ehr onc final certification - Department of Health Care Services
Response. As discussed above, we have adopted in the standard the action of
“accessed” which would encompass the action of “read.” At the present time, we only
identify certain data elements in the adopted standard that must be recorded and believe
that this specificity will help reduce any potential burden associated with recording the
action of “accessed.”
§170.302(s) - Integrity

Meaningful Use Stage 1 Objective:
Protect electronic health information created or maintained by the certified EHR
technology through the implementation of appropriate technical capabilities

Meaningful Use Stage 1 Measure:
Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement
security updates as necessary and correct identified security deficiencies as part
of its risk management process

Certification Criterion:

Interim Final Rule Text:
(1) In transit. Verify that electronic health information has not
been altered in transit in accordance with the standard
specified in §170.210(c).
(2) Detection. Detect the alteration and deletion of electronic
health information and audit logs, in accordance with the
standard specified in §170.210(c).

Final Rule Text:
§170.302(s)
(1) Create a message digest in accordance with the standard
specified in 170.210(c).
(2) Verify in accordance with the standard specified in
170.210(c) upon receipt of electronically exchanged health
information that such information has not been altered.
(3) Detection. Detect the alteration of audit logs.
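
An added illustration, not part of the rule text: the three Final Rule elements above (create a digest, verify it on receipt, detect alteration of audit logs) worked through in Python. SHA-256 is an assumed stand-in for the hashing standard in §170.210(c), which this page does not quote; the hash-chained log, the function names and the sample records are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: SHA-256 stands in for the hashing standard of 170.210(c),
# which is not quoted on this page.
GENESIS = "0" * 64  # chain anchor for an empty audit log

def create_digest(data: bytes) -> str:
    """(1) Create a message digest."""
    return hashlib.sha256(data).hexdigest()

def verify_on_receipt(data: bytes, sent_digest: str) -> bool:
    """(2) Recompute on receipt; constant-time compare with the sent digest."""
    return hmac.compare_digest(create_digest(data), sent_digest)

def _entry_digest(prev: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes to the same value.
    return create_digest((prev + json.dumps(event, sort_keys=True)).encode())

def append_entry(log: list, event: dict) -> None:
    """Chain each audit entry to the digest of the entry before it."""
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"event": dict(event), "prev": prev,
                "digest": _entry_digest(prev, event)})

def first_altered_entry(log: list):
    """(3) Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["prev"] != prev
                or entry["digest"] != _entry_digest(prev, entry["event"])):
            return i
        prev = entry["digest"]
    return None

def demo():
    message = b"constructed sample: patient=TEST-0001|result=negative"
    digest = create_digest(message)
    log = []
    for action in ("accessed", "changed", "printed"):  # constructed events
        append_entry(log, {"user": "clinician-01", "action": action})
    log[1]["event"]["action"] = "accessed"  # simulate an after-the-fact edit
    return (verify_on_receipt(message, digest),
            verify_on_receipt(message.replace(b"negative", b"positive"), digest),
            first_altered_entry(log))

if __name__ == "__main__":
    print(demo())
```

A bare digest shows only that the bytes match the digest that arrived with them; it does not authenticate the sender, which is the gap the digital-signature suggestion in the comments addresses. Likewise, the chain detects edits only if the latest digest is kept where whoever can edit the log cannot rewrite it.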
Comments. Several commenters requested a definition of “in transit.” Other
commenters suggested that hashing of messages in transit be limited to circumstances of
transmission over public networks only. These commenters suggested that messages
transmitted over private networks be exempt from complying with this standard. One
commenter suggested that in addition to message hashing, digital signatures should be
required on messages in transit. Another commenter stated that requiring hashing of
messages in transit is overly burdensome. One commenter requested that we clarify
whether we intended §170.302(s)(1) to require that the receiver of a message always
verify messages received rather than simply demonstrate the capability to use hashing.