Multi-factor authentication and encryption are the two highest-impact changes in the updated HIPAA Security Rule. Both were previously "addressable"—giving organizations the option to implement alternatives or document why the control wasn't reasonable. The updated rule eliminates that flexibility. Both are now mandatory.
Understanding "Addressable" vs. Mandatory
Under the current rule, "addressable" meant evaluate and decide. In practice, it often meant skip and document why. Many healthcare organizations used the classification to defer encryption and MFA deployments indefinitely, citing cost, complexity, or operational disruption.
The updated rule eliminates the addressable category for these controls. There is no opt-out, no alternative, and no documentation path that avoids implementation.
MFA: What's Now Required
Scope
Every system, application, and access point that handles ePHI must be protected by MFA:
- Electronic health record (EHR) systems
- Cloud-based healthcare applications
- Remote access (VPN, RDP, virtual desktops)
- Email accounts that send or receive ePHI
- Administrative consoles for healthcare IT infrastructure
- Patient portals with staff-facing administrative interfaces
Implementation for MSPs
- Inventory ePHI access points. Map every system and access method that touches patient data.
- Assess current MFA coverage. Identify where MFA exists and where gaps remain.
- Select MFA methods. Authentication apps, hardware tokens, and biometrics all qualify. SMS-based MFA is technically compliant but increasingly discouraged due to SIM-swapping risks.
- Deploy in phases. Start with highest-risk access points—remote access, cloud apps, admin accounts—then extend.
- Document everything. Record which systems have MFA, what method is used, when deployed, and how managed.
Handling Clinical Workflow Pushback
Healthcare staff often resist MFA because it adds friction to workflows. The response: the updated rule doesn't offer a workflow exemption. Help clients choose MFA methods that minimize disruption—single sign-on with MFA at the front door, push notifications instead of code entry, proximity-based authentication where appropriate.
Encryption: What's Now Required
At Rest
- Full-disk encryption on all endpoints (workstations, laptops, tablets)
- Database encryption for servers hosting patient records
- Encrypted storage for backup media and archives
- Encrypted volumes for USB drives and portable media
- Cloud storage encryption—verify provider defaults and configuration
In Transit
- TLS for web-based applications and API communications
- Encrypted email (TLS minimum; consider S/MIME or portal-based for sensitive messages)
- VPN for remote access connections
- Encrypted file transfer protocols (SFTP, FTPS) for data exchanges
- Encrypted connections between sites for multi-location organizations
Implementation for MSPs
- Audit current encryption state. Verify encryption is not just available but actively enabled and properly configured.
- Deploy endpoint encryption. BitLocker on Windows, FileVault on Mac, MDM encryption policies for mobile devices.
- Secure email. Enforce TLS. For organizations regularly transmitting ePHI via email, consider an encrypted email gateway.
- Verify cloud encryption. Check key management practices and ensure the organization retains control where possible.
- Document the architecture. Record what's encrypted, how, who manages keys, and when last verified.
The Documentation Requirement
Implementing MFA and encryption isn't enough. Organizations must maintain documentation proving these controls are in place, properly configured, and actively maintained. Automating compliance documentation is the only scalable path for MSPs managing multiple healthcare environments.
The Broader Context
MFA and encryption aren't unique to HIPAA. Every major compliance framework requires both. MSPs who implement once and document against multiple frameworks create efficiency for clients facing overlapping obligations. The updated HIPAA Security Rule reinforces that healthcare cybersecurity is converging with the compliance standards every regulated industry faces.
Explore the Full Series
Understand the full context of the 2026 HIPAA updates:
Take the Next Step
Beachhead Solutions provides layered encryption and access control tools that help MSPs meet the updated HIPAA requirements. Schedule An Eval to see how BeachheadSecure® and ComplianceEZ™ simplify MFA and encryption compliance. Visit our Downloads & Resources library for compliance tools and guides.
Learn more about ComplianceEZ™ and BeachheadSecure®.
