Integrity: What This HIPAA Security Rule Technical Safeguard Standard Means

This is the third Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has one implementation specification:  mechanism to authenticate electronic protected health information. This implementation specification is addressable. Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

For compliance with this Technical Safeguard Standard, a covered entity is required to implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Integrity means that a covered entity’s data are dependable and accurate. It also means that the authorized user can have access to the right information at the appropriate time, and that the data are not altered or destroyed in any manner. Inaccurate electronic protected health information could result in harm or even potential death of a patient. In addition, the risk of such information could adversely impair the business viability of one or more covered entities. It is for these reasons that integrity is one of the foundational concepts underpinning HIPAA Administrative Simplification, along with availability and confidentiality.

The Technical Safeguard Standards of access control and audit control can help in maintaining confidentiality of electronic protected health information, but data comprising such information can become inaccurate or corrupt from several sources, including data entry errors, hacking or tampering, mechanical errors in storage devices, transmission error, and inadequate data capture from poorly integrated or interfaced electronic information systems. Also, corruption of data can be due to software or programming bugs, computer viruses, or human error. A covered entity must ensure that its electronic protected health information, as well as other critical electronic business information, has not been altered or destroyed without its knowledge and approval.