Skip to page content


HIPAA Quick Reference Guide For Employees


Previous  |  Table of Contents  |  Next


21.0 Computer Passwords


bullet
What can I do to help prevent other people from getting information that they should not?
  1. Never share your password.  Your account is assigned to you.  You will be held responsible for the activities of the account.  We do see cases where people will use someone else's e-mail account to send harassing e-mail messages.  Don't let this happen to you.  There is never a real need to share your password.  The IT systems have been designed to allow delegation of resources to multiple people without sharing passwords.  Do you need to access someone's calendar?  We can delegate those privileges; all we need is permission from the user.  The same applies to file sharing, applications, websites, etc.  Don't share your password.
  2. Never write down a password.  Passwords that are written down can be easily stolen.  While receiving a new password you may wish to write down your password until you have a chance to memorize it.  If you do this, you should take extreme care not to lose the paper you have written it on.  You should destroy the paper (e.g. tear it to shreds) once you have learned the password. 
  3. If you MUST write down your password - never store it near your computer.  Don't write your password down and stick it on your monitor!  Some users have upwards of ten different passwords.  That's a lot to memorize.  Write them down and store them in your wallet.  Never store them in your office, with your laptop or under your keyboard.  You wouldn't store your ATM PIN with your debit card - would you?
  4. Change your password with some frequency.  The longer you have used your password, the more likely it is that someone else will manage to figure it out.  Just how frequently you should change your password depends on how frequently you use it and what you are protecting with it.  For example, you may wish to change a password used to give access to patients' financial information more frequently than one to give access to read the news on a web page.
  5. Never store your password in a program.  Many e-mail clients, web browsers, and web services will offer to store your password for you so that you don't need to type it in each time you want to use it.  This is a bad idea - it is generally easy for people to recover your password from inside one of these programs if they have access to your computer (and sometimes even if they don't).  It is also possible for some computer viruses to recover your password from your computer and e-mail them to random people or post them publicly on the Internet.  Such viruses may even distribute the password before anti-virus software is able to locate and remove the virus.
  6. Create complex but easy to remember passwords.  The more complex a password the more difficult it is to crack.  A password based on a dictionary word can be cracked in less than five minutes by a determined hacker with the proper tools.  By contrast a complex password (i.e. longer than eight characters with upper and lower case letters, numbers and symbols), increases the time needed to crack a password to months.  An easy way to create a password is to think of a sentence and use the first letter of each word in the sentence, leaving in the punctuation.  For example, "I have three kids named John, Michael and Sarah!" becomes "Ih3knJ,MaS!".
For information on choosing a good password and keeping track of the passwords you have, please click here.


Previous  |  Table of Contents  |  Next


Quick Links:

Accounting of Disclosures

HIPAA Privacy Review

HIPAA Reference Sheet

Quick Reference Guide

Useful Links

HPO@bsd.uchicago.edu