How passwords are like toothbrushes

Brush up on USA Health policies and procedures regarding passwords to make sure that you comply with HIPAA.

Published Feb 18th, 2020

Treat your computer password as you would your toothbrush. Choose a good one. Never share it. Change it often.

That’s the message from the USA Health office that oversees compliance with the HIPAA Privacy Rule. Part of the Health Insurance Portability and Accountability Act, the rule provides federal protection for personal health information.

“We hear a lot about having strong passwords for our computers, but keeping them secret is equally important,” said Linda Hudson, chief HIPAA compliance officer for USA Health. “Passwords confirm our digital identity and should be protected as much as a driver’s license or Social Security card. This means we don’t lend them to anyone.”

Noncompliance with HIPAA can result in fines for the institution as well as individual employees.

The following are USA Health’s policies and procedures for employee passwords:

  • All USA Health workforce members are provided a unique username and password for access to USA Health computer systems. (Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the organization, is under the direct control of the organization, whether or not they are paid by the organization.)
  • Workforce members must not allow another user or workforce member to use their unique user identification, password, or identification card to access any workstation or server that contains electronic protected health information (EPHI).
  • Workforce members must ensure that their user identification is not documented, written or otherwise exposed in a manner that is not secure.
  • Workforce members must reasonably ensure that their assigned usernames and passwords are appropriately protected and only used for legitimate access to workstations, networks, systems or applications.
  • If a user or workforce member believes that their user identification has been compromised, they must report the security incident to their supervisor or program coordinator, and escalate the matter to the HIPAA security officer or divisional HIPAA designee.
  • Users needing passwords changed or accounts reset must identify themselves in person or via phone to Health System Information Services (HSIS) using their full name, J number (Jag Number), date of birth and last four digits of their Social Security number to regain access.
  • USA Health uses FairWarning® to track and audit accesses; any workforce member whose credentials are used to inappropriately access, use or disclose PHI will be held accountable.
