ehr onc final certification - Department of Health Care Services
ehr onc final certification - Department of Health Care Services ehr onc final certification - Department of Health Care Services
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged: (a) Encryption and decryption of electronic health information—(1) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2 (incorporated by reference in §170.299). (2) Exchange. Any encrypted and integrity protected link. (b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded. (c) Verification that electronic health information has not been altered in transit. Standard. A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-3 (October, 2008)) must be used to verify that electronic health information has not been altered. (d) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501. §170.299 Incorporation by reference. (a) Certain material is incorporated by reference into this subpart with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce Page 210 of 228
any edition other than that specified in this section, the Department of Health and Human Services must publish notice of change in the Federal Register and the material must be available to the public. All approved material is available for inspection at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030 or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.h tml. Also, it is available for inspection at U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, Hubert H. Humphrey Building, Suite 729D, 200 Independence Ave, S.W., Washington, DC 20201, call ahead to arrange for inspection at 202-690-7151, and is available from the sources listed below. (b) Health Level Seven, 3300 Washtenaw Avenue, Suite 227, Ann Arbor, MI 48104; Telephone (734) 677-7777 or http://www.hl7.org/. (1) Health Level Seven Standard Version 2.3.1 (HL7 2.3.1), An Application Protocol for Electronic Data Exchange in Healthcare Environments, April 14, 1999, IBR approved for §170.205. (2) Health Level Seven Messaging Standard Version 2.5.1 (HL7 2.5.1), An Application Protocol for Electronic Data Exchange in Healthcare Environments, February 21, 2007, IBR approved for §170.205. (3) Health Level Seven Implementation Guide: Clinical Document Architecture (CDA) Release 2 – Continuity of Care Document (CCD), April 01, 2007, IBR approved for §170.205. Page 211 of 228
- Page 159 and 160: e achieved without these and recomm
- Page 161 and 162: electronically record, store, retri
- Page 163 and 164: EHRs and EHR Modules designed for a
- Page 165 and 166: §170.205(a)(2)(iii); and (v) The s
- Page 167 and 168: Response. We disagree, as doing so
- Page 169 and 170: Dental Terminology as a condition o
- Page 171 and 172: However, we do not preclude Complet
- Page 173 and 174: ability of CCD and CCR to support t
- Page 175 and 176: ability to receive these reports. M
- Page 177 and 178: commenters acknowledged and express
- Page 179 and 180: a meaningful use objective they wou
- Page 181 and 182: CMS and ONC had worked together to
- Page 183 and 184: The eligible professional or eligib
- Page 185 and 186: EHR technology with the needs of us
- Page 187 and 188: The RFA requires agencies to analyz
- Page 189 and 190: values seemed low and that the gap
- Page 191 and 192: commenter provided), our assumption
- Page 193 and 194: absolute low we estimated for a per
- Page 195 and 196: number of previously CCHIT-certifie
- Page 197 and 198: for Certification Low High Page 197
- Page 199 and 200: Finally, the third type of cost we
- Page 201 and 202: 2012 15% $10.10 $30.80 $20.45 3-Yea
- Page 203 and 204: The RFA requires agencies to analyz
- Page 205 and 206: The Office of Management and Budget
- Page 207 and 208: The standards and implementation sp
- Page 209: The Secretary adopts the following
- Page 213 and 214: (e) Regenstrief Institute, Inc., LO
- Page 215 and 216: 4. Revise subpart C to read as foll
- Page 217 and 218: smoker; current some day smoker; fo
- Page 219 and 220: (2) Generate audit log. Enable a us
- Page 221 and 222: (3) Medication allergy list; (4) De
- Page 223 and 224: §170.205(a)(1) or §170.205(a)(2).
- Page 225 and 226: (d) Electronic copy of health infor
- Page 227 and 228: specifications) specified in §170.
The Secretary adopts the following standards to protect electronic health information<br />
created, maintained, and exchanged:<br />
(a) Encryption and decryption <strong>of</strong> electronic health information—(1) General. Any<br />
encryption algorithm identified by the National Institute <strong>of</strong> Standards and Technology<br />
(NIST) as an approved security function in Annex A <strong>of</strong> the Federal Information<br />
Processing Standards (FIPS) Publication 140-2 (incorporated by reference in §170.299).<br />
(2) Exchange. Any encrypted and integrity protected link.<br />
(b) Record actions related to electronic health information. The date, time, patient<br />
identification, and user identification must be recorded when electronic health<br />
information is created, modified, accessed, or deleted; and an indication <strong>of</strong> which<br />
action(s) occurred and by whom must also be recorded.<br />
(c) Verification that electronic health information has not been altered in transit.<br />
Standard. A hashing algorithm with a security strength equal to or greater than SHA-1<br />
(Secure Hash Algorithm (SHA-1) as specified by the National Institute <strong>of</strong> Standards and<br />
Technology (NIST) in FIPS PUB 180-3 (October, 2008)) must be used to verify that<br />
electronic health information has not been altered.<br />
(d) Record treatment, payment, and health care operations disclosures. The date, time,<br />
patient identification, user identification, and a description <strong>of</strong> the disclosure must be<br />
recorded for disclosures for treatment, payment, and health care operations, as these<br />
terms are defined at 45 CFR 164.501.<br />
§170.299 Incorporation by reference.<br />
(a) Certain material is incorporated by reference into this subpart with the approval <strong>of</strong> the<br />
Director <strong>of</strong> the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce<br />
Page 210 <strong>of</strong> 228