How do checksums and hashes contribute to HIPAA compliant forms?

Checksums and hashes help ensure that HIPAA compliant forms are accurate and unaltered by indicating when changes are made to data during its transmission to different degrees of complexity. 

Understanding checksums and hashes

A checksum is a simple value (generally a numerical sum) calculated from a data set to detect errors that have been introduced during its transmission or storage. It can be thought of as a mathematical fingerprint. If one aspect changes the checksum value also changes to represent the possibility of an error occurring along the way. 

Hashes provides a similar but more complex function. Hashing takes input data (of any size) and produces fixed-size string of bytes (ie a fixed series of characters). This string of bytes is known as a hash and remains unique to the original input data. Like with checksums if the data changes at all, the hash changes. It makes hashes useful for securely checking data integrity. 

A technical report from Stony Brook University provides, “Checksums that are generated using cryptographic hash functions prevent unauthorized users from generating custom checksums to match the malicious data modification that they have made.” What can be taken from this quote is that the combination of hashing in cryptography when creating checksums allows for improved security. 

How checksums and hashes contribute to electronic forms

One example of how an ideal HIPAA compliant email form operates starts when a healthcare provider submits an electronic form. A checksum is generated for the data in the form. The checksum acts as a baseline to verify data integrity. Once the email reaches the patient the recipient's system recalculates the checksum. If the recalculated checksum matches the original, it confirms that the form has not been altered or corrupted during transmission. 

Alongside the checksum, a hash value is created from the data, creating a unique digital fingerprint. The new hash is generated from the received data and compared with the original hash. If they match, it confirms that the data has not been tampered with during transit. 

Best practices for ensuring HIPAA compliance in electronic forms

1. Send and receive forms electronically through communication methods like HIPAA compliant email. Organizations should still provide for emergencies that leave electronic records unavailable by making provisions for maintaining physical copies of patient records. 
2. Use software that allows for seamless encryption between sender and recipient. An example of this is Paubox Forms which protects patient information within forms from transmission to storage. 
3. Make sure that the software used to send and receive forms electronically is regularly patched and updated. The action protected against vulnerabilities and new forms of cyberattacks not provided for in earlier versions of the software. 
4. Educate staff on how to send and receive patient forms through email. This training should include informing patients on how to record patient data from forms into EHRs and physical copies kept securely. 
5. Always enter into a business associate agreement (BAA) with any third party handling data, from the email provider to any cloud services. 
   
   

FAQs

What is a conduit? 

An organization that only handles transmission and not storage in any capacity. 

What is a digital signature? 

An electronic form of a signature that validates the authenticity and integrity of digital documents. 

What is secure encryption?

A method of converting data into a coded format to prevent unauthorized access.