OCR Recommends Consideration Of Multifactor Authentication For HIPAA Security Rule Compliance

HIPAA covered entities, including employer-sponsored health plans, are required to comply with the HIPAA security rule if they handle electronic protected health information (ePHI).  In practice, this will include virtually all self-insured health plans and at least some fully insured health plans.

One requirement of the security rule obligates plans to adopt policies and practices designed to ensure that only authorized individuals can access ePHI.  “Authentication” is a term used for the process by which a health plan corroborates that an individual seeking such access is the person he or she claims to be.  A plan’s authentication process needs to be documented as part of its security policy.

There are three kinds of factors that individuals can use to corroborate their identity.  They can use:

    • Something the individual knows such as a password or PIN;
    • Something the individual has such as a smart ID card or token;
    • Some characteristic of the individual, such as a fingerprint or other unique biometric data.

Some plans may use a single factor (typically a password or PIN) for their authentication process.  Recent commentary from the Office for Civil Rights (OCR) suggests that plans should consider requiring individuals to use two of the three factors (“multi-factor authentication” or MFA) in order to gain access to ePHI.

The OCR is the government agency tasked with enforcement of the HIPAA security rule.  In its June 2023 Cybersecurity Newsletter, the OCR discusses the adequacy of single-factor authentication for purposes of compliance with the security rule.  It briefly surveys some cases in which single-factor authentication facilitated security breaches and suggests that those breaches may not have occurred if the affected entities had multi-factor authentication in place.

The security rule does not specifically prescribe the use of MFA.  It does require plans to continually reassess security risks and revise their security policies as needed in response to those reassessments.  The OCR’s Newsletter makes it clear that, in the view of the OCR, consideration of the use of MFA needs to be part of that risk analysis.  Doing so, in the words of the Newsletter, is a “best practice”.  It notes that different policies may apply to different individuals; for example:

    • Persons with in-house access to ePHI versus persons with remote access.
    • Persons with routine access to ePHI versus persons with elevated access rights such as system administrators or persons with access to tools that support a plan’s technology infrastructure.

As always, documentation is the key to proving compliance.  Plans must record the details of their risk assessment and the rationale supporting the policies adopted in response to that assessment.
