ehr onc final certification - Department of Health Care Services
ehr onc final certification - Department of Health Care Services
ehr onc final certification - Department of Health Care Services
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Meaningful Use<br />
Stage 1<br />
Objective<br />
Protect electronic<br />
health information<br />
created or<br />
maintained by the<br />
certified EHR<br />
technology through<br />
the implementation<br />
<strong>of</strong> appropriate<br />
technical<br />
capabilities<br />
Meaningful Use<br />
Stage 1 Measure<br />
Conduct or review<br />
a security risk<br />
analysis per 45<br />
CFR 164.308 (a)(1)<br />
and implement<br />
security updates as<br />
necessary and<br />
correct identified<br />
security<br />
deficiencies as part<br />
<strong>of</strong> its risk<br />
management<br />
process<br />
Page 104 <strong>of</strong> 228<br />
Certification Criterion<br />
Interim Final Rule Text:<br />
(1) Record actions. Record actions related to electronic health<br />
information in accordance with the standard specified in<br />
§170.210(b).<br />
(2) Alerts. Provide alerts based on user-defined events.<br />
(3) Display and print. Electronically display and print all or a<br />
specified set <strong>of</strong> recorded information upon request or at a set<br />
period <strong>of</strong> time.<br />
Final Rule Text:<br />
§170.302(r)<br />
(1) Record actions. Record actions related to electronic health<br />
information in accordance with the standard specified in<br />
§170.210(b).<br />
(2) Generate audit log. Enable a user to generate an audit log<br />
for a specific time period and to sort entries in the audit log<br />
according to any <strong>of</strong> the elements specified in the standard at<br />
170.210(b).<br />
Comments. Several commenters recommended that we add to the standard<br />
specified at §170.210(b) “access,” “reading,” or “viewing” as triggers for when actions<br />
needed to be recorded as part <strong>of</strong> an audit log. One commenter recommended expanding<br />
the audit content to include maintaining the before-access content <strong>of</strong> the information<br />
accessed as well as the after-access content. Some commenters requested clarification <strong>of</strong><br />
the intended meaning <strong>of</strong> the reference to recording the action <strong>of</strong> “printing.” Commenters<br />
recommended expanding or replacing “print” in the standard with other types <strong>of</strong> output<br />
methods such as extraction, copy, exchange, report, and export. Some commenter stated<br />
that the print function in many operating systems and s<strong>of</strong>tware products is a multiple step<br />
process that is difficult for any system to audit. Other commenters expressed c<strong>onc</strong>erns<br />
that the requirement to audit all printing would be difficult because there were numerous<br />
ways to circumvent the specific action <strong>of</strong> printing, such as using the print screen function<br />
and printing out the image <strong>of</strong> the screen shot. One commenter stated that auditing <strong>of</strong> the<br />
print function would be possible, but complete auditing <strong>of</strong> all possible ways <strong>of</strong> printing<br />
would be impracticable.