ehr onc final certification - Department of Health Care Services
professional or eligible hospital who adopts Certified EHR Technology to use this
capability. We disagree that requiring Certified EHR Technology be capable of
encryption would hinder adoption. To the contrary, we believe that Certified EHR
Technology capable of encrypting electronic health information will be desired,
especially in light of the new breach notification requirements established by the
HITECH Act and the Breach Notification for Unsecured Protected Health Information
Interim Final Rule. We also take this opportunity to make a technical correction to this
certification criterion. We inadvertently combined both encryption capabilities under the
same paragraph and per our reaffirmed interpretation expressed in the Temporary
Certification Program, we believe that the scope of one certification criterion starts at the
first paragraph level and includes all subparagraphs. As a result, we view these as two
distinct capabilities and have created a separate certification criterion for each.

Comments. One commenter stated that the security requirements, particularly for
encryption, are lower than the security standards it already meets. This commenter
consequently believes that our adoption of this standard would require it to reduce the
security of its products. Another commenter stated that encryption technology should not
be integrated into an EHR product, but should instead be implemented through other
means as part of the system on which an EHR may be installed.

Response. We believe that Certified EHR Technology must be capable of
performing encryption. Because of the flexibility in the adopted standard, however, how
encryption is technically implemented is up to the Complete EHR or EHR Module
developer to determine within the parameters of Annex A of FIPS 140-2. Given the
changes we have made to the general encryption standard, we believe that the full range