Healthcare Information Security

Cybersecurity News

ONC delivers EHR certification privacy and security guidance

By Patrick Ouellette

- The Office of the National Coordinator for Health IT (ONC) supplied EHR vendors that work with healthcare providers unable to take part in the Stage 2 Meaningful Use of the HITECH Act with further EHR certification clarification this week. Part of this supplemental guidance was the 2014 edition of privacy and security-focused EHR certification criteria.

Though these organizations aren’t Meaningful Use eligible, they “routinely interact with health care providers who are eligible for EHR incentive payments and face policy and technology challenges unique to their settings” and still need to protect patient data. ONC’s table below with certification criteria aims ensure electronic protected health information (ePHI) is protected when it is stored and transmitted and only authorized personnel can access the data. Regardless of customer settings or eligibility, these descriptions will help guide vendors toward privacy and security best practices.

45 CFR §170.314(d)(1)Authentication, Access  Control, and Authorization

Requires EHR technology to be capable of authenticating a user, authorizing them, and establishing their ability to access electronic health.

45 CFR §170.314(d)(2) Auditable Events and Tamper-Resistance

Requires EHR technology to be capable of:

- Recording user actions related to electronic health information in an audit log in addition to when the audit log or the encryption status of electronic health information locally stored on end user devices is disabled or enabled.

- Being set by default to record actions related to electronic health information in an audit log, and recording audit log status or encryption status.

- Only enabling specific users to disable an audit log, if possible.

- Protecting actions and statuses related to the recording of electronic health information, audit log status, and encryption status from being changed, overwritten, or deleted by the EHR technology.

- Detecting when the audit log has been altered.

45 CFR §170.314(d)(3) Audit Report(s)

Requires EHR technology to be capable of:

- Enabling a user to generate an audit report for a specific time period, and

- Sort entries in the audit log according to the data elements specified in the audit log content standard.

45 CFR §170.314(d)(4) Amendments

Requires EHR technology to be capable of enabling a user to capture a patient’s (accepted or denied) request for an amendment to their electronic health information.

45 CFR §170.314(d)(5)Automatic Log-Off

Requires EHR technology to be capable of preventing a user from gaining further access to an electronic session after a predetermined time of inactivity.

45 CFR §170.314(d)(6) Emergency Access

Requires EHR technology to be able to permit an identified set of users to access electronic health information during an emergency.

45 CFR §170.314(d)(7)End-User Device Encryption

Requires EHR technology to be capable of encrypting electronic health information (following security standards from the National Institute of Standards and Technology) when it is designed to store such information on end-user devices after use on those devices stops.

45 CFR §170.314(d)(8)Integrity

Requires EHR technology to be able to use secure hashing standards to verify that electronic health information has not been altered.

45 CFR §170.314(d)(9)Optional – Accounting of Disclosures

Requires EHR technology to be able to record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations.

EHR vendors are required to meet HIPAA requirements for EHR certification regardless of meaningful use participation, but these are helpful security and authentication reminders for EHR technologies. One tip that should stand out is encryption requirements. Among the main reasons why providers may not encrypt their data is they may not have legacy systems that are interoperable with encryption technology, but ONC reminds readers to follow National Institute of Standards and Technology (NIST) standards.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks