ehr onc final certification - Department of Health Care Services
Other commenters also expressed concern that unless TLS is explicitly named, all example protocols would be required to be supported.
Response. The example list of protocols that would meet the certification criterion is not intended to be exhaustive or suggest that Complete EHRs or EHR Modules must be capable of using all of the listed protocols to be certified. The example list of protocols in the Interim Final Rule was included solely for illustrative purposes. We have, however, consistent with the way we have restructured the regulatory text for some standards (to better associate them with the adopted certification criterion that reference them), modified this standard to simply express that the standard is any encrypted and integrity protected link.
Comments. Several commenters suggested replacing the functional description of the encryption standard with a specific reference to FIPS 140-2. These commenters also noted that HHS had included such a reference in an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable that was included in the Breach Notification for Unsecured Protected Health Information Interim Final Rule, published on August 24, 2009 (74 FR 42740), and further, requested that we make our standard consistent with this guidance. Some commenters explicitly recommended that AES be specified as the encryption algorithm standard.
Response. We have considered these commenters’ points and have decided to revise our adopted standard to be more flexible regarding the encryption algorithms we permit EHR Technology to implement to be certified. We have also sought to clarify how our adopted standard relates to the guidance included in the breach notification