
Does HIPAA Require Two-Factor?
We had a great webcast with Healthcare IT News last week on Achieving a Successful Two-Factor Implementation in Your Hospital. Attendance was high, and we were overwhelmed by the number of questions. One question that we weren’t able to really address during the webcast was about whether HIPAA (Health Insurance Portability and Accountability Act) explicitly requires two-factor authentication.
HIPAA does not explicitly require the use of “two-factor” authentication yet, but it’s clearly making an appeal to industry best practices. Two-factor authentication is certainly a part of that. HIPAA is congressional legislation, so it’s not surprising that a specific technology is not named. The fact is, this stuff is intentionally left up to interpretation by the relevant enforcement agencies and by the industry at large. There is an absolutely clear one-way street moving in the direction of two-factor authentication, which is why virtually every significant healthcare institution we’ve dealt with has had *some* strong authentication in place already.
As a pragmatic issue, you’re not ensuring protection against “unauthorized uses or disclosures of the information” if you’re not using two-factor authentication.
Note that a bank is currently being sued for failing to provide two-factor authentication to its customers, and the judge in the case has let the matter proceed to trial. There has been very limited legal enforcement of HIPAA in this area to date, but with the current national focus on healthcare technology, I expect that to change in the coming years.
- Steve