What are integrity controls? 

According to the Department of Health and Human Services (HHS), integrity means that data has not been altered or destroyed unless unauthorized. A study published in Science and Technology notes, “Data integrity is elucidated as the accuracy, reliability, and consistency of data over its lifecycle. In simpler terms, data integrity ensures that data is not corrupted or modified in an unauthorized manner, either intentionally or unintentionally.” The HIPAA Security Rule states certain controls as necessary to secure electronic protected health information (ePHI). To comply with integrity control requirements, covered entities and business associates are encouraged to establish targeted policies and procedures. 

The types of integrity controls 

1. Access controls: Policies that restrict access to ePHI to authorized personnel only.
2. Audit controls: Mechanisms that track and review how ePHI is accessed and modified.
3. File integrity monitoring: Tools that monitor files for unauthorized changes or deletions.
4. Data encryption: Techniques that protect ePHI by making it unreadable to unauthorized users.
5. Digital signatures: Electronic signatures that verify the authenticity and integrity of ePHI.
6. Checksum verification: Methods that use unique values to detect unauthorized changes in data.

Best practices for the implementation of integrity controls

1. Develop policies that define who can access ePHI so that only authorized personnel have the necessary permissions. 
2. Perform comprehensive risk assessments to identify vulnerabilities that could pose a risk to the integrity of ePHI. 
3. Use file integrity tools to continuously monitor files containing ePHI for any unauthorized changes or deletions. 
4. Use digital signatures to verify that documents containing ePHI have not been altered. 
5. Create clear guidelines outlining how ePHI should be handled, stored, and transmitted. 
6. Regularly perform self-audits to assess compliance with established policies and procedures. 
7. Develop a clear incident response plan that outlines steps to take in the event of a security breach impacting ePHI integrity.

FAQs

What are examples of file integrity tools? 

• Paessler PRTG is a tool that provides file integrity monitoring capabilities, allowing organizations to track changes to files and configurations.
• Tripwire is a solution that automates compliance evidence generation and monitors file changes.

How often should self-audits be conducted? 

Self-audits should be conducted regularly, although specific frequency is not mandated by HIPAA or NIST guidelines. It is recommended that healthcare organizations perform self-audits at least quarterly or more frequently if there are changes in systems or processes.

How can healthcare organizations ensure data integrity during transmission? 

The use of HIPAA compliant email platforms like Paubox allows for the protection of ePHI during transmission.