HIPAA and CIAM: The Healthcare Identity Compliance Checklist for 2026
Updated 2026-05-15 · 13 min read · By @guptadeepak
Key takeaways
- HIPAA itself does not name specific CIAM features; the Security Rule's Technical Safeguards (45 CFR §164.312) do, and they map cleanly to CIAM primitives.
- Every CIAM vendor handling PHI must execute a Business Associate Agreement (BAA). Vendors without HIPAA BAA support cannot be used for PHI workloads regardless of feature parity.
- Audit logs are the single biggest CIAM compliance lever for HIPAA — comprehensive, tamper-evident, retained six years.
- MFA is not literally required by HIPAA but is required in practice; OCR enforcement actions in 2024-2025 cite missing MFA as a contributing factor in nearly every settlement.
- Authentication assurance for clinician access is AAL2 minimum; for prescription writing and high-risk PHI, AAL3 (FIDO2 / smart cards) is the production default.
- Patient-facing portals are CIAM, not just B2C — HIPAA still applies to patient identity, but the assurance bar is lower than clinician-facing.
Where HIPAA intersects with CIAM
The Security Rule has three categories of safeguards: Administrative (policies and procedures), Physical (facilities), and Technical. CIAM lives in Technical. The relevant subsections:
- §164.312(a)(1) Access Control — unique user identification, emergency access procedure, automatic logoff, encryption and decryption.
- §164.312(b) Audit Controls — record and examine activity in information systems with ePHI.
- §164.312(c)(1) Integrity — protect ePHI from improper alteration or destruction.
- §164.312(d) Person or Entity Authentication — verify that the entity seeking access is who they claim to be.
- §164.312(e)(1) Transmission Security — guard against unauthorized access during transmission.
Each maps to one or more CIAM features. A CIAM vendor that ships the technical features but does not sign a BAA cannot be used (the contract is what binds the vendor to the Rule); a vendor that signs a BAA but ships weak audit logs leaves the covered entity holding the compliance bag.
The Business Associate Agreement gate
A BAA is the contractual mechanism that extends HIPAA obligations from the covered entity (the healthcare provider, plan, or clearinghouse) to its vendors. Without a BAA, a CIAM vendor handling PHI is non-compliant by definition, regardless of how good its technical posture is.
The CIAM vendors that publicly offer HIPAA BAAs as of 2026:
- Workforce/enterprise: Auth0, Okta Workforce, Microsoft Entra (Azure AD), Ping Identity, IBM Security Verify, ForgeRock, CyberArk Customer Identity, Transmit Security.
- Developer-first: Auth0 (same product), Frontegg (with negotiation), Stytch (case-by-case).
- B2B-specific: WorkOS (in-discussion publicly as of 2025; check current status), Frontegg.
- Self-hosted: Keycloak, FusionAuth, Authentik — no BAA needed because the deployment is yours; you sign the BAA your customer wants.
The vendors that explicitly do not currently offer BAAs include several of the developer-first newcomers (check the specific vendor's compliance page before architecting). For ePHI workloads, BAA availability is a hard gate that filters the market materially.
Mapping Technical Safeguards to CIAM features
§164.312(a)(1)(i) Unique User Identification
Every user must have a unique identifier. CIAM ships this trivially — sub claim, internal user ID, NameID. The compliance question is whether shared accounts are anywhere in the deployment. The answer must be no; every clinician, admin, patient gets their own identity. Service accounts for system integrations are separately identifiable as service accounts, not impersonating a human.
§164.312(a)(2)(iv) Encryption and Decryption (addressable)
PHI at rest must be encrypted unless an alternative measure is documented. CIAM tokens that contain PHI claims (rare but possible) need to be encrypted, not just signed. The OIDC default is JWS (signed JWTs); for PHI in claims, switch to JWE (encrypted JWTs) or use opaque tokens with PHI fetched separately under encryption.
§164.312(b) Audit Controls
The single biggest CIAM compliance lever. The Rule requires recording and examining activity. In CIAM terms:
- Every authentication attempt (success and failure).
- Every authorization decision (grant and deny).
- Every administrative action (user created, role assigned, permission changed).
- Every PHI access event the CIAM is positioned to see.
Tamper-evident logs — append-only or signed — are best practice and OCR-expected, though not literally specified. Six-year retention from the most recent date the record was in effect. Plan for cold storage with SLA-bound retrieval; six years of hot audit logs at any meaningful PHI access volume is expensive.
CIAM vendors with strong audit-log structure for HIPAA workloads: Auth0 (Audit Logs API), Okta (System Log), IBM Security Verify, Ping Identity, ForgeRock, Transmit Security. Check that the logs include the IP, user agent, MFA method, and the outcome including the deny reason.
§164.312(d) Person or Entity Authentication
In practice, this means MFA — even though the Rule text predates the term. The 2025 HIPAA Modernization NPRM proposes mandatory MFA explicitly. OCR enforcement has been treating MFA as table-stakes since 2023.
The assurance levels:
- Clinical / EHR access: AAL2 minimum (multi-factor with a cryptographic factor — passwords + TOTP, passwords + push, or passwordless via passkeys). SMS OTP no longer meets AAL2 since NIST SP 800-63B-4 (2024).
- Prescription writing (DEA EPCS): AAL3 by DEA rule — hardware-based cryptographic authenticator (FIDO2 hardware key, PIV/CAC smart card, or platform authenticator with attestation).
- Admin / privileged access: AAL3 by best practice. The blast radius of a compromised IAM admin in a HIPAA environment is regulatory-reportable.
- Patient-facing portal: AAL2 by default; some plans go lighter for low-risk patient functions (viewing own immunization record vs viewing own medical history).
Details on the AAL levels and authenticator choices: MFA in CIAM and FIDO2 Explained.
§164.312(e)(1) Transmission Security
TLS for everything. TLS 1.2 minimum (1.3 preferred). Mutual TLS for high-assurance B2B integrations with EHR systems. No protocol downgrades; reject TLS 1.0 and 1.1 connections at the load balancer.
Patient identity vs clinician identity
The Rule applies to both, but the architectural decisions diverge.
Patient identity (B2C-like):
- Lower assurance bar at the floor (AAL1 for low-risk operations; AAL2 for accessing medical records).
- Self-service registration and recovery flows; the patient is the user.
- Account-takeover defense is paramount; patients reuse passwords across many services.
- BAA still required for the CIAM; patient identity data is PHI.
- Often integrated with a patient-portal product (MyChart, FollowMyHealth) that has its own identity layer; the CIAM is the federated IdP or the embedded login provider.
Clinician identity (B2B/B2E):
- AAL2 minimum, AAL3 for high-risk and admin.
- Provisioned via the hospital's directory; rarely self-service.
- Federated SSO from the workforce IdP (Active Directory, Entra, Okta) is the dominant pattern.
- Role-based access tightly coupled to the EHR system; SCIM provisioning standard.
- Treatment relationship matters for authorization — clinicians can access only patients within their treatment scope.
A CIAM that supports both audiences with different policies per audience can be one product (Auth0, Okta, Ping Identity, IBM Verify, ForgeRock, Microsoft Entra External ID + Entra ID); larger deployments often run separate products for the two audiences because the operational concerns are so different.
DEA EPCS and the AAL3 corner
If your healthcare workload includes electronic prescribing of controlled substances (EPCS), DEA rules require AAL3 authentication and credential certification per 21 CFR 1311. The practical implications:
- The clinician must hold a hardware authenticator certified for DEA EPCS use.
- The identity-proofing path that issued the credential must be certified.
- The CIAM cannot meet this on its own; you need a DEA-certified credential service provider (CSP) — IdenTrust, IdRamp, ID.me, or equivalent — to issue the authenticator and attest the proofing.
- Two-factor at the prescription event itself (the clinician re-authenticates with the AAL3 factor on every prescription action).
EPCS is a narrow corner of HIPAA-adjacent compliance but a high-stakes one. If it is in scope, the CIAM selection and the credential-service-provider selection are joint decisions.
Breach Notification Rule implications
If a CIAM incident exposes PHI — credential database breach, audit log exposure, misconfigured access — the Breach Notification Rule applies. The covered entity must notify affected individuals within 60 days, HHS for breaches affecting 500+ individuals also within 60 days (immediate for very large breaches), and prominent media outlets for state-wide breaches affecting 500+ individuals.
CIAM choices that reduce breach likelihood:
- Phishing-resistant MFA (FIDO2 / passkeys, not SMS OTP). The Rule does not require this; it materially reduces the kind of takeover that triggers reporting.
- Strong audit-log retention and integrity, so the entity can determine the scope of a breach quickly. Slow breach scoping extends the notification clock and increases penalties.
- Per-user encryption keys for any PHI stored in CIAM systems, so a database compromise doesn't expose all users' data.
The HIPAA-specific vendor selection checklist
Beyond the standard CIAM evaluation (covered in How we evaluate vendors), HIPAA workloads require:
- BAA available? Hard gate.
- HIPAA Compliance posture documented? Public page describing controls mapped to Technical Safeguards.
- AAL2 by default, AAL3 available? Both must be achievable.
- DEA EPCS-certified credential path? Only if EPCS is in scope.
- Audit logs comprehensive, tamper-evident, six-year exportable? Verify export format and retrieval SLA.
- PHI handling in tokens minimized or encrypted? If the CIAM does not put PHI in tokens, the question is moot — verify.
- SOC 2 Type II? Often required by the covered entity's procurement team independently of HIPAA.
- HITRUST CSF or HITRUST e1? Increasingly required by larger healthcare buyers; not strictly HIPAA but common on contracts.
- Data residency in the US? Required by some healthcare buyers; verify hosting region and data location.
- Incident response SLA for breach notification? The CIAM vendor needs to notify the covered entity in time for the covered entity to meet the 60-day clock.
Implementation guidance
- BAA first, vendor evaluation second. Filter the market to BAA-offering vendors before comparing features.
- Treat MFA as required. Even where the Rule is silent, OCR is not. Default to AAL2 for all clinical access and patient access to medical records.
- AAL3 for prescriptions and admin. FIDO2 hardware keys are the production default; smart cards (PIV/CAC) for institutional deployments with existing PKI.
- Audit log retention is six years. Plan the storage now; do not let it become an expensive surprise.
- Separate clinician and patient identity policies. Same CIAM product is fine; same policy set is not.
- Integrate with SIEM for behavioral monitoring on the audit log. OCR settlement orders increasingly cite missing SIEM as a failure to detect breaches.
- Document everything. The HIPAA compliance binder is real; the CIAM section of it needs the architecture diagram, the policy document, the BAA, and the access-review evidence.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
CyberArk Identity
CyberArk Customer Identity (formerly Idaptive) is the right CIAM choice for existing CyberArk Privileged Access Management customers consolidating identity into one vendor, the CIAM-plus-PAM combination is uncommon and meaningful for security-conscious enterprises. FedRAMP Moderate plus strong adaptive MFA inherited from Idaptive suit regulated workloads. Outside CyberArk ecosystem, the standard enterprise-CIAM trade-offs apply: high pricing, dated DX, and limited mid-market access.
IBM Verify
IBM Security Verify is the right CIAM choice for existing IBM enterprise shops with Cloud Pak for Security or QRadar deployments, where integration with the broader IBM Security portfolio justifies the platform on its own. FedRAMP High plus advanced post-quantum cryptography roadmap suit federal and high-assurance scenarios. Outside the IBM ecosystem, the DX gap and enterprise-only commercial structure make it the wrong answer for greenfield projects or mid-market evaluation.
Ping Identity
Ping Identity remains the right CIAM choice for large enterprise and public-sector workloads with complex federation, on-prem requirements, or regulated-industry compliance baselines that hyperscaler CIAM cannot meet. DaVinci flow orchestration is genuinely capable for complex auth journeys. The trade-offs, opaque pricing, fragmented post-ForgeRock product family, heavy professional services, make Ping the wrong answer for everything below the enterprise-quote threshold. After the 2023 ForgeRock acquisition the combined product surface is broader but more confusing.
Transmit Security
Transmit Security is the right CIAM choice for fintech, banking, and high-fraud-pressure B2C deployments where unified CIAM plus fraud detection plus orchestration removes the typical three-vendor stack. The Mosaic platform's combination of risk decisioning, behavioral biometrics, and passkey orchestration is among the most capable in the enterprise tier. Enterprise-only pricing and opaque commercial structure exclude mid-market evaluation; for teams below that threshold, look at Auth0 plus Authsignal or Descope.
FAQ
- Does HIPAA require MFA?
- Not in the text — HIPAA's Security Rule (45 CFR §164.312) requires 'authentication' without specifying multi-factor. But OCR (the HIPAA enforcement arm) has cited missing or weak MFA as a contributing factor in nearly every major settlement of 2024-2025. The 2025 NPRM (Notice of Proposed Rulemaking) for HIPAA modernization explicitly proposes mandatory MFA for accessing ePHI. In practice, MFA is required.
- Do I need a BAA with my CIAM vendor?
- Yes, if the CIAM platform stores, processes, or transmits PHI (protected health information). That includes patient names, identifiers, contact details, or anything that ties an identity to a healthcare service. A BAA is a contract between the covered entity (or another business associate) and the CIAM vendor that binds the vendor to HIPAA's Security and Breach Notification Rules. CIAM vendors that do not offer BAAs cannot be used for PHI; this excludes a meaningful subset of the market.
- What's the difference between AAL2 and AAL3?
- AAL (Authenticator Assurance Level) is from NIST SP 800-63. AAL2 requires multi-factor authentication where at least one factor is a cryptographic credential — passwords plus TOTP qualify; passwords plus SMS OTP do not (SMS is below AAL2 since the 2024 800-63-4 revision). AAL3 requires hardware-based cryptographic credentials with verifier impersonation resistance — security keys (FIDO2 hardware), PIV/CAC smart cards, or platform authenticators with attestation. For clinical access, AAL2 is the practical minimum; for prescription writing (DEA EPCS) and admin operations, AAL3 is the production default.
- How long do I have to retain CIAM audit logs for HIPAA?
- Six years from the date of creation or the date the record was last in effect, whichever is later (45 CFR §164.530(j)). This applies to authentication logs, access logs, configuration changes, and PHI access events. Six years of CIAM audit log retention is a meaningful storage and search-cost decision; plan archival to cold storage with SLA-bound retrieval rather than keeping six years hot.
- Can I use a SaaS CIAM for a HIPAA-covered workload?
- Yes, if the vendor signs a BAA, ships the Technical Safeguards (encryption in transit and at rest, audit logging, access controls, MFA), and has SOC 2 Type II plus a documented HIPAA compliance posture. The vendors that publicly support HIPAA BAAs include Auth0, Okta, Ping Identity, IBM Security Verify, ForgeRock, CyberArk Customer Identity, Transmit Security, and Microsoft Entra. Many smaller / developer-first CIAM vendors do not offer BAAs; check before architecting.
- What about patient-facing identity vs clinician identity?
- Different assurance bars but same compliance umbrella. Patient identity for a portal allowing the patient to view their own records is HIPAA-regulated (still PHI), but the AAL2 + MFA + audit log requirements are lighter — patients aren't accessing other patients' records. Clinician identity for an EHR system needs the full stack: AAL2/AAL3, attribute-based access (role + treatment relationship), comprehensive audit, no shared credentials. The CIAM may be one product handling both with different policies per audience, or two products.
Sources
- 45 CFR Part 164 (HIPAA Security Rule)
- NIST SP 800-66 Rev. 2 — Implementing the HIPAA Security Rule
- NIST SP 800-63B-4 (Authenticator Assurance Levels)
- HHS OCR enforcement actions 2024-2025
- HIPAA Modernization NPRM, 2025