Multi-factor authentication

Clarifications:

• The criterion does not require certified health IT to have these capabilities or for health IT developers to implement these capabilities for a specific use case or any use case, just to attest “yes” or “no” to whether the Health IT Module supports multi-factor authentication. The criteria places no requirements on health IT customers, such as health care providers, to implement these capabilities (if present in their products) in their healthcare settings.
• Health IT developers attesting “yes” to supporting multi-factor authentication must provide a report outlining the use cases supported to the ONC Authorized Certification Body (ONC-ACB) that is either a hard copy or in an acceptable human readable electronic format.  To be open and transparent to the public, developers must also provide a hyperlink to any required use cases or optional documentation to be published with the product on the ONC Certified Health IT Product List (CHPL).  

Clarifications:

• If a health IT developer attests “yes” it must describe the use cases supported. For example, a health IT developer could attest “yes” to supporting multi-factor authentication and provide a summary that the Health IT Module supports multi-factor authentication for remote access by clinical users, thus providing clarity on the user roles to which multi-factor authentication applies for that particular Health IT Module.
• Health IT developers are not expected to provide specific technical details about how they support multi-factor authentication as that information could pose security risks. A succinct, high-level summary that gives an indication of the types of uses supported is adequate.
• If a health IT developer adds a new multi-factor authentication use case it must comply with this criterion’s “yes” attestation provisions and be part of the quarterly CHPL reporting by health IT developers and ONC-ACBs under § 170.523(m).

Clarifications:

• Health IT developers will be permitted, but not required, to provide a reason for attesting “no,” which may be due to multi-factor authentication being inapplicable or inappropriate. In those cases, a health IT developer could, for example, state that the Health IT Module does not support multi-factor authentication because it is engaged in system-to-system public health reporting and multi-factor authentication is not applicable.