Thursday, April 1, 2010

HIPAA Password Regulations

The Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive piece of United States federal legislation enacted in 1996. Its Security Rule, published as a final rule in 2003 (45 CFR Part 164, Subpart C), establishes national standards for protecting the confidentiality, integrity and availability of electronic protected health information (ePHI); the privacy of health records is governed by the separate Privacy Rule. Password management appears in the Security Rule as an implementation specification under the security awareness and training standard (45 CFR 164.308(a)(5)(ii)(D)): "procedures for creating, changing, and safeguarding passwords." The rule is written in terms of what a covered entity must have in place, not as technical settings, so the administrators who implement it have flexibility in the concrete password policy, but it does require them to take certain basic steps.


Training


The rule requires a covered entity to train its workforce in password management, including how to choose a strong password and how to safeguard it (not sharing it, not writing it where others can read it). The rule does not specify a minimum password length or composition; those are left to the entity's own written policy, which is what an auditor will ask to see.


Initial Passwords


When healthcare employees are first issued an account, the initial password should be randomly generated, using a cryptographically secure generator rather than a fixed default or a value derived from the username, and treated as temporary. The rule itself does not prescribe how initial passwords are produced; random generation is the common way to satisfy the "creating" part of the password management specification.


Changing Passwords


Many healthcare password policies require employees to change their passwords every 90 to 120 days, and every policy should require a change at first login so that the randomly generated initial password is never used for ongoing access. The Security Rule does not set a rotation interval; the interval is a policy choice. Administrators must clearly define for users the procedure for resetting a forgotten or compromised password, including how a user's identity is verified before a reset is issued, since an unverified reset is itself a way around the password.
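The lifecycle described in the three sections above (random initial password, forced change at first login, and a maximum age enforced at every login), as an added Python example that is not from the original page. The 90-day maximum age, the 16-character initial length and the PBKDF2 iteration count are assumed policy values, not anything HIPAA specifies.

```python
"""Password lifecycle helpers: a randomly generated initial password, a
forced change at first login, and a maximum-age check at every login.
Added example; not from the original page. The 90-day maximum age and
16-character initial length are assumed policy values, not HIPAA text."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600  # assumed policy value
INITIAL_PASSWORD_LENGTH = 16               # assumed policy value
PBKDF2_ITERATIONS = 100_000                # assumed; tune for your hardware
_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_initial_password(length=INITIAL_PASSWORD_LENGTH):
    """Draw each character from the OS CSPRNG via the secrets module.
    random.choice is seeded from predictable state and must not be used."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    set_at: float        # epoch seconds when the current password was set
    must_change: bool    # True until the generated password is replaced


def create_account(username, now):
    """Create an account with a random temporary password.
    Returns (account, temporary_password); the caller delivers the
    temporary password to the user and it is flagged must_change."""
    temp = generate_initial_password()
    salt = os.urandom(16)
    return Account(username, salt, hash_password(temp, salt), now, True), temp


def verify(account, candidate):
    """Constant-time digest comparison to avoid a timing side channel."""
    return hmac.compare_digest(hash_password(candidate, account.salt),
                               account.digest)


def password_expired(account, now):
    return now - account.set_at >= MAX_PASSWORD_AGE_SECONDS


def login(account, candidate, now):
    """Return 'denied', 'change_required' or 'ok'.
    A correct but temporary or expired password never yields 'ok'."""
    if not verify(account, candidate):
        return "denied"
    if account.must_change or password_expired(account, now):
        return "change_required"
    return "ok"


def change_password(account, old, new, now):
    """Require the current password and reject re-use of it."""
    if not verify(account, old) or verify(account, new):
        return False
    account.salt = os.urandom(16)  # fresh salt on every change
    account.digest = hash_password(new, account.salt)
    account.set_at = now
    account.must_change = False
    return True


if __name__ == "__main__":
    acct, temp = create_account("jdoe", now=0.0)
    print(login(acct, temp, 0.0))                              # change_required
    change_password(acct, temp, "correct horse battery staple", 0.0)
    print(login(acct, "correct horse battery staple", 1.0))    # ok
```

The point of `login` returning `change_required` rather than `ok` is that the temporary password, and any password older than the policy maximum, can authenticate the user only into the change-password flow and nothing else.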


Oversight


The Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems containing ePHI, and its log-in monitoring specification (45 CFR 164.308(a)(5)(ii)(C)) calls for procedures to monitor log-in attempts and report discrepancies. In practice this means logging every authentication attempt, successful or not, with the account, source address and time, and automatically flagging patterns such as a burst of failed attempts against one account or a success that immediately follows such a burst. Because this monitoring covers everything done under the account, employees have no expectation of privacy when using a healthcare database, even after logging in with their own passwords, and the workforce should be told so as part of training.
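The log-in monitoring described above, as an added Python example that is not from the original page. The log format, the five-failures-in-ten-minutes threshold and the sample lines are all constructed for the example; adapt the regular expression to whatever your authentication system actually writes.

```python
"""Flag suspicious log-in activity from authentication log lines.
Added example; not from the original page. Log format, thresholds and
sample data are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: "<ISO8601 UTC> user=<name> src=<ip> result=SUCCESS|FAIL"
LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(SUCCESS|FAIL)$")
FAIL_THRESHOLD = 5                 # assumed policy value
WINDOW = timedelta(minutes=10)     # assumed policy value

# Constructed sample log: jdoe fails five times then succeeds; bsmith has
# one failure; cwu's two failures are too far apart to count together.
SAMPLE_LOG = """
2010-04-01T07:58:00Z user=bsmith src=10.0.0.7 result=FAIL
2010-04-01T07:58:30Z user=bsmith src=10.0.0.7 result=SUCCESS
2010-04-01T08:00:00Z user=jdoe src=10.0.0.5 result=FAIL
2010-04-01T08:00:20Z user=jdoe src=10.0.0.5 result=FAIL
2010-04-01T08:00:40Z user=jdoe src=10.0.0.5 result=FAIL
2010-04-01T08:01:00Z user=jdoe src=10.0.0.5 result=FAIL
2010-04-01T08:01:20Z user=jdoe src=10.0.0.5 result=FAIL
2010-04-01T08:01:40Z user=jdoe src=10.0.0.5 result=SUCCESS
this line is malformed and is skipped rather than crashing the monitor
2010-04-01T09:00:00Z user=cwu src=10.0.0.9 result=FAIL
2010-04-01T09:20:00Z user=cwu src=10.0.0.9 result=FAIL
"""


def parse(lines):
    """Yield (timestamp, user, src, result) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not trusted
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), m.group(4)


def flag_login_attempts(lines):
    """Return findings as (kind, user, src, iso_timestamp) tuples.

    'brute_force' fires when an account reaches FAIL_THRESHOLD failures
    inside WINDOW; 'success_after_failures' fires when a success follows
    such a burst, which is the case a reviewer most needs to see."""
    recent_failures = defaultdict(list)   # user -> failure timestamps
    findings = []
    for ts, user, src, result in parse(lines):
        window = [t for t in recent_failures[user] if ts - t <= WINDOW]
        if result == "FAIL":
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # report once per burst
                findings.append(("brute_force", user, src, ts.isoformat()))
        else:
            if len(window) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", user, src,
                                 ts.isoformat()))
            recent_failures[user] = []          # success ends the burst
    return findings


if __name__ == "__main__":
    for finding in flag_login_attempts(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Logging the source address alongside the account is what lets the reviewer distinguish a user mistyping a new password from an attempt coming from somewhere the user never logs in from; the monitor deliberately keeps the window per account rather than per source, since an attacker can rotate sources.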
