HIPAA Data Integrity: Proving ePHI Is Unaltered
Introduction
Healthcare data lives or dies on whether it can be trusted. A lab result, an imaging file, a medication record or a backup of a patient database is only useful if you can show it is exactly what it was when it was created. That is the heart of HIPAA data integrity. The HIPAA Security Rule includes an integrity standard that requires covered entities and business associates to protect electronic protected health information (ePHI) from improper alteration or destruction. In other words, you must be able to demonstrate that ePHI has not been changed in an unauthorized way. This article explains what integrity means in that context, how to evidence it across backups, archives and transfers, and how a lightweight, fully offline approach with e-Dex (formerly Hash Calculator) helps you produce that evidence without ePHI ever leaving your machine.
What "Integrity" Means Under HIPAA
Under the HIPAA Security Rule, integrity is defined (45 CFR § 164.304) as the property that data or information have not been altered or destroyed in an unauthorized manner. The integrity standard itself (§ 164.312(c)(1)) requires covered entities and business associates to implement policies and procedures protecting ePHI from improper alteration or destruction, and pairs it with an addressable implementation specification (§ 164.312(c)(2)): an electronic mechanism to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. "Addressable" does not mean optional; it means you implement the measure where reasonable and appropriate, or document why it is not and what equivalent alternative you use instead. Integrity sits alongside confidentiality and availability as one of the three core security objectives, but it is distinct: a record can be perfectly confidential and still be silently corrupted or tampered with. The integrity standard is specifically about being able to say, with confidence and evidence, "this ePHI is unchanged from its known-good state." Importantly, HIPAA describes the objective and leaves the specific methods to each organization's own risk analysis, which is why a clear, repeatable technical practice matters so much.
How to Evidence ePHI Integrity Across Backups, Archives and Transfers
The practical mechanism is straightforward and well established: baseline plus re-hash. A cryptographic hash is a fixed-length digital fingerprint computed over a file's contents; change a single byte and the hash changes completely. Use a current collision-resistant function such as SHA-256. MD5 and SHA-1 still catch accidental corruption, but both have practical collision attacks, so a match under either is weak evidence against a deliberate attacker. When ePHI is in a known-good state, at the moment you archive it, back it up, or hand it off, you compute and record a baseline hash for each file. Later, at restore, before and after a transfer, or on a periodic schedule, you re-hash the same files and compare. A match means the data is bit-for-bit identical and unaltered; a mismatch, or a baselined file that is no longer there at all, flags corruption, tampering or destruction for investigation. Two details decide whether this is evidence rather than a checkbox. First, the baseline must be protected: if whoever alters a file can also rewrite its recorded hash, the later comparison proves nothing, so keep baselines separate from the data they describe and sign them. Second, the output worth keeping is a signed integrity certificate: a single document that lists each file, its recorded and recomputed hashes, an explicit verdict and the time of verification. Retained alongside an audit trail of who ran the check and when, those certificates become a defensible, reusable record that your backups, archives and transfers preserved ePHI integrity.
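The baseline-and-re-hash workflow above, as an added example in Python using only the standard library. This is illustrative code written for this article, not e-Dex's own implementation, and it also serves the "How do you prove ePHI has not been altered?" answer in the FAQ below. It hashes every file under a directory to build a baseline manifest, re-hashes later to produce per-file verdicts (MATCH, MISMATCH, MISSING, and UNEXPECTED for files that appeared after the baseline), and wraps the results in a certificate. The certificate is sealed with an HMAC as a stand-in for a real digital signature so that an edited verdict is detectable; the sample files, the tampering and the key are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large imaging files need not fit in memory


def sha256_file(path):
    """SHA-256 hex digest of a file's full contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def list_files(root):
    """Yield (relative path, absolute path) for every file under root, in stable order."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Record the known-good hash of each file, keyed by relative path. Store this separately from the data."""
    return {rel: sha256_file(full) for rel, full in list_files(root)}


def verify(root, baseline):
    """Re-hash every baselined file and return one verdict per file."""
    results = []
    for rel, recorded in baseline.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            # Destruction is an integrity failure too, not just alteration.
            results.append({"file": rel, "recorded": recorded, "recomputed": None, "verdict": "MISSING"})
            continue
        recomputed = sha256_file(full)
        verdict = "MATCH" if hmac.compare_digest(recomputed, recorded) else "MISMATCH"
        results.append({"file": rel, "recorded": recorded, "recomputed": recomputed, "verdict": verdict})
    for rel, full in list_files(root):
        if rel not in baseline:  # something appeared after the baseline; worth a look
            results.append({"file": rel, "recorded": None, "recomputed": sha256_file(full), "verdict": "UNEXPECTED"})
    return results


def _canonical(cert):
    # Deterministic serialization so the same certificate always produces the same bytes to sign.
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()


def make_certificate(root, baseline, signing_key):
    """Produce a certificate (files, hashes, verdicts, time) and seal it with an HMAC tag."""
    files = verify(root, baseline)
    cert = {
        "algorithm": "SHA-256",
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": files,
        "overall": "PASS" if all(r["verdict"] == "MATCH" for r in files) else "FAIL",
    }
    # HMAC-SHA256 stands in for a digital signature here; a real deployment would use an asymmetric key.
    tag = hmac.new(signing_key, _canonical(cert), hashlib.sha256).hexdigest()
    return {"certificate": cert, "signature": tag}


def check_certificate(signed, signing_key):
    """True if the certificate body has not been edited since it was sealed."""
    expected = hmac.new(signing_key, _canonical(signed["certificate"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["signature"])


def demo():
    """Constructed scenario: baseline three fake ePHI files, then alter one and delete one."""
    key = b"demo-only-key; a real signing key is generated and stored offline"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "lab_results.csv"), "w") as f:
            f.write("patient_id,test,value\n1001,HbA1c,6.1\n")
        with open(os.path.join(root, "mri_0001.dcm"), "wb") as f:
            f.write(b"DICM" + bytes(64))
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("unchanged\n")
        baseline = build_baseline(root)

        with open(os.path.join(root, "lab_results.csv"), "a") as f:
            f.write("1001,HbA1c,5.9\n")  # unauthorized alteration
        os.remove(os.path.join(root, "mri_0001.dcm"))  # unauthorized destruction

        signed = make_certificate(root, baseline, key)
        verdicts = {r["file"]: r["verdict"] for r in signed["certificate"]["files"]}
        overall = signed["certificate"]["overall"]
        valid = check_certificate(signed, key)
        signed["certificate"]["overall"] = "PASS"  # someone forges the verdict after the fact
        forged_valid = check_certificate(signed, key)
    return {"verdicts": verdicts, "overall": overall, "signature_valid": valid, "forged_signature_valid": forged_valid}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports lab_results.csv as MISMATCH, mri_0001.dcm as MISSING, notes.txt as MATCH and an overall FAIL, and shows that the sealed certificate verifies while the forged copy does not. The design point to carry over to any real tool is the split between the data, the baseline and the key: an attacker who can write all three can defeat the check, so the baseline and the signing key belong somewhere the data's writers cannot reach.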
A Lightweight, Offline Approach
For covered entities, one detail matters more than almost any other: no ePHI should leave your machine just to be verified. Routing protected health information through an online service to prove it is unchanged simply trades one risk for another and creates a new data flow to assess. e-Dex is built the opposite way. It runs fully offline on your own Windows computer. Hashing files, comparing them against recorded baselines and generating the integrity certificate all happen locally, so the ePHI never touches a network or a third party. Where you want extra assurance, you can apply a digital signature so any later edit to the certificate is detectable, and attach an RFC 3161 trusted timestamp that seals the exact time the check was produced. Even that step transmits only a hash of the certificate to the timestamp authority, never the file contents. The signing key is the one thing to guard: anyone holding it can produce a convincing certificate, so protect it like any other credential. The result is integrity evidence you can generate in minutes, on a single machine, inside your own controlled environment.
An Important Note: e-Dex Supports Integrity Evidence — It Does Not Make You Compliant
It is worth being precise about scope. e-Dex helps you produce integrity evidence — proof that specific ePHI is unaltered. That addresses one slice of one standard. HIPAA compliance, by contrast, is an organizational program spanning administrative, physical and technical safeguards, a documented risk analysis, policies and procedures, business associate agreements, and workforce training. Using e-Dex does not, by itself, make your organization HIPAA compliant, and nothing here is legal or compliance advice. Think of integrity certificates as a strong, demonstrable building block that supports the integrity standard — one you fit into your broader compliance program, alongside everything else the rule expects. If you are mapping technical controls to requirements, our compliance verification certificate guide and the file integrity compliance overview show how integrity evidence fits a wider picture.
Frequently Asked Questions
What does HIPAA say about data integrity?
The HIPAA Security Rule sets an integrity standard requiring covered entities and business associates to protect electronic protected health information (ePHI) from improper alteration or destruction. In practice this means having technical measures to confirm that ePHI has not been changed in an unauthorized manner. Cryptographic hashing and signed integrity records are a common, defensible way to provide that confirmation across backups, archives and transfers.
How do you prove ePHI has not been altered?
You record a baseline cryptographic hash of each file when it is known-good, then re-hash the same file later and compare. If the recomputed hash matches the baseline, the file is byte-for-byte identical and unaltered; if it differs, the file has changed or been corrupted. A signed integrity certificate captures those hashes, the comparison result and the time of verification in a single document you can retain as evidence.
Does using e-Dex make my organization HIPAA compliant?
No. HIPAA compliance is an organizational program covering administrative, physical and technical safeguards, risk analysis, policies and workforce training. e-Dex supports just one slice of that picture: producing integrity evidence that ePHI is unaltered. It is a tool that helps you address the integrity standard; it does not, by itself, make you HIPAA compliant and it is not legal advice.
Does e-Dex send ePHI to the cloud?
No. e-Dex runs fully offline on your own Windows machine. Hashing files, comparing them against recorded baselines and generating the integrity certificate all happen locally, so ePHI never leaves your computer. This local-only design is important for covered entities, because it lets you evidence integrity without introducing a new third-party data flow. Only an optional trusted timestamp step uses the internet, and it does not transmit file contents.
How often should ePHI integrity be checked?
There is no single mandated interval; the frequency should follow your own risk analysis and the nature of the data. Common practice is to record a baseline whenever ePHI is archived or backed up, and to re-verify on a schedule, before and after transfers, after restores, and whenever an integrity concern arises. The goal is to be able to demonstrate, at any point, that the protected data is unchanged from its recorded baseline.
Conclusion
HIPAA's integrity standard asks a simple question with serious consequences: can you show this ePHI is unaltered? A baseline-and-re-hash workflow, captured in signed integrity certificates with a clear audit trail, answers it in a way you can hand to an auditor, a regulator or your own security team. Doing it offline keeps protected data on the machine where it belongs. e-Dex supports that integrity evidence — it is one defensible building block in your compliance program, not the whole program. Learn how it fits your controls on our file integrity compliance page, or download e-Dex free and start producing integrity evidence on your own Windows machine today.