HIPA-10

Does your application require user and system administrator password changes at a frequency no greater than 90 days?

Explanation

This question asks whether your application enforces password rotation for both regular users and system administrators at least every 90 days. In the context of HIPAA (Health Insurance Portability and Accountability Act) compliance, it relates to the Security Rule's administrative and technical safeguards for access control and authentication that protect electronic Protected Health Information (ePHI). The Security Rule itself lists password management as an addressable implementation specification (procedures for creating, changing and safeguarding passwords) and does not prescribe a rotation interval; the 90-day figure is the questionnaire author's own policy, one that many covered entities adopt.

Regular password changes are traditionally considered a security best practice because they limit the window of opportunity if credentials are compromised without anyone noticing. "No greater than 90 days" means the maximum password age must be 90 days or less, so a 30- or 60-day interval also satisfies the question.

It's worth noting that while this question reflects traditional password guidance, current NIST guidelines (NIST SP 800-63B) recommend against mandatory periodic password changes and instead recommend forcing a change only when there is evidence of compromise, because forced rotation tends to push users toward predictable, incrementally modified passwords. However, many compliance frameworks, and many HIPAA covered entities' own policies, still require periodic rotation.

When answering this question, be honest about what your application actually enforces. If it can enforce rotation, explain how the interval is configured and managed and whether it applies to administrators as well as end users. If it cannot, describe the compensating controls that protect credentials (for example multi-factor authentication, screening against known-breached passwords, account lockout and login anomaly detection), and expect the customer to evaluate them against their own policy.

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our application enforces mandatory password changes for both regular users and system administrators every 90 days by default. This is configurable by the organization administrator down to a minimum of 30 days if more frequent rotation is desired. The system notifies users 14 days before their password expires and provides daily reminders as the expiration date approaches. Password history is maintained to prevent the reuse of the previous 24 passwords. These controls are applied consistently across all user types, including system administrators, to maintain strong authentication practices for all accounts that may access PHI.

Example Response 2

Yes, our application requires password changes every 60 days for all users, including system administrators. This is a system-wide setting that cannot be modified by customers, to ensure consistent security practices across our platform. Our password policy also enforces complexity requirements (minimum 12 characters with a mix of character types) and maintains a password history of the last 10 passwords to prevent immediate reuse. For additional security, we also support multi-factor authentication, which provides an extra layer of protection beyond password-based authentication alone.

Example Response 3

No, our application does not currently enforce automatic password expiration or rotation. Instead, we follow the more recent NIST guidelines (SP 800-63B), which recommend against mandatory periodic password changes and focus on other security measures. We implement compensating controls including: required multi-factor authentication for all users, real-time monitoring for suspicious login attempts, automatic account lockout after repeated failed authentication attempts, and immediate forced password resets if compromise is suspected. While we understand this doesn't meet the traditional 90-day rotation requirement, we believe our comprehensive approach to authentication security provides stronger protection against credential-based attacks without the usability challenges of frequent password changes.

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub