Person or Entity Authentication 45 CFR 164.312(d)

The Person or Entity Authentication standard requires procedures to verify that a person or entity seeking access to ePHI is the one claimed.

Regulation

What the regulation requires

45 CFR 164.312(d) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

There is no separate implementation specification under this standard - the requirement is authentication itself. Modern HHS guidance and the proposed 2025 NPRM strongly point toward phishing-resistant MFA on every account that touches ePHI.

Implementation specifications

Required (no separate implementation spec)

Authentication Mechanism

Verify identity via something you know (password / passphrase), something you have (token, hardware key, mobile authenticator), or something you are (biometric). Single-factor passwords are no longer reasonable for any account that can access ePHI. (164.312(d))

Implementation

How Petronella implements this safeguard

Every Petronella HIPAA engagement maps 45 CFR 164.312(d) to documented evidence in your environment. This is what that looks like in practice for the person or entity authentication standard:

  • Phishing-resistant MFA (FIDO2 hardware keys, Windows Hello, platform passkeys) on every account with ePHI access, especially privileged and remote.
  • Conditional access policies that block legacy authentication and high-risk sign-ins.
  • Service account hardening - certificate-based authentication, Managed Service Accounts, no shared service passwords.
  • Vendor / business-associate access through federated SSO with logging back into your SIEM.

Built on top of ComplianceArmor for documentation, training records, and BAA inventory, with optional HIPAA managed IT services for the technical safeguard layer and vCISO services for the named Security Official role.

Common Findings

Where most practices fall short

OCR resolution agreements, HHS audit reports, and our own engagements show the same handful of gaps under 45 CFR 164.312(d). We surface these before they become a finding.

  • MFA is on for VPN but not for email or EHR - leaving the path attackers actually use.
  • SMS-based MFA used as the primary factor for privileged accounts (NIST has deprecated SMS for high-assurance use cases since 2017).
  • MFA bypass policies for "trusted" IP ranges that include home offices and coffee shops.
  • Service accounts with passwords that have not changed since the EHR was installed.
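The four gaps above (and the MFA and service-account controls in the implementation list) can be checked mechanically against an account and policy inventory. The script below is an added example, not Petronella's tooling or part of this page; the account records, the documentation-range IP prefixes, the application names ("vpn", "email", "ehr"), the factor names and the 365-day service-password threshold are all constructed assumptions. It generalizes slightly: it flags any ePHI application without MFA, not only the case where VPN has MFA and email or the EHR does not.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple

# Factor names treated as phishing-resistant (assumed labels for this example).
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello", "certificate"}
# Applications that expose ePHI; the VPN by itself is treated as a transport, not an ePHI app.
EPHI_APPS = ("email", "ehr")


@dataclass
class Account:
    name: str
    privileged: bool
    service: bool
    mfa: Dict[str, Set[str]]          # app -> factors in use; {"password"} alone means no MFA
    password_changed: Optional[date]  # None = never rotated


@dataclass
class AuthPolicy:
    bypass_ranges: List[str]          # CIDRs where the MFA prompt is skipped
    corporate_egress: List[str]       # documented office egress prefixes
    max_service_pw_age_days: int = 365


def has_mfa(factors: Set[str]) -> bool:
    """True when at least one factor beyond the password is required."""
    return any(f != "password" for f in factors)


def review(accounts: List[Account], policy: AuthPolicy, today: date) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []

    # Finding: MFA bypass ranges that are not inside a documented corporate prefix
    # (a range covering home offices or coffee shops will not be contained in one).
    corp = [ip_network(c) for c in policy.corporate_egress]
    for cidr in policy.bypass_ranges:
        net = ip_network(cidr)
        if not any(net.version == c.version and net.subnet_of(c) for c in corp):
            findings.append(("bypass-range-not-corporate", cidr))

    for a in accounts:
        # Finding: an ePHI application reachable with a password only.
        for app in EPHI_APPS:
            if app in a.mfa and not has_mfa(a.mfa[app]):
                findings.append(("mfa-missing-on-ephi-app", f"{a.name}:{app}"))

        # Finding: privileged account whose only second factor is SMS, or with no
        # phishing-resistant factor at all.
        if a.privileged:
            all_factors = set().union(*a.mfa.values()) if a.mfa else set()
            if not all_factors & PHISHING_RESISTANT:
                kind = "sms-primary-factor-privileged" if "sms" in all_factors \
                    else "no-phishing-resistant-factor"
                findings.append((kind, a.name))

        # Finding: service account password never rotated or older than the threshold.
        if a.service:
            stale = a.password_changed is None or \
                (today - a.password_changed).days > policy.max_service_pw_age_days
            if stale:
                findings.append(("stale-service-password", a.name))
    return findings


# Constructed sample inventory (RFC 5737 documentation address ranges).
SAMPLE_POLICY = AuthPolicy(
    bypass_ranges=["203.0.113.0/24", "198.51.100.0/22"],
    corporate_egress=["203.0.113.0/24"],
)
SAMPLE_ACCOUNTS = [
    Account("dr.lee", privileged=False, service=False,
            mfa={"vpn": {"password", "totp"}, "email": {"password"}, "ehr": {"password", "totp"}},
            password_changed=date(2025, 1, 10)),
    Account("it.admin", privileged=True, service=False,
            mfa={"vpn": {"password", "sms"}, "email": {"password", "sms"}},
            password_changed=date(2025, 2, 3)),
    Account("ehr-interface-svc", privileged=False, service=True,
            mfa={"ehr": {"password"}},
            password_changed=date(2014, 3, 1)),
]


def sample_findings() -> List[Tuple[str, str]]:
    return review(SAMPLE_ACCOUNTS, SAMPLE_POLICY, today=date(2025, 6, 1))


if __name__ == "__main__":
    for kind, subject in sample_findings():
        print(f"{kind:32} {subject}")
```

Feed it an export from your identity provider (accounts, the factors enrolled per application, conditional-access bypass networks, service-account password timestamps) and each tuple it returns maps directly to one of the findings listed above, which makes it a convenient artifact to attach as evidence of a periodic review.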

Related

Related HIPAA safeguards

Person or Entity Authentication interacts with several other Security Rule standards. Cover them together for a defensible program.

Need help with Person or Entity Authentication?

Penny answers before the third ring, asks 3 qualifying questions, then books your free 15. Or jump straight to the platform that runs your HIPAA program.
