HIPAA Compliance Plan

§170.302 General certification criteria for Complete EHRs or EHR Modules.

The Secretary adopts the following general certification criteria for Complete EHRs or EHR Modules. Complete EHRs or EHR Modules must include the capability to perform the following functions electronically and in accordance with all applicable standards and implementation specifications adopted in this part:

(a) Drug-drug, drug-allergy, drug-formulary checks.

(1) Alerts. Automatically and electronically generate and indicate in real-time, alerts at the point of care for drug-drug and drug-allergy contraindications based on medication list, medication allergy list, age, and computerized provider order entry (CPOE).

(2) Formulary checks. Enable a user to electronically check if drugs are in a formulary or preferred drug list in accordance with the standard specified in §170.205(b).

(3) Customization. Provide certain users with administrator rights to deactivate, modify, and add rules for drug-drug and drug-allergy checking.

(4) Alert statistics. Automatically and electronically track, record, and generate reports on the number of alerts responded to by a user.

(b) Maintain up-to-date problem list. Enable a user to electronically record, modify, and retrieve a patient’s problem list for longitudinal care in accordance with:

(1) The standard specified in §170.205(a)(2)(i)(A); or

(2) At a minimum, the version of the standard specified in §170.205(a)(2)(i)(B).

(c) Maintain active medication list. Enable a user to electronically record, modify, and retrieve a patient’s active medication list as well as medication history for longitudinal care in accordance with the standard specified in §170.205(a)(2)(iv).

(d) Maintain active medication allergy list. Enable a user to electronically record, modify, and retrieve a patient’s active medication allergy list as well as medication allergy history for longitudinal care.

(e) Record and chart vital signs.

(1) Vital signs. Enable a user to electronically record, modify, and retrieve a patient’s vital signs including, at a minimum, the height, weight, blood pressure, temperature, and pulse.

(2) Calculate body mass index. Automatically calculate and display body mass index (BMI) based on a patient’s height and weight.

(3) Plot and display growth charts. Plot and electronically display, upon request, growth charts for patients 2-20 years old.

(f) Smoking status. Enable a user to electronically record, modify, and retrieve the smoking status of a patient. Smoking status types must include: current smoker, former smoker, or never smoked.

(g) Incorporate laboratory test results.

(1) Receive results. Electronically receive clinical laboratory test results in a structured format and display such results in human readable format.

(2) Display codes in readable format. Electronically display in human readable format any clinical laboratory tests that have been received with LOINC® codes.

(3) Display test report information. Electronically display all the information for a test report specified at 42 CFR 493.1291(c)(1) through (7).

(4) Update. Enable a user to electronically update a patient’s record based upon received laboratory test results.

(h) Generate patient lists. Enable a user to electronically select, sort, retrieve, and output a list of patients and patients’ clinical information, based on user-defined demographic data, medication list, and specific conditions.

(i) Report quality measures.

(1) Display. Calculate and electronically display quality measures as specified by CMS or states.

(2) Submission. Enable a user to electronically submit calculated quality measures in accordance with the standard and implementation specifications specified in §170.205(e).

(j) Check insurance eligibility. Enable a user to electronically record and display patients’ insurance eligibility, and submit insurance eligibility queries to public or private payers and receive an eligibility response in accordance with the applicable standards and implementation specifications specified in §170.205(d)(1) or (2).

(k) Submit claims. Enable a user to electronically submit claims to public or private payers in accordance with the standard and implementation specifications specified in §170.205(d)(3).

(l) Medication reconciliation. Electronically complete medication reconciliation of two or more medication lists by comparing and merging into a single medication list that can be electronically displayed in real-time.

(m) Submission to immunization registries. Electronically record, retrieve, and transmit immunization information to immunization registries in accordance with:

(1) One of the standards specified in §170.205(h)(1) and, at a minimum, the version of the standard specified in §170.205(h)(2); or

(2) The applicable state-designated standard format.

(n) Public health surveillance. Electronically record, retrieve, and transmit syndrome-based public health surveillance information to public health agencies in accordance with one of the standards specified in §170.205(g).

(o) Access control. Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

(p) Emergency access. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.

(q) Automatic log-off. Terminate an electronic session after a predetermined time of inactivity.

(r) Audit log.

(1) Record actions. Record actions related to electronic health information in accordance with the standard specified in §170.210(b).

(2) Alerts. Provide alerts based on user-defined events.

(3) Display and print. Electronically display and print all or a specified set of recorded information upon request or at a set period of time.

(s) Integrity.

(1) In transit. Verify that electronic health information has not been altered in transit in accordance with the standard specified in §170.210(c).

(2) Detection. Detect the alteration and deletion of electronic health information and audit logs, in accordance with the standard specified in §170.210(c).

(t) Authentication.

(1) Local. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.

(2) Cross network. Verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information in accordance with the standard specified in §170.210(d).

(u) Encryption.

(1) General. Encrypt and decrypt electronic health information according to user-defined preferences in accordance with the standard specified in §170.210(a)(1).

(2) Exchange. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in §170.210(a)(2).

(v) Accounting of disclosures. Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified in §170.210(e).
