Difference between revisions of "Auditable events and tamper-resistance (MU2)"
From OpenEMR Project Wiki
Bradymiller (talk | contribs) (Created page with "==Overview== ==MU Requirements== ===Per ONC=== :Taken from [http://www.ofr.gov/OFRUpload/OFRData/2012-20982_PI.pdf ONC Final Rule] <pre> </pre> ==Status== ==Proposal== ==Own...") |
Bradymiller (talk | contribs) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
==MU Requirements== | ==MU Requirements== | ||
===Per ONC=== | ===Per ONC=== | ||
:Taken from [ | :Taken from ONC Final Rule:[[File:2014_Edition_Cert_Federal_Register.pdf]] | ||
<pre> | <pre> | ||
(2) Auditable events and tamper-resistance. (i) Record actions. EHR technology must be able | |||
to: | |||
(A) Record actions related to electronic health information in accordance with the standard | |||
specified in § 170.210(e)(1); | |||
(B) Record the audit log status (enabled or disabled) in accordance with the standard | |||
specified in § 170.210(e)(2) unless it cannot be disabled by any user; and | |||
(C) Record the encryption status (enabled or disabled) of electronic health information | |||
locally stored on end-user devices by EHR technology in accordance with the standard | |||
specified in § 170.210(e)(3) unless the EHR technology prevents electronic health | |||
information from being locally stored on end-user devices (see 170.314(d)(7) of this | |||
section). | |||
(ii) Default setting. EHR technology must be set by default to perform the capabilities | |||
specified in paragraph (d)(2)(i)(A) of this section and, where applicable, paragraphs | |||
(d)(2)(i)(B) or (C), or both paragraphs (d)(2)(i)(B) and (C). | |||
(iii) When disabling the audit log is permitted. For each capability specified in paragraphs | |||
(d)(2)(i)(A) through (C) of this section that EHR technology permits to be disabled, the | |||
ability to do so must be restricted to a limited set of identified users. | |||
(iv) Audit log protection. Actions and statuses recorded in accordance with paragraph | |||
(d)(2)(i) of this section must not be capable of being changed, overwritten, or deleted by | |||
the EHR technology. | |||
(v) Detection. EHR technology must be able to detect whether the audit log has been altered. | |||
</pre> | </pre> | ||
===Per ONC/NIST Final Test Methods=== | |||
:See here: http://www.healthit.gov/policy-researchers-implementers/2014-edition-final-test-method | |||
==Status== | ==Status== | ||
| Line 15: | Line 37: | ||
==Links== | ==Links== | ||
:*[[OpenEMR Certification Stage II Meaningful Use|OpenEMR Certification Stage II Meaningful Use Main Project Page]] | |||
:*[[3.1 Auditing in OpenEMR|3.1 Auditing in OpenEMR wiki page for stage I certification]] | |||
:*[[4. Audit Control|4. Audit Control wiki page for stage I certification]] | |||
:*[[Auditing Changes|Auditing Changes wiki page for stage I certification]] | |||
:*[[3.2 ATNA related tasks|3.2 ATNA related tasks wiki page for stage I certification]] | |||
[[Category:Certification]][[Category:Certification Stage II]] | [[Category:Certification]][[Category:Certification Stage II]] | ||
Latest revision as of 01:20, 26 January 2013
Overview
MU Requirements
Per ONC
- Taken from ONC Final Rule:File:2014 Edition Cert Federal Register.pdf
(2) Auditable events and tamper-resistance. (i) Record actions. EHR technology must be able to: (A) Record actions related to electronic health information in accordance with the standard specified in § 170.210(e)(1); (B) Record the audit log status (enabled or disabled) in accordance with the standard specified in § 170.210(e)(2) unless it cannot be disabled by any user; and (C) Record the encryption status (enabled or disabled) of electronic health information locally stored on end-user devices by EHR technology in accordance with the standard specified in § 170.210(e)(3) unless the EHR technology prevents electronic health information from being locally stored on end-user devices (see 170.314(d)(7) of this section). (ii) Default setting. EHR technology must be set by default to perform the capabilities specified in paragraph (d)(2)(i)(A) of this section and, where applicable, paragraphs (d)(2)(i)(B) or (C), or both paragraphs (d)(2)(i)(B) and (C). (iii) When disabling the audit log is permitted. For each capability specified in paragraphs (d)(2)(i)(A) through (C) of this section that EHR technology permits to be disabled, the ability to do so must be restricted to a limited set of identified users. (iv) Audit log protection. Actions and statuses recorded in accordance with paragraph (d)(2)(i) of this section must not be capable of being changed, overwritten, or deleted by the EHR technology. (v) Detection. EHR technology must be able to detect whether the audit log has been altered.
