45 CFR 170.210 - Standards for health information technology to protect electronic health information created, maintained, and exchanged.

§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged. Link to an amendment published at 79 FR 54478, Sept. 11, 2014.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(a) Encryption and decryption of electronic health information
(1) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, (January 27, 2010) (incorporated by reference in § 170.299).
(2) Exchange. Any encrypted and integrity protected link.
(b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.
(c) Verification that electronic health information has not been altered in transit. Standard. A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-4 (March 2012)) must be used to verify that electronic health information has not been altered.
(d) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
(e) Record actions related to electronic health information, audit log status, and encryption of end-user devices.
(1)
(i) The audit log must record the information specified in sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified at § 170.210(h) when EHR technology is in use.
(ii) The date and time must be recorded in accordance with the standard specified at § 170.210(g).
(2)
(i) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the audit log status is changed.
(ii) The date and time each action occurs in accordance with the standard specified at § 170.210(g).
(3) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).
(f) Encryption and hashing of electronic health information. Any encryption and hashing algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the FIPS Publication 140-2 (incorporated by reference in § 170.299).
(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized following (RFC 1305) Network Time Protocol, (incorporated by reference in § 170.299) or (RFC 5905) Network Time Protocol Version 4, (incorporated by reference in § 170.299).
(h) Audit log content. ASTM E2147-01 (Reapproved 2009), (incorporated by reference in § 170.299)
[75 FR 44649, July 28, 2010, as amended at 77 FR 54285, Sept. 4, 2012]
Effective Date Note:
At 79 FR 54478, Sept. 11, 2014, § 170.210 was amended by removing and reserving paragraphs (a)(2) and (b), effective Mar. 1, 2015.

Title 45 published on 2014-10-01.

The following are only the Rules published in the Federal Register after the published date of Title 45.


  • 2015-06-09; vol. 80 # 110 - Tuesday, June 9, 2015
    1. 80 FR 32477 - Acceptance and Approval of Non-Governmental Developed Test Procedures, Test Tools, and Test Data for Use Under the ONC Health IT Certification Program
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the National Coordinator for Health Information Technology (ONC)
      Reissuance.
      Reissued June 9, 2015.
      45 CFR Part 170
