Clarifications:
- In order to meet the Base EHR Definition, a provider would need to possess technology that has been certified to either this criterion at § 170.315(h)(2) or the “Direct Project” criterion at § 170.315(h)(1).
- Several training/demo videos of the Edge Testing Tool (ETT) used for the testing and certification of health IT are available on GitHub.
- Please address any ETT technical questions through the ETT Google Group.
- This certification criterion uses the Applicability Statement for Secure Health Transport, Version 1.2 standard. This new version of the specification includes updates that improve interoperability through the clarification of requirements that have been subject to varying interpretations, particularly requirements around message delivery notifications. This version also clarifies pertinent requirements in the standards underlying the Applicability Statement for Secure Health Transport. Refer to the standard for more details about the improvements it includes. [see also 80 FR 62679]
- Testing for this criterion will require the processing of invalid test cases that frequently occur in real-world situations so that Security/Trust Agents (STAs) can demonstrate error handling abilities, including handling XDM packages and message disposition.
- Direct, the Edge protocols (SMTP, XDR) and XDM processing are the required standards for health IT certifying to (h)(2). IMAP and POP3 are optional SMTP standards. [see also 80 FR 62680]
- Certification to this criterion is the only option for “transport-only” focused health information services providers (HISPs). However, HISP technology certified to this criterion would be able to electronically exchange with any health IT certified to § 170.315(b)(1) Transitions of care criterion. Further, HISP technology certified to this criterion may also be used to meet the Base EHR definition with any other health IT certified to § 170.315(b)(1) without the need for joint certification of the products.
- Consistent with the IG for Delivery Notification in Direct, ONC's policy intent is that the receiving HISP must provide delivery notification messages either when it is also the sending HISP, or when it is specifically requested to do so by the sending HISP. A HISP is not compelled to request delivery notifications, but a certified HISP is required to produce them if requested.
- A secure network is generally recognized as one where all of the nodes (endpoints) are known, uniquely identified, access controlled, with strong end-to-end encryption. For example, a virtual private network (VPN) or a network physically isolated from any other with specialized equipment using endpoint encryption.
