Printer Friendly, PDF & Email Printer Friendly, PDF & Email

§170.315(d)(3) Audit report(s)

Version 1.3 Updated on 09-21-2017
Revision History
Version # Description of Change Version Date
1.0

Final Test Procedure

01-08-2016
1.1

Updated Gap Eligibility.

04-08-2016
1.2

Step 2 for SUT and TLV were both clarified and changed to reflect that multiple audit reports can also be created to meet the criterion. The data references in the SUT column were also re-ordered to make the required data clearer.

05-26-2017
1.3

As of September 21, 2017, Test Procedure has been moved to Attestation/Developer self-declaration only.

09-21-2017
Regulation Text
Regulation Text

§170.315 (d)(3) Audit report(s)—

Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards in §170.210(e).

Standard(s) Referenced

Applies to entire criterion

§ 170.210(e)(1)

  1. The audit log must record the information specified in sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
  2. The date and time must be recorded in accordance with the standard specified at § 170.210(g).

(2)

  1. The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the audit log status is changed.
  2. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

(3) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

§ 170.210(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized following (RFC 1305) Network Time Protocol or (RFC 5905) Network Time Protocol Version 4

§ 170.210(h) Audit log content. ASTM E2147-01 (Reapproved 2013) Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

Testing components

Self-Declaration: As of September 21, 2017, the testing approach for this criterion is satisfied by self-declaration.

The archived version of the Test Procedure is attached below for reference.

 

System Under Test

Test Lab Verification

The health IT developer submits their self-declaration to the ONC-ATL.

The Tester verifies the self-declaration document contains all of the required data elements.

 

 

Archived Version:
Version 1.3 Updated on 05-26-2017
Revision History
Version # Description of Change Version Date
1.0

Initial Publication

10-22-2015
1.1

Updated to reflect this criterion is not eligible for gap certification per the 2015 Edition final rule correction notice.

12-18-2015
1.2

Edited document to correctly reflect that the 2015 Edition “audit report(s)” certification criterion is revised as compared to the 2014 Edition “audit report(s)” criterion.

04-01-2016
1.3

Added clarifications for the application of this criterion to relied upon software and HISPs. In addition, clarified the meaning of the term “user” and that either a single audit log or multiple audit logs may be used to meet the requirements of this criterion.

05-26-2017
Regulation Text
Regulation Text

§170.315 (d)(3) Audit report(s)—

Enable a user to create an audit report for a specific time period and to sort entries in the audit log according to each of the data specified in the standards in §170.210(e).

Standard(s) Referenced

Applies to entire criterion

§ 170.210(e)(1)

  1. The audit log must record the information specified in sections 7.2 through 7.4, 7.6, and 7.7 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
  2. The date and time must be recorded in accordance with the standard specified at § 170.210(g).

(2)

  1. The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the audit log status is changed.
  2. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

(3) The audit log must record the information specified in sections 7.2 and 7.4 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by EHR technology on end-user devices is changed. The date and time each action occurs in accordance with the standard specified at § 170.210(g).

§ 170.210(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized following (RFC 1305) Network Time Protocol or (RFC 5905) Network Time Protocol Version 4

§ 170.210(h) Audit log content. ASTM E2147-01 (Reapproved 2013) Standard Specification for Audit and Disclosure Logs for Use in Health Information Systems

Certification Companion Guide: Audit report(s)

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 2015 Edition final regulation. It extracts key portions of the rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the 2015 Edition final rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.
 

 

Certification Requirements

Quality management system (§ 170.315(g)(4)) and accessibility-centered design (§ 170.315(g)(5)) must be certified as part of the overall scope of the certificate issued to the product.

  • When a single quality management system (QMS) is used, the QMS only needs to be identified once. Otherwise, the QMS’ need to be identified for every capability to which it was applied.
  • When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively the developer must state that no accessibility-centered design was used.
Technical Explanations and Clarifications

 

Applies to entire criterion

Technical outcome –

  • A user can create one or more audit reports for a specific time period that includes some or all of the data specified in sections 7.2, 7.3, 7.4, 7.6, and 7.7 of ASTM E1247-01; including changes to user privileges when health IT is in use; and record the date and time of the action in accordance with RFC 1305 or RFC 5905.
  • The content included in each audit log is sortable.

Clarifications:

  • For the purposes of certification, a Health IT Module may produce a single audit report with all of the specified auditable data or it may produce multiple audit reports with some portion of the required auditable data. However, if this latter approach is used, when all of the audit reports are considered together the total content they include must represent all of the required auditable data (which would be equivalent to the single audit report approach).
  • If third party software is relied upon to meet the criteria, one of the following approaches applies:
    • Approach 1 requires disclosure of the software that was relied upon to meet the criterion.
    • Approach 2 requires documentation of how the external services that are necessary to meet the requirements of criteria will be deployed and used.
  • A user could be a health care professional or office staff; or a software program or service that would interact directly with the certified health IT. [see 80 FR 62611; 77 FR 54168] A “user” is not a patient for the purposes of this criterion. [see also 77 FR 54168]
  • For HISP software that does not normally store patient data, certification to (d)(3) does not create the obligation to do so. Rather, certification to (d)(3) requires that a user is able to produce a forensic reconstruction of events in the case of a security incident. Audit reports would need to be generated that can sort and filter on the types of data identified in (d)(2).

Content last reviewed on March 29, 2018
Was this page helpful?