Appendix Q 483
insurers. Identifying these instances will define the scope of work required to come into compliance with this requirement. To obtain this information, it is imperative to involve both process owners and technology owners. Once this list is complete, a risk analysis should be performed to determine what steps to take. As noted below, there are no “required” implementation specifications related to this standard; the specific measures to take depend on the level of risk.
Client Response:
2. Is instant messaging used for communicating electronic protected health information?
Guidance: Instant messaging has gone from being used for socializing to being used for business purposes. You should find out whether it is being used and what is being transmitted using instant messaging software. There are solutions to secure instant message traffic.
Client Response:
a. REQUIRED Implementation Specifications
i. None
b. ADDRESSABLE Implementation Specifications
i. Integrity Controls
Security measures to ensure that electronically transmitted electronic protected health
information is not improperly modified without detection until it is disposed of.
Guidance: Based on what is being transmitted, the risk analysis should consider the likelihood that electronic protected health information can be altered during transmission. Depending on the risk, different solutions can be implemented, including software that verifies integrity or other procedures that determine whether information has been altered. Note that an unkeyed checksum or hash alone does not satisfy this goal, because anyone able to modify the message in transit can also recompute the checksum; detecting modification requires a secret the sender and receiver share (a message authentication code) or a digital signature.
Client Response:
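The following is an added illustration of the integrity-control idea above; it is not code from the book or from any product it discusses. It assumes the sender and receiver already share a 32-byte secret key distributed out of band (key management is outside this example), and the patient record it protects is a constructed sample, not real data. It shows that a keyed HMAC-SHA256 tag exposes modification in transit, while an unkeyed SHA-256 digest does not, because the attacker simply recomputes it.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for the demonstration; not real patient data.
SAMPLE_EPHI = b'{"patient_id":"000123","rx":"metformin 500mg","dose":"1 tablet daily"}'
# What an on-path attacker might change it to.
TAMPERED_EPHI = SAMPLE_EPHI.replace(b"1 tablet daily", b"3 tablets daily")


def seal(message: bytes, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"payload": message, "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, envelope["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def tamper_in_transit(envelope: dict, new_payload: bytes, recompute_unkeyed: bool) -> dict:
    """Model an attacker who rewrites the payload. Without the key they can only
    leave the old tag in place, or (if the tag is a plain hash) recompute it."""
    forged = dict(envelope)
    forged["payload"] = new_payload
    if recompute_unkeyed:
        forged["tag"] = hashlib.sha256(new_payload).hexdigest()
    return forged


def hmac_detects_tampering() -> bool:
    """Keyed tag: modification is detected because the attacker cannot forge the tag."""
    key = secrets.token_bytes(32)          # assumed to be shared out of band
    envelope = seal(SAMPLE_EPHI, key)
    if not verify(envelope, key):
        raise RuntimeError("untampered message must verify")
    forged = tamper_in_transit(envelope, TAMPERED_EPHI, recompute_unkeyed=False)
    return not verify(forged, key)


def plain_hash_detects_tampering() -> bool:
    """Unkeyed digest: the attacker recomputes it, so the receiver sees a valid hash."""
    envelope = {"payload": SAMPLE_EPHI, "tag": hashlib.sha256(SAMPLE_EPHI).hexdigest()}
    forged = tamper_in_transit(envelope, TAMPERED_EPHI, recompute_unkeyed=True)
    recomputed = hashlib.sha256(forged["payload"]).hexdigest()
    return not hmac.compare_digest(recomputed, forged["tag"])


if __name__ == "__main__":
    print("HMAC detects modification:", hmac_detects_tampering())
    print("Plain hash detects modification:", plain_hash_detects_tampering())
```

In practice the transport itself (for example TLS) supplies this keyed integrity check for data in motion; the example isolates the mechanism so the difference between a checksum and an authenticated tag is visible in the risk analysis.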