"Two-factor authentication (2FA) is not a requirement of HIPAA per se. However, if a Covered Entity or Business Associate conducts a risk assessment and identifies vulnerabilities that could be addressed with 2FA, it then becomes a “reasonable and appropriate” security measure that should be implemented to comply with Security Standards relating to Workforce Security and Information Access Management (§164.308(A)(3) and §164.308(A)(4))" - The HIPAA Journal, January 1, 2023.

See also FaxBetter and HIPAA compliance.