Person or Entity Authentication
164.312(c)
Technical Safeguards
Critical Risk
Moderate
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Implementation Guidance
Implement authentication mechanisms including passwords, tokens, biometrics, or other authentication methods.
NIST References
NIST SP 800-66 Rev. 2: Section 3.3.4
Best Practices
Strong password policies, multi-factor authentication, unique user accounts, regular authentication reviews.
Testing Procedures
Review authentication policies, test password strength, verify multi-factor authentication, test authentication failure handling.
Frequently Asked Questions
Q: What authentication methods are acceptable?
A: Authentication methods should be appropriate to the risk level and may include passwords, tokens, biometrics, or other methods.
Control Information
Control ID:
164.312(c)
Category:
Technical Safeguards
Subcategory:
Authentication
Risk Level:
Critical
Implementation Difficulty:
Moderate
Estimated Cost:
Medium
Implementation Timeframe:
2-4 months
Last Updated:
Oct 1, 2025
Additional Resources
NIST SP 800-66 Rev. 2: Authentication Guidance, HHS Authentication Guidance, Multi-Factor Authentication Best Practices