
Why Shared Logins Are a HIPAA Violation: The Hidden Cost of "Saving Money" on Software Subscriptions

February 16, 2026 · 5 min read

Five people share one login. Which one accessed that patient record?

"It saves money on subscriptions."

I heard this last week from a medical practice owner. They had one login for their practice management system shared across the entire front office. Five people, one username, one password.

When something goes wrong — a record gets changed, data gets deleted, something gets accessed that shouldn't have been — who did it?

With a shared login, the answer is: "We don't know. Could have been anyone."

That's not a defensible answer for HIPAA, your insurance carrier, or a patient asking why their records were accessed.


What Are Shared Logins?

Shared logins occur when multiple employees use the same username and password to access a software system. Instead of unique credentials, everyone logs in with a single "office" account.

Medical practices commonly share logins for practice management systems, EHR/EMR platforms, billing software, and cloud storage — usually to avoid per-user license fees or for convenience.


Are Shared Logins a HIPAA Violation?

Yes. Shared logins violate the HIPAA Security Rule.

The HIPAA Security Rule requires Unique User Identification under §164.312(a)(2)(i), mandating covered entities "assign a unique name and/or number for identifying and tracking user identity."

When audit logs show "FrontDesk" accessed a patient record but five people use that account, you cannot comply with this requirement.

What Are the Penalties for HIPAA Access Control Violations?

Tier   | Description                     | Penalty Range
Tier 1 | Lack of knowledge               | $100 - $50,000 per violation
Tier 2 | Reasonable cause                | $1,000 - $50,000 per violation
Tier 3 | Willful neglect (corrected)     | $10,000 - $50,000 per violation
Tier 4 | Willful neglect (not corrected) | $50,000+ per violation

Annual maximums reach $1.5 million per violation category. "We were saving money on licenses" isn't a mitigating factor.


How Do Shared Logins Affect Cyber Insurance Claims?

Shared logins can result in denied claims and policy cancellations.

What Do Cyber Insurance Applications Ask About User Access?

  • "Do you have unique user accounts for all employees?"

  • "Do you maintain audit logs of user access?"

  • "Can you identify which user performed specific actions?"

Why Do Carriers Deny Claims Related to Shared Logins?

If you answer "yes" but share logins: You've made a material misrepresentation. Carriers may deny claims when they discover shared logins during investigation.

If you answer "no" honestly: Expect higher premiums, coverage exclusions, or denial.

When investigating incidents, carriers ask: "Who accessed the compromised account?" If your answer is "We don't know — five people use that login," you've demonstrated lack of basic controls and potential misrepresentation.


What Are the Security Risks of Shared Logins?

How Do Shared Logins Prevent Accountability?

Unauthorized Access: A staff member looks up records of a neighbor or ex-spouse. With unique logins, you identify who did it. With shared logins, you can't prove anything.

Departing Employees: Someone leaves on bad terms and accesses records they shouldn't. With unique logins, you revoke their access and audit activity. With shared logins, you change everyone's password and can't determine what they accessed.

External Breaches: Attackers compromise credentials through phishing. With unique logins and MFA, abnormal behavior triggers alerts. With shared logins, there's no baseline — five people use the account differently.

Why Can't You Detect Breaches With Shared Logins?

Security monitoring relies on baseline behavior patterns. When multiple people share one account, login times vary unpredictably, access patterns have no consistency, and distinguishing normal from abnormal activity becomes impossible.
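To make the "no baseline" point concrete, here is an added Python example (not code from the original post). It builds a per-account login baseline from a handful of constructed log lines, then scores the same late-night login against a one-person account and against the shared "FrontDesk" account. The account names, workstation IDs, timestamps and thresholds are all constructed for illustration.

```python
# Added example (not from the original post): why a shared account gives
# security monitoring no baseline to work with. All log lines are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed login records in the form "ISO-timestamp account workstation".
# "jdoe" is one person's account; "FrontDesk" is an account shared by five staff.
SAMPLE_LOG = """\
2026-02-02T08:05:00 jdoe WS-03
2026-02-03T08:12:00 jdoe WS-03
2026-02-04T07:58:00 jdoe WS-03
2026-02-05T08:20:00 jdoe WS-03
2026-02-06T08:03:00 jdoe WS-03
2026-02-02T06:40:00 FrontDesk WS-01
2026-02-02T12:15:00 FrontDesk WS-02
2026-02-02T17:50:00 FrontDesk WS-04
2026-02-03T09:30:00 FrontDesk WS-05
2026-02-03T21:45:00 FrontDesk WS-01
2026-02-04T14:10:00 FrontDesk WS-02
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, account, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, workstation = line.split()
        events.append((datetime.fromisoformat(ts), account, workstation))
    return events


def build_baselines(events):
    """Per account: mean and spread of login hour, plus the workstations seen."""
    hours = defaultdict(list)
    hosts = defaultdict(set)
    for ts, account, ws in events:
        hours[account].append(ts.hour + ts.minute / 60)
        hosts[account].add(ws)
    return {
        acct: {"mean_hour": mean(h), "stdev_hour": pstdev(h),
               "workstations": frozenset(hosts[acct]), "samples": len(h)}
        for acct, h in hours.items()
    }


def baseline_is_usable(baseline, max_stdev_hours=2.0, max_workstations=2):
    """A baseline only supports anomaly detection if the account's behaviour is
    consistent: a narrow login-time window and a small set of workstations.
    The thresholds are illustrative assumptions."""
    return (baseline["stdev_hour"] <= max_stdev_hours
            and len(baseline["workstations"]) <= max_workstations)


def score_login(baseline, ts, workstation, z_threshold=3.0):
    """Score one login against an account's baseline.
    Returns (z-score of the login hour, is_new_workstation, is_anomalous)."""
    hour = ts.hour + ts.minute / 60
    sd = baseline["stdev_hour"]
    z = abs(hour - baseline["mean_hour"]) / sd if sd > 0 else float("inf")
    new_ws = workstation not in baseline["workstations"]
    return z, new_ws, (z > z_threshold or new_ws)


def evaluate(log_text, account, ts_str, workstation):
    """Build baselines from the log text and score a single login (ISO timestamp)."""
    baseline = build_baselines(parse_log(log_text))[account]
    z, new_ws, anomalous = score_login(baseline, datetime.fromisoformat(ts_str), workstation)
    return {"usable_baseline": baseline_is_usable(baseline), "z": round(z, 2),
            "new_workstation": new_ws, "anomalous": anomalous}


if __name__ == "__main__":
    # The same 23:00 login, from a workstation each account has used before.
    print("jdoe      ", evaluate(SAMPLE_LOG, "jdoe", "2026-02-07T23:00:00", "WS-03"))
    print("FrontDesk ", evaluate(SAMPLE_LOG, "FrontDesk", "2026-02-07T23:00:00", "WS-01"))
```

For "jdoe" the login hours cluster tightly around 08:00 on a single workstation, so a 23:00 login is over a hundred standard deviations out and is flagged. For "FrontDesk" the five users spread logins from 06:40 to 21:45 across four workstations, so the same 23:00 login sits under two standard deviations from the mean and nothing fires; the function that checks baseline quality reports the shared account as unusable for detection before any alert logic runs.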


How Much Do Shared Logins Really Cost?

The "Savings"

  • 5 users × $50/month = $250/month avoided

  • Annual "savings" = $3,000

The Potential Costs

Risk                       | Potential Cost
HIPAA fine (per violation) | $100 - $50,000
HIPAA fine (annual max)    | Up to $1.5 million
Denied insurance claim     | $50,000 - $500,000+
Patient lawsuit            | $10,000 - $250,000+
Breach remediation         | $5,000 - $50,000+

The real math: You're betting $3,000 against six-figure losses.


What Compliance Frameworks Require Unique User Identification?

Framework           | Requirement
HIPAA Security Rule | §164.312(a)(2)(i) Unique User Identification
CIS Controls v8.1   | Control 5: Account Management
NIST CSF 2.0        | PR.AC-1: Identities and credentials managed
PCI DSS 4.0         | Requirement 8: Unique ID for each person
SOC 2               | CC6.1: Logical access with unique identification

Every major framework requires identifying who did what, and when.


How Do You Eliminate Shared Logins?

Step 1: Audit Your Systems

Inventory every system containing sensitive data. Document how many accounts exist versus how many people use the system. Fewer accounts than users means shared logins.

Step 2: Create Individual Accounts

Work with vendors to set up unique accounts for every user. Ask about per-user pricing and audit logging capabilities. Budget for licenses — this is compliance, not optional.

Step 3: Enable Audit Logging

Enable logging on all systems with sensitive data. Capture who logged in, when, what they accessed, and changes made. HIPAA requires minimum 6-year retention.

Step 4: Add Multi-Factor Authentication

Enable MFA on EHR/EMR, practice management, email, cloud storage, and remote access. MFA ties authentication to something the individual has, making sharing harder.

Step 5: Document Policies

Create written policies prohibiting shared accounts. Include processes for account requests, access removal, and audit procedures. HIPAA requires written policies.

Step 6: Review Regularly

Activity                        | Frequency
Remove departed employee access | Within 24 hours
Review user accounts            | Monthly
Audit log review                | Monthly
Full access audit               | Quarterly
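Steps 1 and 6 above are checks that can be written down and re-run on a schedule. Here is an added Python example (not code from the original post) that does both over a constructed staff roster and system inventory: it reports every system where fewer accounts exist than people use it, lists the accounts more than one person holds, and flags any account still usable by someone who left more than 24 hours ago. The roster, system names, account names and dates are all constructed sample data.

```python
# Added example (not from the original post): a small audit implementing
# Step 1 (accounts vs. people) and Step 6 (departed staff removed within 24 hours).
# The roster and system inventory below are constructed sample data.
from datetime import datetime, timedelta

# Constructed staff roster: who is still employed and, if not, when they left.
ROSTER = {
    "alice": {"active": True},
    "bob":   {"active": True},
    "carol": {"active": False, "departed": "2026-02-10T17:00:00"},
    "dave":  {"active": True},
    "erin":  {"active": True},
}

# Constructed system inventory: the people who use each system, and the
# accounts that exist on it mapped to the people who know each password.
SYSTEMS = {
    "PracticeMgmt": {
        "users": ["alice", "bob", "carol", "dave", "erin"],
        "accounts": {"FrontDesk": ["alice", "bob", "carol", "dave", "erin"]},
    },
    "EHR": {
        "users": ["alice", "bob", "carol"],
        "accounts": {"alice": ["alice"], "bob": ["bob"], "carol": ["carol"]},
    },
}


def find_shared_logins(systems):
    """Step 1: a system with fewer accounts than users has shared logins.
    Report each account that more than one person uses, with the account deficit."""
    findings = []
    for name, system in systems.items():
        deficit = len(system["users"]) - len(system["accounts"])
        for account, holders in system["accounts"].items():
            if len(holders) > 1:
                findings.append({"system": name, "account": account,
                                 "holders": sorted(holders),
                                 "account_deficit": max(deficit, 0)})
    return findings


def find_stale_departures(systems, roster, now, max_hours=24):
    """Step 6: accounts still usable by someone who left more than max_hours ago.
    A shared account is flagged as soon as any one of its holders has departed,
    because the only remedy is changing the password for everyone."""
    findings = []
    now = datetime.fromisoformat(now)
    for name, system in systems.items():
        for account, holders in system["accounts"].items():
            for person in holders:
                entry = roster.get(person)
                if entry is None or entry["active"]:
                    continue
                age = now - datetime.fromisoformat(entry["departed"])
                if age > timedelta(hours=max_hours):
                    findings.append({"system": name, "account": account,
                                     "person": person,
                                     "hours_since_departure": round(age.total_seconds() / 3600)})
    return findings


def review(systems, roster, now):
    """Run both checks; two empty lists mean a clean review."""
    return {"shared_logins": find_shared_logins(systems),
            "stale_departures": find_stale_departures(systems, roster, now)}


if __name__ == "__main__":
    import json
    print(json.dumps(review(SYSTEMS, ROSTER, "2026-02-12T09:00:00"), indent=2))
```

Run monthly, the first check is the account review from the table above; run daily (or on every HR off-boarding event), the second check enforces the 24-hour removal window. In the sample data the practice management system has one account for five users, and because the departed employee still holds that account's password, the shared account shows up under both checks.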


Frequently Asked Questions

Can small practices share logins?

No. Practice size doesn't change HIPAA requirements. A two-person practice has the same obligations as a 200-person hospital.

What if our software doesn't support multiple users?

Replace it. Software that doesn't support individual accounts with audit logging doesn't meet basic compliance requirements.

Is sharing okay for non-clinical systems?

It depends. If the system contains PHI, PII, or financial data, you need individual accounts. When in doubt, use individual accounts.

What about temporary staff?

They need individual accounts too. Every person accessing sensitive data needs unique credentials, regardless of employment status.


The Bottom Line

"It saves money on subscriptions" is one of the most expensive decisions a practice can make.

The subscription fees you're avoiding are nothing compared to a HIPAA fine you can't fight, a denied insurance claim, or a patient lawsuit you can't defend.

Every user needs their own login. No exceptions.

Keep IT Simple. One person, one login.


If your practice uses shared logins and you're not sure where to start, that's exactly the conversation we have with Michigan practices every week. Happy to point you in the right direction.

#KeepITSimple #SmarterBusiness #BigWaterTech #HIPAA

John Lowery

John Lowery is the CEO of BigWater Technologies, where he leads with a passion for innovation and excellence in delivering advanced IT solutions. With over two decades of experience in the tech industry, John specializes in strategic planning, operational efficiency, and driving customer success.
