No More Gray Areas: Preparing for Mandatory MFA, Encryption, and Access Controls Under HIPAA 2025
by: Drew Duffy, MHA, FACHE
Why the Time for Full Compliance Is Now
As of 2025, healthcare organizations can no longer afford to treat cybersecurity requirements under HIPAA as optional or open to interpretation. The long-standing distinction between “required” and “addressable” security standards is being redefined — and in some cases, eliminated altogether. Whether you’re a hospital system or a five-provider family clinic, the expectation is the same: implement the full spectrum of technical safeguards — including multi-factor authentication (MFA), encryption of ePHI, and access control measures — or face the legal, financial, and reputational consequences.
This is not a recommendation. It’s a structural shift. And it demands serious attention.
Mandatory MFA, Encryption, and Access Controls: The End of “Addressable”
For years, HIPAA’s Security Rule allowed some flexibility around the implementation of specific safeguards. Under 45 CFR § 164.312, certain standards were labeled as “addressable,” meaning a covered entity could implement an alternative solution or document why a standard wasn’t reasonable or appropriate.
But in the 2025 proposed update to the HIPAA Security Rule (NPRM), that flexibility is being narrowed dramatically. In particular, MFA and encryption are no longer optional — they are now expected to be fully implemented across all systems handling electronic protected health information (ePHI), regardless of size, budget, or organizational complexity.
Let’s break this down:
Multi-Factor Authentication (MFA) — A New Standard, Not a Suggestion
What’s Changing:
All users accessing ePHI must authenticate using at least two of the following factors: something they know (password), something they have (authenticator app or hardware token), and something they are (biometric).
SMS and voice codes are being discouraged due to known vulnerabilities.
Google Prompt and similar push-notification systems are acceptable only when paired with a secure device enrollment process.
Why It Matters:
MFA is now considered a non-negotiable layer of protection. The days of relying on username + password alone — especially for cloud-based services like EHR platforms or email systems — are over. Credential theft and phishing have driven a surge in healthcare-related ransomware attacks, and the federal government is making it clear: organizations that skip MFA are in violation of their duty to protect patient data.
What You Must Do:
Enforce MFA across all accounts that access ePHI — this includes physicians, nurses, billing staff, and administrative users.
Disable access for non-compliant devices and for any account that bypasses MFA.
Require use of time-based one-time passcodes (TOTP) via apps like Google Authenticator or Authy.
Encryption in Transit and at Rest — Now Presumed Required
What’s Changing:
Encryption of all ePHI during transmission (TLS/HTTPS for emails, secure FTP, VPN tunnels) and while stored (full disk encryption, encrypted databases, etc.) is now considered mandatory unless a demonstrable technical impossibility exists.
The standard applies to cloud storage, mobile devices, external drives, and internal systems.
Why It Matters:
Any unencrypted ePHI is a liability — and under the new rules, failure to encrypt is presumed noncompliance unless rigorously justified and documented. This significantly raises the bar for what regulators will accept in a breach investigation.
What You Must Do:
Implement full-disk encryption (e.g., BitLocker, FileVault) on all workstations and portable devices.
Require TLS 1.2 or higher for all external communications containing PHI.
Encrypt server storage, backups, and removable media.
Role-Based Access Controls — Lock Down What Doesn’t Need to Be Open
What’s Changing:
Organizations must apply the principle of least privilege to all systems containing ePHI.
Access logs, automatic timeouts, and re-authentication mechanisms are now considered essential.
Why It Matters:
If every staff member can access every record, your system is not compliant — it is wide open to internal threat, human error, and external exploitation.
What You Must Do:
Create user roles that define the minimum access necessary based on job duties.
Implement audit logs that monitor and retain records of access attempts.
Use automatic logouts and session expiration controls.
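The three controls above (minimum-necessary roles, logged access attempts, automatic logout) are easiest to reason about when they live in one enforcement point. The following is an added illustration, not the article's or ClearPath's code; the role map, the permission names and the 15-minute idle timeout are constructed for the demo.

```python
# Constructed role-to-permission map (an assumption for this demo, not a table from the rule):
# each role gets only the record actions its job duties require.
ROLE_PERMISSIONS = {
    "physician": {"chart:read", "chart:write", "orders:write"},
    "nurse": {"chart:read", "vitals:write"},
    "billing": {"demographics:read", "claims:read", "claims:write"},
    "admin": {"users:manage"},  # administrative users need no clinical-record access
}
IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed value for the demo


class EphiGateway:
    """Single choke point in front of ePHI: MFA-gated login, least-privilege checks,
    idle-session expiry, and an audit record for every access attempt, allowed or denied."""

    def __init__(self):
        self.sessions = {}   # token -> {"user", "role", "last_activity"}
        self.audit_log = []  # production: append-only store with a retention policy

    def _audit(self, user, action, outcome, now):
        self.audit_log.append({"ts": now, "user": user, "action": action, "outcome": outcome})

    def login(self, user, role, mfa_verified, now):
        """Only MFA-verified users with a known role get a session."""
        if not mfa_verified or role not in ROLE_PERMISSIONS:
            self._audit(user, "login", "denied:mfa_or_role", now)
            return None
        token = f"sess-{len(self.audit_log) + 1}"  # demo token; use a random token in practice
        self.sessions[token] = {"user": user, "role": role, "last_activity": now}
        self._audit(user, "login", "ok", now)
        return token

    def access(self, token, permission, now):
        """Return True only for a live, non-idle session whose role grants the permission."""
        session = self.sessions.get(token)
        if session is None:
            self._audit("unknown", permission, "denied:no_session", now)
            return False
        if now - session["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]  # automatic logout
            self._audit(session["user"], permission, "denied:session_expired", now)
            return False
        session["last_activity"] = now
        allowed = permission in ROLE_PERMISSIONS[session["role"]]
        self._audit(session["user"], permission, "ok" if allowed else "denied:least_privilege", now)
        return allowed
```

Note that denials are logged with the same detail as successes; a log that records only successful reads cannot show a regulator, or your own incident responders, who tried to reach records they were not entitled to.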
How ClearPath Compliance Can Help
We understand that most clinics and practices are not IT firms — but they are expected to act like one when it comes to compliance. That’s where we come in.
We offer:
Secure MFA Deployment — We configure and enforce app-based MFA (e.g., Google Authenticator) across all platforms, including EHR, cloud email, and file storage.
Encryption Strategy & Rollout — From mobile devices to email to network drives, we ensure all PHI is encrypted in motion and at rest — in full alignment with 2025 guidance.
Access Policy Engineering — We design and implement customized access control policies tailored to your workflows, staffing structure, and risk profile.
Our team brings over 20 years of healthcare compliance experience to each engagement, and we’ve helped providers of every size modernize without disruption.
❤️ A Note About Equity: Supporting Those Who Serve the Underserved
If you are a small clinic, community-based provider, or organization that primarily serves marginalized populations, or has a high volume of Medicare/Medicaid patients, we believe you deserve the same level of data security as any large system. As part of our founder’s commitment to equitable care access, we offer significantly reduced rates for qualifying practices.
Everyone deserves to be protected. We make sure you can be.
📣 Final Thoughts
HIPAA is no longer tolerating excuses. Whether you're still using outdated systems, relying on password-only logins, or haven't encrypted your devices — you are on borrowed time.
But you don’t have to navigate this alone.
At ClearPath Compliance, we help providers meet today’s standards — and prepare for tomorrow’s. Let us bring you into full alignment with the 2025 HIPAA framework, without disruption, confusion, or guesswork.
If you find our blogs and insights helpful, we invite you to visit our Contact Us page. Simply enter your name and email, and let us know you'd like to receive updates. You’ll be among the first to know when we publish new articles, resources, or important compliance news.
-Drew