§164.312(c)(2): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Audit Inquiry

Does the entity have policies and procedures in place regarding the implementation of electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner?

Does the entity have electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner?

Obtain and review policies and procedures for authenticating ePHI. Evaluate the content relative to the specified criteria to determine that electronic mechanisms are in place to authenticate ePHI.

Elements to review include but are not limited to:
• How to detect if ePHI has not been altered or destroyed
• How to detect if ePHI has been altered or destroyed in an unauthorized manner

Obtain and review documentation demonstrating that electronic mechanisms are implemented to authenticate ePHI. Evaluate the implemented mechanisms to determine that they would appropriately corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable