Hacker News

> When I pointed this out as a HIPAA violation

What provision of HIPAA does this actually violate?

It's clearly a bad practice (and obviously increase the risk of a breach, which, if it occurs, becomes an issue under HIPAA and related laws), but AFAIK neither HIPAA and subsequent modifying statutes nor the regulations adopted thereunder actually mandate particular password handling practices. Or is there something addressing that in the "guidance" issued under the HITECH act (I remember that establishing, by reference, some standards for encryption, and it wouldn't have been out of place for it to establish password-handling practices)?



Covered entities must "[protect] against any reasonably anticipated threats or hazards to the security or integrity of such [electronic protected health information the covered entity creates, receives, maintains, or transmits]" (45 C.F.R. § 164.306(a), http://www.law.cornell.edu/cfr/text/45/164.306). Storing passwords in the clear "obviously increase [sic] the risk of a breach", hence this is a reasonably anticipated threat.

HIPAA and similar laws don't codify whatever we think is good computing practice today. Down that path lies madness. Congress would have to re-write the law any time GCPs change, or else the law would become a hindrance to the very goals it's trying to achieve (in this case, healthcare-related information security). Instead, the law is written more generally, with "reasonable" being the keyword that lets the legal system refer to current practice.

(My adaptation of "GCP" is stolen shamelessly from the clinical research folks, who use it to refer to "good clinical practice", https://en.wikipedia.org/wiki/Good_clinical_practice.)


> Covered entities must "[protect] against any reasonably anticipated threats or hazards to the security or integrity of such [electronic protected health information the covered entity creates, receives, maintains, or transmits]" (45 C.F.R. § 164.306(a), http://www.law.cornell.edu/cfr/text/45/164.306).

But they also have freedom to select the particular security measures to use, considering: "(i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information." 45 C.F.R. § 164.306(b)

> HIPAA and similar laws don't codify whatever we think is good computing practice today.

No, but that's what implementing regulations usually do. HIPAA regs mostly don't include minimum technical standards (most of the security minimum standards are procedural).

> Congress would have to re-write the law any time GCPs change

Well, sure, if the minimum standards were written into the statute, which is why they are usually in the much-easier-to-change implementing regulations. The guidance under the HITECH act in effect did some of this for HIPAA PHI, as it created minimum standards for PHI to be considered "secured". But, generally, there's not much there, and it's very difficult to make a solid case that any particular technical practice is necessarily a violation of the HIPAA Security Rule.



