The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. It consists of Title I and Title II. Title I describes health care access, portability and renewability. Title II describes the administrative measures that protect against fraud and abuse.
While the Technical Safeguards section does not specify exact password criteria, it does suggest the use of strong authentication. Of course, biometrics are the only true way of ensuring a person's true identity. For most, however, biometrics are not affordable or do not integrate well with existing systems. Increasing password strength by enforcing longer passwords, requiring more complex passwords or rejecting common passwords goes a long way to ensure the uniqueness of an end-user.
Many hospitals and healthcare providers have adopted nFront Password Filter to help them ensure better data security by disallowing weak, easily hacked passwords. Some use dictionaries of common passwords that have been extended to over 2 million words common to the healthcare industry. Such measures ensure a much lower chance of an external password compromise. If passphrases (essentially long sentences) are encouraged, then there will be less of a chance of an end-user writing down a password, so chances of internal hacking should not go up as a result of enforcing better passwords.