ehr onc final certification - Department of Health Care Services

More documents

Recommendations

Info

it has not been altered when it has been electronically exchanged. We recognize that certain situations may not be conducive to the use of hashes, which is why, as we noted above, we do not specify the instances in which hashing must be used, just that Certified EHR Technology include these capabilities. Comment. One commenter stated that secure transmission requirements are “inappropriate” because they do not support any meaningful use requirements. Response. We disagree. Meaningful use requires the electronic exchange of health information and the protection of such information. We believe that the only practical and effective way that electronic health information can be exchanged in a meaningful manner is if the integrity of the information can be maintained. Information “integrity” is also one of the three pillars of securing or “protecting” electronic information. §170.302(t) - Authentication Meaningful Use Stage 1 Objective Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Meaningful Use Stage 1 Measure Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process Page 114 of 228 Certification Criterion Interim Final Rule Text: (1)Local. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. (2)Cross network. Verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information in accordance with the standard specified in §170.210(d). Final Rule Text: §170.302(t) Authentication. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information. Comments. One commenter expressly supported this certification criterion. A majority of commenters expressed concerns related to §170.302(t) and the cross- enterprise authentication standard specified at §170.210(d). Some commenters
misinterpreted our example and stated that Security Assertion Markup Language (SAML) should not be required or be a named standard. One commenter suggested expanding the set of examples we provided. Other commenters requested that the standard and the related portion of the certification criterion be removed because it was too burdensome to implement at the present time, was overly broad, and could be subject to multiple interpretations. Other commenters contended that there is an insufficient infrastructure to support cross-enterprise authentication. One commenter stated that cross-enterprise authentication would not reside in an EHR application, but rather in the network infrastructure. Response. We have considered the concerns issued by commenters and agree that the burden associated with cross enterprise authentication is unnecessarily high and cross-network authentication should not be a condition of certification at the present time. As a result, we have removed this specific part of the certification criterion and the associated standard. Comment. A commenter requested clarification as to whether “user name and password” would be sufficient to authorize a user or whether biometrics would be required. Response. We do not believe that it is appropriate to specify, as a condition of certification, the types of factors that users could utilize to authenticate themselves. §170.302(u) - Encryption Meaningful Use Stage 1 Objective Protect electronic health information created or maintained by the certified EHR Meaningful Use Stage 1 Measure Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement Page 115 of 228 Certification Criterion Interim Final Rule Text: (1) General. Encrypt and decrypt electronic health information according to user-defined preferences in accordance with the standard specified in §170.210(a)(1). (2) Exchange. Encrypt and decrypt electronic health
Page 1 and 2:
DEPARTMENT OF HEALTH AND HUMAN SERV
Page 3 and 4:
HHS Department of Health and Human
Page 5 and 6:
5. Definition of Qualified EHR 6. D
Page 7 and 8:
technology. Section 3004(b)(1) of t
Page 9 and 10:
esolve identified technical challen
Page 11 and 12:
Some commenters appear to have misi
Page 13 and 14:
efficiencies and desired quality im
Page 15 and 16:
codes must be used “inside” an
Page 17 and 18:
not necessarily have applied to our
Page 19 and 20:
3. Definition of Implementation Spe
Page 21 and 22:
program established by the National
Page 23 and 24:
criteria adopted by the Secretary a
Page 25 and 26:
Comment. In the context of the defi
Page 27 and 28:
y the certification criteria for a
Page 29 and 30:
commenters asked whether we meant t
Page 31 and 32:
adopted by the Secretary. The secon
Page 33 and 34:
Response. We would like to make cle
Page 35 and 36:
Response. In the Interim Final Rule
Page 37 and 38:
could be a health care professional
Page 39 and 40:
standard for certain purposes. In s
Page 41 and 42:
e voluntary and would not be requir
Page 43 and 44:
already existing regulatory require
Page 45 and 46:
setting). We also include, where ap
Page 47 and 48:
clarification on why the number of
Page 49 and 50:
more clearly specify this capabilit
Page 51 and 52:
Response. While we do not require t
Page 53 and 54:
that check, the functionality show
Page 55 and 56:
Response. The comments are correct
Page 57 and 58:
enable the user to electronically r
Page 59 and 60:
longitudinal care, or whether the E
Page 61 and 62:
EHR and EHR Module developers to pr
Page 63 and 64: suggestions for different age range
Page 65 and 66: Record smoking status for patients
Page 67 and 68: 23) during the EHR reporting period
Page 69 and 70: laboratory test results are receive
Page 71 and 72: commenters reasoned that because a
Page 73 and 74: laboratory test results to be elect
Page 75 and 76: or outreach Generate patient lists.
Page 77 and 78: months). We believe that these revi
Page 79 and 80: that the PQRI 2009 Registry XML spe
Page 81 and 82: To better align this certification
Page 83 and 84: the capability specified by the cer
Page 85 and 86: vendors were unwilling or unable to
Page 87 and 88: the concerns expressed by some comm
Page 89 and 90: Page 89 of 228 electronically compa
Page 91 and 92: (1) The standard (and applicable im
Page 93 and 94: for the purposes of demonstrating c
Page 95 and 96: Guide for Immunization Messaging Re
Page 97 and 98: Response. We clarify for commenters
Page 99 and 100: serve as a limiting factor, however
Page 101 and 102: Page 101 of 228 Unchanged Comment.
Page 103 and 104: Comment. One commenter suggested th
Page 105 and 106: Response. We appreciate the thought
Page 107 and 108: Complete EHRs or EHR Modules design
Page 109 and 110: Response. We disagree. As stated ab
Page 111 and 112: Response. As discussed above, we ha
Page 113: SHA-1 and other secure hash algorit
Page 117 and 118: Other commenters also expressed con
Page 119 and 120: eferenced in FIPS 140-2 Annex A, wh
Page 121 and 122: of the most secure encryption algor
Page 123 and 124: the disclosure was made (recipient)
Page 125 and 126: Use CPOE for medication orders dire
Page 127 and 128: equire EHRs to build custom interfa
Page 129 and 130: esult, we do not believe that this
Page 131 and 132: was needed before RxNorm could be a
Page 133 and 134: • MDDB - Medi-Span Master Drug Da
Page 135 and 136: Response. We do not believe that it
Page 137 and 138: Send reminders to patients per pati
Page 139 and 140: specified data elements and CMS’s
Page 141 and 142: what would qualify as a "response."
Page 143 and 144: Comment. A commenter recommended th
Page 145 and 146: in accordance with one of the adopt
Page 147 and 148: Comments. Many commenters suggested
Page 149 and 150: flexibility in this certification c
Page 151 and 152: productive, confusing, time-consumi
Page 153 and 154: include in this initial set. Accord
Page 155 and 156: to the HITSP C32 implementation spe
Page 157 and 158: Response. Again, we do not believe
Page 159 and 160: e achieved without these and recomm
Page 161 and 162: electronically record, store, retri
Page 163 and 164: EHRs and EHR Modules designed for a
Page 165 and 166:
§170.205(a)(2)(iii); and (v) The s
Page 167 and 168:
Response. We disagree, as doing so
Page 169 and 170:
Dental Terminology as a condition o
Page 171 and 172:
However, we do not preclude Complet
Page 173 and 174:
ability of CCD and CCR to support t
Page 175 and 176:
ability to receive these reports. M
Page 177 and 178:
commenters acknowledged and express
Page 179 and 180:
a meaningful use objective they wou
Page 181 and 182:
CMS and ONC had worked together to
Page 183 and 184:
The eligible professional or eligib
Page 185 and 186:
EHR technology with the needs of us
Page 187 and 188:
The RFA requires agencies to analyz
Page 189 and 190:
values seemed low and that the gap
Page 191 and 192:
commenter provided), our assumption
Page 193 and 194:
absolute low we estimated for a per
Page 195 and 196:
number of previously CCHIT-certifie
Page 197 and 198:
for Certification Low High Page 197
Page 199 and 200:
Finally, the third type of cost we
Page 201 and 202:
2012 15% $10.10 $30.80 $20.45 3-Yea
Page 203 and 204:
The RFA requires agencies to analyz
Page 205 and 206:
The Office of Management and Budget
Page 207 and 208:
The standards and implementation sp
Page 209 and 210:
The Secretary adopts the following
Page 211 and 212:
any edition other than that specifi
Page 213 and 214:
(e) Regenstrief Institute, Inc., LO
Page 215 and 216:
4. Revise subpart C to read as foll
Page 217 and 218:
smoker; current some day smoker; fo
Page 219 and 220:
(2) Generate audit log. Enable a us
Page 221 and 222:
(3) Medication allergy list; (4) De
Page 223 and 224:
§170.205(a)(1) or §170.205(a)(2).
Page 225 and 226:
(d) Electronic copy of health infor
Page 227 and 228:
specifications) specified in §170.
show all

ehr onc final certification - Department of Health Care Services

Create successful ePaper yourself

Delete template?

Save as template?