
Are password managers HIPAA compliant?


There is no such thing as an inherently HIPAA compliant password manager: “HIPAA compliance is determined by how the password manager is used, not by the application alone,” says the Compliancy Group. So what should users consider to ensure that their use of password managers is in line with HIPAA regulations?


Criteria for HIPAA compliance in password managers

For a password manager to be considered HIPAA compliant, it must adhere to the following requirements:

  • Encryption: The password manager must use strong encryption methods to protect data both at rest and in transit. 
  • Access controls: It must provide robust access controls, including multi-factor authentication (MFA), to ensure only authorized users can access passwords.
  • Audit controls: The password manager should have the capability to log and monitor access to passwords, providing audit trails that show who accessed the data and when.
  • Business associate agreement (BAA): If the password manager company will potentially have access to protected health information (PHI), it must sign a business associate agreement. This agreement ensures that the password manager company understands and agrees to comply with HIPAA regulations regarding the handling of PHI.
  • Security policies and procedures: The password manager company must have and enforce comprehensive security policies and procedures that align with HIPAA requirements.



Choosing a HIPAA compliant password manager

When selecting a password manager for use in a HIPAA-regulated environment, consider the following:

  • Vendor reputation: Choose a vendor known for high security standards and experience with healthcare clients.
  • Features: Ensure the password manager includes features like encryption, robust access controls, and detailed audit logs.
  • BAA availability: Confirm that the vendor is willing to sign a BAA and understands its obligations under HIPAA.
  • Compliance certification: While there is no official HIPAA certification, vendors that advertise HIPAA compliance should be able to demonstrate how their product meets HIPAA requirements.




What is a business associate agreement (BAA), and why is it important?

A BAA is a contract between a HIPAA-covered entity and a business associate that handles PHI. It ensures that the business associate will safeguard PHI according to HIPAA standards. Without a BAA, using a password manager would not be HIPAA compliant.


What happens if a password manager vendor breaches HIPAA rules?

If a password manager vendor breaches HIPAA rules, both the vendor and the covered entity (e.g., the healthcare provider) may face significant fines and legal consequences. This demonstrates the importance of selecting a reputable vendor and having a signed BAA in place.



Can I use a free password manager for HIPAA compliance?

Generally, free password managers may not offer the necessary features and assurances required for HIPAA compliance. Paid versions typically provide more robust security features, support, and the option to sign a BAA.
