The system must not allow successful authentication of users
with expired, revoked or blocked credentials.
HIPAA Security Rules 164.310(a)(2)(iii):
Access Control and Validation Procedures: Implement procedures
to control and validate a person’s access to facilities
based on their role or function, including visitor control,
and control of access to software programs for testing and revision.