Clarifications:
- The ONC Cures Act Final Rule included the requirement for Health IT Modules to support updates to audit logging and has incorporated by reference the standards, as amended effective June 30, 2020, § 170.299(1) ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, approved May 1, 2018, IBR approved for §170.210(h).
- For purposes of certification, a Health IT Module should adhere to any Network Time Protocol (NTP) standard for the synchronized clock requirement.
- Actions and information must be captured in a manner that supports the forensic reconstruction of the sequence of changes to a patient’s chart. [see also 77 FR 54235]
- Any changes to a user’s privileges must be captured to meet this criterion (e.g., user account creation, user switches roles and new privileges are assigned, revoking privileges, account disabling, etc.). [see also 77 FR 54235]
- If the Health IT Module does not include a capability for which an ‘‘action’’ is listed, testing and certification can proceed for the audit log process without the Health IT Module showing that it can record actions related to a non-existent capability.
- Similarly, for example, a developer that is seeking to certify a Health IT Module to § 170.315(h) will not necessarily have end-user device encryption features (see 170.315(d)(7)). As such, certification can proceed for the audit log process without the Health IT Module demonstrating that it can record an encryption status as required by § 170.315(d)(2)(i)(C).
- If third-party software is relied upon to meet the criteria, one of the following approaches applies:
- Approach 1 requires disclosure of the software that was relied upon to meet the criterion.
- Approach 2 requires documentation of how the external services that are necessary to meet the requirements of criteria will be deployed and used.
- A user could be a healthcare professional or office staff; or a software program or service that would interact directly with the Certified Health IT Module. [see also 80 FR 62611; 77 FR 54168] A “user” is not a patient for the purposes of this criterion. [see also 77 FR 54168]
- For Health Information Service Provider (HISP) software that does not normally store patient data, certification to (d)(2) does not create the obligation to do so. Rather, certification to (d)(2) requires that a user is able to produce a forensic reconstruction of events in the case of a security incident. At a minimum, some type of message ID, date/time, sender, receiver, confirmation of receipt, and other values may be necessary. For example, it may be helpful to consider what types of data a user would need to track misrouted or dropped messages. Additionally, the HISP software being certified may contain error queues, support dashboards, and other tools where messages containing protected health information (PHI) are persisted. Audit records would have to be created when actions are performed on PHI through these tools, per (d)(2).
- For portal products seeking (e)(1) certification, testing the activity history log will involve much of the patient level audit recording, such as patient account login, view, download, and transmit actions. This criterion would not be applicable to the patient user. Rather, it applies to administrative functionality such as creating accounts, revoking privileges, and account disabling. It is not applicable to the activity history log for patient use of the (e)(1) functionality.
