Review your existing procedures for protecting electronic protected health information and other sensitive information from improper alteration and destruction. Four policies in this Guide at least partially deal with this issue and should be referenced in your policy for protecting electronic protected health information from alteration and destruction:
- The Sample General Computer Resources Acceptable Use Policy includes a prohibition on altering or destroying protected health information unless it is part of the employee’s job duties or is approved by a supervisor or security officer.
- The Sample Auditing and Activity Review Policy includes a requirement to periodically audit electronic protected health information to assure that it is being properly accessed and is not subject to improper modification, deletion, or blocking.
- The Sample Hardware and Software Control Policy includes a requirement to designate a responsible person to inspect all hardware and software that has been checked-out of and returned to the organization to insure that all equipment is returned and working properly and that software and files have not been corrupted, altered or destroyed.
- The Sample Security Incident Reporting Policy includes destruction or alteration as a reportable security incident.
In addition, your policy should list all software installed and other systems to detect improper alteration or destruction of sensitive information such as:
- File integrity checking software that will detect alteration or destruction. Your policy should list this software, how it works, how it reports, and what steps are taken upon receiving a report of a change.
- Virus detection and elimination software. Your policy policy should list this software and how it works and reports and what steps are taken upon receiving a report of a virus.
- Any other software or systems in place for monitoring and controlling the improper alteration or destruction of electronic protected health information.