1. Access Control — 164.312(a)(1)
Unique User Identification (Required)
Every user must have a unique identifier. In a multi-tenant healthcare platform, this means per-tenant user isolation with UUID-based user IDs and tenant isolation at the JWT level.
Automatic Logoff (Required)
HIPAA requires automatic termination of sessions after a period of inactivity. Industry practice for healthcare is 15 minutes.
```javascript
const jwtConfig = {
  accessSecret: process.env.JWT_ACCESS_SECRET,
  refreshSecret: process.env.JWT_REFRESH_SECRET,
  accessTtlSecs: 900,     // 15 minutes -- HIPAA inactivity timeout
  refreshTtlSecs: 28800,  // 8 hours -- shift length
  issuer: 'auth1',
};
```
Encryption and Decryption (Required — updated 2026)
User PII stored in the auth database must be encrypted at rest using AES-256-GCM with per-field derived keys.
```javascript
const { piiEncrypt, piiSearchHash } = require('auth-shield');

// masterKey: the tenant's 32-byte master key, loaded from your key management service
const encryptedEmail = piiEncrypt('doctor@hospital.org', masterKey, 'email');
const emailHash = piiSearchHash('doctor@hospital.org', masterKey, 'email');
```
2. Audit Controls — 164.312(b)
Every authentication event must be logged and tamper-evident. Auth1 signs audit entries with ML-DSA-65 post-quantum signatures and chains them with SHA3-256 hashes.
```sql
CREATE TABLE auth_audit_log (
  id            BIGSERIAL PRIMARY KEY,
  tenant_id     VARCHAR(64) NOT NULL,
  event_type    VARCHAR(64) NOT NULL,
  user_id       VARCHAR(64),
  entry_json    JSONB NOT NULL,
  pq_signature  TEXT NOT NULL,
  entry_hash    CHAR(64) NOT NULL,
  previous_hash CHAR(64) NOT NULL,
  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- Prevent UPDATE and DELETE by the application role
REVOKE UPDATE, DELETE ON auth_audit_log FROM app_user;
```
3. Integrity Controls — 164.312(c)(1)
Integrity is enforced at four layers:
- Token integrity: HMAC-SHA256 signed JWTs.
- Password integrity: Argon2id hashing.
- Audit integrity: ML-DSA-65 (Dilithium) signed hash chains.
- Input integrity: SQL injection prevention and HTML sanitization.
4. Person or Entity Authentication — 164.312(d)
Single-factor password authentication is insufficient for systems with direct access to ePHI. Multi-factor authentication is the de facto standard. Auth1 supports TOTP and SMS OTP with constant-time verification.
5. Transmission Security — 164.312(e)(1)
TLS 1.2 or higher required. Token storage must use httpOnly cookies with Secure and SameSite flags. Never store access tokens in localStorage.
```javascript
res.cookie('access_token', tokens.accessToken, {
  httpOnly: true,      // not accessible via document.cookie
  secure: true,        // HTTPS only
  sameSite: 'strict',  // no cross-origin requests
  maxAge: 900000,      // 15 minutes (matches JWT TTL)
  path: '/api',
});
```
The Complete HIPAA Auth Checklist
- Session timeout: 15 minutes of inactivity. Access token TTL of 900 seconds.
- Password policy: complexity + history + expiration. Minimum 12 characters. Argon2id hashing.
- MFA enforcement for ePHI access. TOTP or SMS OTP required.
- Audit logging with tamper-evident signatures. Sign with ML-DSA-65. Chain with SHA3-256.
- PII encryption at rest. AES-256-GCM with per-field derived keys.
- Secure token storage. httpOnly cookies only. No localStorage.
- Rate limiting and account lockout. Per-user rate limiting; lockout after 5 failed attempts.
- Token type enforcement. Separate access/refresh secrets.
- Tenant isolation. JWT claims include tenant ID. Middleware validates tenant match.
- Transmission security. TLS 1.3. HSTS. CSP headers.
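The lockout item on the checklist is simple to get subtly wrong (counters that never reset, or locks keyed on IP instead of user). The added example below (not Auth1's code) keeps a per-tenant, per-user failure counter, locks the account after 5 failures, and clears the counter when the lock expires or on a successful login. The in-memory `Map` and the 15-minute lock duration are assumptions; a deployment would keep the state in Redis or the database.

```javascript
// Added example: per-user failed-login counter with lockout after 5 failures.
const MAX_FAILURES = 5;
const LOCKOUT_MS = 15 * 60 * 1000;  // assumption: 15-minute lockout

// Constructed in-memory store: "tenant:user" -> { failures, lockedUntil }
const attempts = new Map();

function keyFor(tenantId, userId) {
  return `${tenantId}:${userId}`;
}

// Call this before checking the password; a locked principal is not verified at all.
function isLocked(tenantId, userId, nowMs = Date.now()) {
  const rec = attempts.get(keyFor(tenantId, userId));
  return Boolean(rec && rec.lockedUntil > nowMs);
}

// Record the outcome of a password check. Returns the state for the audit log.
function recordAttempt(tenantId, userId, success, nowMs = Date.now()) {
  const key = keyFor(tenantId, userId);
  if (success) {
    attempts.delete(key);
    return { failures: 0, locked: false };
  }
  let rec = attempts.get(key) || { failures: 0, lockedUntil: 0 };
  if (rec.lockedUntil && rec.lockedUntil <= nowMs) {
    rec = { failures: 0, lockedUntil: 0 };  // previous lockout expired: start counting again
  }
  rec.failures += 1;
  if (rec.failures >= MAX_FAILURES) rec.lockedUntil = nowMs + LOCKOUT_MS;
  attempts.set(key, rec);
  return { failures: rec.failures, locked: rec.lockedUntil > nowMs };
}
```

Keying on tenant and user rather than on source IP is what makes the 5-attempt limit meaningful against a distributed guessing campaign. Return the same generic error for "locked" and "wrong password" so the endpoint does not confirm which accounts exist, and write both the lockout and the unlock to the signed audit log.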
Where auth platforms commonly fall short:
- PII stored in plaintext. Most auth platforms store emails and phone numbers as plain text. Database-level disk encryption does not protect against application-level breaches.
- Audit logs without integrity guarantees. An attacker with database access can modify logs.
- No server-side session enforcement. Many platforms rely on the client to implement timeouts.
Getting Started
Auth1 handles all of this out of the box. Every tenant gets encryption at rest, signed audit logs, configurable session timeouts, MFA enforcement, and rate limiting. For healthcare tenants, we provide a BAA, extended audit log retention, and a HIPAA compliance checklist.