HIPAA multi-factor authentication (MFA) requirement

With medical data breaches on the rise, the Health Insurance Portability and Accountability Act (HIPAA) is set to mandate multi-factor authentication (MFA).

Updated February 6, 2026
HIPAA multi-factor authentication & technical safeguards

HIPAA sets federal standards around protecting electronic Protected Health Information (ePHI). While HIPAA does not explicitly mandate multi-factor authentication (MFA), a proposed 2026 update to the HIPAA Privacy Rule would for the first time explicitly require MFA for HIPAA-covered entities.

What is the HIPAA multi-factor authentication (MFA) requirement?

The proposed updates to HIPAA's MFA requirement aim to mandate two factors of authentication to verify the identity of all users accessing systems that handle ePHI. This extra security layer protects sensitive healthcare data if login credentials are ever stolen or compromised.

While HIPAA doesn't explicitly require MFA today, HIPAA compliance does require strict controls on who can access sensitive ePHI. By verifying identity, MFA helps ensure only the right people gain access.

HIPAA MFA explained

A key HIPAA Technical Safeguard is Person or Entity Authentication, which seeks to do just that by verifying identity. While not yet an official HIPAA requirement, MFA is important for preventing unauthorized access to ePHI.

We often rely on user credentials (username and password) to confirm identity, but credential compromise is frequent.

Strong two-factor authentication (2FA) for healthcare provides an additional layer of verification to secure access to personal information and medical records.

HIPAA MFA follows guidelines from the National Institute of Standards and Technology (NIST) on authentication, which splits authentication factors into three groups:

  1. Something you know: A password, a PIN, or an answer to a security question.

  2. Something you have: A physical object such as a hardware key or token, or a smartphone authentication app.

  3. Something you are: A fingerprint or facial recognition (like Apple's FaceID).

This additional layer of HIPAA security helps prevent unauthorized access to data. Even if an unauthorized user has a valid username and password, they can’t access protected health information (PHI) without a valid second factor.

It sounds straightforward, but in on-prem and hybrid Active Directory environments, implementing this policy can require rewiring identity architecture or adding management overhead. For setups that are primarily on-prem, UserLock can support HIPAA MFA requirements without adding complexity.

UserLock MFA for HIPAA

Built to work seamlessly with Active Directory, UserLock is quick to deploy and doesn't get in the way of clinical workflows.

Why MFA is important for HIPAA

According to the HIPAA Journal, unauthorized access incidents spiked in 2025, even as the overall number of large healthcare breaches dropped slightly from the year before.

Why are healthcare breaches so common?

Healthcare systems have large attack surfaces with vulnerabilities that criminals can easily exploit.

And full medical records are a treasure trove of critical identifying information: full name, date and place of birth, social security number, physical and email addresses, and credit card information. Complete records can net as much as $1,000, making healthcare systems enticing targets.

Another cause for concern is that healthcare organizations lag behind other industries in cybersecurity preparedness.

IBM's 2025 Cost of a Data Breach Report indicates that healthcare organizations take longer to detect a data breach: 213 days compared to 194 in other industries.

Last and worst of all, the impact on the business’s bottom line is catastrophic. The average cost of a healthcare data breach is $10.93 million, compared to $4.4 million across industries.

HIPAA access controls

In addition to authenticating a user’s identity, there are other important steps to take to meet HIPAA technical safeguards. Several of the main areas of oversight fall under the broader umbrella of HIPAA Access Control Policy, which includes Unique User Identification and Automatic Logoff.

Unique user identification

Unique User IDs are special names or numbers that are assigned to identify and track individual users. These are often called a “Logon Name” or “User ID.” These unique credentials help ensure that a person is who they say they are, and that they are allowed to access the data they’re seeking.

This helps secure data by eliminating shared logins and passwords, thus ensuring correct user identification. It also prevents logins from being compromised by threat actors, either internally or externally.

Security solutions like UserLock can be set up to allow or deny access based on contextual factors, such as location, workstation, device, and time. This prevents unauthorized users from circumventing the system to gain access to sensitive health information.

Automatic logoff

When a system has Automatic Logoff enabled, it terminates a user’s session after a set amount of time. IS Decisions research has shown that 62% of healthcare workers aren’t automatically logged off the network after a set period of inactivity. It’s compelling evidence that logoff procedures should not be left to the user to remember.

Automatic logoff effectively ensures data security by shutting down access on an inactive workstation or device. With UserLock, IT admins can ensure both Unique User Identification as well as Automatic Logoff to enhance data security.

HIPAA audit controls

Audit Controls exist to record and examine activity related to electronic protected health information. For example, UserLock records, centralizes, and audits network logons. In the unfortunate case of a breach, this type of oversight is useful because logs can be reviewed after an event to support IT forensics.

In addition, HIPAA Audit Controls help manage user access by confirming a user’s identity and holding them accountable for any malicious activity.
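As an added illustration (not UserLock's code or the article's own), the following Python replays a constructed logon audit trail against a hypothetical contextual access policy of the kind described above (allowed workstations, logon hours, one session per unique user ID) and checks that automatic logoff is actually being enforced. The log format, policy values and user names are all assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample logon audit trail (illustrative only, not UserLock output).
# Fields: ISO timestamp, unique user ID, workstation, event kind.
SAMPLE_LOG = """\
2026-02-06T08:02:00 jdoe WS-NURSE-01 LOGON
2026-02-06T08:05:00 jdoe WS-NURSE-07 LOGON
2026-02-06T09:00:00 asmith WS-ADMIN-02 LOGON
2026-02-06T09:02:00 asmith WS-ADMIN-02 ACTIVITY
2026-02-06T09:40:00 asmith WS-ADMIN-02 ACTIVITY
2026-02-06T10:00:00 asmith WS-ADMIN-02 LOGOFF
2026-02-06T23:10:00 asmith WS-ADMIN-02 LOGON
"""
# Hypothetical policy: workstations each user ID may use, logon window (24h clock),
# sessions a user may hold at once, and the inactivity period before automatic logoff.
POLICY = {
    "allowed_workstations": {"jdoe": {"WS-NURSE-01"}, "asmith": {"WS-ADMIN-02"}},
    "allowed_hours": (7, 19),
    "max_concurrent_sessions": 1,
    "idle_timeout": timedelta(minutes=15),
}

def parse_log(text):
    # Turn whitespace-separated log lines into event tuples sorted by time.
    events = []
    for line in text.splitlines():
        ts, user, ws, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, ws, kind))
    return sorted(events)

def evaluate(text, policy=POLICY):
    # Replay the audit trail against the policy; return (time, user, reason) findings.
    findings = []
    sessions = {}  # user -> {workstation: time of last activity}
    for ts, user, ws, kind in parse_log(text):
        active = sessions.setdefault(user, {})
        if kind == "LOGON":
            if ws not in policy["allowed_workstations"].get(user, set()):
                findings.append((ts, user, f"workstation {ws} not allowed"))
            lo, hi = policy["allowed_hours"]
            if not lo <= ts.hour < hi:
                findings.append((ts, user, "logon outside allowed hours"))
            active[ws] = ts
            if len(active) > policy["max_concurrent_sessions"]:
                findings.append((ts, user, "concurrent sessions exceed limit (possible shared login)"))
        elif kind == "ACTIVITY":
            last = active.get(ws)
            if last is not None and ts - last > policy["idle_timeout"]:
                findings.append((ts, user, "activity after idle timeout (automatic logoff not enforced)"))
            active[ws] = ts
        elif kind == "LOGOFF":
            active.pop(ws, None)
    return findings
```

Running `evaluate(SAMPLE_LOG)` on the constructed trail flags the second workstation and the concurrent session for jdoe, the 38-minute idle gap for asmith, and the late-night logon.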

Preparing for HIPAA MFA requirements

With the rise in medical data breaches and the high price this stolen data brings, it’s clear that meeting HIPAA MFA, access management, and audit controls should be a priority for every healthcare organization. Security solutions like UserLock MFA provide the technical expertise necessary to implement important components of these standards to secure protected health information.

François Amigorena

President and CEO, IS Decisions

François Amigorena is the founder and CEO at IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory. He is a frequently published author on topics like Zero Trust architecture, insider threats, password policies, and user security awareness.