The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:
(a) Encryption and decryption of electronic health information--(1) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, (January 27, 2010) (incorporated by reference in Sec. 170.299).
(2) [Reserved]
(b) [Reserved]
(c) Verification that electronic health information has not been altered in transit. Standard. A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-4 (March 2012)) must be used to verify that electronic health information has not been altered.
(d) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
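A worked illustration of paragraphs (c) and (d), added here and not part of the regulation: it builds a disclosure record carrying the five fields (d) requires, then computes and checks an integrity tag with SHA-256, which meets the "equal to or greater than SHA-1" floor in (c). The field names, the ISO 8601/UTC timestamp format, the sample identifiers and the shared key are assumptions for the example; the regulation fixes none of them.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Sec. 170.210(c): the hash must be at least as strong as SHA-1.
# SHA-256 (FIPS 180-4) satisfies that; SHA-1 itself is the floor, not the target.
HASH_NAME = "sha256"

def disclosure_record(patient_id, user_id, description, when=None):
    """Build one 170.210(d) record: date, time, patient id, user id, description.
    The ISO 8601/UTC text format is an assumption; (g) only requires an
    NTP-synchronized clock, not a particular representation."""
    when = when or datetime.now(timezone.utc)
    return {
        "date": when.date().isoformat(),
        "time": when.time().isoformat(timespec="seconds"),
        "patient_id": patient_id,
        "user_id": user_id,
        "description": description,
    }

def canonical_bytes(record):
    # Sorted keys and fixed separators so sender and receiver hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def integrity_tag(record, key=None):
    """Hex tag over the canonical record. A bare SHA-256 digest detects
    alteration only if the digest itself reaches the verifier intact; when
    sender and receiver share a key, HMAC-SHA256 also resists a party who
    rewrites the record and recomputes the digest."""
    data = canonical_bytes(record)
    if key is None:
        return hashlib.new(HASH_NAME, data).hexdigest()
    return hmac.new(key, data, HASH_NAME).hexdigest()

def verify_unaltered(record, tag, key=None):
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(integrity_tag(record, key), tag)

if __name__ == "__main__":
    # Constructed sample values, not real patient or user identifiers.
    rec = disclosure_record("PT-0001", "clinician-17", "Referral sent to cardiology",
                            datetime(2014, 9, 11, 14, 30, tzinfo=timezone.utc))
    key = b"constructed-shared-key"
    tag = integrity_tag(rec, key)
    print(verify_unaltered(rec, tag, key))                                    # True
    altered = dict(rec, description="Referral sent to oncology")
    print(verify_unaltered(altered, tag, key))                                # False
```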
(e) Record actions related to electronic health information, audit log status, and encryption of end-user devices. (1)(i) The audit log must record the information specified in sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified at Sec. 170.210(h) when EHR technology is in use.
(ii) The date and time must be recorded in accordance with the standard specified at Sec. 170.210(g).
(2)(i) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at Sec. 170.210(h) when the audit log status is changed.
(ii) The date and time each action occurs in accordance with the standard specified at Sec. 170.210(g).
(3) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at Sec. 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at Sec. 170.210(g).
(f) Encryption and hashing of electronic health information. Any encryption and hashing algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the FIPS Publication 140-2 (incorporated by reference in Sec. 170.299).
(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized following (RFC 1305) Network Time Protocol, (incorporated by reference in Sec. 170.299) or (RFC 5905) Network Time Protocol Version 4, (incorporated by reference in Sec. 170.299).
(h) Audit log content. ASTM E2147-01 (Reapproved 2009), (incorporated by reference in Sec. 170.299).
[75 FR 44649, July 28, 2010, as amended at 77 FR 54285, Sept. 4, 2012; 79 FR 54478, Sept. 11, 2014]