DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
What is the HIPAA Security Rule Integrity Controls Standard?
The HIPAA Security Rule contains a series of technical safeguard requirements. One of these requirements is the integrity controls standard. Under the integrity controls standard, covered entities and business associates must “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” To accomplish this, HIPAA requires that covered entities and business associates implement a mechanism to authenticate electronic protected health information. What does this mean? It means that covered entities and business associates must implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
How Does an Organization Maintain the Integrity of ePHI?
Maintaining the integrity of ePHI is a primary goal of the Security Rule. ePHI that is improperly altered or destroyed can cause clinical quality problems for a covered entity or its business associate, including patient safety issues.
Integrity of ePHI can be compromised from sources that are non-technical as well as those that are technical. Non-technical compromise can occur when workforce members or business associates make accidental or intentional changes that improperly alter or destroy ePHI. Data can also be altered or destroyed through purely technological means, such as electronic media errors or failures. The integrity controls standard requires implementation of policies and procedures to protect the integrity of ePHI from being compromised, regardless of the source.
To determine which electronic mechanisms to implement to ensure that ePHI is not altered or destroyed in an unauthorized manner, covered entities and business associates must consider the various risks to the integrity of ePHI identified during their security risk analysis. Once a covered entity or business associate has identified the risks to their ePHI, the covered entity or business associate must then identify security measures that will reduce these risks.
Important items to consider when addressing ePHI integrity requirements include whether existing information systems have available functions or processes that automatically check for data integrity, such as checksum verification or digital signatures, and whether electronic mechanisms are in place to protect the integrity of the ePHI currently in use.
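As an added illustration (not part of the original article), the two kinds of mechanism named above applied to a constructed record: an unkeyed checksum, which corroborates that data was not changed by accident, and a keyed message authentication code standing in for a digital signature, which also corroborates that it was not altered by someone without the key. The record, the key and all function names are assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed sample record standing in for an ePHI entry (not real patient data).
RECORD = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}

# Hypothetical integrity key; in practice it lives in a key management system.
INTEGRITY_KEY = b"example-key-not-for-production"


def canonical(record: dict) -> bytes:
    # Serialize deterministically so the same record always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    # Unkeyed checksum: catches accidental corruption (media errors, truncation).
    return hashlib.sha256(canonical(record)).hexdigest()


def mac_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    # Keyed tag (HMAC-SHA256): catches alteration by anyone who lacks the key.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, expected: str) -> bool:
    return hmac.compare_digest(checksum(record), expected)


def verify_mac(record: dict, expected: str, key: bytes = INTEGRITY_KEY) -> bool:
    return hmac.compare_digest(mac_tag(record, key), expected)


def demo() -> dict:
    """Report which mechanism detects each kind of change to the stored record."""
    stored_sum, stored_tag = checksum(RECORD), mac_tag(RECORD)
    # Case 1: a media error changes a value; the stored checksum is untouched.
    corrupted = dict(RECORD, dose_mg=2500)
    # Case 2: an unauthorized edit whose author also rewrites the unkeyed checksum.
    tampered = dict(RECORD, allergy="none")
    tampered_sum = checksum(tampered)
    return {
        "intact_checksum_ok": verify_checksum(RECORD, stored_sum),
        "intact_mac_ok": verify_mac(RECORD, stored_tag),
        "media_error_caught_by_checksum": not verify_checksum(corrupted, stored_sum),
        "media_error_caught_by_mac": not verify_mac(corrupted, stored_tag),
        "tamper_caught_by_checksum": not verify_checksum(tampered, tampered_sum),
        "tamper_caught_by_mac": not verify_mac(tampered, stored_tag),
    }
```

The last two results show why a plain checksum alone does not satisfy the "unauthorized manner" wording: it passes once recomputed by the editor, while the keyed tag still fails.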