45 CFR 170.210 - Standards for health information technology to protect electronic health information created, maintained, and exchanged.

§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(a) Encryption and decryption of electronic health information—
(1) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2 (incorporated by reference in § 170.299).
(2) Exchange. Any encrypted and integrity protected link.
(b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.
(c) Verification that electronic health information has not been altered in transit. Standard. A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-3 (October, 2008)) must be used to verify that electronic health information has not been altered.
(d) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
§ 170.210, Nt.
Effective Date Note:
At 77 FR 54285, Sept. 4, 2012, § 170.210 was amended in paragraph (a)(1), by adding the phrase “, (January 27, 2010)” after “140-2”; in paragraph (c), by removing “180-3 (October, 2008))” and add in its place “180-4 (March 2012))”; and adding paragraphs (e) through (h), effective Oct. 4, 2012. For the convenience of the user, the added and revised text is set forth as follows:
§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(e) Record actions related to electronic health information, audit log status, and encryption of end-user devices. (1)(i) The audit log must record the information specified in sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified at § 170.210(h) when EHR technology is in use.
(ii) The date and time must be recorded in accordance with the standard specified at § 170.210(g).
(2)(i) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the audit log status is changed.
(ii) The date and time each action occurs in accordance with the standard specified at § 170.210(g).
(3) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).
(f) Encryption and hashing of electronic health information. Any encryption and hashing algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the FIPS Publication 140-2 (incorporated by reference in § 170.299).
(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized following (RFC 1305) Network Time Protocol, (incorporated by reference in § 170.299) or (RFC 5905) Network Time Protocol Version 4, (incorporated by reference in § 170.299).
(h) Audit log content. ASTM E2147-01(Reapproved 2009), (incorporated by reference in § 170.299)

Title 45 published on 2012-10-01

The following are only the Rules published in the Federal Register after the published date of Title 45.

  • 2014-09-11; vol. 79 # 176 - Thursday, September 11, 2014
    1. 79 FR 54430 - 2014 Edition Release 2 Electronic Health Record (EHR) Certification Criteria and the ONC HIT Certification Program; Regulatory Flexibilities, Improvements, and Enhanced Health Information Exchange
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Final rule.
      This rule is effective October 14, 2014, except for the amendments to the amendatory instruction number 3 amendment to § 170.102, the amendments to §§ 170.205, 170.207, 170.210, 170.302, 170.304, 170.306, and the amendatory instruction number 18 amendment to § 170.550, which are effective on March 1, 2015. The incorporation by reference of certain publications listed in the rule is approved by the Director of the Federal Register as of October 14, 2014.
      45 CFR Part 170
