
Technical Safeguards (164.312)

Authentication Policy

45 CFR § 164.312(d)

Requires procedures to verify the identity of any person or entity seeking access to ePHI. Covers multi-factor authentication requirements, password standards, biometric options, and token-based authentication for your practice.

What's Included

  • Policy document
  • Password standards reference card
  • MFA implementation guide
  • Implementation checklist
  • Annual review template
2 pages · ~917 words · 8 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview

Technical Safeguards (164.312) · Page 1 of 2

Authentication Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes the requirements for verifying the identity of any person or entity seeking access to ePHI at [PRACTICE NAME]. Strong authentication is a critical control that prevents unauthorized access by ensuring that only verified individuals can access patient data and clinical systems.

2. Scope

This policy applies to all systems, applications, and network resources that contain, process, or transmit ePHI. It covers all authentication events, including local login, remote access, application authentication, and inter-system authentication. All workforce members, business associates with system access, and third-party vendors connecting to [PRACTICE NAME]'s systems are subject to this policy.

3. Policy Statement

[PRACTICE NAME] shall implement procedures to verify that a person or entity seeking access to ePHI is the one claimed, as required by 45 CFR § 164.312(d). Authentication shall be based on one or more of the following factors: something the user knows (password, PIN), something the user has (token, smart card, mobile device), or something the user is (biometric identifier). Multi-factor authentication shall be required for remote access and high-risk systems.

4. Definitions

Authentication: The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Multi-Factor Authentication (MFA): An authentication mechanism that requires two or more distinct factors to verify a user's identity. The factors must be from different categories (knowledge, possession, inherence).

Single Sign-On (SSO): An authentication scheme that allows a user to log in once and gain access to multiple connected systems without being prompted to log in again.

Password Manager: A software application that securely stores and manages passwords, enabling the use of strong, unique passwords for each system.

Brute-Force Attack: An attack method that systematically attempts all possible passwords or passphrases until the correct one is found.

5. Procedures

1. PASSWORD STANDARDS

1.1 All passwords for systems containing ePHI shall meet the following minimum requirements:

  • Minimum length: [NUMBER — recommended 12+] characters
  • Complexity: Must include at least three of the four character types (uppercase letters, lowercase letters, numbers, special characters)
  • Passwords shall not be based on dictionary words, the user's name, username, or other easily guessable information
  • Passwords shall not be reused within the last [NUMBER — recommended 12-24] password cycles

1.2 Password Expiration: Passwords shall be changed every [NUMBER — recommended 90-365] days. Note: NIST SP 800-63B recommends against arbitrary time-based password expiration if passwords are long and MFA is enforced. [PRACTICE NAME] shall follow [NIST GUIDANCE / TRADITIONAL ROTATION — select one].

1.3 Account Lockout: After [NUMBER — recommended 5] consecutive failed login attempts, the account shall be locked for [NUMBER] minutes or until manually unlocked by the IT Manager.

1.4 Default Passwords: All vendor-supplied default passwords shall be changed before a system is deployed in the production environment.
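As an added illustration (not part of the D3rx template), the following Python sketch turns the parameters in 1.1 and 1.3 into an enforceable check: a validator that applies the length, three-of-four complexity, username, dictionary-word and reuse rules, and a lockout counter that locks an account after the configured number of consecutive failures. The numbers follow the template's recommended values; the 30-minute lockout duration (which the template leaves as [NUMBER]), the small denylist, and the SHA-256 comparison against password history are assumptions made for the example.

```python
import hashlib
import re
from datetime import timedelta

# Parameters from 1.1 and 1.3 of the template, filled with its recommended values.
MIN_LENGTH = 12        # [NUMBER - recommended 12+]
REQUIRED_CLASSES = 3   # three of the four character types
HISTORY_DEPTH = 12     # [NUMBER - recommended 12-24] password cycles
LOCKOUT_THRESHOLD = 5  # [NUMBER - recommended 5] consecutive failures
LOCKOUT_MINUTES = 30   # assumed; the template leaves the duration as [NUMBER]
DENYLIST = {"password", "welcome", "letmein", "qwerty"}  # constructed stand-in for a dictionary list

def hash_password(password):
    """Digest used only to compare against stored history; a real directory uses its own slow hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(candidate, username, history):
    """Return the 1.1 violations for a proposed password; history = hashes of prior passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate)) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses {classes} character classes, needs {REQUIRED_CLASSES}")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    if any(word in candidate.lower() for word in DENYLIST):
        problems.append("based on a dictionary word")
    if hash_password(candidate) in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems

class LockoutTracker:
    """1.3: lock an account after LOCKOUT_THRESHOLD consecutive failures for LOCKOUT_MINUTES."""
    def __init__(self):
        self.failures, self.locked_until = {}, {}  # username -> failure count / lock expiry datetime

    def is_locked(self, username, now):
        until = self.locked_until.get(username)
        return until is not None and now < until

    def record_failure(self, username, now):
        """Record a failed login at time `now`; return True if the account is locked afterwards."""
        if self.is_locked(username, now):
            return True            # attempts during a lockout do not extend or reset it
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + timedelta(minutes=LOCKOUT_MINUTES)
            self.failures[username] = 0   # counter restarts once the lock expires
            return True
        return False
```

A successful login would clear the user's entry in `failures`; manual unlock by the IT Manager (1.3) corresponds to deleting the user's `locked_until` entry.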

2. MULTI-FACTOR AUTHENTICATION

2.1 MFA shall be required for: all remote access to ePHI systems (VPN, remote desktop, cloud EHR login from outside the practice network), administrator and privileged accounts, and patient portal administration.

2.2 Acceptable MFA methods include: authenticator applications (e.g., Microsoft Authenticator, Google Authenticator), hardware security tokens, push notifications to a registered mobile device, and biometric verification combined with a knowledge factor.

2.3 SMS-based one-time codes are [DISCOURAGED/PROHIBITED] due to known vulnerabilities (SIM swapping, interception). If SMS is the only MFA option supported by a system, it is acceptable as a transitional measure with a documented plan to migrate to a more secure method.

3. CREDENTIAL MANAGEMENT

3.1 Workforce members shall not share their authentication credentials (passwords, tokens, PINs) with any other person, including supervisors, IT staff, or vendors.

3.2 Workforce members shall not write passwords on sticky notes, whiteboards, or other visible locations.

3.3 The use of a practice-approved password manager is [REQUIRED/STRONGLY RECOMMENDED] to enable the use of strong, unique passwords for each system.

3.4 If a workforce member suspects their credentials have been compromised, they shall immediately notify the Security Officer and change their password.

4. SYSTEM AND ENTITY AUTHENTICATION

4.1 Where systems communicate with each other (e.g., EHR to lab interface, HL7/FHIR integrations), authentication shall be implemented to verify the identity of the connecting system. Methods include API keys, certificates, and OAuth tokens.

4.2 Service accounts used for system-to-system authentication shall have strong credentials, be documented, and be reviewed at least annually.

5. BIOMETRIC AUTHENTICATION

5.1 If biometric authentication is used (fingerprint, facial recognition), it shall be implemented in accordance with applicable state biometric privacy laws.

5.2 Biometric data shall be stored securely and encrypted.

5.3 Biometric authentication shall be used as one factor in a multi-factor scheme, not as a sole authentication method for ePHI access.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Defines authentication standards and MFA requirements. Reviews authentication-related incidents. Evaluates new authentication technologies.

IT Manager/Vendor ([IT CONTACT NAME]): Configures authentication settings on all systems. Implements and manages the MFA platform. Manages account lockout and recovery procedures. Monitors for brute-force attacks and credential compromise.

All Workforce Members: Create and maintain strong, unique passwords. Enroll in MFA where required. Never share credentials. Report suspected credential compromise immediately.

7. Review Schedule

This policy shall be reviewed at least annually and updated to reflect changes in authentication technology, threat landscape, and regulatory guidance (particularly NIST standards). Password standards shall be re-evaluated annually against current best practices.

8. Regulatory References

45 CFR § 164.312(d) — Person or entity authentication (Required)

45 CFR § 164.312(a)(2)(i) — Unique user identification (Required — supports authentication)

45 CFR § 164.308(a)(5)(ii)(D) — Password management (Addressable — training requirement)

NIST SP 800-63B-4 — Digital Identity Guidelines: Authentication and Authenticator Management

NIST SP 800-63-4 (finalized 2025) — Updated digital identity guidelines

D3rx · HIPAA Compliance Templates

Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.