by twunde 1577 days ago
Strictly speaking, having passwords in plaintext is legal but not secure since the HIPAA Security Rule is about protecting PHI. It's also possible that the passwords in their system aren't in plaintext, but customer service has to change the password and they need some way to send you the password. It sucks.

So how do you get the company to change this? Your best bet is to contact the executive(s) in charge of compliance and security about this (you'll likely need to do some Googling and/or LinkedIn stalking).

The argument that you want to present to them is that the HIPAA Security Rule requires that a covered entity `Identify and protect against reasonably anticipated threats to the security or integrity of the information` and that in this day and age having passwords in plain text is a reasonably anticipated threat.

Reference: https://www.hhs.gov/hipaa/for-professionals/security/laws-re...
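The comment above hints at the usual reason a company ends up "sending you the password": support staff need a way to get a user back into their account. The example below, added here and not written by the commenter or by any company mentioned, shows the alternative a security engineer would propose: passwords are stored only as salted PBKDF2 hashes, and a support-desk reset hands the user a single-use, time-limited token that lets them choose a new password, so nobody on staff ever sees or transmits a password. The class and method names (`CredentialStore`, `issue_reset_token`, `redeem_reset_token`), the iteration count and the token lifetime are assumptions chosen for illustration; the code uses only the Python standard library.

```python
"""Hashed credential store with a support-desk reset flow (illustrative example)."""
import hashlib
import hmac
import os
import secrets
import time

# Assumption: tune for your hardware; production deployments should use a
# noticeably higher count (or a memory-hard function such as scrypt/Argon2).
PBKDF2_ITERATIONS = 200_000
# Assumption: how long a support-issued reset token stays valid, in seconds.
RESET_TOKEN_TTL = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from a password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    """In-memory stand-in for a user table; only salted hashes are kept."""

    def __init__(self, now=time.time):
        self._users = {}   # username -> {"salt": bytes, "hash": bytes}
        self._resets = {}  # sha256(token) hex -> (username, expires_at)
        self._now = now    # injectable clock so expiry can be tested

    def register(self, username: str, password: str) -> None:
        """Store a fresh salt and hash; the plaintext is never retained."""
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt)}

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of the recomputed hash against the stored one."""
        rec = self._users.get(username)
        if rec is None:
            # Do the same amount of work for unknown users so that response
            # timing does not reveal whether an account exists.
            _hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def issue_reset_token(self, username: str) -> str:
        """Support-desk action: mint a single-use token for the user to set a new password.

        Only the token's hash is stored, so a leaked copy of this table cannot
        be used to take over accounts.
        """
        if username not in self._users:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._resets[token_hash] = (username, self._now() + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        """User action: exchange a valid, unexpired token for a new password."""
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._resets.pop(token_hash, None)  # pop => single use
        if entry is None:
            return False
        username, expires_at = entry
        if self._now() > expires_at:
            return False
        self.register(username, new_password)  # new salt, new hash
        return True

    def stored_record(self, username: str) -> dict:
        """Expose the stored record so a reviewer can confirm no plaintext is present."""
        return self._users[username]


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    print("login ok:", store.verify("alice", "correct horse battery staple"))
    token = store.issue_reset_token("alice")   # what support would e-mail as a link
    print("reset ok:", store.redeem_reset_token(token, "a new passphrase"))
    print("token reusable:", store.redeem_reset_token(token, "again"))
```

The two properties worth pointing at in a compliance discussion are that `stored_record` never contains anything a breach could replay as a password, and that a reset token is consumed on first use and dies on its own after `RESET_TOKEN_TTL`, so the support path does not become a second, weaker login path.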