What Does Two-Factor Authentication Mean In The HIPAA Security Rule?
Although the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, it was not originally written around electronic medical records. Its early privacy provisions were framed for a world of paper records; before HIPAA there was no national standard for protecting patient privacy at all.
Technology has moved on since then, and over the past decade advances in healthcare IT created a need for a more secure way to handle medical records. As electronic medical records became available at a cost-effective price, healthcare facilities moved to them.
Once government regulation began requiring electronic medical records, the security standards for the protection of electronic protected health information (ePHI), known as "the Security Rule," were created and enforced.
This new set of regulations was created to ensure the privacy of patient medical information while it is stored or transmitted in its electronic form.
Two-factor authentication, a process in which two separate factors of authentication (for example, something the user knows, such as a password, and something the user has, such as a hardware token or a phone-based one-time code) are combined to verify a user's identity, was not originally part of the security process established in the HIPAA Security Rule. The Rule's person or entity authentication standard (45 CFR 164.312(d)) is technology-neutral: it requires a covered entity to verify that a person seeking access to ePHI is who they claim to be, but it does not name two-factor authentication or any other specific method. Over the years, however, two-factor authentication has become the expected way of satisfying that standard, and many organizations now treat it as a practical requirement of HIPAA compliance.
Multi-factor authentication was already being discussed in October 2003, when the National Institute of Standards and Technology published Special Publication 800-36, "Guide to Selecting Information Technology Security Products."
That document explains what authentication is and the kinds of factors it can rely on, but it does not require any particular implementation.
Because electronic medical records were still new and not in use at every facility, no specific authentication method was prescribed or enforced at that time.