Technical outcome –
- A user can create one or more audit reports for a specific time period that include some or all of the data specified in sections 7.1.1, 7.1.2 and 7.1.6 through 7.1.9 of ASTM E2147-18 (including changes to user privileges while the health IT is in use), and the date and time of each action are recorded in accordance with RFC 5905.
- The content included in each audit log is sortable.
Clarifications:
- The ONC Cures Act Final Rule included the requirement for Health IT Modules to support section 7.1.3, Duration of Access, of the ASTM E2147-18 standard. However, ONC determined that this requirement is not in scope for testing and certification and removed the 7.1.3 requirement in the subsequent Interim Final Rule (IFR).
- The ONC Cures Act Final Rule included the requirement for Health IT Modules to support updates to audit logging, and it incorporates the standard by reference as amended effective June 30, 2020: § 170.299(1), ASTM E2147-18, Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, approved May 1, 2018, IBR approved for § 170.210(h).
- The ONC Cures Act Final Rule included the requirement for Health IT Modules to support the auditing requirements specified in ASTM E2147-18. For the purposes of certification, the former sections 7.2 and 7.4 have been renumbered as sections 7.1.1 and 7.1.7, and the updated specification is expected to be used.
- For purposes of certification, a Health IT Module should adhere to any Network Time Protocol standard for the synchronized clock requirement.
- For purposes of certification, a Health IT Module may produce a single audit report with all of the specified auditable data or it may produce multiple audit reports with some portion of the required auditable data. However, if this latter approach is used, when all of the audit reports are considered together the total content they include must represent all of the required auditable data (which would be equivalent to the single audit report approach).
- If third-party software is relied upon to meet the criterion, one of the following approaches applies:
  - Approach 1 requires disclosure of the software that was relied upon to meet the criterion.
  - Approach 2 requires documentation of how the external services necessary to meet the requirements of the criterion will be deployed and used.
- A user could be a healthcare professional or office staff, or a software program or service that interacts directly with the certified health IT. A “user” is not a patient for the purposes of this criterion. [see also 77 FR 54168]
- For Health Information Service Provider (HISP) software that does not normally store patient data, certification to § 170.315(d)(3) does not create an obligation to do so. Rather, certification to § 170.315(d)(3) requires that a user be able to produce a forensic reconstruction of events in the case of a security incident. Audit reports must therefore be generated that can sort and filter on the types of data identified in § 170.315(d)(2).