HIPAA covered entities, including employer-sponsored health plans, are required to comply with the HIPAA security rule if they handle electronic protected health information (ePHI). In practice, this will include virtually all self-insured health plans and at least some fully insured health plans.
One requirement of the security rule obligates plans to adopt policies and practices designed to ensure that only authorized individuals can access ePHI. "Authentication" is the term used for the process by which a health plan corroborates that an individual seeking such access is the person he or she claims to be. A plan's authentication process needs to be documented as part of its security policy.
There are three categories of factors that an individual can use to corroborate his or her identity. They can use:
Some plans may use a single factor (typically a password or PIN) for their authentication process. Recent commentary from the Office for Civil Rights (OCR) suggests that plans should consider requiring individuals to use two of the three factors ("multi-factor authentication" or MFA) in order to gain access to ePHI.
The OCR, part of the U.S. Department of Health and Human Services (HHS), is the government agency tasked with enforcement of the HIPAA security rule. In its June 2023 Cybersecurity Newsletter, the OCR discusses the adequacy of single-factor authentication for purposes of compliance with the security rule. It briefly surveys some cases in which single-factor authentication facilitated security breaches and suggests that those breaches may not have occurred if the affected entities had had multi-factor authentication in place.
The security rule does not specifically prescribe the use of MFA. It does require plans to continually reassess security risks and to revise their security policies as needed in response to those reassessments. The OCR's Newsletter makes it clear that, in the view of the OCR, consideration of the use of MFA needs to be part of that risk analysis. Doing so, in the words of the Newsletter, is a "best practice". It notes that different policies may apply to different individuals; for example:
As always, documentation is the key to proving compliance. Plans must record the details of their risk assessment and the rationale supporting the policies adopted in response to that assessment.