Implement secure authentication mechanisms for all APIs that access or transmit ePHI.

## Acceptance criteria

- [ ] OAuth 2.0 or OpenID Connect required
- [ ] API keys must not be sole authentication method
- [ ] Token expiration: maximum 1 hour for access tokens
- [ ] Refresh token rotation required

---

**Source:** § 4.1.1

> Covered entities MUST implement secure authentication mechanisms for all APIs that access or transmit ePHI.
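To make the four acceptance criteria concrete, the following is an added Python illustration (not code from the source requirement or from any project it refers to) of a resource server enforcing them: bearer token required (an API key alone is rejected), access token lifetime capped at 3600 seconds, and refresh tokens rotated on every use. The JWT claim names, the header names, the `claims_for` callback, and the reuse-detection behaviour on rotation are assumptions; the in-memory store stands in for a real database.

```python
import secrets

MAX_ACCESS_TOKEN_LIFETIME = 3600  # criterion: access tokens live at most 1 hour


def validate_access_token(claims: dict, now: float) -> bool:
    """Accept OAuth 2.0 / OIDC claims only if lifetime (exp - iat) is within the
    1 hour cap and the token has not expired. Signature/issuer checks are assumed done."""
    if not {"iss", "sub", "iat", "exp"} <= claims.keys():
        return False
    if claims["exp"] - claims["iat"] > MAX_ACCESS_TOKEN_LIFETIME:
        return False  # over-long token is rejected even before it expires
    return now < claims["exp"]


def is_authenticated(headers: dict, claims_for, now: float) -> bool:
    """An API key alone never authenticates: a valid bearer token is required.
    `claims_for` (assumed helper) maps a bearer token to verified claims, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False  # e.g. X-API-Key present but no bearer token
    claims = claims_for(auth[len("Bearer "):])
    return claims is not None and validate_access_token(claims, now)


class RefreshTokenStore:
    """Refresh token rotation: each use retires the presented token and issues a
    new one. Presenting a retired token again is treated as theft and revokes
    the subject's remaining tokens (an assumed, common extension of rotation)."""
    def __init__(self):
        self.active = {}   # token -> subject
        self.retired = {}  # token -> subject, already exchanged once

    def issue(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self.active[token] = subject
        return token

    def rotate(self, token: str):
        # Returns a fresh refresh token, or None if the presented one is rejected
        if token in self.retired:
            self.revoke(self.retired[token])
            return None
        subject = self.active.pop(token, None)
        if subject is None:
            return None
        self.retired[token] = subject
        return self.issue(subject)

    def revoke(self, subject: str) -> None:
        for store in (self.active, self.retired):
            for t in [t for t, s in store.items() if s == subject]:
                del store[t]
```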