American Health Law Association, “Does HIPAA Require Unique Passwords? The Issue of Credential Stuffing,” by Christopher Tellner, Esq., Abbye Alexander, Esq. and Henry Norwood, Esq., 6-6-2026
Kaufman Dolowich’s Abbye Alexander and Christopher Tellner, Co-Chairs of the Healthcare/Managed Care Practice Group, and Henry Norwood, San Francisco Of Counsel, analyze what the Health Insurance Portability and Accountability Act (HIPAA) requires regarding member website password complexity in light of a recent investigation and settlement by the Department of Health and Human Services’ Office for Civil Rights (OCR).
Read the full article below:
The Health Insurance Portability and Accountability Act (HIPAA) requires that protected health information (PHI) be protected from disclosure by covered entities without a patient’s consent. In today’s world, most PHI is maintained electronically in digital form, which carries advantages and risks. The foremost threat to electronic PHI is exposure to unauthorized third parties due to cyber hacking. To defend against this threat, covered entities employ measures to protect the PHI in their possession and the HIPAA Security Rule imposes certain requirements on covered entities to protect electronic PHI, including requirements regarding password-protected member websites. A recent investigation and settlement by the Department of Health and Human Services Office for Civil Rights (OCR) have called into question what exactly HIPAA requires when it comes to member website password complexity. Understanding OCR’s findings is critical to all covered entities with an online presence to ensure compliance with the requirements of the HIPAA Security Rule.
HIPAA and Passwords
The HIPAA Security Rule requires covered entities to implement measures that lower their risk of an unauthorized disclosure of PHI.[1] When it comes to electronic PHI (ePHI) specifically, covered entities must have processes in place to verify the identity of a person seeking access to ePHI.[2] Generally, there are three compliant methods for a person to verify their identity when seeking access to ePHI: (1) by using a password or similar code requiring personal knowledge; (2) by using an object possessed by the specific person (e.g., an identification card); or (3) by using the person’s unique characteristics to access the information (e.g., a fingerprint).[3] In addition, covered entities must maintain procedures regarding the entities’ website or portal for creating, modifying, and protecting passwords, as well as monitoring a person’s login attempts.
Aside from these requirements, HIPAA has little to say about passwords, which leaves open questions such as how frequently passwords must be changed and whether they must meet any complexity requirements. Recently, OCR has weighed in, though not through direct, published guidance, on whether passwords used by individuals on the websites or portals of covered entities must differ from the passwords those individuals use on other websites. That is, whether passwords used on sites operated by covered entities must be unique.
Cyber Threat to Health Information and Password Complexity
Because health information is predominantly stored in electronic form, it can be compromised by cybercriminals. Cybercrime involving PHI threatens to undermine the level of trust between patients and the health organizations maintaining their information. The growing market for health data ensures health data will be shared with an increasing number of parties, spanning far from the original party with whom the individual’s health information was shared—likely, the individual’s health care provider. This increased sharing leads to a larger threat that the shared data will be compromised through a cyberattack as cybersecurity safeguards and measures will not be uniformly stringent among the multiple actors possessing valuable health data.
One form of cyberattack is referred to as “credential stuffing.” In credential stuffing, hackers obtain an individual’s login credentials from one website and try those same credentials on a number of other websites, hoping the individual reused them. One method that can help prevent credential stuffing is requiring the use of unique passwords, such as passwords requiring complex combinations of letters, numbers, symbols, and lower/uppercase letters. This lowers the likelihood of a user choosing the same password for multiple sites.
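Two defensive checks that operationalize the points above, the Security Rule’s login-attempt monitoring and the push toward passwords not reused from other sites, shown as an added example that is not from the article, OCR, or any covered entity’s system; the breach corpus, log format, and thresholds are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample of compromised-credential hashes (SHA-256 of passwords
# exposed in third-party breaches). A real deployment would query a breach corpus.
COMPROMISED_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Password123!", "Summer2024$", "letmein")
}

def password_is_reused(password: str) -> bool:
    """Registration-time check: reject a password already present in a known
    breach corpus, since that is exactly what credential stuffing replays.
    Note that 'Password123!' satisfies typical complexity rules yet is reused."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return digest in COMPROMISED_PASSWORD_HASHES

# Constructed member-portal login log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol OK
2024-03-01T10:00:03 203.0.113.7 dave FAIL
2024-03-01T10:00:04 203.0.113.7 erin FAIL
2024-03-01T10:00:05 203.0.113.7 frank FAIL
2024-03-01T10:05:00 198.51.100.2 alice FAIL
2024-03-01T10:05:09 198.51.100.2 alice FAIL
2024-03-01T10:05:20 198.51.100.2 alice OK
"""

def detect_credential_stuffing(log_text: str, min_distinct_users: int = 5) -> dict:
    """Flag source IPs that attempt logins for many distinct accounts with
    roughly one attempt each: the signature of a replayed credential list,
    as opposed to one user mistyping their own password several times."""
    users_per_ip = defaultdict(set)
    attempts_per_ip = defaultdict(int)
    successes_per_ip = defaultdict(set)
    for line in log_text.splitlines():
        _ts, ip, user, result = line.split()
        users_per_ip[ip].add(user)
        attempts_per_ip[ip] += 1
        if result == "OK":
            successes_per_ip[ip].add(user)
    suspicious = {}
    for ip, users in users_per_ip.items():
        # Many accounts with about one attempt each is the stuffing pattern.
        if len(users) >= min_distinct_users and attempts_per_ip[ip] / len(users) <= 1.5:
            suspicious[ip] = {"accounts_tried": len(users),
                              "accounts_breached": sorted(successes_per_ip[ip])}
    return suspicious
```

Accounts listed under `accounts_breached` are the ones whose reused credentials succeeded and that need a forced reset and breach assessment.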
Does HIPAA Require Unique Passwords?
While no statute or regulation directly requires covered entities to impose unique password requirements, covered entities are required to maintain procedures to lower the risk of unauthorized disclosures and to protect login passwords. A recent OCR investigation and settlement suggest OCR may interpret these requirements as imposing a duty on covered entities to require unique passwords.
The OCR investigation arose from an incident involving credential stuffing of a member website operated by an eyewear company (a covered entity). An unknown hacking group obtained login credentials that numerous individuals used on websites other than the eyewear company’s. The group then attempted to use the credentials to log in to other sites, including the eyewear company’s member site. Because these members used the same login credentials for the member website as they did on other, compromised sites, the hackers were able to log in to the member site and access PHI.
OCR investigated the breach and found that the eyewear company had violated the HIPAA Security Rule as a result of this incident. This is significant because the hackers were only able to breach the covered entity’s website after hacking other, possibly less secure websites. This appears to impose an affirmative duty on covered entities to ensure members’ passwords are sufficiently complex to avoid similar credential stuffing attacks. OCR reached a settlement with the eyewear company, including a $1,500,000 settlement payment.
Conclusion
It is unclear whether HIPAA requires unique passwords for sites operated by covered entities, but the OCR investigation and resulting settlement send a clear warning to covered entities. Rather than wait for clear guidance on the issue, covered entities should affirmatively impose password requirements including complex combinations. Covered entities may also consider posting a notice on their sites warning users of the risk of using passwords frequently used on other sites. Such measures could be helpful as evidence demonstrating the covered entity’s implementation of reasonable measures to protect user passwords and lower the risk of unauthorized disclosures.
About the Authors
Chris Tellner and Abbye Alexander are Co-Chairs of the Health Care/Managed Care practice group of Kaufman Dolowich LLP and Henry Norwood is Of Counsel within the group. They represent health care professionals, organizations, including health plans and administrators, patients, and facilities, including long-term care facilities, assisted living facilities, rehabilitation centers and doctors in professional liability defense matters.
Copyright 2026, American Health Law Association, Washington, DC. Reprint permission granted.