Core Platform

Medicare Underpayment Audit

Find potential coding & charge-capture leaks in your paid claims, cited to CMS.

HIPAA Kit

Downloadable policy templates covering all 23 required safeguards.

Free Tools

Doc Builder

FREE

Free AI generator for appeal letters, PA requests, and call scripts.

Ask D3

FREE

AI compliance assistant answering HIPAA & billing questions instantly.

GuidesSign In
HelpGuidesStatesTemplatesAsk D3PrivacyTerms
© 2026 D3rx. All rights reserved.

Questions or feedback? [email protected]

HIPAA Templates/Integrity Controls Policy
Technical Safeguards (164.312)

Integrity Controls Policy

45 CFR § 164.312(c)

Protects ePHI from improper alteration or destruction. Implements mechanisms to authenticate electronic records, detect unauthorized changes, and maintain data integrity across all systems that process protected health information.

What's Included

  • Policy document
  • Data integrity verification procedures
  • Change detection configuration guide
  • Implementation checklist
  • Annual review template
2 pages · ~823 words · 8 sectionsEstimated customization: ~10 minutesLast updated May 2026

Sample Preview

Technical Safeguards (164.312)Page 1 of 2

Integrity Controls Policy

Version 1.0·Effective [EFFECTIVE DATE]·Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes the measures [PRACTICE NAME] implements to protect ePHI from improper alteration or destruction. Maintaining the integrity of health information is critical for patient safety, accurate clinical decision-making, and regulatory compliance.

2. Scope

This policy applies to all ePHI created, received, maintained, or transmitted by [PRACTICE NAME], in all forms and on all systems. It covers the integrity of data at rest (stored on devices and servers), data in processing (being used by applications), and data in transit (being transmitted between systems, which is also addressed in the Transmission Security Policy).

3. Policy Statement

[PRACTICE NAME] shall implement policies and procedures to protect ePHI from improper alteration or destruction, as required by 45 CFR § 164.312(c)(1). The practice shall implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner, as specified in the addressable implementation specification at 45 CFR § 164.312(c)(2).

4. Definitions

Integrity: The property that data or information has not been altered or destroyed in an unauthorized manner.

Authentication (of data): The corroboration that data is what it purports to be — that it has not been altered or corrupted during storage, processing, or transmission.

Hash Function: A mathematical algorithm that converts data into a fixed-size value (hash) that can be used to verify data integrity. Any change to the data produces a different hash.

Checksum: A value computed from a data set that is used to verify data integrity during storage or transmission.

Digital Signature: A cryptographic technique that verifies both the integrity and the origin of data.

5. Procedures

1. DATA INTEGRITY AT REST

1.1 ePHI stored on servers, workstations, and media shall be protected through: file system permissions that restrict write, modify, and delete access to authorized users, use of database integrity features (e.g., referential integrity constraints, transaction logs), regular backup procedures that enable restoration to a known good state (see Contingency Plan), and file integrity monitoring where feasible.

1.2 The IT Manager shall ensure that storage systems use error-detection mechanisms (e.g., RAID, ECC memory, filesystem checksums) to detect and correct data corruption.

1.3 The EHR system shall maintain an audit trail of all record modifications, including the original value, the modified value, the user who made the change, and the date/time of the change.

2. DATA INTEGRITY IN PROCESSING

2.1 Applications that process ePHI shall implement input validation to prevent the entry of corrupted or malformed data.

2.2 System updates and patches shall be tested in a non-production environment before deployment to ePHI systems, where feasible, to prevent updates from introducing integrity issues.

2.3 Anti-malware protection shall be maintained on all systems to detect and prevent malicious software from altering or destroying ePHI (see Security Awareness & Training Policy for malware prevention training).

3. DATA INTEGRITY IN TRANSIT

3.1 ePHI transmitted electronically shall be protected using integrity verification mechanisms. See the Transmission Security Policy for detailed requirements.

3.2 At minimum, transmission integrity controls shall include: use of protocols that include built-in integrity checking (e.g., TLS, HTTPS, SFTP), verification of data completeness after file transfers, and digital signatures for sensitive or legally significant transmissions where applicable.

4. INTEGRITY VERIFICATION MECHANISMS

4.1 Where feasible, [PRACTICE NAME] shall implement mechanisms to authenticate ePHI and detect unauthorized alterations, including: hash values or checksums for files containing ePHI that are archived or transferred, EHR audit trail features that track all modifications, database transaction logs, and file integrity monitoring tools on servers hosting ePHI.

4.2 If [PRACTICE NAME] determines that a specific integrity mechanism is not reasonable and appropriate, the decision shall be documented along with the alternative measures implemented, per the addressable specification process at 45 CFR § 164.306(d).

5. INCIDENT RESPONSE FOR INTEGRITY VIOLATIONS

5.1 Any suspected unauthorized alteration or destruction of ePHI shall be reported and investigated per the Security Incident Response Policy.

5.2 If ePHI integrity has been compromised, the IT Manager shall assess the scope of the impact, restore data from the most recent clean backup, and document the incident and restoration.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Defines integrity control requirements. Reviews integrity-related incidents. Ensures integrity controls are evaluated during annual assessments.

IT Manager/Vendor ([IT CONTACT NAME]): Implements technical integrity controls (permissions, checksums, monitoring). Maintains backup and restoration capabilities. Manages anti-malware and patch management. Responds to integrity incidents.

EHR Vendor: Provides built-in integrity features (audit trails, referential integrity, data validation). Supports integrity-related configuration and reporting.

All Workforce Members: Follow data entry procedures accurately. Report any suspected data corruption, unauthorized changes, or system errors to the IT Manager.

7. Review Schedule

This policy shall be reviewed at least annually. Integrity controls shall be evaluated as part of the annual security evaluation. The effectiveness of backup and restoration procedures in maintaining data integrity shall be tested at least annually per the Contingency Plan.

8. Regulatory References

45 CFR § 164.312(c)(1) — Integrity (Required) 45 CFR § 164.312(c)(2) — Mechanism to authenticate electronic protected health information (Addressable) 45 CFR § 164.312(e)(2)(i) — Integrity controls for transmission (Addressable) 45 CFR § 164.306(d) — Implementation specifications for addressable safeguards

Continue reading — unlock the full integrity controls policy
D3rx · HIPAA Compliance Templates
Free

while we’re in beta

A professional, CFR-referenced policy template, ready to customize for your practice. Free during the beta.

Open template

Free while we’re in beta

Need more than one?

Get all 23 policies — free

The Complete HIPAA Policy Library — every policy, checklist, and review template. Free while we’re in beta.

Open the library

Free while we’re in beta

Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.