
Compliance

Healthcare compliance fundamentals and program-level guidance.

What technical safeguards does the 2026 HIPAA Security Rule update make mandatory?

The post says the update makes multi-factor authentication mandatory for systems containing ePHI, requires enhanced audit log retention of at least seven years for ePHI access and modification events, and requires encryption at rest for electronic PHI storage. It says these controls will be scrutinized during breach investigations and OCR audits.

How should organizations prepare for the 2026 HIPAA Security Rule changes?

The post recommends inventorying every system that stores or processes ePHI, checking MFA coverage, reviewing audit log configuration, and implementing encryption at rest across workstations, servers, databases, cloud storage, and backups. It also says organizations should document what controls were implemented, when, who approved them, and how they are monitored and tested.
