
Password managers

Best HIPAA-Compliant Password Managers for Clinics

A comparison of password managers clinics evaluate under a BAA: 1Password Business, Bitwarden Teams, Keeper Enterprise, and LastPass Business.

Decision summary

A password manager is a minimum control for any HIPAA program. The vendor does not store PHI directly, but it stores the keys to systems that do. Four mainstream vendors cover most clinic use cases.

A password manager is table stakes, not optional

45 CFR 164.312(a) requires technical access control on systems that handle ePHI. In practice, that means unique credentials per workforce member, rotation on offboarding, and audit of who accesses what. A shared login for the EHR or the practice-management system fails this on day one. A password manager is how small clinics actually meet the requirement without an IT team.

Password managers do not store PHI directly. They store credentials that open systems containing PHI, along with occasional secure notes and attachments. The vendor’s HIPAA posture and BAA availability still matter.

The four vendors clinics actually evaluate

1Password Business. 1Password provides a HIPAA guidance page and will enter a BAA with customers on qualifying business plans. Strong admin controls, recovery model, and SSO. Widely used in small-to-mid clinics.

Bitwarden Teams and Enterprise. Bitwarden states they will sign a BAA with customers on paid plans and provides HIPAA-oriented guidance. Open-source core, self-host option for clinics with strict data-residency preferences. Often cheaper per seat.

Keeper Enterprise. Keeper offers HIPAA-compliant configurations and a BAA on qualifying plans. Strong audit log and role-based access. Popular in larger organizations with compliance programs already in place.

LastPass Business. LastPass offers HIPAA support and a BAA on qualifying plans. In 2022, LastPass disclosed a data breach in which encrypted password vaults were exfiltrated along with customer account metadata. Many clinics evaluated alternatives following the breach. Clinics already on LastPass should verify current encryption and incident response posture before renewing.

The comparison that actually matters

| Vendor                      | BAA                | SSO             | Access audit | Offboarding         | Pricing model |
|-----------------------------|--------------------|-----------------|--------------|---------------------|---------------|
| 1Password Business          | On qualifying plans | Yes             | Yes          | Per-user deprovision | Per-user      |
| Bitwarden Teams/Enterprise  | On paid plans      | Enterprise plan | Yes          | Per-user deprovision | Per-user      |
| Keeper Enterprise           | On qualifying plans | Yes             | Yes          | Per-user deprovision | Per-user      |
| LastPass Business           | On qualifying plans | Yes             | Yes          | Per-user deprovision | Per-user      |

All four use per-user pricing. That is standard for the category and, in this specific case, defensible: every workforce member with access to PHI systems needs their own vault.

What to check before you sign

  • The BAA is available on the plan you are buying, not only the top-tier enterprise plan.
  • SSO is included at the tier you can actually afford; some vendors gate SSO to higher tiers, which fragments access control.
  • The access audit log is queryable and retained long enough to support a breach investigation.
  • Offboarding actually revokes access to shared vaults, not just the user’s personal vault.
  • Emergency recovery does not rely on a single person who could leave the clinic.

Policy is where clinics win or lose

Deploying a password manager without a policy is half the job. The workforce policy should specify:

  • No credentials for PHI systems outside the password manager.
  • No shared logins for EHR, billing, or patient-communication platforms.
  • Offboarding procedure when a workforce member leaves, with a recurring task to verify.
  • MFA requirement for the password manager account itself and for any system storing PHI.
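The recurring offboarding verification above, and the earlier check that offboarding revokes shared-vault access rather than only the personal vault, come down to one reconciliation: every departed workforce member on the HR roster must be absent from the password manager's member list and from every shared collection. The script below is an added example, not code from PHIGuard or any of the vendors compared here; the two CSV layouts (an HR roster with an `email` and `status` column, and a vault membership export with `email`, `account_status` and a semicolon-separated `collections` column) are constructed for illustration and will need mapping to whatever your vendor's admin export actually produces.

```python
"""Offboarding drift check for a password-manager deployment.

Compares an HR roster export against a password-manager membership export and
reports departed workforce members who still hold an active vault account or
still appear in shared collections. Both CSV layouts are constructed examples,
not any vendor's real export format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed HR roster: who is still employed according to HR.
HR_ROSTER_CSV = """email,status
nurse.a@clinic.example,active
frontdesk.b@clinic.example,terminated
biller.c@clinic.example,active
dr.d@clinic.example,terminated
tech.f@clinic.example,terminated
"""

# Constructed vault export: account state plus shared-collection membership.
VAULT_MEMBERS_CSV = """email,account_status,collections
nurse.a@clinic.example,confirmed,EHR;Billing
frontdesk.b@clinic.example,confirmed,EHR;Patient-Messaging
biller.c@clinic.example,confirmed,Billing
dr.d@clinic.example,revoked,
contractor.e@clinic.example,confirmed,EHR
tech.f@clinic.example,revoked,Billing
"""


@dataclass
class Finding:
    email: str
    reason: str
    collections: list


def load_roster(text):
    """Map normalised e-mail -> HR status ('active' or 'terminated')."""
    return {row["email"].strip().lower(): row["status"].strip().lower()
            for row in csv.DictReader(io.StringIO(text))}


def load_vault(text):
    """Map normalised e-mail -> (account_status, [shared collections])."""
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        collections = [c for c in row["collections"].split(";") if c]
        members[row["email"].strip().lower()] = (
            row["account_status"].strip().lower(), collections)
    return members


def offboarding_findings(roster_csv=HR_ROSTER_CSV, vault_csv=VAULT_MEMBERS_CSV):
    """Return one Finding per vault member whose access should not exist.

    Three conditions are checked, in order:
      1. vault member with no HR record at all (unknown account);
      2. HR says terminated but the vault account is not revoked;
      3. vault account revoked, yet the user is still listed in shared
         collections (the 'personal vault only' offboarding failure).
    """
    roster = load_roster(roster_csv)
    vault = load_vault(vault_csv)
    findings = []
    for email, (account_status, collections) in vault.items():
        hr_status = roster.get(email)
        if hr_status is None:
            findings.append(Finding(email, "vault member not on HR roster", collections))
        elif hr_status == "terminated" and account_status != "revoked":
            findings.append(Finding(email, "terminated but vault account still active", collections))
        elif hr_status == "terminated" and collections:
            findings.append(Finding(email, "account revoked but still in shared collections", collections))
    return findings


def main():
    for f in offboarding_findings():
        shared = ", ".join(f.collections) if f.collections else "-"
        print(f"{f.email}: {f.reason} (shared collections: {shared})")


if __name__ == "__main__":
    main()
```

Run on the constructed data this flags three accounts: the terminated front-desk user whose account was never revoked, a contractor who is in the vault but not on the roster, and a revoked user who still sits in the Billing collection. Scheduling this as the recurring verification task, with the output kept as evidence, is what turns the offboarding bullet from a policy statement into something an auditor can see was done.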

These policies belong in the same policy library and attestation system as the rest of your HIPAA program.

What the password manager does not cover

Credentials are one control. The compliance program still needs policy, training, BAA register, incident log, and access reviews. For that operating layer see PHIGuard pricing or the full HIPAA software comparison. For the access-control rules, see HIPAA basics. Clinics also hardening their video and messaging stack should see our best HIPAA-compliant video conferencing roundup.

If your practice still has a shared Post-it under the front-desk monitor, the first fix is not a vendor. It is a policy and the tool to enforce it.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask when narrowing a shortlist

Does a password manager need a BAA?

Yes, if the vendor could incidentally access PHI, which several acknowledge they could through stored notes or attachments. Treat them as business associates and sign the BAA.

Is a personal password manager enough?

No. Clinics need a team plan with centralized admin, access audit, and the ability to offboard accounts when a workforce member leaves. Personal plans cannot offboard.

What is the biggest risk we are trying to reduce?

Shared passwords and sticky notes. Both are common in clinics and both fail 45 CFR 164.312(a) access-control requirements.

Operational assurance

Move from comparison pages to a safer operating system.

PHIGuard is built for clinics that need a BAA, auditability, and recurring compliance work in one place instead of stitched across tools.
