Medical billing accounts are among the most targeted credentials in healthcare. They sit at the intersection of financial data and protected health information, giving attackers two reasons to pursue them. According to HHS, the number of reported healthcare data breaches doubled between 2018 and 2024, affecting approximately 459 million people.
Multi-factor authentication for medical billing is no longer a security best practice reserved for large health systems. HHS has classified it as an Essential Goal in its 2024 Cybersecurity Performance Goals, and proposed updates to the HIPAA Security Rule published in January 2025 would make it mandatory for covered entities and business associates. Billing managers, practice administrators, and RCM staff who have been treating MFA as optional need to recalibrate.
This guide covers what HHS requires today, what is changing, which MFA methods actually provide protection, and how to roll out MFA across a billing operation without disrupting your team.
Why MFA Has Become Non-Negotiable in Healthcare Billing
Credential theft is the primary attack vector against billing staff. Phishing emails that mimic payer portals, clearinghouse login pages, and EHR systems are common enough that they no longer require sophisticated targeting. A billing coordinator who enters credentials into a convincing fake login page hands attackers everything they need to access claims data, patient records, and payer accounts.
Healthcare records carry high value on criminal markets. A stolen healthcare record contains far more actionable data than a stolen credit card number: names, dates of birth, Social Security numbers, insurance IDs, diagnosis codes, and provider information. That combination enables identity theft, fraudulent billing, and insurance fraud in ways a financial record alone cannot.
The scale of this problem is documented by HHS. Reported healthcare data breaches have doubled in a six-year period, with roughly 459 million individuals affected. Billing operations, payer portals, and clearinghouse accounts are consistently among the targeted systems because they are accessible from the internet and often secured only with a username and password.
A password alone does not provide adequate protection against phishing, credential stuffing, or brute-force attacks. Multi-factor authentication adds a second verification requirement that remains valid even after a password has been compromised.
What HHS Currently Requires: HIPAA and the 2024 Cybersecurity Performance Goals
The current HIPAA Security Rule requires covered entities to implement procedures to verify the identity of persons or entities seeking access to electronic protected health information. However, the rule does not specify the verification method. A practice that verifies identity through a password alone is technically compliant with the current rule’s identity verification standard, even though a password-only approach is widely recognized as inadequate.
That gap has not gone unaddressed. In January 2024, HHS released its Cybersecurity Performance Goals, a structured framework for healthcare organizations to assess and improve their cybersecurity posture. MFA is classified as an Essential Goal within this framework, not an enhanced or optional one.
The framework language is specific: the objective is to “add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the Internet.” MFA appears across multiple sub-goals, including Email Security and Unique Credentials. The designation as “Essential” carries a clear message: HHS treats MFA as foundational, not aspirational.
The HHS 405(d) Program, which provides the Health Industry Cybersecurity Practices (HICP) framework used by healthcare organizations for voluntary compliance, further specifies what this looks like in practice. The HICP framework includes “Enable Multi-Factor Authentication (MFA) for all Remote Access” and structures MFA under Identity and Access Management practices: 3.M.A (Identity), 3.M.C (Authentication), and 3.M.D (Multi-factor Authentication for Remote Access).
For billing operations where staff access payer portals, clearinghouse accounts, and EHR systems from outside the office, these controls apply directly.
What Is Changing: The Proposed HIPAA Security Rule Update
The current HIPAA Security Rule’s flexibility around identity verification is on track to change. HHS published a Notice of Proposed Rulemaking for updates to the HIPAA Security Rule in January 2025, with a 60-day public comment period that closed in March 2025.
The proposed rule would make MFA mandatory for HIPAA-covered entities and business associates. This is a material shift from the current rule, which requires identity verification but leaves the method to the organization’s discretion. Under the proposed changes, using a password alone to access systems containing ePHI would not satisfy the requirement.
The rule has not been finalized as of this writing, and the timeline for finalization depends on the regulatory process. But the direction is unambiguous. HHS has signaled through both the proposed rule and the 2024 Cybersecurity Performance Goals that MFA is expected. Organizations that wait for final rulemaking to begin implementation will be behind the compliance curve when the rule takes effect.
Practices and billing companies that implement MFA now are meeting the current Essential Goal standard and positioning themselves ahead of the mandatory requirement. Those that do not are carrying documented risk.
Not All MFA Is Equal: Why Authenticator Apps Are the Right Choice
“Multi-factor authentication” describes a category of security controls, not a single technology. The three most common methods used in healthcare billing contexts differ significantly in their actual protection levels.
SMS Text Codes
SMS-based authentication sends a one-time code to a registered phone number. It is better than a password alone, but it is the weakest form of MFA available. Attackers can intercept SMS codes through SIM-swapping, a technique where a criminal convinces a mobile carrier to transfer a victim’s phone number to an attacker-controlled SIM card. Once the number is transferred, the attacker receives all verification codes.
SIM-swapping attacks have been used specifically against healthcare targets. Billing staff who use SMS codes as their sole MFA factor should understand that this method is being phased out across regulated industries precisely because of this vulnerability.
Email-Based Codes
Some systems send a one-time code to an email address as a second factor. This approach is vulnerable to phishing: if an attacker has already compromised the email account, the attacker receives the code alongside the legitimate user. Email codes also require access to a separate device or browser session, which adds friction without meaningfully increasing security against common attack methods.
Authenticator Apps: The Preferred Standard
Authenticator apps, including Microsoft Authenticator, Google Authenticator, and Duo Mobile, generate time-based one-time passwords directly on the user’s enrolled device. The codes are generated locally, not transmitted over a network, which eliminates the interception risk that affects SMS and email codes.
HHS and CISA (the Cybersecurity and Infrastructure Security Agency) specifically reference these as “phishing-resistant MFA.” CISA’s Cross-Sector Cybersecurity Performance Goal 2.H covers phishing-resistant MFA, and healthcare is explicitly included in the cross-sector scope. A phishing-resistant MFA method remains secure even when a user has been deceived into visiting a fake login page, because the code generated by the authenticator is tied to the legitimate site’s authentication flow.
For billing operations, the recommendation is clear: use authenticator apps. Accept SMS codes only where a system does not yet support authenticator apps, and treat SMS as a gap to address with the vendor.
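As an added illustration of what "generated locally" means (example code written for this guide, not code from ClaimRev or from any authenticator vendor), the following Python implements the time-based one-time password algorithm of RFC 6238 the way authenticator apps do. A shared secret is provisioned once, through the otpauth:// URI that the app reads from an enrollment QR code; after that, every code is an HMAC of the current 30-second time step, so nothing travels over SMS or email. The server-side verifier shows the checks a practitioner should expect from a billing platform: a constant-time comparison, a one-step clock-skew window, and rejection of any code that has already been accepted. The issuer and account names are constructed; the test secret used below is the one RFC 6238 publishes for its SHA-1 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch.
    This is all the phone needs: the secret and the clock. No network round trip is involved."""
    return hotp(secret, unix_time // step, digits)


def new_enrollment(issuer: str, account: str) -> Tuple[bytes, str]:
    """Generate a fresh 160-bit secret and the otpauth:// URI an authenticator app scans as a QR code.
    The server stores `secret`; the app stores the same bytes after decoding the base32 parameter."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode("ascii")  # 20 bytes -> 32 chars, no padding needed
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri


class TotpVerifier:
    """Server-side verification with the three properties a billing platform should have:
    constant-time comparison, a small skew window, and no reuse of an accepted code."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6) -> None:
        self.step = step
        self.window = window
        self.digits = digits
        # account -> highest time-step counter already accepted for that account
        self.last_counter: Dict[str, int] = {}

    def verify(self, account: str, secret: bytes, submitted: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter.get(account, -1):
                continue  # this step (or an earlier one) already produced an accepted code: replay
            if hmac.compare_digest(hotp(secret, candidate, self.digits), submitted):
                self.last_counter[account] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed enrollment for a hypothetical billing-portal user.
    secret, uri = new_enrollment("ExampleBillingPortal", "coordinator@example.invalid")
    print("Provision this URI as a QR code:", uri)
    import time
    now = int(time.time())
    code = totp(secret, now)
    verifier = TotpVerifier()
    print("Code from the app right now:", code, "accepted:", verifier.verify("coordinator", secret, code, now))
    print("Same code submitted again:", verifier.verify("coordinator", secret, code, now))
```

The `last_counter` bookkeeping is the part most often missing from home-grown verifiers: without it, a code that is captured during its 30-second validity can be submitted a second time. The window of one step on either side is the usual compromise between tolerating phone clock drift and keeping the number of acceptable codes small.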
Where to Enable MFA in a Billing Operation
Every internet-accessible account that touches claims data, patient information, or payer communication should be protected with MFA. For most billing operations, that includes:
- Practice management system and EHR login: Any system containing ePHI or claims data, whether cloud-hosted or accessed via web portal
- Clearinghouse portal accounts: Every user should have an individual login with MFA enabled. Shared login credentials are a HIPAA violation and an operational security risk
- Medicare PECOS: Provider enrollment account access should be secured; credential compromise on PECOS can enable fraudulent enrollment changes
- Payer portal accounts: Each payer portal used for eligibility checks, claim status, and remittance should have MFA enabled for every user
- Billing company administrative accounts: Billing companies managing accounts for multiple provider clients carry elevated risk. Administrator accounts with access to multiple client datasets require MFA without exception
- Email accounts used for billing communications: Business email is a common attack target. An attacker who controls a billing staff member’s email can intercept remittance advices, payer communications, and patient correspondence
- Cloud storage and shared drives containing claims data: Any cloud-based folder or drive containing claims files, patient lists, or remittance data needs MFA on the account that controls access
The cybersecurity guide for medical billing on ClaimRev’s site covers broader security practices for practices of all sizes. MFA is foundational to every framework referenced there, and it is the control that prevents most credential-based attacks from succeeding.
How to Roll Out MFA Across Your Billing Team
Rolling out MFA without preparation creates resistance and gaps. A structured approach ensures full coverage without operational disruption.
Step 1: Audit all accounts. Create a complete list of every system your billing team accesses. Include payer portals, clearinghouse accounts, EHR access, email, and cloud storage. Most practices and billing companies find that this list is longer than expected.
Step 2: Check MFA support for each system. For each account on your list, determine whether the system supports authenticator apps, SMS codes, or no MFA at all. Document what each system offers. Gaps where a system only supports SMS or no MFA at all become items on your vendor conversation list.
Step 3: Set up individual accounts. If any shared logins exist, eliminate them before enabling MFA. Each staff member needs their own login for each system. This is both a HIPAA access control requirement and a prerequisite for MFA to function correctly, since MFA binds to individual devices and phone numbers.
Step 4: Enroll devices before go-live. Have each staff member download their authenticator app of choice (Microsoft Authenticator, Google Authenticator, or Duo Mobile) and complete the enrollment process for each account before the go-live date. Walking through enrollment during a team session reduces confusion and ensures no one is locked out at launch.
Step 5: Train before enabling. Explain what MFA does, how to use the authenticator app, and what to do if a device is lost or replaced. Staff should understand that they will need their phone (or enrolled device) to log in. Brief training before launch prevents day-one support calls.
Step 6: Set a hard go-live date and hold it. Pick a date, communicate it clearly, and enforce it. Indefinite soft launches result in incomplete adoption. Every account that remains without MFA after go-live is an open vulnerability.
Step 7: Build offboarding into your MFA process. When a staff member leaves, their MFA-enrolled devices must be removed from every system they were enrolled in. This step is frequently missed. If a former employee’s device remains enrolled, it can be used to access accounts long after their password has been changed. Add device deactivation to every offboarding checklist.
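Steps 1, 2, 3 and 7 above are an audit, and an audit is easier to repeat when it is a script rather than a spreadsheet review. The following Python is an added example written for this guide (not a ClaimRev tool): it takes an inventory of systems, what MFA each vendor supports, and each login your team holds, and produces the findings the steps call for: shared logins, accounts with MFA available but not enabled, accounts using a weaker method than the system supports, vendor gaps to raise in writing, and devices still enrolled for departed staff. The system names, usernames and staff names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Finding tuples: (severity, code, system, username, detail)
Finding = Tuple[str, str, str, str, str]


@dataclass
class System:
    name: str
    mfa_methods: Set[str]  # what the vendor supports: any of {"app", "sms", "email"}


@dataclass
class Account:
    system: str
    username: str
    staff: List[str]                    # people who use this login; more than one means shared
    mfa_method: Optional[str] = None    # method actually enrolled, or None
    enrolled_devices: List[str] = field(default_factory=list)  # owners of enrolled devices


def audit(systems: List[System], accounts: List[Account], departed: Set[str]) -> List[Finding]:
    """Run the Step 1-3 and Step 7 checks over the inventory and return sorted findings."""
    by_name = {s.name: s for s in systems}
    findings: List[Finding] = []
    for a in accounts:
        system = by_name[a.system]
        if len(a.staff) > 1:  # Step 3: shared logins must go before MFA is enabled
            findings.append(("high", "shared-login", a.system, a.username,
                             f"used by {', '.join(a.staff)}; issue individual accounts"))
        if a.mfa_method is None:
            if system.mfa_methods:  # Step 6: vendor supports MFA, nobody turned it on
                findings.append(("high", "mfa-not-enabled", a.system, a.username,
                                 f"enable {'app' if 'app' in system.mfa_methods else max(system.mfa_methods)}"))
            else:  # portal offers no second factor: document, compensate, ask the vendor
                findings.append(("high", "vendor-gap-no-mfa", a.system, a.username,
                                 "record in risk assessment; compensating controls; vendor letter"))
        elif a.mfa_method != "app" and "app" in system.mfa_methods:
            findings.append(("medium", "weaker-method-than-available", a.system, a.username,
                             f"using {a.mfa_method}; switch to authenticator app"))
        elif a.mfa_method != "app":
            findings.append(("low", "vendor-gap-app-not-supported", a.system, a.username,
                             f"only {sorted(system.mfa_methods)} offered; ask vendor for app support"))
        for owner in a.enrolled_devices:  # Step 7: stale enrollments outlive password changes
            if owner in departed:
                findings.append(("high", "stale-device", a.system, a.username,
                                 f"device enrolled for departed staff member {owner}"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[2], f[3]))


# Constructed sample inventory for a small billing team.
SAMPLE_SYSTEMS = [
    System("Clearinghouse portal", {"app", "sms"}),
    System("EHR", {"app"}),
    System("Payer portal A", {"sms"}),
    System("Payer portal B (legacy)", set()),
    System("Email", {"app", "sms"}),
]
SAMPLE_ACCOUNTS = [
    Account("Clearinghouse portal", "billing-team", ["Ana", "Ben"], "sms", ["Ana"]),
    Account("EHR", "ana", ["Ana"], "app", ["Ana"]),
    Account("EHR", "carl", ["Carl"], "app", ["Carl"]),
    Account("Payer portal A", "ben", ["Ben"], "sms", ["Ben"]),
    Account("Payer portal B (legacy)", "ana", ["Ana"], None),
    Account("Email", "ben@example.invalid", ["Ben"], None),
]
SAMPLE_DEPARTED = {"Carl"}


def sample_audit() -> List[Finding]:
    return audit(SAMPLE_SYSTEMS, SAMPLE_ACCOUNTS, SAMPLE_DEPARTED)


if __name__ == "__main__":
    for severity, code, system, user, detail in sample_audit():
        print(f"[{severity:6}] {code:30} {system} / {user}: {detail}")
```

Re-running the script every six months, as the gap review schedule later in this guide suggests, turns the vendor-gap findings into a dated record of when each portal still lacked a second factor and what was done about it.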
ClaimRev’s services include claims management and clearinghouse functions where individual user access is structured by design. If your current clearinghouse or billing platform requires shared logins or does not support per-user access controls, that is a platform problem that MFA alone will not fully resolve.
What to Do When a Payer Portal Does Not Support MFA
Not every payer portal supports MFA. Some older systems accept only username and password authentication with no second factor option. This is a gap in the payer’s security infrastructure, but it creates risk for your practice regardless of whose platform it is.
When a portal does not support MFA, take these steps:
- Document the gap in your risk assessment. HIPAA requires covered entities to conduct risk assessments. A payer portal that does not support MFA is a documented control gap. Record it as such, along with the date you identified it and the compensating controls in place.
- Use the strongest available option. If SMS codes are available but not authenticator apps, use SMS codes until the system supports a stronger method. A weaker MFA method is still better than no MFA.
- Ask the vendor directly and in writing. Contact the payer or portal operator and ask when MFA will be available. Document their response. This creates a record that you identified the gap and pursued a solution.
- Apply compensating controls. For portals that accept no MFA at all, strengthen passwords (use long, randomly generated passwords stored in a password manager), restrict access to a named set of users, and review access logs if the portal provides them.
- Revisit the gap on a schedule. Payer portal security capabilities change. Set a calendar reminder to check the status of any portal that currently lacks MFA support every six months.
Regulatory guidance from HHS includes the qualifier “where safe and technically capable” in its Essential Goal language for MFA. That language acknowledges that not every system will support MFA immediately. But the phrase is not an exemption. It is an expectation that organizations enable MFA wherever the technology exists, and pursue it where it does not yet exist.
Taking Action Before the Rule Is Final
The proposed HIPAA Security Rule update makes MFA mandatory. The HHS 2024 Cybersecurity Performance Goals treat it as Essential. The breach data documents the cost of operating without it.
Billing operations that implement MFA now are not jumping ahead of requirements. They are meeting the current standard and protecting their practice, their clients, and their patients against credential theft that is already happening at scale.
Start with the accounts your team uses every day: the clearinghouse portal, the EHR, the payer portals, and email. Get every user on an authenticator app. Document what you have covered and what gaps remain. That is the foundation of a defensible security posture under any version of the HIPAA Security Rule.
For practices and billing companies that want to see how ClaimRev handles access controls and per-user account management, schedule a demo and we can walk through exactly how claims access is structured.
Multi-factor authentication for medical billing is the single highest-impact control a billing operation can implement today. It is not technically complex, it does not require a large budget, and the HHS framework is clear on where it belongs: not in the “enhanced” category, but in the essential one.
Key Takeaways
- HHS classified MFA as an Essential Goal in its January 2024 Cybersecurity Performance Goals, covering email security and credentials for internet-accessible accounts.
- The current HIPAA Security Rule requires identity verification but does not mandate MFA by method. The proposed January 2025 NPRM would change that, making MFA explicitly mandatory.
- Authenticator apps (Microsoft Authenticator, Google Authenticator, Duo Mobile) are the recommended method. SMS codes carry SIM-swap risk. Email codes are phishing-vulnerable.
- Every clearinghouse account, payer portal, EHR login, and billing email should have MFA enabled. Shared logins must be eliminated before MFA can be deployed correctly.
- Payer portals that do not support MFA require documented gap management, vendor engagement, and compensating controls. “Not supported yet” is not an exemption.
- Healthcare data breaches doubled between 2018 and 2024, with approximately 459 million people affected (HHS data). The credential theft driving many of those breaches is precisely what MFA is designed to stop.
For a broader look at securing a practice’s billing infrastructure, review ClaimRev’s cybersecurity guide for medical billing. And if you have questions about how ClaimRev manages access controls for billing teams, reach out to our team.