Printer Friendly, PDF & Email Printer Friendly, PDF & Email

§170.315(d)(3) Audit report(s)

Updated on 03-11-2024
Regulation Text
Regulation Text

§ 170.315 (d)(3) Audit report(s)—

Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards in §170.210(e).

Standard(s) Referenced

Applies to entire criterion

§ 170.210(e)(1)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.2 and 7.1.6 through 7.1.9 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
  2. The date and time must be recorded in accordance with the standard specified at § 170.210(g).

(2)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the audit log status is changed.
  2. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

(3) The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

§ 170.210(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized using any Network Time Protocol (NTP) standard.

§ 170.210(h) Audit log content. ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

Certification Dependencies

Design and performance: Quality management system (QMS) (§ 170.315(g)(4)) and Accessibility-centered design (§ 170.315(g)(5)) must be certified as part of the overall scope of the certificate issued to the product.

  • Quality management system (§ 170.315(g)(4)): When a single QMS is used, the QMS only needs to be identified once. Otherwise, when different QMS are used, each QMS needs to be separately identified for every capability to which it was applied.
  • Accessibility-centered design (§ 170.315(g)(5)): When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively, the developer must state that no accessibility-centered design was used.
Version # Description of Change Version Date
1.0

Initial publication
03-11-2024
Regulation Text
Regulation Text

§ 170.315 (d)(3) Audit report(s)—

Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards in §170.210(e).

Standard(s) Referenced

Applies to entire criterion

§ 170.210(e)(1)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.2 and 7.1.6 through 7.1.9 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
  2. The date and time must be recorded in accordance with the standard specified at § 170.210(g).

(2)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the audit log status is changed.
  2. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

(3) The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

§ 170.210(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized using any Network Time Protocol (NTP) standard.

§ 170.210(h) Audit log content. ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

Certification Dependencies

Design and performance: Quality management system (QMS) (§ 170.315(g)(4)) and Accessibility-centered design (§ 170.315(g)(5)) must be certified as part of the overall scope of the certificate issued to the product.

  • Quality management system (§ 170.315(g)(4)): When a single QMS is used, the QMS only needs to be identified once. Otherwise, when different QMS are used, each QMS needs to be separately identified for every capability to which it was applied.
  • Accessibility-centered design (§ 170.315(g)(5)): When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively, the developer must state that no accessibility-centered design was used.
Revision History
Version # Description of Change Version Date
1.0

Initial publication
03-11-2024

Testing components

Attestation: As of September 21, 2017, the testing approach for this criterion is satisfied by attestation.

The archived version of the Test Procedure is attached below for reference.

 

 

System Under Test

ONC-ACB Verification

The health IT developer will attest directly to the ONC-ACB to conformance with the § 170.315 (d)(3) Audit report(s) requirements. 

The ONC-ACB verifies the health IT developer attests conformance to the § 170.315 (d)(3) Audit report(s) requirements.

 

 

Archived Version:
§170.315(d)(3) Test Procedure
Updated on 03-11-2024
Regulation Text
Regulation Text

§ 170.315 (d)(3) Audit report(s)—

Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards in §170.210(e).

Standard(s) Referenced

Applies to entire criterion

§ 170.210(e)(1)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.2 and 7.1.6 through 7.1.9 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
  2. The date and time must be recorded in accordance with the standard specified at § 170.210(g).

(2)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the audit log status is changed.
  2. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

(3) The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

§ 170.210(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized using any Network Time Protocol (NTP) standard.

§ 170.210(h) Audit log content. ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

Certification Dependencies

Design and performance: Quality management system (QMS) (§ 170.315(g)(4)) and Accessibility-centered design (§ 170.315(g)(5)) must be certified as part of the overall scope of the certificate issued to the product.

  • Quality management system (§ 170.315(g)(4)): When a single QMS is used, the QMS only needs to be identified once. Otherwise, when different QMS are used, each QMS needs to be separately identified for every capability to which it was applied.
  • Accessibility-centered design (§ 170.315(g)(5)): When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively, the developer must state that no accessibility-centered design was used.
Version # Description of Change Version Date
1.0

Initial publication
03-11-2024
Regulation Text
Regulation Text

§ 170.315 (d)(3) Audit report(s)—

Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards in §170.210(e).

Standard(s) Referenced

Applies to entire criterion

§ 170.210(e)(1)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.2 and 7.1.6 through 7.1.9 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
  2. The date and time must be recorded in accordance with the standard specified at § 170.210(g).

(2)

  1. The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the audit log status is changed.
  2. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

(3) The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

§ 170.210(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized using any Network Time Protocol (NTP) standard.

§ 170.210(h) Audit log content. ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

Certification Dependencies

Design and performance: Quality management system (QMS) (§ 170.315(g)(4)) and Accessibility-centered design (§ 170.315(g)(5)) must be certified as part of the overall scope of the certificate issued to the product.

  • Quality management system (§ 170.315(g)(4)): When a single QMS is used, the QMS only needs to be identified once. Otherwise, when different QMS are used, each QMS needs to be separately identified for every capability to which it was applied.
  • Accessibility-centered design (§ 170.315(g)(5)): When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively, the developer must state that no accessibility-centered design was used.
Revision History
Version # Description of Change Version Date
1.0

Initial publication
03-11-2024

Certification Companion Guide: Audit report(s)

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product certification. The CCG is not a substitute for the requirements outlined in regulation and related ONC final rules. It extracts key portions of ONC final rules’ preambles and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the Certification Regulations page for links to all ONC final rules or consult other regulatory references as noted. The CCG is for public use and should not be sold or redistributed.

The below table outlines whether this criterion has additional Maintenance of Certification dependencies, update requirements and/or eligibility for standards updates via SVAP. Review the Certification Dependencies and Required Update Deadline drop-downs above if this table indicates “yes” for any field.

 

Base EHR Definition Real World Testing Insights Condition SVAP Requires Updates
Not Included No No No No
Certification Requirements
Technical Explanations and Clarifications

Applies to entire criterion

Technical outcome –

  • A user can create one or more audit reports for a specific time period that includes some or all of the data specified in sections 7.1.1, 7.1.2 and 7.1.6, through 7.1.9 of ASTM E1247-18; including changes to user privileges when health IT is in use; and record the date and time of the action in accordance with RFC 5905.
  • The content included in each audit log is sortable.

Clarifications:

  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support 7.1.3 Duration of Access in the ASTM E2147 – 18 standard. However, ONC determined this requirement is not in scope for testing and certification and removed the 7.1.3 requirement in the subsequent IFR
  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support updates to audit logging and has incorporated by reference the standards, as amended effective June 30, 2020, § 170.299(1) ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, approved May 1, 2018, IBR approved for §170.210(h).
  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support the auditing requirements as specified in ASTM E2148-18.  For the purposes of certification, sections 7.2 and 7.4 have been updated to sections 7.1.1 and 7.1.7.  It is the expectation that the updated specification will be used.
  • For purposes of certification, a Health IT Module should adhere to any Network Time Protocol standard for the synchronized clock requirement.
  • For purposes of certification, a Health IT Module may produce a single audit report with all of the specified auditable data or it may produce multiple audit reports with some portion of the required auditable data. However, if this latter approach is used, when all of the audit reports are considered together the total content they include must represent all of the required auditable data (which would be equivalent to the single audit report approach).
  • If third party software is relied upon to meet the criteria, one of the following approaches applies:
    • Approach 1 requires disclosure of the software that was relied upon to meet the criterion.
    • Approach 2 requires documentation of how the external services that are necessary to meet the requirements of criteria will be deployed and used.
  • A user could be a healthcare professional or office staff; or a software program or service that would interact directly with the certified health IT. A “user” is not a patient for the purposes of this criterion. [see also 77 FR 54168]
  • For Health Information Service Provider (HISP) software that does not normally store patient data, certification to § 170.315 (d)(3) does not create the obligation to do so. Rather, certification to § 170.315(d)(3) requires that a user is able to produce a forensic reconstruction of events in the case of a security incident. Audit reports would need to be generated that can sort and filter on the types of data identified in § 170.315(d)(2).

Technical outcome –

  • A user can create one or more audit reports for a specific time period that includes some or all of the data specified in sections 7.1.1, 7.1.2 and 7.1.6, through 7.1.9 of ASTM E1247-18; including changes to user privileges when health IT is in use; and record the date and time of the action in accordance with RFC 5905.
  • The content included in each audit log is sortable.

Clarifications:

  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support 7.1.3 Duration of Access in the ASTM E2147 – 18 standard. However, ONC determined this requirement is not in scope for testing and certification and removed the 7.1.3 requirement in the subsequent IFR
  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support updates to audit logging and has incorporated by reference the standards, as amended effective June 30, 2020, § 170.299(1) ASTM E2147-18 Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems, approved May 1, 2018, IBR approved for §170.210(h).
  • The ONC Cures Act Final Rule included the requirement for Health IT Modules to support the auditing requirements as specified in ASTM E2148-18.  For the purposes of certification, sections 7.2 and 7.4 have been updated to sections 7.1.1 and 7.1.7.  It is the expectation that the updated specification will be used.
  • For purposes of certification, a Health IT Module should adhere to any Network Time Protocol standard for the synchronized clock requirement.
  • For purposes of certification, a Health IT Module may produce a single audit report with all of the specified auditable data or it may produce multiple audit reports with some portion of the required auditable data. However, if this latter approach is used, when all of the audit reports are considered together the total content they include must represent all of the required auditable data (which would be equivalent to the single audit report approach).
  • If third party software is relied upon to meet the criteria, one of the following approaches applies:
    • Approach 1 requires disclosure of the software that was relied upon to meet the criterion.
    • Approach 2 requires documentation of how the external services that are necessary to meet the requirements of criteria will be deployed and used.
  • A user could be a healthcare professional or office staff; or a software program or service that would interact directly with the certified health IT. A “user” is not a patient for the purposes of this criterion. [see also 77 FR 54168]
  • For Health Information Service Provider (HISP) software that does not normally store patient data, certification to § 170.315 (d)(3) does not create the obligation to do so. Rather, certification to § 170.315(d)(3) requires that a user is able to produce a forensic reconstruction of events in the case of a security incident. Audit reports would need to be generated that can sort and filter on the types of data identified in § 170.315(d)(2).

Archived Version:

2015 Edition Archived CCG