A study conducted in 2014 and 2015 suggests that the sharing of access credentials may actually be a fairly large and widespread HIPAA compliance issue.

The study was conducted online through a Google Forms-based survey.  It specifically targeted medical and para-medical personnel.  Approximately 2,500 people were notified of the survey and 299 responded.  To receive better responses, the researchers asked questions in a manner that did not place the blame on respondents; for example: “Has anyone ever shared access credentials with you?”

Of the 299 people who responded, 220 said they had been given access credentials of at least one other medical or para-medical employee.  Many of the respondents were students who claimed that the other user’s access credentials were necessary for them to complete their job duties.  In addition, many stated that their own accounts’ permissions were not sufficient for them to complete their assigned tasks.

One of HIPAAgps’ risk analysts recalls credential-sharing being a common occurrence while working at a regional hospital.  The analyst said that due to the time it took to gain access to the EHR and the need to be a fully functioning employee, credentials were often shared or used in ways they shouldn’t have been in order to keep up with duties.

With workloads getting ever larger, this is an issue that will likely become much more serious.

Sharing access credentials increases the risk of a breach.  It could lead to an employee misusing access from that shared account, or a hacker intercepting login information that’s been sent through email.

Sharing these credentials also makes it harder for teams that review audits to determine who may have accessed information they shouldn’t have.  It’s also important for employees to know that by sharing their credentials, they increase the risk of inappropriate activity being performed under their account, and if that happens, they will be held responsible whether they had any part in it or not.

Employees should be trained not to share access credentials, and organizations should also work hard to ensure that employees have the proper access for their jobs.  This could include requiring employees to come to managers when access is insufficient.


Use HIPAAgps’ training to help your employees understand why sharing access credentials is a bad idea.