Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Integrity
Policy Number: IS-16 (Technical Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
To describe the procedures implemented by Drexel University (DU) to protect electronic protected health information (e-PHI) from improper alteration or destruction, to corroborate that e-PHI has not been altered or destroyed in an unauthorized manner, and to verify that a person or entity seeking access to e-PHI is the one claimed.
DU maintains a comprehensive internal security control program coordinated by DU Information Technology (IT) to protect e-PHI from improper alteration or destruction and to keep it consistent with its source. DU’s ability to preserve the integrity of the e-PHI in its possession is directly dependent upon the successful implementation of a combination of policies and technical solutions, which includes:
- Policies and procedures to protect e-PHI from improper alteration or destruction and keep it consistent with its source; and
- Electronic mechanisms to corroborate that the e-PHI has not been altered or destroyed in an unauthorized manner.
1. Data Authentication Controls
Authentication of e-PHI is a technical process of corroborating or validating that data has not been altered or destroyed in an unauthorized manner. DU's data authentication controls include:
- Database integrity – integrity checking and data recovery features such as checksums, hashes, data duplication, transaction logging, and error-correcting memory.
- Transmission integrity – transmitting e-PHI from one place to another, using data integrity features.
- Procedure integrity – based on the level of risk, it may be necessary to use redundant systems to store e-PHI, such as mirrored disk systems, duplicate power systems, and appropriate power conditioning and cooling systems.
2. Controls for Data While in Transit
These controls are designed to ensure data is not improperly modified until it reaches its appropriate destination or is disposed of. Technical solutions that DU is implementing to assist in preserving data while in transit include the use of firewalls, cryptography, other authentication devices, and the use of encryption and decryption when necessary.
3. Password Security: Controls for Data While At Rest
All systems-level passwords are changed quarterly for IDX and Allscripts systems. Other systems passwords are to be changed regularly. Passwords must not be inserted into email messages, scripts or databases, or stored in any other electronic form unless encrypted.
4. Workforce Protocol
DU's ability to preserve data integrity depends on the successful implementation of, and workforce compliance with, all other security policies.
45 CFR §164.312 (c)(1)(2)
Cross Reference: IT-7, Email Policy