Add to collection(s) Add to saved
  1. Business
  2. Management

POLICY # 48 ADMINISTRATIVE MANUAL APPROVED BY:

MECHANISM TO AUTHENTICATE EPHI
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
POLICY # 48
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement electronic mechanisms to corroborate that EPHI has not
been altered or destroyed in an unauthorized manner.”
Policy Summary:
Sindecuse Health Center (SHC) must implement appropriate electronic
mechanisms to confirm that EPHI contained on SHC information systems
has not been altered or destroyed in an unauthorized way. SHC must
perform regular risk analysis to determine the appropriate electronic
mechanisms to protect the integrity of all EPHI contained on its
information systems. SHC workforce members must receive regular
training and awareness about such electronic mechanisms. All such
mechanisms must be approved by SHC’s information security office.
Purpose:
This policy reflects SHC’s commitment to implement appropriate
electronic mechanisms to confirm that EPHI contained on SHC
information systems has not been altered or destroyed in an unauthorized
manner.
Policy:
1. SHC must implement appropriate electronic mechanisms to confirm
that EPHI contained on SHC information systems has not been altered or
destroyed in an unauthorized manner.
2. SHC must perform regular risk analysis to determine the appropriate
electronic mechanisms to implement to protect the integrity of EPHI
contained on its information systems.
3. At a minimum, SHC’s risk analysis must consider the following
factors when defining what electronic mechanisms must be implemented
to protect the integrity of specific EPHI contained on SHC information
systems:



The sensitivity of the EPHI
The risks to the EPHI if it is compromised
The expected impact to SHC functionality and work flow if
specific mechanisms are used to protect the integrity of the EPHI
4. Electronic mechanisms used to protect the integrity of EPHI contained
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
MECHANISM TO AUTHENTICATE EPHI
on SHC information systems must ensure that the value and state of the
EPHI is maintained and it is protected from unauthorized modification
and destruction. Such mechanisms must also be capable of detecting and
reporting unauthorized alteration or destruction of EPHI. Such
mechanisms include but are not limited to:



Checksums
Digital signatures
Hash values
5. All electronic mechanisms used to protect the integrity of EPHI
contained on SHC information systems must be approved by SHC’s
information security office.
6. SHC workforce members must receive regular training and awareness
about the electronic mechanisms used to protect the integrity of EPHI
contained on SHC information systems.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Technical Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Integrity Standard
Regulatory
Reference:
45 CFR 164.312(c)(2)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
MECHANISM TO AUTHENTICATE EPHI
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Checksum means a count of the number of bits in a transmission unit that
is included with the unit so that the receiver can check to see whether the
same number of bits arrived. If the counts match, it's assumed that the
complete transmission was received. This number can be regularly
verified to ensure that the data has not been improperly altered.
Hash (or hash value) means a number generated from a string of text. A
sender of data generates a hash of the message, encrypts it, and sends it
with the message itself. The recipient of the data then decrypts both the
message and the hash, produces another hash from the received message,
and compares the two hashes. If they are the same, there is a very high
probability that the message was transmitted intact.
Digital signature means a cryptographic code that is attached to a piece
of data. This code can be regularly verified to ensure that the data has not
been improperly altered.
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
MECHANISM TO AUTHENTICATE EPHI
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Integrity
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
POLICY # 44 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 44 ADMINISTRATIVE MANUAL APPROVED BY:
P37-DISPSL
P37-DISPSL
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 32 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 32 ADMINISTRATIVE MANUAL APPROVED BY:
P5-ISAREV
P5-ISAREV
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
Download