HIPAA Security Rule -- Technical Safeguard

HIPAA Person or Entity Authentication

Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

45 CFR § 164.312(d)

What the safeguard requires

The HIPAA Person or Entity Authentication is defined at 45 CFR § 164.312(d) of the HIPAA Security Rule. It is one of the core standards that every covered entity and business associate must address in a documented, defensible way. Petronella Technology Group interprets the requirement below exactly as written in the rule, without paraphrasing past what the regulation actually says.

Authentication (Required)

Verify the identity of every user, system, or process requesting access to ePHI. This is a required specification -- no 'addressable' wiggle room.

Why it matters

Credential theft is the leading breach vector in healthcare. A phished password on a non-MFA account is a direct path from a phishing email to hundreds of thousands of exposed records. Authentication is where most breaches begin, and most preventions live.

Enforcement context is important. The Office for Civil Rights (OCR) publishes settlement agreements that cite exactly which Security Rule standards were violated. Repeat findings in recent years include missing or stale risk analyses, insufficient access controls, unencrypted devices, and weak workforce training. Treating each safeguard -- including this one -- as a living program rather than a one-time checkbox is the defensible posture.

How Petronella Technology Group implements it

Petronella Technology Group has supported HIPAA compliance programs since 2002. Our team -- led by Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180) and staffed with CMMC-RP certified engineers -- applies the same rigor to HIPAA Security Rule safeguards that we apply to defense-industrial-base compliance. The practical implementation usually looks like this:

Phishing-resistant MFA

FIDO2 security keys, certificate-based authentication, or Microsoft Authenticator number matching -- not just SMS.

Conditional access

Risk-based access policies that block logins from impossible travel, unknown devices, or anonymous VPNs.

Password hygiene aligned with NIST SP 800-63B

Length over complexity, breached-password checks, and elimination of forced rotations that do more harm than good.

Service account management

Rotation, vaulting, and scope reduction for non-human identities, including machine-to-machine interfaces with EHRs and clearinghouses.

Session management

Timeouts, re-authentication on high-risk actions, and clear logout paths.

Common pitfalls

These are the gaps we see most often when taking over a HIPAA environment from another provider or during initial risk-analysis engagements. Each one is a documented OCR finding in at least one public settlement:

  • SMS-based MFA treated as sufficient -- SIM swapping is now common enough that OCR and NIST both discourage it for high-value accounts.
  • Service accounts with passwords unchanged since installation in 2017.
  • Shared clinical accounts 'just for the weekend shift.'
  • No re-authentication on privileged actions.
  • Authentication on the EHR but not on the underlying database used by reporting tools.

Compliance evidence and documentation

HIPAA compliance is ultimately a documentation exercise. OCR investigators ask for evidence, not explanations. For this safeguard, the artifacts auditors typically expect include:

  • Authentication policy
  • MFA enrollment reports and coverage metrics
  • Conditional access configuration
  • Password policy aligned with current NIST guidance
  • Service account inventory with owner and rotation schedule

All documentation must be retained for six years from creation or last effective date under 45 CFR § 164.316(b)(2).

Related HIPAA Security Rule controls

This safeguard works alongside several other standards. In a well-run program they reinforce each other; gaps in one almost always surface as findings in the others:

Access Control Information Access Management Audit Controls Cybersecurity Services

Frequently asked questions

Is MFA required by HIPAA?
HIPAA does not name MFA, but authentication is a required specification. Given the threat landscape, OCR and every major auditor treat MFA on ePHI-facing accounts as the practical minimum. Not having MFA triggers a question you have to answer in writing.
Is SMS MFA good enough?
SMS is better than nothing but not preferred for accounts with access to sensitive ePHI. NIST SP 800-63B discourages SMS as an authenticator for higher assurance levels, and OCR follows suit.
Do we need MFA on service accounts?
Where possible, use certificate-based or key-based authentication plus vaulting. Traditional MFA is not feasible on most service accounts, but compensating controls (rotation, scoping, monitoring) are expected.
What about biometrics?
Biometrics can be a strong authentication factor. The Security Rule does not require them, but for clinical workstation unlock and high-risk actions they are increasingly common.

Need help with this HIPAA safeguard?

Petronella Technology Group has helped practices, hospitals, health-tech companies, and business associates implement HIPAA Security Rule safeguards since 2002. BBB A+ accredited, headquartered at 5540 Centerview Dr in Raleigh, NC. Talk with our team about a documented risk analysis, Virtual CISO engagement, or targeted remediation.

Schedule a Compliance Consultation