Integrity 45 CFR § 164.312(c)(1) ePHI that is improperly altered or destroyed can result in clinical quality problems for a covered entity, including patient safety issues. The integrity of your ePHI can be compromised by technical and non-technical sources. As always, educating your staff is the first step since their inappropriate actions could damage the integrity of the data. You must have in place the means to protect the data from alteration through access authorization, as well as protection from damage such as a power failure or disaster. This could include the use of a business class firewall with an intrusion prevention system (IPS) and uninterrupted power supply units (UPS).
Mechanism to Authenticate Electronic Protected Health Information 45 CFR § 164.312(c)(2) In order to determine which electronic mechanisms to implement to ensure that ePHI is not altered or destroyed, a covered entity must consider the various risks identified during the risk analysis. Once covered entities have identified risks to the integrity of their data, they must identify security measures that will reduce the risks. Most EHRs and data backup systems have the capabilities of verifying the data through check sum verifications or digital signatures.
Person or Entity Authentication 45 CFR § 164.312(d) In general, authentication ensures that a person is in fact who he or she claims to be before being allowed access to ePHI. This is accomplished by providing proof of identity. Once this authentication process is complete, then the user has access to ePHI. Passwords are the most common authentication process. They are also the most easily compromised. Depending on the size and needs of your organization you make need to adopt a two-step authentication process to include tokens, cards, or bio-metric scanning. There are many options available at reasonable costs.
Transmission Security 45 CFR § 164.312(e)(1) Data that is transmitted over electronic communications systems, such as the internet, email, or some form of point-to-point network, must be protected against modification or interception. Organizations must review their workflow to determine how ePHI is communicated and if there are any risks involved. The Security Rule allows for ePHI to be sent over an electronic open network as long as it is adequately protected.
Integrity Controls 45 CFR § 164.312(e)(2)(i) One method for protecting the integrity of ePHI being transmitted is through the use of network communications protocols, such as digital (electronic) signatures. Most EHRs utilize at least a level 2 type signature, such as a pin or token used to sign. A covered entity should discuss reasonable and appropriate security measures to protect the integrity of ePHI during transmission with its IT professionals, vendors, business associates, and trading partners.
Encryption 45 CFR § 164.312(e)(2)(ii) This is your only safe harbor against a data breach. This could be a VPN for access to the network for mobile users or the use of SSL VPN to allow users to transmit data through their web browser. These methods offer the safe haven of encryption. Another area that needs the protection of encryption is email and text messaging. There are software providers available to ensure that your data being transmitted is encrypted and secure. Do not forget to review how data is stored, this may need to be encrypted as well. For instance, how are messages delivered and how are they stored from your website, faxes, and emails. This should be uncovered during your risk analysis.
Let Aris work with you for an easy online path to HIPAA compliance