Navigating HIPAA Authentication: Ensuring Compliance with Hideez Key

There are many IT solutions on the market that can help healthcare organizations meet the security requirements of the Health Insurance Portability and Accountability Act (HIPAA) for safeguarding protected health information (PHI). HIPAA’s security rule lays out specific administrative, physical, and technical components that are necessary for full compliance. As a multi-factor authentication solution, Hideez supports compliance with HIPAA demands for ePHI protection.

Authentication assurance levels 

Multi-factor authentication (MFA) is required when dealing with electronic protected health information. Three authentication assurance levels (AAL) are outlined in national digital identity standards (NIST SP 800-63-3), but only the last two meet the requirements for MFA.


  • AAL1 - provides some assurance that the claimant controls an authenticator bound to the subscriber’s account. AAL1 requires either single-factor or multi-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol.
  • AAL2 - provides high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.
  • AAL3 - provides very high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements. In order to authenticate at AAL3, claimants SHALL prove possession and control of two distinct authentication factors through secure authentication protocol(s).


Hideez Key: AAL2 compliant

Hideez Key meets AAL2 standards as it provides for authentication via MFA, specifically via a memorized secret and single-factor one-time password:

Memorized secrets, in layperson’s terms, are passwords, but they should meet certain requirements to fit AAL2. If chosen by the subscriber, they should be at least 8 characters in length. If chosen by a Cloud Service Provider or verifier, they should be 6 characters long and can be entirely numeric. Hideez Key stores thousands of passwords of any length for users and can also generate strong passwords consisting of different random symbols, including alphabetic, numeric and special symbols, inputting them automatically via Bluetooth with just one click on the device.

Our product also qualifies as a single-factor one-time password (OTP) authenticator. Hideez can generate OTPs based on RFC 6238, the standard for the Time-Based One-Time Password (TOTP) algorithm. The OTPs are based on HMAC-SHA-1 with a 160-bit key length and provide 6-digit values. Hideez Key stands out as a hardware OTP generator that, as a device, is something you have, providing proof of possession.
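The TOTP parameters described above (HMAC-SHA-1, 160-bit key, 6-digit values), as an added Python example that is not Hideez code: it generates codes and shows a verifier-side check that tolerates one time step of clock drift and refuses replayed codes. The 30-second step, the drift window and the `TotpVerifier` class are assumptions made for illustration; the key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step: RFC 6238 default, assumed (not stated on the page)
DIGITS = 6   # 6-digit values, as stated on the page


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA-1(key, 8-byte big-endian counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP over the number of STEP-second intervals since the epoch."""
    return hotp(key, unix_time // STEP)


class TotpVerifier:
    """Hypothetical server-side check for one enrolled authenticator."""

    def __init__(self, key: bytes, window: int = 1):
        if len(key) < 20:
            raise ValueError("key must be at least 160 bits")
        self.key = key
        self.window = window      # accepted clock drift, in time steps
        self.last_counter = -1    # highest time step already accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // STEP
        matched = None
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue          # step already used or older: refuse replay
            expected = hotp(self.key, counter).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                matched = counter  # comparison above is constant-time
        if matched is None:
            return False
        self.last_counter = matched
        return True


RFC6238_TEST_KEY = b"12345678901234567890"  # published 20-byte SHA-1 test key
```

The replay check matters because a 6-digit code stays valid for the whole time step, so a verifier that only compares values would accept the same code more than once.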

To find out more about Hideez Key, schedule a demo, or talk to a sales representative, please email us at [email protected]. We’ll be happy to discuss how we can help!