ehr onc final certification - Department of Health Care Services
ehr onc final certification - Department of Health Care Services
ehr onc final certification - Department of Health Care Services
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>of</strong> the most secure encryption algorithms are available for Complete EHR and EHR<br />
Module developers to implement.<br />
Comments. A few commenters stated that the term “user-defined preferences” in<br />
the <strong>certification</strong> criteria was too vague and allowed too much latitude for divergent<br />
interpretations <strong>of</strong> the requirement. Other commenters noted that users do not always get<br />
to define such preferences as they would conflict with overarching organizational<br />
policies.<br />
Response. We intended the phrase, “according to user-defined preferences” in the<br />
Interim Final Rule, to mean that users would have the ability to elect when they wanted<br />
encryption to occur, for example, at log-<strong>of</strong>f. We recognize that organizational policies,<br />
s<strong>of</strong>tware as service models and other architectures in which Certified EHR Technology<br />
may be implemented, could lead to encryption being instituted in significantly different<br />
ways and, as a result, we have removed the reference to “user-defined preferences.”<br />
§170.302(v) - Accounting <strong>of</strong> disclosures<br />
Meaningful Use Stage 1<br />
Objective<br />
Protect electronic health<br />
information created or<br />
maintained by the certified<br />
EHR technology through the<br />
implementation <strong>of</strong><br />
appropriate technical<br />
capabilities<br />
Meaningful Use Stage 1<br />
Measure<br />
Conduct or review a<br />
security risk analysis per<br />
45 CFR 164.308 (a)(1) and<br />
implement security updates<br />
as necessary and correct<br />
identified security<br />
deficiencies as part <strong>of</strong> its<br />
risk management process<br />
Page 121 <strong>of</strong> 228<br />
Certification Criterion<br />
Interim Final Rule Text:<br />
Record disclosures made for treatment,<br />
payment, and health care operations in<br />
accordance with the standard specified in<br />
§170.210(e).<br />
Final Rule Text:<br />
§170.302(w)<br />
Certification criterion made optional, while the<br />
text <strong>of</strong> this <strong>certification</strong> criterion remains<br />
unchanged<br />
Comments. Many commenters asserted that the <strong>certification</strong> criterion and<br />
accompanying standard for accounting <strong>of</strong> disclosures for treatment, payment, and health<br />
care operations (as these terms are defined at 45 CFR 164.501) would be a resource