This is the third article of a five-part series that looks at the area of HIPAA law known as “Technical Safeguards.” Technical safeguards are designed to protect electronic Protected Health Information (ePHI) from internal and external risks. Implementation of these safeguards is required by law, and helps you avoid costly fines. In this brief article, we address “Authentication” [Standard §164.312(d)].
What is the “Authentication” Standard?
This standard requires a covered entity to implement procedures that verify a person or entity seeking access to ePHI is the one claimed, whether that access happens at a login prompt or through an electronic communication such as email.
To accomplish “authentication” (verify a user's identity), require at least one of the following:
- Something known only to the individual, such as a password or PIN.
- Something possessed by the individual, such as a smart card, a token or a key.
- Something unique to the individual, such as a biometric (e.g. fingerprints, voice patterns, facial patterns or iris patterns).
Or you may
- Implement a system that uses the federally recognized DIRECT protocol. (DIRECT is a set of standards, built on S/MIME and X.509 certificates, for securely transmitting ePHI between trusted endpoints. Note that it authenticates the sending and receiving systems, not the individual logging in to a workstation, so it addresses message exchange rather than user login.)
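To make the first two factors concrete, here is an added example (not code from the original article or from any vendor it mentions) of a login check that requires both something known (a password, stored as a salted PBKDF2 hash) and something possessed (a time-based one-time code from an authenticator app, per RFC 6238). The secret is the published RFC 4226/6238 test key, used here only so the generated codes can be checked against the RFC's own vectors; a real deployment would generate a random per-user secret.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test key, chosen so the
# codes below match the published vectors. Real deployments use os.urandom(20).
DEMO_TOTP_SECRET = b"12345678901234567890"


def hash_password(password, salt=None, iterations=200_000):
    """Knowledge factor: derive a salted PBKDF2-HMAC-SHA256 hash.
    Store (salt, hash), never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored_hash, iterations=200_000):
    """Re-derive the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_hash)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Possession factor: accept the current 30-second step and +/- `window`
    neighbouring steps to tolerate clock drift between server and device."""
    counter = at_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def authenticate(password, otp_code, salt, stored_hash, totp_secret, at_time=None):
    """Grant access only when BOTH factors verify. Both checks always run so a
    failed attempt does not reveal which factor was wrong."""
    at_time = int(time.time()) if at_time is None else at_time
    password_ok = verify_password(password, salt, stored_hash)
    otp_ok = verify_totp(totp_secret, otp_code, at_time)
    return password_ok and otp_ok


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    now = int(time.time())
    current_code = totp(DEMO_TOTP_SECRET, now)
    print("both factors :", authenticate("correct horse battery staple", current_code, salt, stored, DEMO_TOTP_SECRET, now))
    print("password only:", authenticate("correct horse battery staple", "000000", salt, stored, DEMO_TOTP_SECRET, now))
    print("token only   :", authenticate("wrong password", current_code, salt, stored, DEMO_TOTP_SECRET, now))
```

The drift window of one step on each side is the usual compromise: a code that is 30 seconds stale still works, but a code captured minutes earlier does not. Biometrics, the third factor, are normally handled by the device or operating system rather than application code, so they are not shown here.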
How do I know if my system meets the HIPAA Technical Safeguards?
Your safest route is to consult with a vetted provider of HIPAA-compliant email and software. The provider can conduct an assessment of your current system.
When looking for a practice management and HIPAA-compliant email provider, confirm that it requires at least two of the authentication factors above (multi-factor authentication) or uses the DIRECT protocol, and that it meets or exceeds all five HIPAA Technical Safeguards.