
Administrator Guide

Enforcing Two-Step Authentication Org-Wide

HIPAA requires multi-factor authentication for all systems that access ePHI. As an administrator, you can enforce Two-Step Authentication across your entire organization with a single policy toggle, ensuring every user is protected.

Why Enforce Org-Wide 2FA

The 2026 HIPAA Security Rule updates explicitly require multi-factor authentication for access to systems containing ePHI. Relying on individual users to voluntarily enable 2FA creates compliance gaps. The organization-wide policy ensures 100% coverage, with no exceptions.

  • Prevents unauthorized access even if a user's password is compromised.
  • Satisfies the HIPAA Security Rule's technical safeguard requirements for access control.
  • Reduces the risk of credential-based breaches, which account for over 80% of healthcare data breaches.
  • Provides an auditable record that 2FA was enforced across the organization.

Enabling the Policy

  1. Log in to the web portal with your administrator credentials.
  2. Click the Admin tab, then navigate to Settings → Policies.
  3. Scroll to the Security section and find Require Two-Step Authentication.
  4. Check the Require Two-Step Authentication checkbox.
  5. Click Save.

Note

The policy takes effect immediately. Users who have not yet configured 2FA will be prompted to set it up the next time they log in to the web portal. They cannot access their account until 2FA is configured.

What Users Experience After Enforcement

  • On their next web portal login, users who haven't set up 2FA are redirected to the 2FA Setup Wizard.
  • They must complete setup before they can access any files.
  • Mobile app users will be prompted to configure a passcode (PIN) in addition to their 2FA code.
  • Desktop client users will be prompted for a 2FA code when re-registering or after their session expires.

Tip

Send a communication to your users before enabling the policy so they know what to expect. Recommend they use an Authenticator App (Google Authenticator, Microsoft Authenticator, or Authy) for the best experience.

Monitoring 2FA Compliance

  1. In the Admin panel, navigate to Users.
  2. Look for the 2FA Status column in the user list.
  3. Users with 2FA enabled will show a green checkmark; those without will show a warning icon.
  4. Filter by 2FA Status to identify users who have not yet completed setup.
  5. You can send a reminder email to non-compliant users directly from the Admin panel.
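The steps above are done in the Admin panel. For an auditable record of coverage (the fourth point under "Why Enforce Org-Wide 2FA"), many administrators also want the same check in a form they can run on a schedule and keep. The following script is an added example, not part of this guide or the product; it assumes the user list can be exported as CSV with an Email, Role and 2FA Status column, which the guide does not document, and it uses a constructed sample export rather than real data. It treats any status other than an exact "Enabled" as non-compliant, so a blank or unexpected value is never counted as covered.

```python
"""Compute org-wide two-step authentication coverage from a user-list export.

Added example; not part of the product's documentation. The CSV layout
(columns Email, Role, 2FA Status) is an assumption: the Admin panel shows a
2FA Status column, but no export format is documented.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export: not real users or real data.
SAMPLE_EXPORT = """Email,Role,2FA Status
alice@example.org,Admin,Enabled
bob@example.org,User,Not Configured
carol@example.org,User,Enabled
dave@example.org,User,Not Configured
"""


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into a list of user records (one dict per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def non_compliant_users(users: list[dict]) -> list[str]:
    """Return the e-mail addresses of users whose 2FA Status is not 'Enabled'.

    Fail-closed: a missing, blank or unrecognised status counts as not covered.
    """
    return sorted(
        u["Email"] for u in users
        if u.get("2FA Status", "").strip().lower() != "enabled"
    )


def coverage_percent(users: list[dict]) -> float:
    """Percentage of users with 2FA enabled, rounded to one decimal place."""
    if not users:
        return 0.0
    enabled = len(users) - len(non_compliant_users(users))
    return round(100.0 * enabled / len(users), 1)


def compliance_report(text: str) -> dict:
    """Build an auditable summary: when it was generated, totals, and who still needs setup."""
    users = parse_export(text)
    missing = non_compliant_users(users)
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "total_users": len(users),
        "users_with_2fa": len(users) - len(missing),
        "coverage_percent": coverage_percent(users),
        "fully_enforced": not missing,   # True only when nobody is left to set up
        "needs_setup": missing,
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_EXPORT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against each export and keep the printed report with the date; the `needs_setup` list is the set of users to send the reminder email to, and a `fully_enforced` value of True is the evidence that the policy is covering everyone.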

Handling Exceptions

In rare cases, a user may need a temporary exception (e.g., they lost access to their 2FA device). Administrators can reset a user's 2FA configuration:

  1. In the Admin panel, click Users and find the affected user.
  2. Click the user's name to open their profile.
  3. Click Reset Two-Step Authentication.
  4. The user's 2FA configuration is cleared. They will be prompted to set it up again on their next login.

Important

Resetting a user's 2FA temporarily reduces their account security. Only do this when the user has verified their identity through another channel (e.g., in-person or via a known phone number).

Disabling the Policy

If you turn off the Require Two-Step Authentication policy, the organization-wide requirement is removed. However, individual users who have already configured 2FA will not have it automatically disabled; they must disable it themselves in their Account Settings.

Important

Disabling the 2FA policy creates a HIPAA compliance gap. Only disable this policy if you have an alternative MFA solution in place (e.g., SSO with MFA). Document the decision in your risk analysis.