Q&A: Multifactor authentication for patient access

Q. I recently tried to access my medical records through the hospital’s patient portal. I had a hard time logging in because it prompted me to enter codes sent to my phone several times. It was difficult to keep track of which code was the most recent. I feel like this was an unreasonable barrier. Usually, you’re given the choice to opt out of multifactor authentication or only have to enter one code along with your password. Do multiple authentication codes represent a significant barrier to patient access?

A. Multifactor authentication is actually a better way to protect your health information—far better than just relying on a password. OCR has not issued any guidance on what represents barriers to accessing a patient portal. It has issued guidance noting that covered entities (CE) can’t place unreasonable barriers on requesting a copy of your designated record set or viewing it. As an example, a CE can’t require you to travel to its office to pick up a request form, and it can’t require you to get that form notarized. There may be a way to bypass multifactor authentication for that particular patient portal. That would be a good question to ask your healthcare provider. The requirement to use multifactor authentication, however, has not been defined by OCR to be an unreasonable barrier.