If you work in or around a healthcare practice, you may have noticed something unusual this week: EyeMed recently began requiring every user logging into its portal to have their own unique credentials, and more platforms are not far behind. Some practices are already feeling the effects of the enforcement. Over the next several months, expect the same change to roll out across the rest of the industry. No more shared passwords. No more one login for the whole front desk.
We have been watching this closely at Teem, and we want to give you the full picture, clearly, and grounded in facts, so you and your team can get ahead of it.
This is not new law. It is existing law being enforced. So is a shared login a HIPAA violation? Technically, yes, and it has been since 2003.
Here is the most important thing to understand: unique user identification has been a requirement under HIPAA’s Security Rule since the original rule was finalized in 2003. That means shared logins have technically been a compliance gap for over twenty years. What is changing right now is not the underlying rule, it is the enforcement of a rule that has been on the books since before most of today’s front desk staff started working in healthcare.
The federal citation is 45 CFR 164.312(a)(2)(i), which requires covered entities and their business associates to “assign a unique name and/or number for identifying and tracking user identity” for any system that touches electronic protected health information (ePHI). Unique user identification is listed as a Required implementation specification, meaning practices never had the flexibility to opt out of it. That includes EHRs, billing platforms, insurance portals, and any other software your practice uses to access patient data.
One thing worth saying clearly: this applies to everyone. Front desk staff, billing teams, doctors, practice owners: if someone logs into a system that touches patient information, they need their own unique login. It does not matter whether they are sitting at the front desk or logging in from home. The rule is the same for everyone.
Shared logins have been a compliance gap since 2003, not because of any new regulation, but because the old one was rarely enforced.
The regulatory timeline
Here is what the recent activity looks like when you put it in order:
| Date | Milestone |
| --- | --- |
| 2003 | HIPAA Security Rule finalized |
| Jan 2025 | Proposed Security Rule update published |
| Mar 2025 | Public comment period closed |
| May 2026 | Final rule expected, not yet confirmed. Enforcement already underway across the industry |
The unique login requirement is just the most visible piece of a much larger shift. The proposed 2026 Security Rule overhaul would remove the old distinction between “required” and “addressable” safeguards entirely, adding mandatory multi-factor authentication, asset inventories, and network segmentation on top of what already exists. Unique logins are where enforcement starts.
Why this is actually good for your practice
We mean this genuinely. Unique logins are better for everyone:
- Better security. Each team member only accesses what they are supposed to access.
- Cleaner audit trails. If something ever goes wrong, you know exactly who did what.
- Reduced liability. Practices with proper individual credentials have a much cleaner compliance posture.
- Easier offboarding. When someone leaves, you revoke their one login; with a shared credential you would have to change the password for the whole team.
What to do right now
The practices that come through this smoothly will be the ones that act before their software forces the change on them. Here is where to start:
- Make a list of every system your practice logs into that accesses PHI: EHR, billing, insurance portals, scheduling software, clearinghouses.
- Identify any shared logins still in use across those systems. This includes front desk staff sharing a single password to access insurance portals or your EHR, one of the most common situations we see across practices.
- Create a unique login for each team member in each platform before the system forces you to.
- Document who has access to what. This is good practice and good compliance.
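The four steps above amount to an access review: an inventory of who uses which account on which system, a check for accounts used by more than one person, and the "who has access to what" record. The script below is an added example, not a Teem tool or anything from the sources linked on this page; it runs over a small constructed inventory (fictitious systems, accounts and names) and shows the three outputs a practice would want from that review, including the offboarding difference between a personal login (revoke it) and a shared one (the password has to be rotated for everyone still using it).

```python
"""Access-inventory audit for a healthcare practice.

Input is a list of (system, account, person) rows: one row for every person
who knows the password for a given account on a given system. From that,
the script flags shared logins, builds the per-person access record, and
produces an offboarding checklist.
"""
from collections import defaultdict

# Constructed sample inventory (fictitious systems, accounts and people).
INVENTORY = [
    ("EHR", "frontdesk", "Alice"),
    ("EHR", "frontdesk", "Bob"),
    ("EHR", "dr.chen", "Dr. Chen"),
    ("Insurance portal", "clinic_login", "Alice"),
    ("Insurance portal", "clinic_login", "Bob"),
    ("Insurance portal", "clinic_login", "Carol"),
    ("Billing", "carol.w", "Carol"),
    ("Billing", "bob.s", "Bob"),
]


def find_shared_logins(inventory):
    """Return {(system, account): [people]} for every account used by more than one person.

    These are the compliance gap: an action taken under a shared account cannot be
    attributed to an individual, which is what the unique-identifier rule requires.
    """
    users = defaultdict(set)
    for system, account, person in inventory:
        users[(system, account)].add(person)
    return {key: sorted(people) for key, people in users.items() if len(people) > 1}


def access_by_person(inventory):
    """Return {person: [(system, account), ...]}: the 'who has access to what' record."""
    access = defaultdict(set)
    for system, account, person in inventory:
        access[person].add((system, account))
    return {person: sorted(accts) for person, accts in sorted(access.items())}


def offboarding_checklist(inventory, person):
    """Split a departing person's accounts into ones to revoke and shared ones to rotate.

    A personal login can simply be disabled. A shared login cannot: the password must
    be changed (and redistributed) for everyone else who still uses it, which is why
    shared credentials make offboarding slow and error-prone.
    """
    shared = find_shared_logins(inventory)
    mine = access_by_person(inventory).get(person, [])
    return {
        "revoke": [acct for acct in mine if acct not in shared],
        "rotate_shared": [acct for acct in mine if acct in shared],
    }


def report(inventory):
    """Return the audit findings as a list of human-readable lines."""
    lines = []
    shared = find_shared_logins(inventory)
    if shared:
        lines.append("Shared logins still in use (need one account per person):")
        for (system, account), people in sorted(shared.items()):
            lines.append(f"  {system} / {account}: {', '.join(people)}")
    else:
        lines.append("No shared logins found.")
    lines.append("Access record:")
    for person, accts in access_by_person(inventory).items():
        lines.append(f"  {person}: " + ", ".join(f"{s}/{a}" for s, a in accts))
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
    print("Offboarding Bob:", offboarding_checklist(INVENTORY, "Bob"))
```

To use it on a real practice, replace `INVENTORY` with rows exported from your own access list; the shared-login finder is the check to rerun after each new account is created, until it returns nothing.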
If you want to read the requirement straight from the federal government, here are the official sources:
- Current HIPAA law on unique user identification, 45 CFR 164.312: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- HHS Office for Civil Rights guidance on Technical Safeguards: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- HHS Fact Sheet on the proposed 2026 update: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
- Federal Register publication of the proposed rule: https://www.federalregister.gov/d/2024-30983
We want to be clear about where we stand. As a partner to the practices we work with, we believe this is a genuinely good move, for patients, practices, and for everyone working inside the system. Yes, it is required by law. But our support for it runs deeper than compliance. Healthcare deserves better security, and this is a step in the right direction.
At Teem, getting in front of change, with clarity and honesty, is one of the most valuable things we can do for the practices we work with. If you have questions about what this means for your practice, whether you are a customer or not, we are here to help.