OpenEMR QA against NIST
Color Legend
PASSED TEST | FEATURE NOT IMPLEMENTED OR NOT YET TESTED | CURRENTLY UNDERGOING TESTING/ANALYSIS | FLAGGED FOR TESTING
NIST Meaningful Use Test Method by Criteria
Status Summary:
NIST Meaningful Use Test Method
§170.302 | §170.304
Links to individual testing procedures were pulled from Approved Test Procedures Version 1.1 Effective October 24, 2010 and could become stale. If so, please edit this page to link to the most recent, approved, and effective version(s).
§170.302 General Certification Criteria
Status Summary:
General Certification Criteria
a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w
(a) Drug-drug, drug-allergy interaction checks
NIST Test Procedure for §170.302 (a) Drug-drug, drug-allergy interaction checks
No test results.
Currently unimplemented in OpenEMR.
(b) Drug formulary checks
NIST Test Procedure for §170.302 (b) Drug formulary checks
Currently unimplemented in OpenEMR.
(c) Maintain up-to-date problem list
NIST Test Procedure for §170.302 (c) Maintain up-to-date problem list
Pass (9/9). File:Problem list.pdf
Implemented in fc72 and later versions of OpenEMR.
(d) Maintain active medication list
NIST Test Procedure for §170.302 (d) Maintain Active Medication List
Pass (10/10). File:Medication List.pdf
Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(e) Maintain active medication allergy list
NIST Test Procedure for §170.302 (e) Maintain active medication allergy list
Pass (6/6). File:Medication Allergy.pdf (Note: The quoted section of the Final Rule is incorrect, but the test results are for §170.302 (e))
Implemented in fc72 and later versions of OpenEMR.
(f) Record and chart vital signs
Status Summary:
Record and chart vital signs
1 | 2 | 3
(1) Vital signs
NIST Test Procedure for §170.302 (f) (1) Vital Signs
Pass (16/16). All test results for (f) Record and chart vital signs are combined in one document linked above.
Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(2) Calculate body mass index
NIST Test Procedure for §170.302(f) (2) Calculate Body Mass Index
Pass (5/5). All test results for (f) Record and chart vital signs are combined in one document linked above.
Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(3) Plot and display growth charts
NIST Test Procedure for §170.302(f) (3) Plot and Display Growth Charts
Pass (9/9). All test results for (f) Record and chart vital signs are combined in one document linked above.
Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(g) Smoking status
NIST Test Procedure for §170.302 (g) Smoking Status
Pass (10/10). File:Smoking Status.pdf
Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(h) Incorporate laboratory test results
NIST Test Procedure for §170.302 (h) Incorporate laboratory test results
Currently unimplemented in OpenEMR.
(i) Generate patient lists
NIST Test Procedure for §170.302 (i) Generate patient lists
Pass
Implemented in a7ec and later versions of OpenEMR. (note the above link points to the patch)
(j) Medication reconciliation
NIST Test Procedure for §170.302 (j) Medication reconciliation
Currently unimplemented in OpenEMR.
A patch available in the tracker did not pass NIST QA testing. Awaiting a new patch - see Test Summary link below for details. Patch
Test Summary for Medication reconciliation
(k) Submission to immunization registries
NIST Test Procedure for §170.302 (k) Submission to immunization registries
Currently unimplemented in OpenEMR.
(l) Public health surveillance
NIST Test Procedure for §170.302 (l) Public health surveillance
Implemented in d6db and later versions of OpenEMR.
Ready to test (Syndromic Surveillance)
(m) Patient specific education resources
NIST Test Procedure for §170.302 (m) Patient specific education resources
Currently unimplemented in OpenEMR.
(n) Automated measure calculation
NIST Test Procedure for §170.302 (n) Automated measure calculation
Currently unimplemented in OpenEMR.
(o) Access control
NIST Test Procedure for §170.302 (o) Access Control
Pass (8/8). File:Access Control.pdf
Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(p) Emergency access
NIST Test Procedure for §170.302 (p) Emergency Access
Pass (9/9). File:Emergency-Access.pdf
Configuring and testing Emergency access
Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(q) Automatic log-off
NIST Test Procedure for §170.302 (q) Automatic log-off
Pass (2/2). File:Automatic Log Off.pdf
Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.
(r) Audit log
NIST Test Procedure for §170.302 (r) Audit Log
Pass (15/15). File:Audit log.pdf
Implemented in e97e and later versions of OpenEMR.
(s) Integrity
NIST Test Procedure for §170.302 (s) Integrity
Fail (6/6). File:Data Integrity.pdf Failure Reason: The hashing algorithm currently in use is MD5. The standard requires an algorithm at least as strong as SHA-1. According to Wikipedia, SHA-1 has 51 bits of effective security, while MD5 has less than 21. In fact, (unsalted) MD5 collisions can be found in seconds on GHz-class 32-bit PCs.
Currently implemented poorly in OpenEMR. Please edit this page to include information about the implementation location in the source tree.
Per ICSA:
- As long as you can demonstrate that the hash value has been created, and then a different hash value appears once the data is modified. SSL would also meet the requirements for transport. The secure hashing algorithm used to provide the hash value should also be SHA-1 or higher. For this test procedure you would also have to electronically exchange test data (that you specify) and the generated message digest to a receiving system (of your choice) and demonstrate that the electronically exchanged message digest and the message digest generated on the receiving system are the same for the provided test data.
(t) Authentication
NIST Test Procedure for §170.302 (t) Authentication
Pass (10/10). File:Authentication.pdf
Currently implemented by OpenEMR using client SSL certificates. Please edit this page to include information about the implementation location in the source tree.
(u) General encryption
NIST Test Procedure for §170.302 (u) General encryption
Currently unimplemented in OpenEMR?
Per ICSA:
- General Encryption: 3rd party applications can be used to satisfy this requirement. Any 3rd party application used would be considered part of the system seeking certification, and would need to use a standards based algorithm as identified in the NIST test procedures (FIPS 140-2). The algorithm as well as the 3rd party application would be documented as part of your self-attestation materials. It is up to the applicant to decide what data is encrypted during the testing session, as the NIST procedures are not specific on that point. It may not be necessary to have a separate screen that shows the process, however you would be required to demonstrate that the selected data has been encrypted, and can be decrypted, and provide documentation and self-attestation as to the type of algorithm and any 3rd party applications. SHA-1 or higher should be used for any 3rd party applications used to meet this step.
(v) Encryption when exchanging electronic health information
NIST Test Procedure for §170.302 (v) Encryption when exchanging electronic health information
Pass (5/5). File:Encryption For Exchanging Health Information.pdf
Currently implemented by OpenEMR when using Apache configured for SSL. Please edit this page to include information about the implementation location in the source tree.
(w) Accounting of disclosures (optional)
NIST Test Procedure for §170.302 (w) Optional. Accounting of Disclosures
Pass (5/5). File:Disclosure.pdf
Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.
§170.304 Ambulatory Certification Criteria
Status Summary:
Ambulatory Certification Criteria
a | b | c | d | e | f | g | h | i | j
(a) Computerized provider order entry
NIST Test Procedure for §170.304 (a) Computerized provider order entry
Implemented in 6e74 and later versions of OpenEMR.
PENDING FINAL TESTING
(b) Electronic Prescribing
NIST Test Procedure for §170.304 (b) Electronic Prescribing
Currently unimplemented in OpenEMR.
(c) Record demographics
NIST Test Procedure for §170.304 (c) Record Demographics
Pass (12/12). File:Demographics.pdf
Implemented in 1c745 and later versions of OpenEMR.
(d) Patient reminders
NIST Test Procedure for §170.304 (d) Patient reminders
Currently unimplemented in OpenEMR.
(e) Clinical decision support
NIST Test Procedure for §170.304 (e) Clinical decision support
Currently unimplemented in OpenEMR.
(f) Electronic copy of health information
NIST Test Procedure for §170.304 (f) Electronic copy of health information
Currently unimplemented in OpenEMR.
(g) Timely access
NIST Test Procedure for §170.304 (g) Timely access
Currently unimplemented in OpenEMR.
(h) Clinical summaries
NIST Test Procedure for §170.304 (h) Clinical summaries
Currently unimplemented in OpenEMR.
(i) Exchange clinical information and patient summary record
NIST Test Procedure for §170.304 (i) Exchange clinical information and patient summary record
Currently unimplemented in OpenEMR.
(j) Calculate and submit clinical quality measures
NIST Test Procedure for §170.304 (j) Calculate and submit clinical quality measures
Currently unimplemented in OpenEMR.