HIPAA MFA Requirement 2026: A Plain-English Guide

If you run a medical practice and someone in IT has mentioned “MFA” lately, they’re not wrong to bring it up.

Multi-factor authentication (MFA) is about to become a legal requirement under HIPAA. The proposed HIPAA Security Rule update, expected to be finalized in May 2026, removes it from the "nice to have" category and puts it squarely in the "required or face a fine" category. You'll have 240 days from publication to comply.

But here's the thing: you don't need to wait for the final rule. MFA is one of the most effective security controls that exists, it's inexpensive, and for most practices it takes less than a day to set up. If you're not using it yet, it is the single highest-impact security improvement you can make today.

This guide is written for practice administrators and healthcare managers who aren't technical. No jargon. Just what you need to know and exactly what to do.

What Multi-Factor Authentication Actually Is (Without the Tech-Speak)

You already use multi-factor authentication in your personal life. When your bank texts you a code after you enter your password, that's MFA. When you log into your personal email on a new device and it asks for a code from an app, that's MFA.

The concept is simple: instead of proving who you are with just a password, you prove it with two different things. Usually that is something you know (a password) plus something you have (a code that only your phone can generate right now).

Here’s why that matters for healthcare security: passwords get stolen constantly. Phishing emails trick employees into typing their credentials into fake login pages. Data breaches expose millions of passwords at once. People reuse passwords across accounts. Any of these scenarios can hand a hacker valid login credentials for your EHR, your email, your billing system.

But with MFA turned on, stolen credentials alone aren't enough. The attacker also needs the second factor, which usually means your employee's phone. That's a dramatically harder attack to pull off, which is why Microsoft reports that MFA blocks more than 99.9% of automated account-compromise attacks. It isn't bulletproof: a convincing fake login page can ask for the code too, and some attackers simply spam "approve sign-in?" prompts until a tired employee taps Approve. The section on MFA types covers which options resist that.

A phishing attack took down a small Illinois addiction treatment clinic in 2022: 1,980 patients' records exposed, a $103,000 fine from OCR, two years of federal monitoring. That breach started with one employee's password getting stolen. With MFA in place, that stolen password alone would not have opened the door. You can read the full enforcement story in our OCR Part 2 enforcement breakdown.

The 3 Types of MFA (And Which One Your Practice Needs)

1. SMS Text Message Codes (Weakest)

After entering your password, the system texts a 6-digit code to your phone. You enter the code to get in.

This is the most common and the easiest to understand. It's also the weakest form of MFA. There's an attack called SIM swapping where a criminal convinces your mobile carrier to transfer your phone number to a new SIM card they control, and from then on they receive your texts. It's not common, but it happens, and a fake login page can simply ask for the texted code the same way it asks for the password. SMS is still far better than no second factor at all, but for a medical practice handling sensitive patient data, you can do better.

2. Authenticator App Codes (Best for Most Practices)

An app on your phone generates a new 6-digit code every 30 seconds. To log in, you open the app and type the current code. The code is computed locally on your phone from a secret that was shared with the phone when you scanned the enrollment QR code; nothing is transmitted over the cellular network, so SIM swapping doesn't help an attacker. The remaining weakness is the person, not the phone: a fake login page can ask for the current code and relay it within the 30-second window, so staff still need to check they are on the real site before typing anything.

This is the sweet spot for small practices: strong security, easy to use, costs nothing extra. The three main apps are:

  • Microsoft Authenticator — Best choice if you use Microsoft 365 (Outlook, Teams, etc.). Free. Works on iPhone and Android.
  • Google Authenticator — Simple, reliable, works with almost any system. Free. Good choice if you don’t use Microsoft products.
  • Duo — More features, designed for business use, has a management dashboard. Free plan available for very small teams, paid plans start around $3/user/month.

For most practices under 20 people, Microsoft Authenticator or Google Authenticator is all you need. They're free, they're widely supported, and your IT person can set them up in a morning.

3. Hardware Security Keys (Most Secure)

A physical USB or NFC device (like a YubiKey, which runs $25-$50 per key) that you plug in or tap when logging in. This is the most secure option: the key only answers the real website it was registered with, and there is no code for an employee to type into a fake page, so it resists phishing in a way that SMS and app codes don't. It's also the most expensive and the most operationally complex option. You need to manage physical keys, deal with lost keys, and ensure staff have them available wherever they log in.

This is right for high-privilege accounts (your IT administrator, your EHR superuser) but is probably overkill as a standard for every front desk employee. Start with authenticator apps, consider hardware keys for your most sensitive accounts.

What MFA Costs for a Small Healthcare Practice

For most small practices, MFA costs very little, and often nothing extra.

If you use Microsoft 365: MFA is included with every Microsoft 365 subscription at no extra cost. You already paid for it. You just need to turn it on; the simplest switch is the "security defaults" setting in the Microsoft Entra admin center, which requires MFA registration for every user.

If you use Google Workspace: Same situation. MFA (Google calls it 2-Step Verification) is built in, included in your subscription, and the admin console lets you enforce it for every user.

If you use Duo: The free tier covers core MFA for very small teams (Duo caps its free plan at 10 users). The paid Duo Essentials plan ($3/user/month) adds device health checking and more integrations, and is useful if you want a centralized dashboard showing which staff have MFA active.

If you use a standalone EHR or billing system: Check whether your vendor supports MFA. Most major EHR platforms (Epic, athenahealth, eClinicalWorks, etc.) support it. For some older or less sophisticated systems, you may need a third-party identity provider — your IT person can advise.

The bottom line for a five-provider practice: you're likely looking at $0-$50/month total, depending on whether you need a paid Duo plan. Compare that to the cost of a breach (IBM's recent Cost of a Data Breach reports put the average healthcare breach at roughly $10 million per incident) and MFA is the best security investment you'll ever make.

How to Roll Out MFA: Step-by-Step Setup Guide

You don’t need a big IT project for this. Here’s a practical sequence for a small practice.

Step 1: List Every System That Accesses Patient Data

Start with your EHR. Then: email (this is huge: email is where most breaches start), patient portal, billing software, practice management system, any cloud storage where you keep scanned documents or records, and remote access tools if your staff works from home or between locations.

You want MFA on all of them. Prioritize: EHR first, email second, everything else after.

Step 2: Check What Your Vendors Already Support

Log into the admin settings of each system and look for "Security," "Authentication," "Two-Factor Authentication," or "Two-Step Verification." Most will have a section for it. If you can't find it, call your vendor's support line and ask: "Does your system support multi-factor authentication, and how do I enable it?"

Don’t assume it’s enabled just because the option exists. You have to turn it on. And while you’re reviewing vendor security, make sure you don’t have any of the common BAA mistakes that leave you exposed.

Step 3: Pick Your Authenticator App

For most practices: Microsoft Authenticator if you use Microsoft 365, Google Authenticator if you don't. Download it on your own phone first and test it with one account before you roll it out to staff.

Step 4: Set a Deadline and Tell Your Staff

Give your team two weeks' notice. Send a clear, simple message: "On [date], we're turning on two-step login for [EHR name] and email. This is a HIPAA security requirement. You'll need to download [app name] on your phone. We'll walk everyone through it."

Include a reason. People are more cooperative when they understand why. “This protects our patients’ records and keeps us from getting hacked” is a reason they’ll respect.

Step 5: Do a 15-Minute Setup Session With Each Staff Member

Don't email instructions and hope for the best. Sit with each person, in person or over video, and walk through the setup. It takes about 10-15 minutes per person. Open the app, scan the QR code the system shows, verify the first code works. Done. Treat that QR code like a password: don't screenshot, print, or email it, because anyone who has it can generate the same codes as the employee's phone.

For staff who don't have smartphones or who resist using personal devices, you have options: a hardware security key, a dedicated small tablet assigned to that one person and kept at their workstation (not a shared device the whole desk uses, which defeats the purpose), or in some cases SMS codes (weaker but better than nothing). Work with people, but don't let "I don't have a smartphone" become a permanent exception.

Step 6: Turn on MFA for the Whole Practice

Once everyone is enrolled in the app, flip the switch in your admin settings to require MFA. Don't leave it as optional, because optional means someone will skip it. Required means everyone is protected. After you flip it, check the admin report for anyone who still hasn't registered, and review it again whenever someone joins.

Step 7: Have a Backup Plan for Lost Phones

This will happen. Someone will get a new phone and forget to transfer their authenticator codes. Document what your vendor's account recovery process is before someone is locked out at 8am on a Monday. Most systems have backup codes you can generate and store securely, or an admin override process. Whoever handles resets must verify the person's identity in a way that doesn't depend on the phone that was lost, because calling the help desk and saying "I lost my phone, please reset my MFA" is one of the most common ways attackers get around MFA.

Common MFA Objections in Healthcare, Answered

“My staff will hate this.”

The first week, you’ll get complaints. After that, most people forget it’s even there — it takes 10 seconds to open an app and type a code. Frame it as protecting the practice and patients. The resistance is usually lower than administrators expect.

“What if someone doesn’t have a smartphone?”

See Step 5 above. Hardware keys or a dedicated tablet at their workstation solve this. SMS codes are a fallback. Work around it — don’t use it as a reason to skip MFA entirely.

“Our EHR vendor doesn’t support MFA.”

Push your vendor on this. Every major EHR vendor supports MFA at this point. If yours doesn't, that is a major security and compliance liability. Consider whether it's time to raise this issue formally with your vendor, or whether that system's lifecycle is coming to an end.

“We’re a tiny practice — nobody is targeting us.”

Healthcare data is among the most valuable data on the black market. A patient's full record (name, date of birth, Social Security number, diagnosis, insurance information) can fetch $250-$1,000 per record on criminal forums. The attackers running phishing campaigns aren't singling out large organizations; they're running automated attacks against thousands of email addresses at once. Small practice, large practice, it doesn't matter to a phishing bot. In 2025, 710 breaches affecting 500 or more people were reported to OCR, and that doesn't count the thousands of smaller breaches that fly under the radar.

Your MFA Compliance Timeline

The proposed HIPAA Security Rule is expected to be finalized in May 2026. After that, you have 240 days to comply — putting the hard deadline around January 2027.

But here's a better way to think about the timeline: every month you're not using MFA is a month where a phishing email can hand a hacker access to your patient records. The compliance deadline is the legal forcing function, but the security benefit starts the day you turn it on.

Most practices can have MFA running on their EHR and email within a week of deciding to do it. That's a week of effort to eliminate one of the most common entry points for healthcare data breaches.

The rule is coming. The deadline is real. And the technology to comply is sitting free in the App Store and Google Play right now.

Need help getting your practice in line? One Guy Consulting offers affordable HIPAA compliance packages. Explore HIPAA compliance services