Using a Business Password Manager to Share ePHI in Compliance with HIPAA

Using a business password manager to share ePHI in compliance with HIPAA is a viable alternative to other secure forms of communication if your organization implements a business password manager and the vendor is willing to sign a Business Associate Agreement.

One of the most challenging requirements of HIPAA compliance is communicating ePHI in compliance with the Security Rule safeguards. Familiar channels of communication such as SMS, email, and instant messaging lack the controls necessary to comply with HIPAA, and while convenient alternatives exist, these can cost up to $10 per user per month.

For half the cost of a secure messaging or email encryption solution, organizations can take advantage of the secure sharing capabilities of a business password manager. These capabilities allow authorized users to send encrypted messages by any channel to any recipient and have the necessary mechanisms in place to comply with access, audit, and event logging requirements.

Additionally, organizations can take advantage of the more traditional capabilities of a business password manager – for example, system admins can apply and enforce strong password policies, and check for weak, re-used, and compromised passwords. Many business password managers also integrate seamlessly with existing identity providers to minimize the management overhead.

Using a Business Password Manager to Share ePHI in Compliance with HIPAA

Different password managers – and different apps and browser extensions – work in slightly different ways. Consequently, to demonstrate using a business password manager to share ePHI in compliance with HIPAA, we have selected the Bitwarden password manager and show the secure sharing process from the web vault perspective, as the web vault is accessible from any device.

  • From the navigation bar, the user selects “Create New Send”.
  • The user then selects whether to send a text message or a file.
  • If a text, the user types or pastes the content of the message.
  • If a file, the user selects which file they want to send.
  • The user can then attach security features to the message such as:
    • A deletion date
    • An expiration date
    • A maximum number of times the message can be accessed
    • A password the recipient will need to open the message

Once saved, the message is encrypted and sent to Bitwarden’s servers. The user selects “Copy Send Link” to copy a link to the message to their clipboard. The link to the encrypted message can then be sent to a recipient – or multiple recipients – via any channel of communication (including SMS, email, and IM) and, when the recipient clicks on the link, the message opens on their device.

Importantly, the recipient does not have to have a Bitwarden account to receive the link and open the message. This makes using a business password manager to share ePHI in compliance with HIPAA suitable for communications between remote healthcare providers, with Business Associates, and with patients who are concerned about ePHI being communicated over insecure networks.
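The same Send controls listed above (deletion date, expiration date, maximum access count, password) can be set from the Bitwarden CLI rather than the web vault. The following is an added example, not code from the article or from Bitwarden: it builds a text Send object in the JSON shape assumed from `bw send template send.text` and checks it against a constructed organizational policy for ePHI before it is created. The policy limits, the field shape and the CLI usage in the comments are assumptions to confirm against your own CLI version.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values (an assumption, not from the article): limits an
# organization might impose before a Send is allowed to carry ePHI.
MAX_LIFETIME_DAYS = 7
MAX_ACCESS_COUNT = 3
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"   # ISO 8601 in UTC, as the Send JSON dates are written

def build_text_send(name: str, text: str, password: str,
                    lifetime_days: int = MAX_LIFETIME_DAYS,
                    max_access: int = MAX_ACCESS_COUNT,
                    now: Optional[datetime] = None) -> dict:
    """Build a text Send in the shape of `bw send template send.text`
    (shape assumed from the Bitwarden CLI; confirm against your CLI version)."""
    now = now or datetime.now(timezone.utc)
    ends = (now + timedelta(days=lifetime_days)).strftime(DATE_FMT)
    return {
        "object": "send",
        "name": name,
        "notes": None,
        "type": 0,                                # 0 = text Send, 1 = file Send
        "text": {"text": text, "hidden": True},   # hidden: recipient must click to reveal
        "file": None,
        "maxAccessCount": max_access,
        "deletionDate": ends,
        "expirationDate": ends,
        "password": password,
        "disabled": False,
    }

def ephi_send_violations(send: dict, now: Optional[datetime] = None) -> list:
    """Return the policy rules a Send breaks; an empty list means it may carry ePHI."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not send.get("password"):
        problems.append("no password set")
    if send.get("maxAccessCount") is None or send["maxAccessCount"] > MAX_ACCESS_COUNT:
        problems.append("maxAccessCount missing or above policy")
    for key in ("deletionDate", "expirationDate"):
        value = send.get(key)
        if not value:
            problems.append(f"{key} missing")
            continue
        when = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
        if when > now + timedelta(days=MAX_LIFETIME_DAYS):
            problems.append(f"{key} later than {MAX_LIFETIME_DAYS} days")
    if send.get("type") == 0 and not send["text"].get("hidden"):
        problems.append("text not hidden")
    return problems
```

A Send that passes the check can be serialized with `json.dumps` and piped through `bw encode | bw send create` (assumed CLI usage); the returned Send object carries the access URL to hand to the recipient.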

Is The Secure Sharing Process HIPAA Compliant?

The secure sharing process is HIPAA compliant because the password manager has all the necessary features to fulfil the requirements of the Security Rule – for example, access controls, automatic logoff, encryption, event logging, audit controls, etc. Provided the secure sharing feature is not used to use or disclose ePHI impermissibly, the process is fully HIPAA compliant.

Where compliance issues exist, these relate to some vendors of password managers refusing to sign a Business Associate Agreement. The problem is that most business password managers are built on zero knowledge architectures and some password manager vendors believe that, because they cannot see the content of user vaults, they are not responsible for the security of ePHI.

This is not the case according to an FAQ published by HHS. As providers of a cloud service, password managers have “persistent access” to ePHI, and therefore “even if the [provider] cannot view the ePHI because it is encrypted and the [provider] does not have the decryption key” vendors of password managers are classified as Business Associates and organizations must enter into a Business Associate Agreement before using a business password manager to share ePHI.

Which Vendors will Enter Into a Business Associate Agreement?

Despite most of the top-ranked business password managers claiming to be HIPAA-compliant, few will enter into a Business Associate Agreement. Many follow the examples of 1Password and Keeper by claiming they do not qualify as Business Associates because they cannot see the content of user vaults, while LastPass claims HIPAA doesn’t apply because LastPass is not a Covered Entity.

It is clear that vendors are Business Associates when customers are using a business password manager to share ePHI, so organizations are best advised to opt for vendors such as Bitwarden and Zoho Vault that are willing to enter into a Business Associate Agreement. The alternative is not to use a business password manager to share ePHI – but only to create, save, and autofill passwords – and pay twice as much as the cost of the password manager for an alternative solution.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA