I am about to publish a HIPAA Q & A on this topic but here is a short version: having and maintaining access controls are a critical and required aspect of HIPAA compliance, and is the first technical HIPAA Security Standard. The exclusive use of usernames and passwords, by far the most common and standard practice in health care, is characterized by a lot of problems and issues. The rules don’t specifically disallow this approach but I would love to see the industry move to more secure and, surprisingly, easier approaches such as the wide adoption of two-factor authentication. Stay tuned for a future blog post on this topic.