The HIPAA Security Rule overhaul, which strengthens protection of electronic protected health information (ePHI) by requiring multi-factor authentication (MFA), is nearing finalization in the coming weeks.
These updates to the HIPAA Security Rule are meant to strengthen identity verification requirements under 45 CFR § 164.312 (Authentication) to better protect against credential-based attacks and unauthorized access.
Organizations (covered entities and business associates) would be on the hook to implement MFA to better protect confidentiality, integrity, and availability of ePHI. MFA uses at least two of the following:
Are you confident your onboarding flow will meet the tightened HIPAA Security Rule requirements?
Once the final rule is published, the Department of Health and Human Services (HHS) is likely to give organizations only 60 days from approval of the HIPAA Security Rule updates until the effective date, with a standard compliance date 180 days after the effective date. Compliance and security teams should therefore treat this as design work that starts now, not after the final rule lands.
Today’s HIPAA Security Rule already requires organizations to verify that a person or entity seeking access to ePHI is who it claims to be, but the updates would make that expectation much more explicit.
Regulated entities would be required to deploy MFA across all technology assets in relevant electronic information systems and for any action that changes user privileges in a way that could affect the confidentiality, integrity, or availability of ePHI.
In multi-factor authentication, a password and a number alone do not satisfy the requirement for two different factor categories, because both are something the user knows.
What are proactive healthcare security teams doing now to prepare?
HHS’s proposed MFA definition is also broader than many teams assume: It includes knowledge, possession, and physical or behavioral characteristics, which means healthcare teams should evaluate workflow-friendly options beyond basic text codes and phone prompts.
HHS is allowing exceptions for those with a plan in place, proposing:
Additionally, HHS proposes annual written verification of technical safeguards from business associates, making these requirements a matter of governance, architecture, and vendor management.
MFA is only as strong as the identity proofing behind credential enrollment, account recovery, and other high-risk access events. Vouched’s Identity Verification platform is built to address this potential weakness.
Our workflows combine government ID verification, biometric selfie comparison, liveness checks, and real-time fraud detection to confirm that the person on the other end is present and matches the credential. The platform can return results in seconds behind the scenes, integrating into digital onboarding flows.
For healthcare organizations, the fit is especially strong in patient onboarding, portal enrollment, and account recovery – exactly where weak identity proofing can quietly undermine an otherwise solid MFA program.
Additionally, Vouched is now available in the Epic Toolbox for identity verification. This gives health systems a standards-based, consumer-grade identity-proofing alternative for MyChart account creation and recovery.
Already stretched support teams can achieve stronger identity assurance without adding friction for patients.
The identity-proofing solutions provided by Vouched close a gap that many MFA rollouts leave open and that is often discovered only downstream: proving who the person really is at enrollment. Effective identity proofing is becoming a legitimate compliance advantage as HIPAA moves toward explicit MFA requirements.
See how Vouched in the Epic Toolbox helps health systems meet the new HIPAA MFA requirements.