hipaa-ts-3 High priority Technical Safeguards / Integrity

Implement policies and procedures to protect ePHI from improper alteration or destruction

The integrity of ePHI means that it has not been altered or destroyed in an unauthorized manner. Corrupted, modified, or destroyed ePHI can compromise patient safety by leading to incorrect treatment decisions. HIPAA requires covered entities to implement technical mechanisms to corroborate that ePHI has not been improperly altered or destroyed. This includes controls like message authentication codes, digital signatures, checksums, and file integrity monitoring that can detect unauthorized modifications.

6h estimated effort

hipaa data-integrity encryption access-control

Implementation steps

1

Implement data integrity verification mechanisms

Use cryptographic techniques to verify the integrity of ePHI. For data in transit, use TLS which includes integrity checking (HMAC). For stored ePHI, consider database integrity controls, checksums on backups, and file integrity monitoring on systems containing ePHI. Detect and alert on unauthorized modifications.

tripwire aws-macie microsoft-sentinel
2

Protect ePHI from unauthorized deletion or modification

Implement access controls that restrict who can modify or delete ePHI. Clinical staff may need to create and update records but rarely need to delete them. Administrative users who manage systems should not have access to modify clinical data. Implement write-once storage for audit logs and backup systems to prevent tampering.

aws-s3-object-lock azure-immutable-storage okta
3

Validate ePHI integrity after transfers and restorations

After migrating ePHI between systems, restoring from backup, or transmitting records to another organization, verify that the data was not corrupted or altered. Use checksums, hash comparisons, or record counts. Document validation procedures and results.

confluence excel