July 2, 2020

Volume X, Number 184

Office for Civil Rights Guidance Underscores Importance of Authentication under HIPAA

In its tenth OCR Cyber Awareness Newsletter of the year (Newsletter), the Office for Civil Rights (OCR) reminded HIPAA-covered entities and business associates of the importance of selecting an appropriate authentication method to protect electronic protected health information (ePHI). Authentication is the process used to “verify whether someone or something is who or what it purports to be and keeps unauthorized people or programs from gaining access to information.” The Newsletter notes that the health care sector has been a significant target of cybercrime and that some incidents result from weak authentication methods.

Authentication methods can consist of one or more factors and are often described as: (1) something you know, such as a password; (2) something you are, such as a fingerprint; or (3) something you have, such as a mobile device or smart card. Single-factor authentication requires use of only one of the methods. Multifactor authentication requires use of two or more methods (for example, a password prompt followed by an additional prompt to a mobile device).

The selection of an authentication method should be tied to the results of a covered entity’s or business associate’s required security risk assessment, which can uncover “the vulnerabilities of current authentication methods, the threats that can exploit the weakness, the likelihood of a breach occurring. . . .” Based on the probability of potential risks and vulnerabilities to the ePHI, business associates and covered entities should select a form of authentication that is “reasonable and appropriate” for the size, complexity, technical infrastructure, hardware and software capabilities of the organization.

OCR’s Cyber Awareness Newsletter was launched in February 2016 in order “to assist the regulated community to become more knowledgeable about the various security threats and vulnerabilities that currently exist in the healthcare sector, to understand what security measures can be taken to decrease the possibility of being exposed by these threats; and how to reduce breaches of ePHI.” Past issues of the Newsletter are available on the OCR website and have covered various security topics, including ransomware, malware and medical devices, business associate preparedness for a security incident, vulnerabilities in third-party application software, inter-organizational information sharing, and file transfer protocol vulnerabilities.

© 2020 McDermott Will & Emery

National Law Review, Volume VI, Number 323


About this Author


Ryan S. Higgins is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office. He focuses his practice on representing hospitals, health systems, private equity firms and platform companies, and other health care organizations in corporate and transactional matters, including mergers, acquisitions, joint ventures, and management arrangements. He also focuses a significant portion of his practice on representing health care organizations in matters involving health information privacy and security and HIPAA compliance.


Amanda Enyeart is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office. Amanda focuses her practice on general regulatory health law matters.

Previously, Amanda was an associate at a national law firm in its Chicago office where she provided guidance on regulatory issues, such as practitioner licensure; telehealth; Medicare and Medicaid reimbursement; and compliance with Stark Law and the Anti-Kickback Statute and state fraud and abuse laws.

Additionally, Amanda has counseled health care providers and health information technology vendors regarding data privacy and security and related implications of HIPAA and the HITECH Act as well as state data privacy laws.
