Q&A: Password reset schedules

Q. Are we required to have employees change their passwords on a regular schedule? If so, how often should we reset passwords?

A. Yes, it is sound security practice to require employees to periodically change their passwords. It is recommended that passwords be updated at least every 90 days. This can represent a challenge and there will likely be pushback from healthcare practitioners. There is no set regulatory requirement to periodically change passwords but there is a requirement to implement sound password management. That would include requiring strong passwords, the requirement to change passwords at least every 90 days or when it’s believed that the password has been compromised, and not permitting employees to use the same password for at least five iterations or times the password is changed.

Editor's note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.