Auditable events and tamper-resistance (MU2)

From OpenEMR Project Wiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Overview

MU Requirements

Per ONC

Taken from ONC Final Rule:File:2014 Edition Cert Federal Register.pdf
(2) Auditable events and tamper-resistance. (i) Record actions. EHR technology must be able
to:
(A) Record actions related to electronic health information in accordance with the standard
specified in § 170.210(e)(1);
(B) Record the audit log status (enabled or disabled) in accordance with the standard
specified in § 170.210(e)(2) unless it cannot be disabled by any user; and
(C) Record the encryption status (enabled or disabled) of electronic health information
locally stored on end-user devices by EHR technology in accordance with the standard
specified in § 170.210(e)(3) unless the EHR technology prevents electronic health
information from being locally stored on end-user devices (see 170.314(d)(7) of this
section).
(ii) Default setting. EHR technology must be set by default to perform the capabilities
specified in paragraph (d)(2)(i)(A) of this section and, where applicable, paragraphs
(d)(2)(i)(B) or (C), or both paragraphs (d)(2)(i)(B) and (C).
(iii) When disabling the audit log is permitted. For each capability specified in paragraphs
(d)(2)(i)(A) through (C) of this section that EHR technology permits to be disabled, the
ability to do so must be restricted to a limited set of identified users.
(iv) Audit log protection. Actions and statuses recorded in accordance with paragraph
(d)(2)(i) of this section must not be capable of being changed, overwritten, or deleted by
the EHR technology.
(v) Detection. EHR technology must be able to detect whether the audit log has been altered.

Per ONC/NIST Final Test Methods

See here: http://www.healthit.gov/policy-researchers-implementers/2014-edition-final-test-method

Status

Proposal

Owner

Links