45 CFR 170.210 - Standards for health information technology to protect electronic health information created, maintained, and exchanged.

§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(a) Encryption and decryption of electronic health information—
(1) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2 (incorporated by reference in § 170.299).
(2) Exchange. Any encrypted and integrity protected link.
(b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.
(c) Verification that electronic health information has not been altered in transit. Standard. A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-3 (October, 2008)) must be used to verify that electronic health information has not been altered.
(d) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
§ 170.210, Nt.
Effective Date Note:
At 77 FR 54285, Sept. 4, 2012, § 170.210 was amended in paragraph (a)(1), by adding the phrase “, (January 27, 2010)” after “140-2”; in paragraph (c), by removing “180-3 (October, 2008))” and add in its place “180-4 (March 2012))”; and adding paragraphs (e) through (h), effective Oct. 4, 2012. For the convenience of the user, the added and revised text is set forth as follows:
§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(e) Record actions related to electronic health information, audit log status, and encryption of end-user devices. (1)(i) The audit log must record the information specified in sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified at § 170.210(h) when EHR technology is in use.
(ii) The date and time must be recorded in accordance with the standard specified at § 170.210(g).
(2)(i) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the audit log status is changed.
(ii) The date and time each action occurs in accordance with the standard specified at § 170.210(g).
(3) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).
(f) Encryption and hashing of electronic health information. Any encryption and hashing algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the FIPS Publication 140-2 (incorporated by reference in § 170.299).
(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized following (RFC 1305) Network Time Protocol, (incorporated by reference in § 170.299) or (RFC 5905) Network Time Protocol Version 4, (incorporated by reference in § 170.299).
(h) Audit log content. ASTM E2147-01(Reapproved 2009), (incorporated by reference in § 170.299)

Title 45 published on 2013-10-01

The following are only the Rules published in the Federal Register after the published date of Title 45.

  • 2013-11-04; vol. 78 # 213 - Monday, November 4, 2013
    1. 78 FR 65884 - 2014 Edition Electronic Health Record Certification Criteria: Revision to the Definition of “Common Meaningful Use (MU) Data Set”
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Interim final rule with comment period.
      Effective date: This regulation is effective on December 4, 2013. Comment date: To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on January 3, 2014.
      45 CFR Part 170

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR 170 after this date.

  • 2014-03-19; vol. 79 # 53 - Wednesday, March 19, 2014
    1. 79 FR 15282 - Voluntary 2015 Edition Electronic Health Record (EHR) Certification Criteria; Interoperability Updates and Regulatory Improvements; Correction
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Proposed rule; correction.
      Comments on the proposed rule published February 26, 2014, at 79 FR 10880, continue to be accepted until no later than 5 p.m. on April 28, 2014.
      45 CFR Part 170