MFA (Multi-Factor Authentication)
Multi-Factor Authentication
Authentication requiring two or more independent factors — something you know, have, or are.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Acronym for
- Multi-Factor Authentication
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
NIST SP 800-63B defines authenticator assurance levels and the cryptographic requirements for MFA. The HIPAA Security Rule does not name MFA, but practice-level risk analysis almost always points to it as a reasonable and appropriate control under 45 CFR 164.312(d).
How it shows up in your practice
Enable MFA on every administrative and remote-access account. SMS is acceptable but weak; prefer authenticator apps or hardware keys. Document the decision and exceptions in your risk register.
Sources
- 45 CFR 164.312 — Technical safeguardshttps://www.ecfr.gov/current/title-45/section-164.312
- NIST SP 800-63B — Digital Identity Guidelineshttps://pages.nist.gov/800-63-3/sp800-63b.html
Document authentication controls in the Compliance Binder
Open compliance binder →Related terms
- SecurityAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- SecurityTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
- SecuritySecurity Risk AnalysisThe accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI required by the HIPAA Security Rule.
- SecurityRole-Based Access Control (RBAC)An access control model that grants permissions based on the workforce member's role rather than to each individual.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- GlossaryRole-Based Access Control (RBAC)An access control model that grants permissions based on the workforce member's role rather than to each individual.
- GlossaryTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
- GlossarySecurity Risk AnalysisThe accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI required by the HIPAA Security Rule.
- GlossaryAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- GlossaryEmail Encryption GatewayA system that automatically encrypts outbound email containing PHI based on content rules or recipient address.
- GlossaryEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- RegulationNIST SP 800-63B: Digital Identity Guidelines (Authentication and Lifecycle Management)Federal authentication framework defining three Authenticator Assurance Levels (AAL1, AAL2, AAL3), authenticator types, and lifecycle requirements.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.