HIPAA
Health Insurance Portability and Accountability Act
HIPAA sets U.S. national standards for protecting individuals' health information. Its Privacy Rule governs use and disclosure of protected health information, and its Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI).
Jurisdiction: 🇺🇸 United States
Type: Healthcare / privacy
In effect: 1996
Authority: U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR)
Who it applies to
Covered entities such as health plans, health care clearinghouses, and most health care providers, along with their business associates that handle ePHI on their behalf.
Identity requirements
- Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed (person or entity authentication)
- Establish technical policies that allow access to ePHI only to authorized persons or software, including unique user identification
- Implement audit controls to record and examine activity in systems that contain or use ePHI
- Apply administrative safeguards including workforce access authorization, supervision, and termination procedures
- Conduct an accurate and thorough risk analysis of threats to ePHI and manage identified risks
- Provide automatic logoff and, where reasonable and appropriate, encryption to protect ePHI access
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Authentication & MFA | Entities must verify the identity of anyone seeking access to ePHI, driving strong authentication on clinical and administrative systems. |
| Identity governance (IGA) | Access to ePHI must be limited to authorized users via documented authorization, review, and termination procedures. |
| Privileged access (PAM) | Administrative and technical safeguards require tight control over elevated access to systems holding ePHI. |
| Audit, logging & accountability | Audit controls must record and allow examination of activity in systems that contain or use ePHI. |
| Breach notification | The Breach Notification Rule requires notifying affected individuals, HHS, and sometimes the media after a breach of unsecured PHI. |
Penalties
Civil monetary penalties are tiered by culpability and can reach into the millions of dollars per violation category per year, with potential criminal penalties for knowing misuse of PHI.
HIPAA: frequently asked questions
- Does HIPAA require multi-factor authentication?
  - The Security Rule does not name MFA explicitly, but it requires person or entity authentication and access controls, and a risk analysis will often make MFA the reasonable and appropriate safeguard for ePHI.
- Who enforces HIPAA?
  - The HHS Office for Civil Rights (OCR) investigates complaints, conducts audits, and imposes penalties for HIPAA Privacy, Security, and Breach Notification Rule violations.
- Are business associates directly liable under HIPAA?
  - Yes. Since the HITECH Act and Omnibus Rule, business associates are directly liable for compliance with applicable HIPAA Security Rule and certain Privacy Rule requirements.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.