
§170.315(d)(3) Audit report(s)

Updated on 08-25-2021
Resource Documents
Revision History
Version # | Description of Change | Version Date
1.0 | Final Test Procedure | 01-08-2016
1.1 | Updated Gap Eligibility. | 04-08-2016
1.2 | Step 2 for SUT and TLV were both clarified and changed to reflect that multiple audit reports can also be created to meet the criterion. The data references in the SUT column were also re-ordered to make the required data clearer. | 05-26-2017
1.3 | As of September 21, 2017, the Test Procedure has been moved to Attestation/Developer self-declaration only. | 09-21-2017
1.4 | Changed language from self-declaration to attestation. | 08-25-2021
Regulation Text

§ 170.315 (d)(3) Audit report(s)—

Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards in §170.210(e).

Standard(s) Referenced

Applies to entire criterion

§ 170.210(e)(1)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.2 and 7.1.6 through 7.1.9 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
  2. The date and time must be recorded in accordance with the standard specified at § 170.210(g).

(2)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the audit log status is changed.
  2. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

(3) The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

§ 170.210(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized following (RFC 5905) Network Time Protocol Version 4, (incorporated by reference in § 170.299).

§ 170.210(h) Audit log content. ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

Testing components

Attestation: As of September 21, 2017, the testing approach for this criterion is satisfied by attestation.

The archived version of the Test Procedure is attached below for reference.

System Under Test | ONC-ACB Verification
The health IT developer attests directly to the ONC-ACB to conformance with the §170.315(d)(3) Audit report(s) requirements. | The ONC-ACB verifies that the health IT developer has attested conformance to the §170.315(d)(3) Audit report(s) requirements.


Archived Version:
Updated on 08-02-2021
Resource Documents
Revision History
Version # | Description of Change | Version Date
1.0 | Initial Publication | 06-15-2020
1.1 | Updated regulation text, removed clarifications, and added compliance dates addressed in the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency. | 11-02-2020
1.2 | Updated to include flexibility for use of Microsoft NTP for Health IT using a Microsoft OS for network time synchronization. | 08-02-2021
Certification Companion Guide: Audit report(s)

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.


Certification Requirements

Design and Performance: Quality management system (QMS) (§ 170.315(g)(4)) and Accessibility-centered design (§ 170.315(g)(5)) must be certified as part of the overall scope of the certificate issued to the product.

  • When a single QMS is used, the QMS only needs to be identified once. Otherwise, when different QMS are used, each QMS needs to be separately identified for every capability to which it was applied.
  • When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively, the developer must state that no accessibility-centered design was used.
Technical Explanations and Clarifications


Applies to entire criterion

Technical outcome –

  • A user can create one or more audit reports for a specific time period that include some or all of the data specified in sections 7.1.1, 7.1.2 and 7.1.6 through 7.1.9 of ASTM E2147-18, including changes to user privileges when health IT is in use, and record the date and time of each action using a clock synchronized in accordance with RFC 5905.
  • The content included in each audit report is sortable by each of the specified data elements.

Clarifications:

  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support 7.1.3 Duration of Access in the ASTM E2147-18 standard. However, ONC determined this requirement will not be in scope for testing and certifying to the 2015 Edition Cures Update certification and removed the 7.1.3 requirement in the subsequent IFR.
  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support updates to audit logging and has incorporated by reference the standard, as amended effective June 30, 2020, at § 170.299(1): ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, approved May 1, 2018, IBR approved for § 170.210(h).
  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support the auditing requirements as specified in ASTM E2147-18. For the purposes of certification, the references to sections 7.2 and 7.4 (of the earlier edition of the standard) have been updated to sections 7.1.1 and 7.1.7. It is the expectation that the updated specification will be used.
  • For purposes of certification, a Health IT Module should adhere to (RFC 5905) Network Time Protocol Version 4 for the synchronized clock requirement. The previous (RFC 1305) Network Time Protocol is obsolete and was replaced by the updated standard in the IFR.
  • Certified health IT running on a Microsoft operating system that uses the operating system to synchronize network time may use Microsoft's implementation of Network Time Protocol (MS NTP) as an alternative to Network Time Protocol Version 4 (RFC 5905) as specified in § 170.210(g), and must still meet the time accuracy requirement as defined in the certification criteria.

  • For the purposes of certification, a Health IT Module may produce a single audit report with all of the specified auditable data, or it may produce multiple audit reports each containing some portion of the required auditable data. However, if the latter approach is used, when all of the audit reports are considered together the total content they include must represent all of the required auditable data (which would be equivalent to the single audit report approach).

  • If third party software is relied upon to meet the criteria, one of the following approaches applies:
    • Approach 1 requires disclosure of the software that was relied upon to meet the criterion.
    • Approach 2 requires documentation of how the external services that are necessary to meet the requirements of criteria will be deployed and used.
  • A user could be a healthcare professional or office staff; or a software program or service that would interact directly with the certified health IT. [see 80 FR 62611; 77 FR 54168] A “user” is not a patient for the purposes of this criterion. [see also 77 FR 54168]
  • For Health Information Service Provider (HISP) software that does not normally store patient data, certification to § 170.315 (d)(3) does not create the obligation to do so. Rather, certification to § 170.315(d)(3) requires that a user is able to produce a forensic reconstruction of events in the case of a security incident. Audit reports would need to be generated that can sort and filter on the types of data identified in § 170.315(d)(2).
  • Compliance date updated to December 31, 2022, per IFR.
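The two capabilities the technical outcome above describes (a report restricted to a specific time period, sortable on each data element) and the single-versus-multiple-report clarification are illustrated below in an added example. This is not ONC's code nor any certified product's implementation. The column names (event_time, user_id, patient_id, action, data_id, source) and the log entries are constructed for illustration only and are not the ASTM E2147-18 section titles; the point is the time-window boundary handling with mixed UTC offsets, the stable per-field sort, and the union check across partial reports.

```python
"""Audit report over an audit log: time-period filter, per-field sort, and a
coverage check for the multiple-report approach.

Added example; not ONC or vendor code. Field names are assumptions for
illustration and do not correspond to ASTM E2147-18 section titles.
"""
from datetime import datetime

# Assumed set of required data elements for the report (illustrative names).
REQUIRED_FIELDS = ("event_time", "user_id", "patient_id", "action", "data_id", "source")

# Constructed sample audit log. Every timestamp carries a UTC offset, as it
# should when written from an NTP-synchronised system clock. One entry uses a
# non-UTC offset on purpose: it must be compared by instant, not by string.
AUDIT_LOG = [
    {"event_time": "2024-03-01T09:00:00Z", "user_id": "nurse01", "patient_id": "P100",
     "action": "query", "data_id": "labs", "source": "ws-12"},
    {"event_time": "2024-03-01T10:30:00+01:00", "user_id": "dr.lee", "patient_id": "P200",
     "action": "update", "data_id": "meds", "source": "ws-03"},
    {"event_time": "2024-03-01T09:15:00Z", "user_id": "nurse01", "patient_id": "P200",
     "action": "print", "data_id": "summary", "source": "ws-12"},
    {"event_time": "2024-03-02T08:00:00Z", "user_id": "sysadmin", "patient_id": None,
     "action": "privilege_change", "data_id": "role:nurse01", "source": "console"},
    {"event_time": "2024-03-01T23:59:59Z", "user_id": "sysadmin", "patient_id": None,
     "action": "audit_status_change", "data_id": "audit_log:enabled", "source": "console"},
]


def parse_ts(value):
    """Parse an ISO 8601 / RFC 3339 timestamp into an offset-aware datetime.

    A trailing 'Z' is normalised to '+00:00' for older Python versions. Naive
    timestamps are rejected: without an offset a report window cannot be
    evaluated reliably.
    """
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value!r}")
    return ts


def _sort_key(entry, field):
    # Chronological sort compares instants; any other field sorts on its
    # value with event_time as the tie-breaker so equal keys stay in order.
    if field == "event_time":
        return (parse_ts(entry["event_time"]),)
    return (str(entry.get(field) or ""), parse_ts(entry["event_time"]))


def audit_report(log, start, end, sort_by="event_time", fields=REQUIRED_FIELDS):
    """Return entries with start <= event_time < end, sorted by `sort_by`.

    The window is half-open so that adjacent daily reports neither overlap
    nor leave a gap at midnight. `start` and `end` are offset-aware datetimes.
    """
    if sort_by not in fields:
        raise ValueError(f"cannot sort on unknown field {sort_by!r}")
    rows = [e for e in log if start <= parse_ts(e["event_time"]) < end]
    rows.sort(key=lambda e: _sort_key(e, sort_by))
    return [{f: e.get(f) for f in fields} for e in rows]


def reports_cover_required(report_field_sets, required=REQUIRED_FIELDS):
    """Check the multiple-report approach: the union of the fields carried by
    the individual reports must cover every required element.

    Returns (ok, missing_fields_sorted).
    """
    covered = set()
    for fields in report_field_sets:
        covered.update(fields)
    missing = sorted(set(required) - covered)
    return (not missing, missing)


if __name__ == "__main__":
    day = audit_report(AUDIT_LOG, parse_ts("2024-03-01T00:00:00Z"), parse_ts("2024-03-02T00:00:00Z"))
    for row in day:
        print(row)
    print(reports_cover_required([("event_time", "user_id", "action"),
                                  ("event_time", "patient_id", "data_id", "source")]))
```

In a real product the window bounds would come from the user's report request and the log from durable storage; the parts worth keeping are the rejection of offset-less timestamps, the half-open window, and the coverage check before a multi-report configuration is declared equivalent to a single full report.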
