
Must Medical Practices Require Patients to Use Unique Passwords on Websites and Portals?

Knowing what the HIPAA Security Rule requires regarding patient passwords can help maintain HIPAA compliance plus identify ways to protect patients’ ePHI. 

Kristin Penunuri, JD

05/07/2026

There are many advantages to providing patients with access to their medical records via a website or portal.  Patients can access their records quickly, the practice can reduce the administrative task of responding to requests for records, and patients might be less likely to claim they were improperly blocked from accessing their records.  However, the online availability of patients’ electronic protected health information (ePHI)[1] means that patients’ ePHI is also susceptible to hackers.  This might leave practices wondering what steps are required by HIPAA to protect patients’ ePHI, and specifically, whether HIPAA establishes any requirements for patient passwords used on the practice’s website or portal. 

Although HIPAA does not establish any specific requirements regarding patient passwords, a 2024 investigation by the federal agency tasked with enforcing HIPAA suggests that the agency might interpret the HIPAA Security Rule as requiring patients to use unique passwords.  Knowing what the HIPAA Security Rule requires regarding patient passwords will not only help practices maintain HIPAA compliance, it will also help practices identify ways to protect patients’ ePHI. 

What is the HIPAA Security Rule? 

The portion of HIPAA known as the HIPAA Security Rule includes the standards with which covered entities[2]—including medical practices—must comply regarding the security and protection of patients’ ePHI.   

The Security Rule establishes the security standards that covered entities must meet regarding securing ePHI.  In particular, the Security Rule requires covered entities to “[p]rotect against any reasonably anticipated threats or hazards to the security or integrity” of ePHI.   

The Security Rule also establishes the administrative, physical, and technical safeguards that covered entities must implement to meet the security standards.  Although the Security Rule includes many safeguards, the following administrative and technical safeguards are most relevant to protecting patient passwords: 

    • Covered entities must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;[3]

    • Covered entities must implement procedures for monitoring log-in attempts and for creating, changing, and safeguarding passwords;[4]

    • Covered entities must implement procedures for verifying the identity of a person or entity seeking access to ePHI;[5] and

    • Covered entities must implement security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network.[6] 

Guidance published by the U.S. Department of Health & Human Services (HHS) suggests that covered entities can usually require any of the following to verify the identity of a person seeking access to ePHI:  

  1. Something known only to that individual, like a password or PIN;

  2. Something only that individual possesses, like a token or key; or

  3. Something unique to the individual, including fingerprints or facial patterns.[7] 

Beyond these security standards and safeguards, the HIPAA Security Rule does not discuss specific requirements for passwords.  However, because the HHS Office for Civil Rights (OCR) enforces the HIPAA Security Rule, OCR investigations provide insight into how OCR interprets the requirements of the Security Rule.  A notable OCR investigation from 2024 suggests that OCR might interpret the Security Rule as requiring covered entities to take affirmative steps—including requiring the use of unique passwords—to prevent a type of cyberattack known as “credential stuffing.”    

Why Did OCR Fine a Covered Entity $1.5 Million After a Breach Involving “Credential Stuffing”? 

In December of 2018, the covered entity—an eyewear company—filed a HIPAA breach report with OCR.  The report explained that in November of 2018, the company became aware of unusual attempted log-in activity on its website.  According to the report, between September 25, 2018 and November 30, 2018, unauthorized third parties gained access to the company’s website through “credential stuffing.”  Credential stuffing is a type of cyberattack in which hackers steal usernames and passwords from one site and then try the stolen login credentials on other sites to see where else the credentials might work.  Credential stuffing is most effective when people reuse the same login credentials on multiple websites.   

Nearly two years later, the eyewear company amended its December 2018 breach report to add that 197,986 individuals were affected by the breach.  Patient ePHI affected by the breach included names, mailing addresses, email addresses, payment information, and eyewear prescription information.   

In September of 2019, OCR notified the company that it initiated an investigation into the breach and the company’s compliance with HIPAA, including the Security Rule.  By June of 2022, the company experienced four additional credential stuffing attacks, impacting the ePHI of an additional 484 patients. 

After completing its investigation, OCR found the company violated the HIPAA Security Rule by failing to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, among other violations. 

OCR’s decision in this investigation is of particular importance, because OCR found that the company failed to comply with the Security Rule even though the hackers were only able to access the company’s ePHI after hacking a different website.  As a result, OCR’s decision suggests that it interprets the Security Rule as requiring covered entities to take affirmative steps to avoid credential stuffing by requiring patients to use unique passwords. 

What Steps Should Practices Take to Align with OCR’s Decision? 

Based on OCR’s decision, practices hoping to increase compliance with the Security Rule and to reduce their risk of a credential stuffing attack should consider the following strategies. 

    • Impose strong password requirements.  Requiring patients to use passwords with upper and lowercase letters, numbers, and special characters reduces the likelihood that the patient used the same password on another website.

    • Require periodic password updates.  Requiring patients to update their password regularly also reduces the likelihood that the patient used the same password somewhere else.

    • Use multi-factor authentication.  This serves as an additional method of verifying the identity of the person seeking access to the ePHI.

    • Monitor for unusual login attempts and patterns.  This can include requesting audit logs and access reports from the practice’s electronic medical record vendor.

    • Notify patients of the risk of reusing login credentials.  This might include posting a notice on the practice’s website or patient portal recommending that patients use a password not used on other sites. 
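The fourth strategy above, monitoring for unusual login attempts and patterns, is where credential stuffing becomes visible to the practice: a per-account lockout sees only one or two failures per patient, while grouping events by source shows one address trying many different accounts with a low success rate.  The following Python is an added example, not code from the article, OCR, or any portal vendor; the log format, the constructed sample events, and the thresholds are assumptions a practice would adapt to its own vendor’s audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed portal authentication events (not real data). Fields: UTC timestamp,
# source IP, account id, result. 203.0.113.7 plays the stuffing source; 198.51.100.2
# is a patient who mistypes a password twice before logging in.
SAMPLE_LOG = """\
2018-09-25T02:00:01Z 203.0.113.7 acct0412 FAIL
2018-09-25T02:00:02Z 203.0.113.7 acct7781 FAIL
2018-09-25T02:00:02Z 203.0.113.7 acct1093 FAIL
2018-09-25T02:00:03Z 203.0.113.7 acct5520 OK
2018-09-25T02:00:03Z 203.0.113.7 acct3314 FAIL
2018-09-25T02:00:04Z 203.0.113.7 acct9026 FAIL
2018-09-25T02:00:05Z 203.0.113.7 acct8841 OK
2018-09-25T02:00:06Z 203.0.113.7 acct4417 FAIL
2018-09-25T02:01:10Z 198.51.100.2 acct0042 FAIL
2018-09-25T02:01:25Z 198.51.100.2 acct0042 FAIL
2018-09-25T02:01:40Z 198.51.100.2 acct0042 OK
"""

def parse_events(text):
    """Yield (timestamp, ip, account, success) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "OK"

def detect_credential_stuffing(text, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that, within one time window, attempt logins to many
    distinct accounts with a low success rate. Returns {ip: {"accounts": n,
    "compromised": [accounts that accepted a stuffed credential]}}."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in parse_events(text):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            span = events[start:end + 1]
            accounts = {a for _, a, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                # successes from a stuffing source are the accounts to reset and notify
                flagged[ip] = {"accounts": len({a for _, a, _ in events}),
                               "compromised": sorted(a for _, a, ok in events if ok)}
                break
    return flagged
```

The accounts listed under "compromised" are the ones whose reused credentials worked, which is the population a practice would need to assess for breach notification.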

Practices interested in reading more about the OCR investigation should read the following materials: 


[1] 45 C.F.R. § 160.103 generally defines “electronic protected health information” as individually identifiable health information that is transmitted by electronic media or maintained in electronic media. “Individually identifiable health information” is generally defined as information created or received by a health care provider related to the past, present, or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; that either identifies the individual or can likely be used to identify the individual.

[2] 45 C.F.R. § 160.103 defines “covered entity” as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by Subchapter C, Subtitle A, Title 45 of the U.S Code of Federal Regulations.

[3] See 45 C.F.R. § 164.308(a)(1)(ii)(B).

[4] See 45 C.F.R. § 164.308(a)(5)(ii)(C)-(D).

[5] See 45 C.F.R. § 164.312(d).

[6] See 45 C.F.R. § 164.312(e)(1).

[7] See U.S. Dep't of Health and Human Servs., HIPAA Security Series, Security Standards: Technical Safeguards (rev. Mar. 2007).