HIPA-15

If the application is institution-hosted, can all service level and administrative account passwords be changed by the institution?

Explanation

This question asks whether your institution can change every service-level and administrative account password for an application hosted in your own environment (as opposed to one hosted by the vendor or in the cloud).

In the context of HIPAA compliance, the question relates to access control and password management. The HIPAA Security Rule requires covered entities to implement technical safeguards to protect electronic Protected Health Information (ePHI), including access controls that restrict who can reach sensitive data (45 CFR 164.312(a)(1)), and its administrative safeguards require procedures for creating, changing and safeguarding passwords (45 CFR 164.308(a)(5)(ii)(D)).

Service-level and administrative accounts typically hold elevated privileges in systems that process, store or transmit ePHI, and can often read, modify or delete patient data. If your institution cannot change their passwords, several risks follow:

1. You may be unable to revoke access when an administrator leaves or when a credential is suspected of being compromised.
2. You cannot enforce your own password policy on these accounts.
3. You cannot rotate credentials on the schedule your security requirements demand.
4. You depend on the vendor for every credential change, which introduces delay during an incident.

Control over these passwords is essential for maintaining the access controls the Security Rule requires. It lets your institution preserve accountability and respond quickly to a security incident by changing credentials as needed.

When answering, be specific about which accounts you control, any exceptions, and any dependency on the vendor for particular password changes. If there are administrative accounts your institution cannot control, explain why and describe the compensating controls in place (for example, restricted permissions, logging and monitoring of the account's activity, and an agreed procedure and turnaround time for the vendor to change the password). Before answering yes, also verify that each credential can actually be rotated end to end: a password that is embedded in a configuration file, script or integration the vendor maintains is not under your control in practice, even if the account itself allows a change.

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our institution has full control over all service-level and administrative account passwords for our locally hosted application. This includes the ability to change database administrator accounts, application administrator accounts, service accounts, and any other privileged accounts within the system. We maintain these passwords in our enterprise password management system and rotate them according to our institutional password policy (administrative account passwords are rotated at least every 90 days). This control allows us to revoke access immediately when needed and to maintain compliance with our security requirements.

Example Response 2

Yes, our institution can change most service-level and administrative account passwords for the application. We have full control over application administrator accounts, database accounts, and most service accounts. However, one system account used for background processing requires vendor assistance to change. For this exception we have implemented compensating controls: the account has very limited permissions, and all of its actions are logged and monitored. We have a documented procedure with the vendor to change this password within 4 hours when needed for security purposes.

Example Response 3

No. Our application uses several hard-coded service accounts whose passwords cannot be changed by our institution. Although we host the application infrastructure on our own servers, the application was developed by a third party that retains exclusive control over these administrative credentials. They rotate the passwords quarterly according to their security policy, but our institution cannot change them directly when needed. This creates a dependency on the vendor for access management and potential delays in responding to security incidents. We recognize this as a compliance gap and are working with the vendor to implement a solution that gives us control over all credentials by Q3 of this year.

Context

Tab
Case-Specific
Category
HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub