The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA related transaction) and business associates implement reasonable and appropriate technical safeguards. These safeguards must protect (among other things) the integrity of ePHI, electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.
How Do I Maintain the Integrity of ePHI?
The “integrity” standard of the technical safeguard requirement dictates that entities implement policies and procedures to protect ePHI from improper alteration or destruction.
Maintaining the integrity of ePHI is a primary goal of the Security Rule. Why is maintaining the integrity of ePHI so important? Because ePHI that is improperly altered or destroyed can cause clinical quality problems for a covered entity, including patient safety issues.
While maintenance of ePHI integrity is a required technical safeguard, integrity can be compromised from sources that are non-technical as well as those that are technical. Non-technical compromise can occur when workforce members or business associates make accidental or intentional changes that improperly alter or destroy ePHI. Data can also be altered or destroyed through purely technological means, such as by electronic media errors or failures. The purpose of the integrity standard is to establish and implement policies and procedures for protecting ePHI from being compromised, regardless of the source.
To satisfy the requirements of the integrity standard, entities must, when it is reasonable or appropriate to do so, implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
To determine which electronic mechanisms to implement to ensure that ePHI is not altered or destroyed in an unauthorized manner, entities must consider the various risks to the integrity of ePHI identified during the risk analysis – another required Security Rule measure. Once you have identified risks to your data, you must identify security measures that will reduce these risks.
Important items to consider when addressing ePHI integrity requirements include whether existing information systems have availability functions or processes that automatically check for data integrity such as check sum verification or digital signatures, and whether electronic mechanisms are in place to protect the integrity of ePHI currently used.
