hipaa-ts-4 Critical priority Technical Safeguards / Person or Entity Authentication

Implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be

Authentication is the technical mechanism for verifying identity before granting access to ePHI. A username and password alone are insufficient in the current threat environment: credentials are constantly stolen through phishing, credential stuffing, and social engineering. HIPAA requires covered entities to implement authentication procedures. While the rule does not explicitly mandate multi-factor authentication, MFA is the industry standard and is expected by regulators, cyber insurers, and HHS OCR investigators reviewing breach causes.

Implementation steps

  1. Implement multi-factor authentication for ePHI access

    Require multi-factor authentication for all access to systems containing ePHI. This applies to EHR access, administrative portals, email, VPN, cloud services, and any other system where ePHI is accessible. Prioritize remote access and administrative accounts first. Use authenticator apps (TOTP) or hardware tokens rather than SMS when possible.

    okta azure-ad-mfa duo microsoft-authenticator
  2. Enforce strong password policies

    Require passwords that meet minimum complexity and length requirements on all systems with access to ePHI. Prohibit password reuse. Consider passwordless authentication (passkeys, certificate-based) for higher-security environments. Implement account lockout after repeated failed authentication attempts to resist brute force attacks.

    okta azure-ad microsoft-active-directory
  3. Authenticate system-to-system access

    When software systems or applications access ePHI without a human user, implement service account authentication using strong credentials and certificates. Rotate service account credentials regularly. Restrict service account privileges to only what is needed for the specific application function.

    aws-iam azure-managed-identity okta
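
As an added example (not part of this control page or of any vendor's tooling), a Python audit of a constructed identity-provider export against the three steps above: it flags ePHI accounts with no MFA (remote and administrative accounts first), accounts relying only on SMS or voice factors, and service-account credentials past a rotation threshold. The account fields, the 90-day threshold and the sample accounts are assumptions; the control itself only says "regularly".

```python
from dataclasses import dataclass
from datetime import date

MAX_SERVICE_CREDENTIAL_AGE_DAYS = 90  # hypothetical; the control only says "regularly"
WEAK_FACTORS = {"sms", "voice"}       # factors to avoid when TOTP/hardware is available

@dataclass
class Account:
    name: str
    kind: str                      # "user", "admin" or "service"
    ephi_access: bool
    remote_access: bool = False
    mfa_factors: tuple = ()        # e.g. ("totp",), ("sms",), ()
    credential_rotated: "date | None" = None  # service accounts only

def audit_account(acct: Account, today: date) -> list:
    """Findings for one account against steps 1-3; empty list means compliant."""
    findings = []
    if not acct.ephi_access:            # control scope is ePHI access only
        return findings
    if acct.kind == "service":          # step 3: rotated service credentials
        if acct.credential_rotated is None:
            findings.append("service credential has no rotation date")
        elif (today - acct.credential_rotated).days > MAX_SERVICE_CREDENTIAL_AGE_DAYS:
            findings.append("service credential older than rotation threshold")
        return findings
    if not acct.mfa_factors:            # step 1: MFA on every ePHI login
        # remote and administrative accounts are the stated first priority
        priority = "HIGH" if acct.kind == "admin" or acct.remote_access else "MEDIUM"
        findings.append(f"{priority}: no MFA enrolled")
    elif set(acct.mfa_factors) <= WEAK_FACTORS:
        findings.append("only SMS/voice factors; prefer TOTP or hardware token")
    return findings

def audit(accounts, today: date) -> dict:  # name -> findings, compliant accounts omitted
    return {a.name: f for a in accounts if (f := audit_account(a, today))}

# Constructed sample IdP export (not real data) and a fixed audit date.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE = [
    Account("dr.lee", "user", True, mfa_factors=("totp",)),
    Account("nurse.kim", "user", True, mfa_factors=("sms",)),
    Account("it.admin", "admin", True, remote_access=True),
    Account("billing.bot", "service", True, credential_rotated=date(2024, 1, 1)),
    Account("reception", "user", False),
]

def sample_report() -> dict:
    return audit(SAMPLE, AUDIT_DATE)
```

The report is the kind of per-account gap list that backs the "MFA enrollment report" evidence item below.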

Evidence required

MFA enrollment records

Evidence that MFA is required and enrolled for ePHI system access.

  - MFA policy configuration
  - MFA enrollment report showing all users enrolled
  - Conditional access policy requiring MFA for ePHI systems

Password policy configuration

Evidence of password requirements for ePHI systems.

  - Active Directory or identity provider password policy settings
  - Password policy document

Related controls