The Password Party

March 4, 2002


Draw attention to new policies needed for HIPAA Privacy Compliance

Complying with the HIPAA Privacy regulations represents a large change. What you and your people do has to change. How you think has to change. We believe that as both a practical and a symbolic matter, an event should take place that represents the transition from the old way to the new way. I'll describe to you what I call the "Password Party".

Start by sending a memo: On [date], all passwords for network access must be changed. All user accounts will be removed unless the user contacts the security officer and requests continued access. From that date forward, any password found written down and left within view of anyone else will be subject to disciplinary action. Sharing of passwords in any way will be absolutely forbidden. You will be responsible for changing your password immediately and notifying the security officer if there is even the slightest chance that someone else has discovered your password. Within two years this agency must comply with strict new regulations regarding privacy. These steps are all necessary to avoid fines of $25,000 to $250,000 under the new law. We realize this is a large change we all need to make, but it is absolutely necessary.

On the day of the password party, have staff read your agency's new privacy policy. Ask each of them several questions to make sure that they understand it. Next, have them sign a memorandum of understanding. Then, and only then, give them a new password that must be changed within one day to a password of their choice that conforms to whatever password guidelines have been set. Since computers can be programmed to try every word in the dictionary, or even a list of first or last names, it is best to require a combination of letters and numbers.
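As an added example (not part of the original article), here is a Python check for the guideline above: a new password must mix letters and digits and must not be a dictionary word or a common first or last name, even with a few digits tacked on the end. The word lists and the eight-character minimum are assumptions for illustration, not values from the article.

```python
import re

# Constructed sample lists standing in for a full dictionary and a staff
# name list; a real deployment would load these from files.
DICTIONARY_WORDS = {"password", "welcome", "clinic", "summer", "doctor"}
COMMON_NAMES = {"john", "mary", "smith", "garcia", "patel"}

MIN_LENGTH = 8  # assumed minimum; the article sets no specific length


def normalize(candidate: str) -> str:
    """Lower-case the password and strip a trailing run of digits, so that
    'Summer2002' is still recognised as the dictionary word 'summer'."""
    return re.sub(r"\d+$", "", candidate.lower())


def check_password(candidate: str) -> list:
    """Return the list of guideline violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"\d", candidate):
        problems.append("contains no digits")
    base = normalize(candidate)
    if base in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    if base in COMMON_NAMES:
        problems.append("based on a first or last name")
    return problems


if __name__ == "__main__":
    for sample in ("Summer2002", "password", "Smith99", "x7Qv9k2m"):
        verdict = check_password(sample) or ["accepted"]
        print(f"{sample}: {', '.join(verdict)}")
```

Note that "Summer2002" satisfies the letters-plus-digits rule yet is still rejected, which is why the dictionary and name checks are worth running in addition to the character-mix rule.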

Leading up to that day, people who work with computers must make a concerted effort to discover and delete, secure, or encrypt all files or documents on the network that contain personally identifiable health information.

You need those three weeks to allow for the inevitable protests that working this way is impossible. Doctors and other clinicians will object that they absolutely must be able to let secretaries view and sign documents for them. Because they are key personnel and have told you that the new policy is unacceptable, they will believe that it does not apply to them. You must reply to each complaint, repeating the policy each time.

No, I'm sorry: it's not impossible, it's only difficult, and we have no choice. You may gather that the security officer will not be a terribly popular person during the transition. This is entirely possible. A person of integrity with a great deal of earned respect among his or her peers is the likeliest to succeed in this position.

Finally, you need to be extremely responsive in verifying identity and issuing replacement passwords to staff who forget them. If they are unable to complete their work because of a forgotten password, the post-it notes will start to go back up on the monitors and you will have to start the education process all over again.