Hipsana

Does HIPAA Require MFA for a Dental Practice? (2026)

By Dolev Arama · Updated June 2026


Not by name. The HIPAA Security Rule does not name multi-factor authentication, or MFA, as a requirement. What it requires is that you verify anyone reaching patient data is who they claim to be, and it leaves the method to your risk analysis. In practice that makes MFA the reasonable choice, and a proposed 2026 rule would make it explicit. Here is what that means for your practice right now.

This article explains whether HIPAA requires MFA for a dental practice. It is general information, not legal advice for your specific situation. For that, consult a healthcare attorney or a qualified HIPAA compliance professional.

Does HIPAA require MFA for a dental practice?

Not in those words. The control that comes closest is the Security Rule's authentication standard, 45 CFR 164.312(d), which tells a practice to "implement procedures to verify that a person or entity seeking access" to patient data "is the one claimed." It does not name a password, a code, or MFA. It names the goal, identity verification, and leaves you to pick a method that is reasonable for your practice. For an office that keeps patient data in the cloud and checks email from home, a single password is hard to defend as reasonable, which is why MFA has become the practical answer even though the words are not in the rule.

What HIPAA actually requires on authentication today

The Security Rule sorts its safeguards into two buckets, and the difference matters. Some are "required" and some are "addressable". Required means you implement it. Addressable does not mean optional: you implement it if it is reasonable and appropriate, or you document why not and put an equivalent measure in its place. Authentication itself is a required standard, so you must verify identity. But the specific method, password versus MFA, sits in that risk-based judgment, not in a named rule, and for most modern practices that judgment lands on MFA.

There is one authentication-adjacent control the rule does name, and dental offices break it constantly. Unique user identification is a required specification: every person who touches patient data needs their own login. A shared "frontdesk" account does not satisfy that required standard, MFA or no MFA. So the honest picture is this: unique logins are required by name, and MFA is not.

Required by name: a unique login for each person; a security risk analysis; an emergency access procedure.

Addressable (risk-based): automatic logoff after inactivity; encryption of patient data; password management procedures.

Not named at all: multi-factor authentication (MFA); any specific password length or rule; any named brand, app, or device.

What the Security Rule names, and what it leaves to your risk analysis. MFA is not in the rule's text today; a unique login and a risk analysis are.

The proposed 2026 rule: what would change, and why it isn't law yet

In January 2025 HHS proposed the most significant overhaul of the Security Rule in over two decades. The proposed rule would do two things that matter here. It would erase the "addressable" category, making those safeguards mandatory, and it would name MFA directly, requiring it with limited exceptions. If it becomes law, "is MFA required?" gets a one-word answer: yes.

But it is not law, and it may never be. As of 2026 the rule is still a proposal. The comment window closed in March 2025, the government's own May 2026 target to finalize it came and went with nothing published, and a coalition of more than 100 health care organizations, the American Dental Association among them, has asked the government to withdraw it. They point to the price: the government's own estimate puts the first-year cost at roughly $9 billion. If a final rule does land, practices would get about 240 days to comply (the proposal's 60-day effective date plus a 180-day compliance period). Until then, anyone telling you the "2026 rule" already forces you to use MFA is wrong: it is proposed, not in force.

What OCR actually enforces

Here is the part most articles skip, and it should change how you spend your money. When OCR penalizes a practice after a breach, the charge is almost always the same: the missing risk analysis, not the missing MFA.

Take PIH Health, a California network that settled with the HHS Office for Civil Rights for $600,000 in April 2025. A phishing attack had walked into 45 employee email accounts and exposed the records of 189,763 patients, the kind of break-in MFA is built to stop. But when OCR wrote up what PIH did wrong, the violations included the failure to conduct a risk analysis and the failure to report the breach on time. MFA is not in the charges. It appears only in OCR's list of non-binding recommendations afterward.

It is a pattern, not a one-off. Lafourche Medical Group, a small Louisiana group whose owner clicked a phishing email, was OCR's first phishing settlement at $480,000 in 2023, and the cited failure was again the missing risk analysis. Even when an employee at New York's Montefiore Medical Center stole records from the inside, OCR charged the risk analysis and the audit controls, not the authentication method. OCR has even built an enforcement program around this single failure, its Risk Analysis Initiative, launched in 2024. The wider pattern of dental and small-practice settlements is tracked in our HIPAA breach and enforcement report.

Figure: summary card of the HHS Office for Civil Rights settlement with PIH Health, Inc. (announced April 23, 2025). A phishing attack on 45 employee email accounts exposed the records of 189,763 patients; PIH paid $600,000, and OCR cited the missing risk analysis and the late breach notification, not the absence of multi-factor authentication.

The clearest case runs the other way. In 2024 OCR imposed a $548,265 penalty on Children's Hospital Colorado and said plainly that the first breach happened because multi-factor authentication was disabled on an email account. Even there, the violations OCR charged were the missing risk analysis and untrained staff, not the missing MFA, because the rule gave it no MFA provision to cite. The disabled MFA explains how the attacker got in. The risk analysis is what OCR could enforce.

None of this means MFA is optional. The most vivid case in health care makes the opposite point. The largest breach ever reported to the federal government, the 2024 attack on Change Healthcare that exposed records on roughly 190 million people, began on a remote-access portal that had no multi-factor authentication. One stolen password was the whole entry. So MFA matters enormously. It is just not the box OCR checks when it writes the penalty. And the two are not a choice between each other. The risk analysis is the process that finds the exposure and tells you to turn MFA on; skip it, and you do not find the gap until a breach does.

This is the trap in the free check-the-box tools. They will tell you to switch MFA on, and you should. But under the current rule there is no MFA box for OCR to check, so what it cites is the missing risk analysis underneath the breach, the document those tools rarely produce in a form that survives an audit. The free HIPAA Scorecard shows you where your authentication and your risk analysis actually stand, and names your biggest gap in about three minutes. It is a starting point, not a full audit, but it tells you whether you are exposed on the thing OCR actually cites.

Where to turn on MFA in a dental practice

If you decide to add MFA, and you should, the job is to cover every place patient data lives, not just the front-door login. The gaps that get practices in trouble are the ones nobody thought to check: a cloud backup, an imaging portal, the email account a hygienist reads from home. A compliance professional can confirm the list for your specific systems, but here is the map most dental offices need.

Where to switch MFA on, and why it matters:

  • Practice-management software (Dentrix, Eaglesoft, Open Dental): it holds the full patient chart, and many versions include MFA at no extra cost.
  • Email, whether Microsoft 365 or Google Workspace: the most common break-in point; phishing led to the breaches OCR has settled.
  • Imaging and X-ray cloud portals: patient images are protected health information too.
  • Remote access and VPN: a remote-access portal with no MFA is exactly how the Change Healthcare breach started.
  • Cloud backup and file storage: a backup of patient data is still patient data.
  • Administrator and billing accounts: these reach everything, so they are the highest-value target.

Switch MFA on everywhere patient data can be reached, not only at the main login.

Which kind of MFA counts

Not every second factor is equal. A code texted to a phone is better than nothing, but it is the weakest common option: phone numbers can be hijacked through SIM-swaps and number porting, and NIST, the federal standards body, classifies text-message codes as "restricted", still allowed but discouraged and hedged with conditions. An authenticator app on the phone closes off the phone-number attacks, but a six-digit code from an app is still a code the user can be tricked into typing into a lookalike login page, where an attacker relays it to the real site within the code's validity window. The option that actually resists that kind of phishing is a physical security key built on the FIDO2/WebAuthn standard, which ties the login to the genuine site's address and simply will not authenticate to an impostor. So the practical order is: text messages last, an authenticator app as the workable default, and a security key on the accounts that matter most, administrators and remote access.

Cost is rarely the obstacle. Authenticator apps are free, and MFA is already built into many practice-management and email platforms. What a fully compliant year actually costs is its own question, covered in how much HIPAA compliance costs for a dental practice.

What to do now

You do not have to wait for the rule to settle. The steps below are the reasonable-and-appropriate baseline today, and every one of them would also put you ahead of the proposed rule if it lands.

1. Switch MFA on everywhere patient data lives. Practice-management software, email, imaging, cloud backup, remote access, and every administrator account. Start with email and remote access, since that is where the settled breaches began.

2. Use an app or a hardware key, not text messages. An authenticator app closes off the SIM-swap and number-porting attacks; a physical security key also resists phishing, so put keys on administrator and remote-access accounts. Keep SMS codes only as a last-resort backup, since NIST treats them as a restricted method.

3. Kill every shared login. Give each staff member a unique account. The shared "frontdesk" password fails a requirement the rule names explicitly, separate from MFA.

4. Write down and date a security risk analysis. This is the single document OCR cites most often after a breach. It has to be accurate and thorough, and kept up to date, not a one-time checkbox from three years ago.

5. Get a signed agreement with every vendor that touches patient data. Your IT company, cloud backup, billing service, and software vendor each need a business associate agreement before they handle patient data.
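Steps 1 to 3, and the "where to switch MFA on" list above, are an audit as much as a to-do list, and the quickest way to run that audit on a cloud email tenant is over the per-user registration export rather than by clicking through each account. The block below is an added example, not code from this page or from Microsoft: it reads a constructed sample shaped like the records Microsoft Graph returns from the authentication-methods user-registration-details report (the field and method names are assumed from that API and should be checked against your own export), then lists administrators with no second factor, anyone with no second factor at all, accounts whose only second factor is SMS or voice, and accounts whose name looks like a shared role rather than a person. The same logic applies to a Google Workspace or practice-management user export once the fields are mapped.

```python
"""Audit a user-registration export for the MFA gaps in steps 1 to 3.

Added example, not code from the page or from any vendor. Field and method
names follow the Microsoft Graph userRegistrationDetails report as assumed
here; verify them against your tenant's actual export before relying on it.
"""
import json
from typing import Optional

# Method names as assumed from the Graph report. Phone-based methods are the
# SMS/voice tier the text calls the weakest common option.
SMS_OR_VOICE = {"mobilePhone", "alternateMobilePhone", "officePhone"}
# Recovery channels, not second factors, so they are ignored when counting.
RECOVERY_ONLY = {"email", "securityQuestion"}
# Heuristic only: account names that describe a role rather than a person.
GENERIC_ROLE_NAMES = {"frontdesk", "reception", "office", "admin",
                      "billing", "hygiene", "info"}

# Constructed sample export (not real data, not a real tenant).
SAMPLE_EXPORT = json.dumps({"value": [
    {"userPrincipalName": "drsmith@example-dental.com", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "frontdesk@example-dental.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "billing-admin@example-dental.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": ["email"]},
    {"userPrincipalName": "j.hygienist@example-dental.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["softwareOneTimePasscode"]},
]})

# Worst gap first: an administrator with a single password, then anyone with
# a single password, then a shared login (a named HIPAA requirement), then
# accounts that rely on SMS or voice alone.
PRIORITY = ["admin_no_mfa", "no_mfa", "possible_shared", "sms_only"]


def audit(export_json: str) -> dict:
    """Classify each user record into the gap categories above."""
    findings = {key: [] for key in PRIORITY}
    for rec in json.loads(export_json)["value"]:
        upn = rec["userPrincipalName"]
        factors = set(rec.get("methodsRegistered", [])) - RECOVERY_ONLY

        if not rec.get("isMfaRegistered") or not factors:
            findings["no_mfa"].append(upn)
            if rec.get("isAdmin"):
                findings["admin_no_mfa"].append(upn)
        elif factors <= SMS_OR_VOICE:
            findings["sms_only"].append(upn)

        # Shared-login heuristic: local part, digits stripped, is a bare role name.
        local = upn.split("@", 1)[0].lower().rstrip("0123456789")
        if local in GENERIC_ROLE_NAMES:
            findings["possible_shared"].append(upn)
    return findings


def biggest_gap(findings: dict) -> Optional[str]:
    """Return the highest-priority category that has any hits, or None."""
    for key in PRIORITY:
        if findings[key]:
            return key
    return None


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for key in PRIORITY:
        print(f"{key}: {result[key]}")
    print("biggest gap:", biggest_gap(result))
```

On the constructed sample the script flags the billing administrator with only an email recovery method as the biggest gap, the front-desk account both as a likely shared login and as SMS-only, and leaves the key-protected dentist and the app-protected hygienist alone. Run it against a real export and the output is the to-do list for steps 1 to 3 in the order the text argues for.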

Two of these have their own guides: what a risk analysis involves is laid out in the dental HIPAA risk assessment, and which vendors need a contract, and what it must say, is covered in does my dental practice need a BAA. The proposed 2026 rule would also require that vendor contract to name MFA and encryption specifically, one more reason to get the agreement in place now.

If you want a fast read on where you stand, the free HIPAA Scorecard checks your authentication, your risk analysis, your vendor agreements, and six other core controls, then names your biggest gap in about three minutes.

This is general information about HIPAA and a proposed federal rule, not legal advice, and the rule's status can change. Before you rely on any authentication setup to meet HIPAA, have it reviewed by a healthcare attorney or a qualified HIPAA compliance professional.

About the author

Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. Regulatory claims trace back to those sources, and figures name where they come from; anything that can't be verified is labeled rather than asserted.

Sources

  • U.S. Department of Health and Human Services, Office for Civil Rights, “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information,” notice of proposed rulemaking, 90 FR 898 (Federal Register, Jan. 6, 2025): proposed, not finalized as of June 2026.
  • 45 CFR § 164.312(d) (person or entity authentication) and § 164.312(a)(2)(i) (unique user identification, Required) (eCFR, current as of June 2026).
  • 45 CFR § 164.306(d) (the “required” versus “addressable” framework) (eCFR, current).
  • 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis, Required) (eCFR, current).
  • HHS Office for Civil Rights, “Settles Phishing Attack Breach with Health Care Network for $600,000” (PIH Health) (hhs.gov, Apr. 23, 2025): the cited failures were the risk analysis and breach-notification timing; MFA was not charged.
  • HHS Office for Civil Rights, settlement with Lafourche Medical Group (hhs.gov, Dec. 7, 2023) and the malicious-insider settlement with Montefiore Medical Center (hhs.gov, Feb. 6, 2024): in each, the cited failure was the risk analysis, not the authentication method.
  • HHS Office for Civil Rights, “Settles HIPAA Ransomware Cybersecurity Investigation for $90,000” (Bryan County Ambulance Authority) (hhs.gov, Oct. 31, 2024): the first enforcement action in OCR’s Risk Analysis Initiative; the cited failure was the risk analysis.
  • NIST Special Publication 800-63B-4, Digital Identity Guidelines (2025, superseding the 2017 edition): use of the PSTN (SMS and voice) for out-of-band authentication is “restricted” (nvlpubs.nist.gov, accessed June 2026).
  • American Dental Association, “ADA urges HHS to withdraw proposed HIPAA cybersecurity rule” (ada.org, December 2025): the ADA joined a coalition of more than 100 organizations seeking withdrawal.
  • Change Healthcare / UnitedHealth Group: the 2024 ransomware breach, the largest reported to HHS, began on a Citrix remote-access portal with no multi-factor authentication (UnitedHealth Group congressional testimony, 2024); affected individuals reported at roughly 190 million.

Frequently asked questions

Is 2FA the same as MFA, and is it required for HIPAA?

Two-factor authentication (2FA) is the most common form of multi-factor authentication, so the terms are used interchangeably. Neither is required by name under the current HIPAA Security Rule. The rule requires you to verify the identity of anyone accessing patient data and to base your method on a risk analysis. Given the way modern attacks work, that makes MFA the reasonable choice even though the words are not in the rule.

How much does MFA cost for a small dental practice?

Often nothing. Authenticator apps are free, and MFA is already included in many practice-management systems and email platforms. The broader question of what full HIPAA compliance costs in a year is covered in our compliance-cost guide for dental practices.

Are shared front-desk logins a HIPAA violation?

Generally yes. Unique user identification is a required specification of the Security Rule, which means every person who accesses patient data must have their own login. A shared front-desk account does not satisfy that requirement, separate from the question of MFA.

When would the proposed 2026 MFA rule take effect?

It has not taken effect, and it may not. The proposal was published in January 2025 and remains proposed; the government's May 2026 target to finalize it passed with nothing published, and a coalition of more than 100 health care organizations, the American Dental Association among them, has asked for it to be withdrawn. If a final rule is published, practices would have roughly 240 days to comply.

Is SMS text-message MFA allowed under HIPAA?

It is allowed, but it is the weakest common option. Text-message codes can be intercepted through SIM-swaps and number porting, and NIST classifies them as a restricted method. An authenticator app removes the phone-number attacks, though its codes can still be phished and relayed; a physical security key resists phishing as well. Use text messages only as a backup.

Has any dental practice been fined for not having MFA?

No. In its breach settlements, the Office for Civil Rights has cited the missing risk analysis as the violation, even in breaches that began with missing or disabled MFA. That is the document worth getting right first. The free HIPAA Scorecard checks your risk analysis and authentication and names your biggest gap in about three minutes.