The Security Rule defines the phrase “integrity” as “the property that data or information have not been altered or destroyed in an unauthorized manner.”
The HIPAA Security Rule requires covered entities and business associates to (among other things):
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
These requirements dictate that covered entities and business associates implement measures to protect ePHI from improper alteration or destruction.
How Can the Integrity of ePHI be Compromised?
Both workforce and non-workforce sources can compromise the integrity of ePHI. An example of a workforce source is an employee who accidentally or intentionally makes changes that improperly alter or destroy ePHI, such as deleting a file or entering inaccurate data. An example of a non-workforce compromise occurs when electronic media, such as a hard drive, stops working properly or fails to display or save information.
What Measures Must be Taken to Ensure the Integrity of ePHI?
Per the technical safeguards provision of the HIPAA Security Rule, covered entities and business associates must, per the implementation specification at 45 CFR 164.312(c)(2), “implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
This implementation specification is addressable, which means the covered entity or business associate must:
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate—
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
To determine which electronic mechanisms to implement to ensure that ePHI is not altered or destroyed in an unauthorized manner, organizations must consider the various risks to the integrity of ePHI identified during a security risk assessment. Once these risks have been identified, covered entities and business associates must identify security measures that will reduce these risks.
The mechanisms to be implemented must be capable of detecting (1) whether ePHI has been altered or destroyed, and (2) if so, whether the alteration or destruction was unauthorized.
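As an added illustration (not part of the original article or any particular product), here is one form such an electronic mechanism can take: a keyed hash over each ePHI record, kept in a separate ledger that is updated only through the authorized-change path, so that a verification pass distinguishes "unaltered", "altered or destroyed without authorization" and "changed through an authorized, logged action". The key, record IDs and patient values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in an HSM/KMS and is
# not readable by the accounts that can write to the record store.
KEY = b"constructed-demo-key"

def record_tag(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of one ePHI record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, canonical, hashlib.sha256).hexdigest()

class IntegrityLedger:
    """Authoritative tag per record ID plus an append-only log of authorized changes."""
    # Authorized alterations and deletions go through register(); any other change to
    # the stored record is by definition unauthorized and is reported by check().
    def __init__(self):
        self.tags = {}       # record_id -> current tag, or None after an authorized deletion
        self.audit_log = []  # (record_id, actor, old_tag, new_tag)

    def register(self, record_id: str, record, actor: str) -> None:
        new_tag = None if record is None else record_tag(record)
        self.audit_log.append((record_id, actor, self.tags.get(record_id), new_tag))
        self.tags[record_id] = new_tag

    def check(self, record_id: str, record) -> str:
        """Corroborate the record as currently stored (None = missing) against the ledger."""
        if record_id not in self.tags:
            return "unregistered"
        expected = self.tags[record_id]
        if record is None:
            return "ok" if expected is None else "unauthorized_destruction"
        if expected is None:
            return "unauthorized_alteration"  # present although its deletion was authorized
        return "ok" if hmac.compare_digest(record_tag(record), expected) else "unauthorized_alteration"

def demo() -> dict:
    """Constructed scenario: one authorized edit, one silent edit, one silent deletion."""
    ledger = IntegrityLedger()
    store = {"p-001": {"patient": "A", "allergy": "penicillin"},
             "p-002": {"patient": "B", "allergy": "none"},
             "p-003": {"patient": "C", "allergy": "latex"}}
    for rid, rec in store.items():
        ledger.register(rid, rec, actor="intake-clerk")
    store["p-001"]["allergy"] = "penicillin, latex"  # authorized: ledger updated too
    ledger.register("p-001", store["p-001"], actor="dr-smith")
    store["p-002"]["allergy"] = "penicillin"  # unauthorized: ledger not updated
    del store["p-003"]  # unauthorized: record destroyed
    return {rid: ledger.check(rid, store.get(rid)) for rid in ("p-001", "p-002", "p-003")}
```

The audit log holds the "who and when" for every authorized change, which is what lets a reviewer tell an authorized correction from an unauthorized one when a tag mismatch is found.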
Mechanisms to be considered for implementation include, for smaller organizations, maintaining offsite backups of all ePHI. In more complex environments, solutions such as Data Loss Prevention, or other data protection solutions, may be appropriate.
Additional measures to be considered include:
1. Implementing alerts for unusual logon times and access durations.
2. Protecting sensitive data with appropriate measures, such as malicious software protection, secure file standards, and use of web browser security standards.
3. Implementing processes to notify users, and take other appropriate remedial action, in the event that malicious software has been propagated. In some cases, this can be managed by manual reporting to the Security Official, followed by remediation of the incident. In higher-risk environments, technology such as managed detection and response, or a security operations center (SOC), should be considered.