Q&A: You’ve got questions! We’ve got answers!

Physician Practice Insider, March 7, 2017

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: Are we required to have employees change their passwords on a regular schedule? If so, how often should we reset passwords?

A: Yes, it is sound security practice to require employees to periodically change their passwords. It is recommended that passwords be updated at least every 90 days. This can be a challenge, and there will likely be pushback from some staff. There is no set regulatory requirement to periodically change passwords, but there is a requirement to implement sound password management. That would include requiring strong passwords, the requirement to change passwords at least every 90 days or when it’s believed that the password has been compromised, and not permitting employees to use the same password for at least five iterations, or times the password is changed.

Editor’s note: This question was answered by Chris Apgar, CISSP, for Briefings on HIPAA. Apgar is the president and CEO of Apgar & Associates in Portland, Oregon. He is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your questions to Associate Editor Nicole Votta at
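One way to enforce the three rules Apgar describes (rotation at least every 90 days, an immediate change when compromise is suspected, and no reuse across the last five passwords), as an added Python example that is not from the column or from Apgar & Associates; the PBKDF2 work factor, the salt size and the sample dates are assumptions:

```python
"""Password-management checks for the policy described in the answer above:
rotate at least every 90 days or on suspected compromise, and refuse any
password that matches one of the last five. Example code, not the column's."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # rotate at least every 90 days
HISTORY_DEPTH = 5                       # previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000             # assumed work factor; tune to your hardware


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never holds passwords in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def change_required(last_changed: date, today: date, suspected_compromise: bool = False) -> bool:
    """True when the password is 90 or more days old or is believed compromised."""
    return suspected_compromise or (today - last_changed) >= MAX_PASSWORD_AGE


def reuses_recent_password(candidate: str, history: list) -> bool:
    """True if the candidate matches any stored (salt, digest) pair.

    Each digest is recomputed with its own salt and compared in constant time."""
    return any(hmac.compare_digest(_digest(candidate, salt), digest) for salt, digest in history)


def record_change(new_password: str, history: list) -> list:
    """Store the new password's salted digest, keeping only the last HISTORY_DEPTH.

    Raises ValueError when the new password repeats one of the recent ones."""
    if reuses_recent_password(new_password, history):
        raise ValueError("password matches one of the last %d passwords" % HISTORY_DEPTH)
    salt = os.urandom(16)
    return (history + [(salt, _digest(new_password, salt))])[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed sample: a password set on 1 Dec 2016, checked on the column's date.
    history = record_change("Winter2016!", [])
    print(change_required(date(2016, 12, 1), date(2017, 3, 7)))   # True: 96 days old
    print(reuses_recent_password("Winter2016!", history))          # True: still in history
```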
