HIPAA Security Rule · 45 CFR §164.312

After an incident or an OCR inquiry, you must prove access to ePHI is verified. Is MFA on the servers and admin paths that touch it?

HIPAA's Security Rule doesn't say "MFA" in those words, but its authentication and access-control standards — §164.312(d) person-or-entity authentication, §164.312(a)(2)(i) unique user identification, and §164.308(a)(4) information-access management — are exactly what an OCR investigator tests after a breach. Strong, verifiable authentication on the systems that store or transmit ePHI is the practical answer, and proposed updates push MFA toward mandatory. The exposure is rarely the EHR's web login; it's the database servers, the AD logons, and the remote access behind it. Authnull puts a factor on those paths and logs every one.

At a glance
Framework: HIPAA Security Rule
Key controls: §164.312(d) · §164.312(a)(2)(i) · §164.308(a)(4)
Applies to: Covered entities & business associates
Timing: Before an OCR review
You walk away with: Access-control evidence for OCR
Mapped to specific controls — not a generic MFA checklist.
The line that put you here
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
— 45 CFR §164.312(d), Person or Entity Authentication
OCR investigations are triggered by breaches and complaints — you don't schedule them. When one lands, you have to show, with records, that access to ePHI systems was actually verified.
Requirement mapping

Requirement → Authnull

Control: §164.312(d)
  What it requires: Verify the identity of any person or entity seeking access to ePHI.
  How Authnull covers it: MFA on AD logon, Windows / RDP, and SSH for every server and admin path that touches ePHI.
  Status: Covered

Control: §164.312(a)(2)(i)
  What it requires: Assign a unique name / number for identifying and tracking user identity.
  How Authnull covers it: Every factor is bound to a named identity, so each access is attributable in the logs.
  Status: Covered

Control: §164.308(a)(4)
  What it requires: Information-access management — authorize access to ePHI appropriately.
  How Authnull covers it: Per-system enforcement and group mapping ensure only authorized users clear the factor.
  Status: Covered

Control: §164.312(b)
  What it requires: Audit controls — record and examine activity in systems with ePHI.
  How Authnull covers it: Per-login records with user, system, factor and result feed your audit-control evidence.
  Status: Covered
Why your IdP report isn't enough

The gap is always below the cloud login.

Your IdP already satisfies:
  EHR / cloud portal SSO
  Email & collaboration apps

What it leaves for the audit:
  AD logon
  Database & app servers with ePHI
  Remote access / VPN
  Linux SSH

Authnull enforces MFA on every path in the second list — at the directory, OS, and RADIUS layer — so the set of systems that fails the audit becomes the set that passes it.

Evidence

What you hand the assessor.

Access-control evidence

Show which ePHI systems require MFA — the documentation an OCR reviewer asks for after an incident.

Attributable audit trail

Unique-identity logging of every authentication supports §164.312(b) audit controls.

Stand up quickly

Agentless coverage on AD and servers means you close the gap without an EHR project.

Have the access-control evidence ready before OCR asks.

Put verifiable MFA on the systems that touch ePHI and log every access. Start free, or map your ePHI boundary with a compliance engineer.

Talk to a compliance engineer