Does HIPAA require two-factor authentication?

12. Does HIPAA require two-factor authentication?

Answer: “Does HIPAA require two-factor authentication” is a common question received by our clients, so let’s put this topic to rest, once and for all. While the HIPAA Security Rule does not specifically state that two-factor authentication must be in place, there are numerous provisions within the HIPAA Security Rule subparts (164.308 to 164.314) that discuss the need for strong authentication and access controls, such as the following:

  • 164.308 (a)(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
  • 164.312(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).


Think about it – if you’re a Covered Entity (CE) or Business Associate (BA) providing remote access – or access outside a trusted network – and such access is being used for working with Protected Health Information (PHI), then using two-factor authentication becomes highly essential – mandatory, that is. Having only a single layer of authentication, such as using a password, is considered deficient in terms of meeting compliance with many of the HIPAA Security Rule subparts contained within 164.308 to 164.314.

So does HIPAA require two-factor authentication? In our professional judgment it does, and we highly recommend that all Covered Entities (CE) and Business Associates (BA) implement it for helping ensure the safety and security of Protected Health Information (PHI). Numerous other compliance mandates actually mandate the use of two-factor authentication – such as the PCI DSS standards – for which many healthcare organizations have to comply with because they store, process, and or transmit cardholder data. Flat Iron Technologies recommends the following two-factor authentication software solutions (Note: We are not a paid sponsor of any products):


Download HIPAA Policies and Toolkits Today also offers industry leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA) consisting of high-quality security policy documentation, training material, readiness checklists and templates, essential legal forms, a HIPAA specific disaster recovery manual, and so much more. Learn about our industry leading HIPAA compliance toolkits today.

If your organization is in need of a HIPAA audit, and or SSAE 16 SOC 1, and SOC 2 assessments that include testing of HIPAA provisions & mandates, please contact Charles Denyer at This email address is being protected from spambots. You need JavaScript enabled to view it., or at 1-800-277-5415, ext. 705 with the NDB Alliance of Firms. Learn more about NDB by visiting today.