This question has come up multiple times over the past few weeks, especially with the HeartBleed issue a few weeks ago. Are password management programs HIPAA compliant?
Password Management programs like Dashlane, 1Password, LastPass, etc., help with the inconvenience of having to come up with a new password every few months and then remember them. These programs will generate unique passwords for you, store them and allow you to recall them across devices.
Here’s an article from the Wall Street Journal reviewing these programs.
On to the most important question: Are these HIPAA compliant? Well, luckily password management programs aren’t storing Protected Health Information (PHI), so you don’t have to worry about HIPAA compliance with these programs. This means no Business Associate Agreement or Business Associate Subcontractor Agreement is needed… But, it behooves you to do a little research about what reputable companies are out there. Be sure it has two-step authentication and remember to change your master password regularly!
Most importantly, talk to your IT professional before you install one of these programs. They may or may not allow this on your system, or they may have a preferred program. Do your research and use these programs wisely. They can be a great convenience, but can be problematic since there is one access point for all your passwords. This means your master password becomes the gateway for all your information
What ever you do to manage your passwords, remember change them frequently, and make them complicated! We’re talking uppercase, lowercase, special characters, numbers, folks, and lots of them. No writing these down. Don’t give them to anyone — and we mean anyone!
Stay HIPAA Compliant, Friends!
