What does HIPAA require regarding user authentication?
Covered entities (hospitals, doctors, health insurance companies, HMOs, etc.) under the Health Insurance Portability and Accountability Act (HIPAA) must comply with requirements to protect the privacy and security of health information. Business associates (those who help covered entities carry out their health care activities and functions) must also comply with the same requirements.
One of the requirements under HIPAA is for covered entities and business associates to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed” (164.312(d), Technical Safeguards of the Security Standards for the Protection of EPHI, HHS.gov).
One possible risk management strategy specifically cited by the Department of Health and Human Services is to “implement two-factor authentication for granting remote access to systems that contain EPHI” (Remote Use, HIPAA Security Guidance, HHS.gov).