POLICY # 47
INTEGRITY
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement policies and procedures to protect EPHI from improper
alteration or destruction.”
Policy Summary:
Sindecuse Health Center (SHC) must appropriately protect the integrity
of all EPHI contained on its information systems. SHC must implement
a formal, documented process for appropriately protecting the integrity of
all EPHI contained on its information systems. Only properly authorized
and trained SHC workforce members may access and use EPHI on SHC
information systems. Methods used to protect the integrity of EPHI
contained on SHC information systems must ensure that the value and
state of the EPHI is maintained and protected from unauthorized
modification and destruction.
Purpose:
This policy reflects SHC’s commitment to appropriately protect the
integrity of all EPHI contained on its information systems.
Policy:
1. SHC must appropriately protect the integrity of all EPHI contained on
its information systems. Such EPHI must be protected from improper
alteration or destruction.
2. SHC must perform regular risk analysis to determine the appropriate
means to protect the integrity of all EPHI contained on its information
systems. At a minimum, SHC’s risk analysis must consider the following
factors when defining what mechanisms must be implemented to protect
the integrity of EPHI contained on SHC information systems:



The sensitivity of the EPHI
The risks to the EPHI
The expected impact to SHC functionality and work flow if these
mechanisms are used to protect the integrity of the EPHI
3. SHC must implement a formal, documented process for appropriately
protecting the integrity of all EPHI contained on its information systems.
At a minimum, the process must include:

A procedure for ensuring that the methods and controls used to
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
INTEGRITY



protect integrity are effective and do not significantly impact
SHC functionality and workflow.
A procedure defining how SHC will detect and report instances
of attempted or successful improper alteration or destruction of
SHC EPHI.
A procedure defining how SHC will respond to instances of
attempted or successful improper alteration or destruction of
SHC EPHI.
A procedure defining when and how unnecessary SHC EPHI can
be destroyed. Such destruction must be conducted only by
properly authorized SHC workforce members.
4. Only properly authorized and trained SHC workforce members may
access and use EPHI on SHC information systems. Such access and use
must be provided only to SHC workforce members having a need for
access to specific EPHI in order to accomplish a legitimate task.
5. Such access and use must be clearly defined and documented and be
regularly reviewed and revised as necessary.
6. Methods used to protect the integrity of EPHI contained on SHC
information systems must ensure that the value and state of the EPHI is
maintained and it is protected from unauthorized modification and
destruction. Such controls include but are not limited to:




Checksums
Digital signatures
Hash values
Encryption
7. All methods used to protect the integrity of EPHI contained on SHC
information systems must be approved by SHC’s information security
office.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Technical Safeguards
Regulatory Type:
Standard
Regulatory
45 CFR 164.312(c)(1)
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
INTEGRITY
Reference:
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Checksum means a count of the number of bits in a transmission unit that
is included with the unit so that the receiver can check to see whether the
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
INTEGRITY
same number of bits arrived. If the counts match, it's assumed that the
complete transmission was received. This number can be regularly
verified to ensure that the data has not been improperly altered.
Hash (or hash value) means a number generated from a string of text. A
sender of data generates a hash of the message, encrypts it, and sends it
with the message itself. The recipient of the data then decrypts both the
message and the hash, produces another hash from the received message,
and compares the two hashes. If they are the same, there is a very high
probability that the message was transmitted intact.
Digital signature means a cryptographic code that is attached to a piece
of data. This code can be regularly verified to ensure that the data has not
been improperly altered.
Encryption means the conversion of data into secret, unreadable code.
To read encrypted data, a person must have access to a secret key or
password that enables them to decrypt (decode) the data.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Mechanism to Authenticate EPHI
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.