Person or Entity Authentication: What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth Technical Safeguard Standard. There is not a separately described implementation specification. Rather, this standard's implementation specification is connoted in the language of the standard and is required. As we have noted in earlier postings, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

A covered entity is required to implement procedures to verify that a person or entity seeking access to electronic protected health information is the person or entity claimed.

How to Do It

During its risk analysis, a covered entity must determine threats and vulnerabilities to authentication of persons or entities that seek access to its electronic protected health information, and mitigate risks by establishing verification techniques to ensure that the person or entity seeking access to such information is the person or entity claimed. Accordingly, the covered entity must establish a system requiring the person or entity seeking access to have positive identification. A person or entity authentication system involves two electronic round-trip inquiries and responses to authenticate the party seeking access:

» Inquiry of party (1):  Who are you? (Computer waits for response from party)
» Inquiry of party (2):  Prove it! (Computer verifies party’s identification to authenticate access)
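The two round trips above, worked through as an added example (this is illustrative code written for this posting, not software from any covered entity or vendor). It assumes the "something you know" factor is a password, stores only a salted PBKDF2 digest rather than the password itself, compares digests in constant time, answers the first inquiry identically whether or not the claimed user exists (so the exchange does not reveal valid usernames), and records every inquiry and verification outcome in an audit trail. The credential store, user name and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Assumed cost parameter for the password digest; tune for the hardware in use.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def make_credential(password: str) -> dict:
    """Build the stored form of a password: a per-user random salt plus its
    PBKDF2-HMAC-SHA256 digest. The clear-text password is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


class Authenticator:
    """Two round-trip person authentication ("Who are you?" then "Prove it!")
    with an audit trail entry for every step of every attempt."""

    def __init__(self, credentials: dict):
        self._credentials = credentials
        # Dummy credential used when the claimed user is unknown, so the "Prove it!"
        # step costs the same time and gives the same answer shape for unknown users.
        self._dummy = make_credential(os.urandom(16).hex())
        self.audit_trail = []

    def identify(self, claimed_user: str) -> str:
        """Round trip 1: the party states who it is. The reply is the same
        whether or not the name exists, so nothing is confirmed yet."""
        self.audit_trail.append(("identify", claimed_user))
        return "Prove it!"

    def verify(self, claimed_user: str, password: str) -> bool:
        """Round trip 2: check the something-you-know factor against the stored
        digest using a constant-time comparison, then log the outcome."""
        cred = self._credentials.get(claimed_user, self._dummy)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), cred["salt"], PBKDF2_ITERATIONS
        )
        ok = hmac.compare_digest(candidate, cred["digest"]) and claimed_user in self._credentials
        self.audit_trail.append(("verify", claimed_user, "success" if ok else "failure"))
        return ok


def authenticate(auth: Authenticator, user: str, password: str) -> bool:
    """Run both round trips in order, as the accessing party experiences them."""
    prompt = auth.identify(user)       # "Who are you?" -> party answers with a name
    if prompt != "Prove it!":
        return False
    return auth.verify(user, password)  # "Prove it!" -> party answers with the secret


# Constructed sample credential store (not real users or passwords).
STORE = {"jdoe": make_credential("Trellis9-Harbor")}

if __name__ == "__main__":
    auth = Authenticator(STORE)
    print(authenticate(auth, "jdoe", "Trellis9-Harbor"))   # True
    print(authenticate(auth, "jdoe", "wrong-password"))    # False
    print(authenticate(auth, "nobody", "Trellis9-Harbor")) # False
    for entry in auth.audit_trail:
        print(entry)
```

The audit trail is what makes the procedure reviewable: each failed "Prove it!" step is recorded against the claimed name, which is the record a Security Official needs to spot repeated failures against one account.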

Three accepted methods of authentication are:

» Something you have. Examples are ATM or other type of swipe or smart card, token, or badge.
» Something you know. Examples are User ID, mother’s maiden name, personal ID number, or password.
» Something you are. Examples are biometric such as a facial image, finger image, voice scan, or iris or retina scan.

The covered entity's Security Official will define the policy to achieve the requirements of this authentication standard for controlling, monitoring, and enforcing access to electronic protected health information. How to do so will be an outcome of the covered entity's risk analysis. For workforce members, the policy likely will involve logon username and password procedures and audit trails. Passwords should be at least eight characters long and alphanumeric, and never based on the username, actual names, or any dictionary word. For business associates of a covered entity that seek access to the covered entity's electronic protected health information, we recommend the same conditions for passwords, but that passwords be at least ten characters long and alphanumeric. We anticipate that biometric identification techniques will be a surrogate for passwords in the healthcare clinical environment in the years ahead as providers adopt single sign-on and electronic health record systems.
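The password conditions in the paragraph above, turned into a checker as an added example (illustrative code for this posting, not any covered entity's policy engine). It assumes "alphanumeric" means the password contains both letters and digits, treats "based on" a name as the name appearing anywhere inside the password (so appending a year does not help), and uses a small constructed word list in place of a real dictionary or breached-password list. The eight-character workforce minimum and ten-character business-associate minimum come from the text.

```python
import re

# Constructed stand-in for a dictionary; a deployment would load a full word list.
DICTIONARY = {"password", "welcome", "hospital", "medical", "summer", "letmein"}

# Minimum lengths from the posting: 8 for workforce members, 10 for business associates.
MIN_LENGTH = {"workforce": 8, "business_associate": 10}


def password_policy_violations(password, username, names=(), party="workforce",
                               dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    minimum = MIN_LENGTH[party]
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")

    # "Alphanumeric" is read here as: at least one letter and at least one digit.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("not alphanumeric (needs both letters and digits)")

    lowered = password.lower()
    # "Never based on" the username or actual names: reject if the name occurs
    # anywhere in the password, case-insensitively, not only when it equals it.
    checks = [("username", username)] + [("name", n) for n in names]
    for label, name in checks:
        if name and name.lower() in lowered:
            problems.append(f"based on {label} '{name}'")

    # Dictionary check on the whole password and on its letters alone, so that
    # "password123" is still caught as the dictionary word "password".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or letters_only in dictionary:
        problems.append("based on a dictionary word")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(password_policy_violations("Trellis9Harbor", "jdoe", ["John", "Doe"]))  # []
    print(password_policy_violations("jdoe2024x", "jdoe", ["John", "Doe"]))
    print(password_policy_violations("password123", "jdoe"))
    print(password_policy_violations("Trellis9H", "jdoe", party="business_associate"))
```

Returning the full list of violations rather than a single pass/fail lets the logon procedure tell the workforce member exactly which condition to fix, and lets an audit of the policy see which conditions are failing most often.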
