The History of Two-Factor Authentication in the HIPAA Security Rule


Although the Health Insurance Portability and Accountability Act was established in 1996, it was not always meant to ensure the privacy of electronic medical records. HIPAA was originally created to protect the privacy of paper medical records; before HIPAA there was no standard security practice for protecting patient privacy. As technology has advanced over the past decade, recent developments in the healthcare technology industry created a need for a safer way to handle medical records.

As electronic medical records became available at cost-efficient rates, healthcare facilities made the move to this type of documentation. Alongside that, a regulation mandating security standards for the protection of Electronic Protected Health Information, also known as the "Security Rule," was created and implemented. This new set of rules was created to ensure the privacy of patient medical information while it is stored or transmitted electronically.

Two-factor authentication, a process in which two separate authentication factors are used to verify the user's identity, was not originally a required part of the security process specified in the HIPAA Security Rule. Over the years, this form of identification has grown to be a required element according to HIPAA.

Back in October 2003, multi-factor authentication was mentioned in a PDF published by the National Institute of Standards and Technology. The document, titled "Guide to Selecting Information Security Products," said that compliance did not necessarily require implementing this type of security. With electronic medical records still so new and not in use at all facilities, a specific compliance requirement was not created or enforced.

In April 2006, NIST released a new document called "Electronic Authentication Guidelines," which set out four levels of assurance, some of which call for a strong authentication process. Two-factor authentication was mentioned at Level 3, which states that a token is required. This token can be either a soft token, a hard token, or a one-time password. As more hospitals adopted EHRs, the need for stronger security guidelines grew.
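To make the "one-time password" token type above concrete, here is an added example (not code from the original post or from NIST) of a two-factor login check: a PBKDF2 password hash as the first factor and an RFC 4226 HOTP counter-based one-time password as the second. The function names, the `EnrolledUser` record and the look-ahead window size are assumptions made for this example; the shared secret and expected codes are the published RFC 4226 test vectors.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

# Published RFC 4226 test-vector secret (20 ASCII bytes); used here so the
# example is checkable offline. A real deployment generates a random secret.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor: salted PBKDF2-HMAC-SHA256 (never store the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class EnrolledUser:
    """Hypothetical server-side record for one enrolled user."""
    salt: bytes
    password_hash: bytes
    otp_secret: bytes
    counter: int = 0   # next HOTP counter the server will accept


def enroll(password: str, otp_secret: bytes) -> EnrolledUser:
    salt = secrets.token_bytes(16)
    return EnrolledUser(salt, hash_password(password, salt), otp_secret)


def verify_login(user: EnrolledUser, password: str, code: str,
                 window: int = 5) -> bool:
    """Both factors must pass. The OTP is accepted only within a small
    look-ahead window (the client's counter may run ahead after a dropped
    attempt) and the server counter then moves past it, so a captured code
    cannot be replayed. Both factors are always evaluated so a failure does
    not reveal which one was wrong."""
    password_ok = hmac.compare_digest(
        hash_password(password, user.salt), user.password_hash)

    matched: Optional[int] = None
    for c in range(user.counter, user.counter + window):
        if hmac.compare_digest(hotp(user.otp_secret, c), code):
            matched = c
            break

    if password_ok and matched is not None:
        user.counter = matched + 1   # invalidates this code and any skipped ones
        return True
    return False


if __name__ == "__main__":
    u = enroll("correct horse battery", RFC4226_SECRET)
    print(verify_login(u, "correct horse battery", hotp(RFC4226_SECRET, 0)))
    print(verify_login(u, "correct horse battery", hotp(RFC4226_SECRET, 0)))
```

A time-based OTP (RFC 6238) uses the same `hotp` routine with the counter replaced by the current Unix time divided by the step size; the replay protection then becomes "reject any code already accepted in this time step" rather than a counter advance.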

Although there were now regulations in place that called for two-factor authentication, they were vague and did not specify the need for monitoring IT security. After an audit, the Office of Inspector General found that IT security controls were needed, and the old NIST document was reviewed. The "Electronic Authentication Guidelines" revised in June 2011 address this issue, stating a need for more specific two-factor authentication, including adequate key strength.

We see a growing need for security in the healthcare industry. Monitoring compliance was not always necessary, but with all the changes and government mandates put in place, compliance guidelines have improved. There is also a recent NIST draft from May 2011 called "Cloud Computing Recommendations," which speaks loosely of multi-factor authentication for accessing the cloud. This shows that as technology moves forward and more ways to store and access data are created, the need for regulation arises. This is especially true as healthcare organizations take advantage of this new technology more and more.
