Microsoft Authenticator can support HIPAA compliance when three conditions hold: it is used with Microsoft Entra ID under an eligible Microsoft 365 subscription that is covered by Microsoft’s HIPAA Business Associate Agreement for in-scope services; it is configured to meet the HIPAA Security Rule’s access control and person or entity authentication safeguards; and it is managed through documented administrative procedures and workforce practices.
Microsoft Authenticator is a multi-factor authentication application that supports sign-in approval prompts and one-time passcodes for workforce accounts. The application is not a clinical record system, but it supports access to systems that create, receive, maintain, or transmit electronic protected health information. HIPAA compliance depends on whether authentication controls are consistently applied to those systems and whether account recovery and device replacement processes prevent unauthorized access.
Microsoft’s HIPAA guidance for Microsoft Entra controls states, “Microsoft Entra ID meets identity-related practice requirements for implementing Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards.” In a HIPAA-governed environment, Microsoft Authenticator is used to implement multi-factor authentication through Microsoft Entra ID so that password compromise alone does not grant access to email, file storage, collaboration platforms, or line-of-business applications that handle electronic protected health information.
A HIPAA Business Associate Agreement is required when a vendor creates, receives, maintains, or transmits protected health information on behalf of a HIPAA Covered Entity or Business Associate. Microsoft is willing to sign a HIPAA Business Associate Agreement for in-scope Microsoft services under its contractual terms, and the agreement must be in effect before using covered Microsoft 365 services to handle electronic protected health information.
Operational controls should include role-based access for administrators, multi-factor authentication enforcement for administrative accounts, logging of authentication events, and review of sign-in anomalies. Procedures should define enrollment requirements, lost-device reporting, token revocation, and identity verification standards for help desk resets. Mobile device management controls should address screen lock and encryption for devices used for authentication and for access to protected health information.
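One way to carry out the sign-in review named above, as an added example that is not Microsoft’s code or guidance: it reads Entra sign-in records in the shape of the Microsoft Graph signIn resource and flags successful sign-ins by privileged accounts, or to applications the organisation has classified as handling ePHI, that were not completed with multi-factor authentication. The sample records, the ePHI application list and the administrator list are constructed assumptions.

```python
"""Review Microsoft Entra sign-in records for MFA coverage gaps on
in-scope resources.  Record shape mirrors a subset of the Microsoft Graph
signIn resource (auditLogs/signIns); the records themselves are constructed."""
import json

# Constructed sample records (assumption: exported from auditLogs/signIns).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "admin@example.org", "appDisplayName": "Exchange Online",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "mfaDetail": {"authMethod": "Mobile app notification"}},
    {"userPrincipalName": "nurse@example.org", "appDisplayName": "SharePoint Online",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "admin@example.org", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 50074}},
])

# Assumed organisational classification: apps that hold ePHI, and accounts
# that hold privileged directory roles (both would come from the org's inventory).
EPHI_APPS = {"Exchange Online", "SharePoint Online"}
ADMIN_ACCOUNTS = {"admin@example.org"}


def review_signins(raw_json, ephi_apps=EPHI_APPS, admin_accounts=ADMIN_ACCOUNTS):
    """Return one finding per successful sign-in that reached an in-scope
    resource (ePHI app or privileged account) without multi-factor auth."""
    findings = []
    for rec in json.loads(raw_json):
        # errorCode 0 means the sign-in succeeded; failures granted no access.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        upn = rec.get("userPrincipalName", "")
        app = rec.get("appDisplayName", "")
        if app not in ephi_apps and upn not in admin_accounts:
            continue
        if rec.get("authenticationRequirement") == "multiFactorAuthentication":
            continue
        ca_status = rec.get("conditionalAccessStatus")
        reason = "single-factor sign-in to in-scope resource"
        if ca_status == "notApplied":
            reason += "; no Conditional Access policy applied"  # coverage gap
        findings.append({"user": upn, "app": app,
                         "conditionalAccessStatus": ca_status, "reason": reason})
    return findings
```

Feed it a real export of the sign-in log to see which ePHI applications or privileged accounts are still reachable with a password alone.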