appropriately creating, changing, and safeguarding passwords.


Procedure: In order to allow access and maintain an individual user's accountability on the system, each user must be uniquely and positively identified and authenticated to the system.

    • Each user ID is to be assigned to only one person at a time. No one is to share a user ID with another person.
    • User IDs are to be a minimum of 5 characters.
    • A record of each user ID assignment must be kept for a minimum of 12 months after the user's access has been terminated.
    • Before a user ID is reused, all previous access authorizations and their associated directories and files must be removed.
    • A user ID must be invalidated (suspended) by a responsible individual (e.g., System Manager, Security Manager) for any of the following reasons:
      • Termination of employment or contract
      • Nonuse of the account for 12 consecutive months
      • Notification of a security violation (by management direction)
    • When logging into the system, the user should be given at most three chances to enter the correct user ID and password.
    • Each user must acknowledge receipt of a user ID and password by signing a statement that details his/her responsibility for protecting this information.
    • System password files should be protected as sensitive data.
    • Passwords should never be stored in clear text.
    • The maximum lifetime for all passwords should be no greater than 90 days. The System Manager is to set expiration dates, if possible, to enforce this requirement.
    • Users must understand the sensitivity of their passwords and follow these rules:
      • Passwords must be at least 8 characters long and must contain characters from at least three of the following four classes:
        1. Uppercase letters
        2. Lowercase letters
        3. Numbers
        4. Special characters
      • Use at least two numbers in your password.

    • All users must be made aware of the private nature of their password. It is the responsibility of the Security Manager to inform the user that disclosure of a password is prohibited. It is the responsibility of the user to inform the Security Manager if such disclosure is suspected.
    • Where possible, user IDs and passwords will be delivered to the user in person. A user ID and its password must not both be sent in clear text in the same email or facsimile transmission.
    • The initial password provided to a first-time user shall expire upon its first use and force the user to select a new password. This limits exposure to risks in password distribution.
    • Prompt notification must be given to the System Manager when a user ID must be removed from the system.
    • Do not use words found in a dictionary.
    • Do not repeat any single character more than twice.
    • Avoid passwords that incorporate personal data (e.g., the user's name, a child's name, date of birth, address, telephone number).
    • Passwords must not be posted on terminals, blackboards, bulletin boards, or in any other location where they may be disclosed.
    • If a password has been seen, guessed, or otherwise compromised, it must be changed immediately.
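The composition rules in the list above (minimum length, three of four character classes, at least two digits, no character repeated more than twice, no dictionary words, no personal data) and the requirement that passwords never be stored in clear text can both be enforced mechanically at account creation. The Python below is an added example, not part of this policy or of any vendor product; the short word list, the PBKDF2 iteration count, the leetspeak substitution table and the function names `check_password`, `hash_password` and `verify_password` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import string

# Constructed stand-in for a real word list; in production load a full
# dictionary (e.g. /usr/share/dict/words) plus a breached-password list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "hospital"}

MIN_LENGTH = 8      # "at least 8 characters long"
MIN_CLASSES = 3     # three of the four character classes
MIN_DIGITS = 2      # "use at least two numbers"
MAX_REPEAT = 2      # no single character more than twice

# Common leetspeak substitutions undone before the dictionary check
# (assumption: this table is enough for the example).
LEET = str.maketrans("0134$@!", "oleasai")


def _normalize(text):
    """Lower-case and keep only letters and digits, for personal-data matching."""
    return re.sub(r"[^a-z0-9]", "", str(text).lower())


def check_password(password, personal_data=()):
    """Return the list of policy violations; an empty list means the password passes.

    personal_data is an iterable of strings the user must not embed
    (name, date of birth, phone number, ...).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")

    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"contains fewer than {MIN_DIGITS} digits")

    for ch in set(password):
        if password.count(ch) > MAX_REPEAT:
            problems.append(f"repeats {ch!r} more than {MAX_REPEAT} times")
            break

    lowered = password.lower()
    deleeted = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    for word in sorted(DICTIONARY):
        if word in lowered or word in deleeted:
            problems.append(f"contains dictionary word {word!r}")
            break

    norm_pw = _normalize(password)
    for item in personal_data:
        norm_item = _normalize(item)
        if len(norm_item) >= 3 and norm_item in norm_pw:
            problems.append(f"contains personal data {item!r}")
            break

    return problems


# Storage: never the clear-text password, only a salted, iterated hash.
PBKDF2_ITERATIONS = 600_000   # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format {algo!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample inputs for a user whose surname and date of birth are known.
    for pw in ("password1", "aaaA1111!", "Smith1985!xQ", "M3d1c-Rec0rd"):
        print(pw, "->", check_password(pw, personal_data=("Smith", "1985-04-12")) or "OK")
    rec = hash_password("M3d1c-Rec0rd")
    print(rec)
    print(verify_password("M3d1c-Rec0rd", rec), verify_password("wrong", rec))
```

The checker returns every violation at once so the user can fix them in one pass, and the stored record carries its own algorithm and iteration count so the cost can be raised later without re-hashing every account on the same day. Note that NIST SP 800-63B has since moved away from mandatory composition rules and periodic rotation in favour of length and screening against known-breached passwords; the code implements this policy as written, and a breached-password list can simply be merged into `DICTIONARY`.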