ehr onc final certification - Department of Health Care Services
Response. We intend for this certification criterion to support, at a minimum, the HIPAA Security Rule implementation specification provided at 45 CFR 164.312(e)(2)(i) “[i]mplement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.” Because this certification criterion specifies a capability that Certified EHR Technology must include, we do not believe that it is necessary or appropriate for us to address whether hashing is applicable to public and private networks. Additionally, we clarify that Certified EHR Technology must include the capability to check the integrity of health information that has been received through electronic exchange. However, similar to our approach to many adopted certification criteria, we do not specify the instances in which this capability needs to be executed. Nevertheless, in response to public comments we have attempted to clarify this certification criterion. We clarify that we expect Certified EHR Technology to be capable of creating a message digest and when in receipt of a message digest, to use the message digest to verify that the contents of the message have not been altered. We have revised the certification criterion to clarify our intent.
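
The capability described in this response (create a message digest, and on receipt use it to verify the message is unaltered), sketched as an added example that is not part of the rule or of any certified product. The SHA-1 floor comes from the revised standard quoted in this response; the strength table, function names and sample record are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption (not from the rule): "security strength" is ranked by nominal
# collision resistance in bits, i.e. half the digest length. SHA-1 is the floor.
NOMINAL_STRENGTH_BITS = {
    "md5": 64, "sha1": 80, "sha224": 112,
    "sha256": 128, "sha384": 192, "sha512": 256,
}
FLOOR_BITS = NOMINAL_STRENGTH_BITS["sha1"]


class IntegrityError(Exception):
    """Raised when a digest algorithm is unknown or below the SHA-1 floor."""


def _checked_algorithm(name: str) -> str:
    alg = name.strip().lower().replace("-", "")  # accept "SHA-256" or "sha256"
    strength = NOMINAL_STRENGTH_BITS.get(alg)
    if strength is None:
        raise IntegrityError(f"unknown digest algorithm: {name!r}")
    if strength < FLOOR_BITS:
        raise IntegrityError(f"{name!r} is weaker than SHA-1; refusing to use it")
    return alg


def create_digest(message: bytes, algorithm: str = "SHA-256") -> str:
    """Sender side: hex message digest to transmit alongside the message."""
    return hashlib.new(_checked_algorithm(algorithm), message).hexdigest()


def verify_digest(message: bytes, algorithm: str, received_digest: str) -> bool:
    """Receiver side: recompute the digest and compare in constant time."""
    expected = create_digest(message, algorithm)
    received = received_digest.strip().lower()
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    record = b"constructed sample: patient summary document"  # constructed input
    digest = create_digest(record)
    print("unaltered:", verify_digest(record, "SHA-256", digest))
    print("altered:  ", verify_digest(record + b" (edited)", "SHA-256", digest))
```

An unkeyed digest detects alteration only when the digest reaches the receiver by a path that whoever modified the message cannot also change.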

Additionally, based on these revisions in the certification criterion, we wish to clarify the wording of the integrity standard specified at 170.210(c). The standard currently includes the words “or higher” at the end of the standard. To provide more certainty to the industry of our intended meaning, we are replacing those words with more accurate terminology. We have modified the standard to read as follows: “A hashing algorithm with a security strength equal to or greater than SHA-1 must be used to verify that electronic health information has not been altered.” More information on