(2) Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Tell Me More:

The Integrity Controls implementation specification requires covered entities to address implementing security measures that ensure electronically transmitted electronic protected health information (ePHI) is not improperly modified without detection until it is properly disposed of.

In reality, the risk of ePHI being illicitly intercepted and changed is generally low. However, it can happen.

Questions to consider:

  • Does the organization use or need to use electronic signatures? The electronic signature is currently the best way to verify that the data has not been altered.
  • Does the organization have procedures to use an integrity authentication mechanism (e.g., digital signatures) to ensure the integrity of ePHI when it is transmitted?
  • Does the organization have procedures in place to ensure that ePHI entries by authenticated users are tracked appropriately through audit trails, and that the changes are periodically reviewed to ensure integrity against changes made to ePHI without authorization?
