
March 06, 2026
Health Law Weekly

Does HIPAA Require Unique Passwords? The Issue of Credential Stuffing

  • March 06, 2026
  • Christopher J. Tellner, Kaufman Dolowich LLP
  • Abbye E. Alexander, Kaufman Dolowich LLP
  • Henry E. Norwood, Kaufman Dolowich LLP

The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities protect protected health information (PHI) from disclosure without a patient’s consent. In today’s world, most PHI is maintained electronically in digital form, which carries both advantages and risks. The foremost threat to electronic PHI is exposure to unauthorized third parties through cyber hacking. To defend against this threat, covered entities employ measures to protect the PHI in their possession, and the HIPAA Security Rule imposes certain requirements on covered entities to protect electronic PHI, including requirements regarding password-protected member websites. A recent investigation and settlement by the Department of Health and Human Services Office for Civil Rights (OCR) have called into question what exactly HIPAA requires when it comes to member website password complexity. Understanding OCR’s findings is critical for all covered entities with an online presence to ensure compliance with the requirements of the HIPAA Security Rule.
