In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Technical Safeguard Standard, Transmission Security. This implementation specification is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
Implement security measures to ensure that electronically transmitted protected health information is not improperly modified without detection until disposed of.
How to Do It
A covered entity must ensure data integrity. Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.” As a covered entity, you ensure that electronic protected health information is not altered without appropriate knowledge and approval of your Security Official. To do this, you need to assign appropriate authentication credentials to workforce members and business associates and make sure that all entries by an authenticated user are tracked appropriately through audit trails. The Security Official should be responsible for periodically examining the audit trails to ensure integrity, and for applying appropriate sanctions if changes to electronic protected health information are made without authorization. During review and update of the covered entity’s risk analysis, the Security Official should report on the success of the integrity controls, based on an empirical review of the audit trails and any incidence of unauthorized modification of electronic protected health information.