Where in the Security or Privacy regs does it state that for access over the Internet you need 2-factor authentication?
I don’t believe it does. HIPAA Security regulations require a baseline of user id and password – not user id plus token/ biometric/etc. I don’t see anything in the HCFA Internet policy that would require user id plus token/biometric/etc. The policy specifically states that the policy guidance is consistent with the proposed HIPAA Security requirements. It does speak in some detail to authentication and user identification. While the HCFA Internet Policy authority applies directly only to government programs, its existence serves to establish a reasonable baseline for commercial as well. I think it would be extraordinarily difficult to justify deploying something less than what is contained in this policy. While the term “irrefutably” is contained only once in the Security NPRM preamble (and once in the glossary), I don’t think that the context and usage of it can be extrapolated to mean a requirement for 2-factor authentication. I think the authentication guidelines that occur many tim
