OpenEMR QA against NIST

From OpenEMR Project Wiki

Color Legend

PASSED TEST
FEATURE NOT IMPLEMENTED OR NOT YET TESTED
CURRENTLY UNDERGOING TESTING/ANALYSIS
FLAGGED FOR TESTING

NIST Meaningful Use Test Method by Criteria

Status Summary:

NIST Meaningful Use Test Method
§170.302 §170.304

Links to individual testing procedures were pulled from Approved Test Procedures Version 1.1, effective October 24, 2010, and could become stale. If so, please edit this page to link to the most recent, approved, and effective version(s).

§170.302 General Certification Criteria

Status Summary:

General Certification Criteria
a b c d e f g h i j k l m n o p q r s t u v w

(a) Drug-drug, drug-allergy interaction checks

NIST Test Procedure for §170.302 (a) Drug-drug, drug-allergy interaction checks

No test results.

Currently unimplemented in OpenEMR.

(b) Drug formulary checks

NIST Test Procedure for §170.302 (b) Drug formulary checks

Currently unimplemented in OpenEMR.

(c) Maintain up-to-date problem list

NIST Test Procedure for §170.302 (c) Maintain up-to-date problem list

Pass (9/9). File:Problem list.pdf

Implemented in fc72 and later versions of OpenEMR.

(d) Maintain active medication list

NIST Test Procedure for §170.302 (d) Maintain Active Medication List

Pass (10/10). File:Medication List.pdf

Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(e) Maintain active medication allergy list

NIST Test Procedure for §170.302 (e) Maintain active medication allergy list

Pass (6/6). File:Medication Allergy.pdf (Note: The quoted section of the Final Rule is incorrect, but the test results are for §170.302 (e))

Implemented in fc72 and later versions of OpenEMR.

(f) Record and chart vital signs

Status Summary:

Record and chart vital signs
1 2 3

File:Vital sign.pdf

(1) Vital signs

NIST Test Procedure for §170.302 (f) (1) Vital Signs

Pass (16/16). All test results for (f) Record and chart vital signs are combined in one document linked above.

Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(2) Calculate body mass index

NIST Test Procedure for §170.302(f) (2) Calculate Body Mass Index

Pass (5/5). All test results for (f) Record and chart vital signs are combined in one document linked above.

Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(3) Plot and display growth charts

NIST Test Procedure for §170.302(f) (3) Plot and Display Growth Charts

Pass (9/9). All test results for (f) Record and chart vital signs are combined in one document linked above.

Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(g) Smoking status

NIST Test Procedure for §170.302 (g) Smoking Status

Pass (10/10). File:Smoking Status.pdf

Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(h) Incorporate laboratory test results

NIST Test Procedure for §170.302 (h) Incorporate laboratory test results

(i) Generate patient lists

NIST Test Procedure for §170.302 (i) Generate patient lists

Implemented in a7ec and later versions of OpenEMR.

Needs to undergo NIST QA testing.

(j) Medication reconciliation

NIST Test Procedure for §170.302 (j) Medication reconciliation

Currently not committed in OpenEMR code. A patch is available in the tracker.
Test Summary for Medication reconciliation

(k) Submission to immunization registries

NIST Test Procedure for §170.302 (k) Submission to immunization registries

Currently unimplemented in OpenEMR.

(l) Public health surveillance

NIST Test Procedure for §170.302 (l) Public health surveillance

Implemented in d6db and later versions of OpenEMR.

Ready to test (Syndromic Surveillance)

(m) Patient specific education resources

NIST Test Procedure for §170.302 (m) Patient specific education resources

Currently unimplemented in OpenEMR.

(n) Automated measure calculation

NIST Test Procedure for §170.302 (n) Automated measure calculation

Currently unimplemented in OpenEMR.

(o) Access control

NIST Test Procedure for §170.302 (o) Access Control

Pass (8/8). File:Access Control.pdf

Currently implemented by OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(p) Emergency access

NIST Test Procedure for §170.302 (p) Emergency Access

Pass (9/9). File:Emergency-Access.pdf

Configuring and testing Emergency access

Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(q) Automatic log-off

NIST Test Procedure for §170.302 (q) Automatic log-off

Pass (2/2). File:Automatic Log Off.pdf

Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.

(r) Audit log

NIST Test Procedure for §170.302 (r) Audit Log

Pass (15/15). File:Audit log.pdf

Implemented in e97e and later versions of OpenEMR.

(s) Integrity

NIST Test Procedure for §170.302 (s) Integrity

Fail (6/6). File:Data Integrity.pdf

Failure Reason: The hashing algorithm currently in use is MD5. The standard requires an algorithm at least as strong as SHA-1. According to Wikipedia, SHA-1 has 51 bits of effective security, while MD5 has less than 21. In fact, (unsalted) MD5 collisions can be found in seconds on GHz-class 32-bit PCs.

Currently implemented poorly in OpenEMR. Please edit this page to include information about the implementation location in the source tree.

Per ICSA:

As long as you can demonstrate that the hash value has been created, and then a different hash value appears once the data is modified. SSL would also meet the requirements for transport. The secure hashing algorithm used to provide the hash value should also be SHA-1 or higher. For this test procedure you would also have to electronically exchange test data (that you specify) and the generated message digest to a receiving system (of your choice) and demonstrate that the electronically exchanged message digest and the message digest generated on the receiving system are the same for the provided test data.
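The integrity procedure described above, carried through as an added example (not OpenEMR code and not part of the NIST or ICSA materials): a sender attaches a message digest to test data, and a receiver recomputes and compares it. The function names, the message layout and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed policy for this example: the page gives SHA-1 as the minimum, so MD5
# is refused outright; SHA-256 is used as the default.
ALLOWED_ALGORITHMS = {"sha1", "sha256", "sha384", "sha512"}


def make_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of data, refusing algorithms below the floor."""
    name = algorithm.lower()
    if name not in ALLOWED_ALGORITHMS:
        raise ValueError(f"digest algorithm not permitted: {algorithm}")
    return hashlib.new(name, data).hexdigest()


def package(data: bytes, algorithm: str = "sha256") -> dict:
    """Sending system: bundle the test data with its message digest."""
    return {"algorithm": algorithm, "digest": make_digest(data, algorithm), "data": data}


def receive(message: dict) -> bool:
    """Receiving system: recompute the digest and compare it with the sent one."""
    try:
        recomputed = make_digest(message["data"], message["algorithm"])
    except ValueError:
        return False  # sender declared a disallowed algorithm such as MD5
    return hmac.compare_digest(recomputed, message["digest"])


def run_procedure() -> tuple:
    """Walk the three checks: intact data, modified data, MD5 downgrade."""
    record = b"patient=TEST-0001;bp=120/80;note=constructed sample record"
    message = package(record)
    intact_accepted = receive(message)

    # Data modified after hashing: the recomputed digest no longer matches.
    modified = dict(message, data=record.replace(b"120/80", b"180/80"))
    modification_detected = not receive(modified)

    # A message that declares MD5 is rejected before any comparison is made.
    downgraded = dict(message, algorithm="md5", digest="0" * 32)
    md5_rejected = not receive(downgraded)
    return intact_accepted, modification_detected, md5_rejected


if __name__ == "__main__":
    print(run_procedure())
```

A bare digest only shows that the data and the digest still agree; anyone able to change both can recompute it, which is why the digest has to travel over an authenticated channel such as the SSL transport mentioned above.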

(t) Authentication

NIST Test Procedure for §170.302 (t) Authentication

Pass (10/10). File:Authentication.pdf

Currently implemented by OpenEMR when using client SSL certificates. Please edit this page to include information about the implementation location in the source tree.

(u) General encryption

NIST Test Procedure for §170.302 (u) General encryption

Currently unimplemented in OpenEMR.

Per ICSA:

General Encryption: 3rd party applications can be used to satisfy this requirement. Any 3rd party application used would be considered part of the system seeking certification, and would need to use a standards based algorithm as identified in the NIST test procedures (FIPS 140-2). The algorithm as well as the 3rd party application would be documented as part of your self-attestation materials. It is up to the applicant to decide what data is encrypted during the testing session, as the NIST procedures are not specific on that point. It may not be necessary to have a separate screen that shows the process, however you would be required to demonstrate that the selected data has been encrypted, and can be decrypted, and provide documentation and self-attestation as to the type of algorithm and any 3rd party applications. SHA-1 or higher should be used for any 3rd party applications used to meet this step.

(v) Encryption when exchanging electronic health information

NIST Test Procedure for §170.302 (v) Encryption when exchanging electronic health information

Pass (5/5). File:Encryption For Exchanging Health Information.pdf

Currently implemented by OpenEMR when using Apache configured for SSL. Please edit this page to include information about the implementation location in the source tree.

(w) Accounting of disclosures (optional)

NIST Test Procedure for §170.302 (w) Optional. Accounting of Disclosures

Pass (5/5). File:Disclosure.pdf

Currently implemented in OpenEMR. Please edit this page to include information about the implementation location in the source tree.

§170.304 Ambulatory Certification Criteria

Status Summary:

Ambulatory Certification Criteria
a b c d e f g h i j

(a) Computerized provider order entry

NIST Test Procedure for §170.304 (a) Computerized provider order entry

Test Summary

(b) Electronic Prescribing

NIST Test Procedure for §170.304 (b) Electronic Prescribing

Currently unimplemented in OpenEMR.

(c) Record demographics

NIST Test Procedure for §170.304 (c) Record Demographics

Pass (12/12). File:Demographics.pdf

Implemented in 1c745 and later versions of OpenEMR.

(d) Patient reminders

NIST Test Procedure for §170.304 (d) Patient reminders

Currently unimplemented in OpenEMR.

(e) Clinical decision support

NIST Test Procedure for §170.304 (e) Clinical decision support

Currently unimplemented in OpenEMR.

(f) Electronic copy of health information

NIST Test Procedure for §170.304 (f) Electronic copy of health information

Currently unimplemented in OpenEMR.

(g) Timely access

NIST Test Procedure for §170.304 (g) Timely access

Currently unimplemented in OpenEMR.

(h) Clinical summaries

NIST Test Procedure for §170.304 (h) Clinical summaries

Currently unimplemented in OpenEMR.

(i) Exchange clinical information and patient summary record

NIST Test Procedure for §170.304 (i) Exchange clinical information and patient summary record

Currently unimplemented in OpenEMR.

(j) Calculate and submit clinical quality measures

NIST Test Procedure for §170.304 (j) Calculate and submit clinical quality measures

Currently unimplemented in OpenEMR.