Integrity: Mechanism to Authenticate Electronic Protected Health Information-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the  implementation specification for the third Technical Safeguard Standard, Integrity. This implementation specification is addressable. Addressable does not mean “optional.”

Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

Implement electronic controls to ensure that electronic protected health information has not been altered or destroyed in an unauthorized manner.

How to Do It

A covered entity or its electronic information systems vendor should establish electronic controls to protect  electronic protected health information from being altered or destroyed. The covered entity’s risk analysis will determine how the covered entity should authenticate electronic protected health information in its electronic information systems. Considerations should include how many times the covered entity’s system has crashed and damaged information in storage, or how many times incorrect information has been added to the database that should not have been allowed. An outcome of the risk analysis, based on these types of considerations, will be how to mitigate risk through preventive electronic controls. Controls that check for human errors and accuracy of back-ups should be employed. In addition, intrusion detection systems should be used if there is evidence of hacking or tampering attempts.

The Security Official of the covered entity is responsible for designing policies and procedures to ensure the integrity of electronic protected health information. A policy should be regular testing for data integrity. A covered entity should check with its electronic information systems vendor to see if its systems have automatic data integrity testing capabilities. If not, the vendor should be able to recommend software programs to add to the covered entity’s electronic information systems to do such testing. The policy for the covered entity also should include regular examination of test logs to ensure that integrity checks have run successfully.