
§170.315(b)(8) Data segmentation for privacy – receive

Version 1.1 Updated on 12-07-2016
Revision History
Version # | Description of Change | Version Date
1.0 | Final Test Procedure | 01-20-2016
1.1 | Added supplied test data that includes content validation for DS4P. | 12-07-2016
Regulation Text

§170.315 (b)(8) Data segmentation for privacy – receive

Enable a user to:

  1. Receive a summary record that is formatted in accordance with the standard adopted in §170.205(a)(4) that is document-level tagged as restricted and subject to restrictions on re-disclosure according to the standard adopted in §170.205(o)(1);
  2. Sequester the document-level tagged document from other documents received; and
  3. View the restricted document without incorporating any of the data from the document.

Please consult the Final Rule entitled: 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications for a detailed description of the certification criterion with which these testing steps are associated. We also encourage developers to consult the Certification Companion Guide in tandem with the test procedure as they provide clarifications that may be useful for product development and testing.

Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.
 

Testing components

No GAP; No Documentation; Visual Inspection; Test Tool; ONC Supplied Test Data

 

Paragraph (b)(8)(i)

System Under Test

SUT Instruction

  1. Summary records in accordance with the test steps below, based on the health IT setting(s), are provided by the Edge Testing Tool.
  2. The health IT developer identifies the policies associated with the handling of the Data Segmentation for Privacy documents.

Receive

  3. Using the Health IT Module, a user receives summary record document(s) formatted in accordance with the standard specified at § 170.205(a)(4) HL7 Implementation Guide for CDA® Release 2: Consolidated CDA Templates for Clinical Notes, DSTU Release 2.1, that is tagged as restricted and subject to restrictions on re-disclosure, according to the standard adopted at § 170.205(o)(1) HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1, which includes the following:
    • Privacy Segmented Document Template;
    • CDA Mandatory Document Provenance;
    • CDA Mandatory Document Assigned Author Template; and
    • If a document contains information protected by specific privacy policies, the CDA Privacy Markings Section.
  4. The document received in step 3 includes the following data elements:
    • The originating document Individual Author or Organization; and
    • Confidentiality Code constrained in accordance with the standard specified in § 170.205(o)(1) HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1.
  5. Using the Health IT Module, a user receives a summary record document(s) formatted in accordance with the standard specified at § 170.205(a)(4) HL7 Implementation Guide for CDA® Release 2: Consolidated CDA Templates for Clinical Notes, DSTU Release 2.1, without any restrictions.

Test Lab Verification

Test Lab Instruction

  1. The tester creates a human readable version for each of the documents received in steps 3-5 of the SUT to be used for verification.

Receive

  1. The tester verifies that a Health IT Module can receive a summary record document formatted in accordance with the standard specified at § 170.205(a)(4) that is document-level tagged as restricted and contains restrictions on re-disclosure according to the standard adopted at § 170.205(o)(1) for each health IT setting being certified, using visual inspection.
  2. The tester verifies that a Health IT Module can receive a summary record document formatted in accordance with the standard specified at § 170.205(a)(4) that is not document-level tagged as restricted for each health IT setting being certified, using visual inspection.

Paragraph (b)(8)(ii)

System Under Test

  1. Using the restricted document received in (b)(8)(i), and the Health IT Module, a user demonstrates the ability to associate the restricted document to a patient’s record, but sequester it from other health IT developer supplied summary documents formatted in accordance with the standard specified at § 170.205(a)(4) HL7 Implementation Guide for CDA® Release 2: Consolidated CDA Templates for Clinical Notes, DSTU Release 2.1 that have been received for that specific patient but are not restricted.
  2. Negative Testing: Using the setup from step 1, the user demonstrates that an unauthorized user does not have access to the restricted document received in (b)(8)(i).

Test Lab Verification

  1. The tester verifies that based upon the policies identified in (b)(8)(i), the Health IT Module can sequester a document-level tagged document, formatted in accordance with the standard specified at § 170.205(a)(4), with restrictions on re-disclosure according to the standard adopted at § 170.205(o)(1) from other summary documents formatted in accordance with the standard specified at § 170.205(a)(4) for a specific patient, using visual inspection.
  2. Negative Testing: The tester verifies that based upon the policies identified in (b)(8)(i), an unauthorized user does not have access to a sequestered document using visual inspection.

Paragraph (b)(8)(iii)

System Under Test

Setup

  1. The Health IT Module creates users on the system that are authorized to review sequestered documentation and users that are not authorized to review sequestered documentation.

Viewing

  1. Using the sequestered document identified in (b)(8)(ii) and the Health IT Module, authorized users view the document data without incorporating the data into the patient’s record as discrete data elements.
  2. Negative Testing: The user demonstrates that an unauthorized user cannot view the documents sequestered in (b)(8)(ii).

Test Lab Verification

Viewing

  1. The tester verifies that the Health IT Module allows an authorized user to view the data in the restricted document without incorporating it into the patient’s record (e.g. medications, medication allergies, problems) using visual inspection.
  2. The tester verifies that the Health IT Module view of the document data includes the Data Segmentation for Privacy specific data, and that the data is complete and without omission; including:
    • The General Header Author; and
    • If a document contains information protected by specific privacy policies, text indicating the nature of the explicit notice to the provider receiving the disclosed information.
  3. If the author of document sections is different than the document author, using the health IT developer-identified health IT function(s), the tester verifies that the Health IT Module provides the correct data provenance.
  4. Negative Testing: The tester verifies that the Health IT Module does not allow unauthorized users to access or view restricted data or documents.

Version 1.3 Updated on 09-21-2018
Revision History
Version # | Description of Change | Version Date
1.0 | Initial Publication | 12-30-2015
1.1 | Provides notification of March 2017 Validator Update of C-CDA 2.1 Corrections adoption and compliance requirements within paragraph (b)(8)(i). | 09-29-2017
1.2 | Provides notification of April 2018 Validator Update of C-CDA 2.1 Corrections adoption and compliance requirements within paragraph (b)(8)(i). Note: Due to an error in calculation ONC is also updating the dates for compliance with the March 2017 Validator Update of C-CDA 2.1 Corrections that were adopted September 29, 2017. | 05-02-2018
1.3 | Provides notification of August 2018 Validator Update of C-CDA 2.1 Corrections adoption and compliance requirements within paragraph (b)(8)(i). | 09-21-2018

Certification Companion Guide: Data segmentation for privacy – receive

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 2015 Edition final regulation. It extracts key portions of the rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the 2015 Edition final rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.
 

 

Certification Requirements

Privacy and Security: This certification criterion was adopted at § 170.315(b)(8). As a result, an ONC-ACB must ensure that a product presented for certification to a § 170.315(b) “paragraph (b)” criterion includes the privacy and security criteria (adopted in § 170.315(d)) within the overall scope of the certificate issued to the product.

  • The privacy and security criteria (adopted in § 170.315(d)) do not need to be explicitly tested with this specific paragraph (b) criterion unless it is the only criterion for which certification is requested.
  • As a general rule, a product presented for certification only needs to be tested once to each applicable privacy and security criterion (adopted in § 170.315(d)) so long as the health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification. However, exceptions exist for § 170.315(e)(1) “VDT” and (e)(2) “secure messaging,” which are explicitly stated.

Design and Performance: The following design and performance certification criteria (adopted in § 170.315(g)) must also be certified in order for the product to be certified.

  • When a single quality management system (QMS) is used, the QMS only needs to be identified once. Otherwise, the QMSs need to be identified for every capability to which they were applied.
  • When a single accessibility-centered design standard is used, the standard only needs to be identified once. Otherwise, the accessibility-centered design standards need to be identified for every capability to which they were applied; or, alternatively, the developer must state that no accessibility-centered design was used.
Table for Privacy and Security
Technical Explanations and Clarifications

 

Applies to entire criterion

Clarifications:

  • No additional clarifications available.

Paragraph (b)(8)(i)

Technical outcome – The health IT must be able to receive a summary record (formatted to Consolidated CDA Release 2.1) that is document-level tagged as restricted and subject to re-disclosure restrictions using the HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1.

Clarifications:

  • The DS4P standard does not have a service discovery mechanism to determine if a potential recipient is able to receive a tagged document. We expect that providers will have to determine the receiving capabilities of their exchange partners, similar to how they have to work with their exchange partners today when they are manually exchanging sensitive health information via fax. [see 80 FR 62648]
  • In order to mitigate potential interoperability errors and inconsistent implementation of the HL7 Implementation Guide for CDA® Release 2: Consolidated CDA Templates for Clinical Notes, Draft Standard for Trial Use, Release 2.1, ONC assesses, approves, and incorporates corrections as part of required testing and certification to this criterion. [see FAQ #51] Certified health IT adoption and compliance with the following corrections are necessary because they implement updates to vocabularies, update rules for cardinality and conformance statements, and promote proper exchange of C-CDA documents. Consistent with FAQ 51, there is a 90-day delay from the time the CCG has been updated with the ONC-approved corrections to when compliance with the corrections will be required to pass testing (i.e., C-CDA 2.1 Validator). Similarly consistent with FAQ 51, there will be an 18-month delay before a finding of a correction’s absence in certified health IT during surveillance would constitute a non-conformity under the Program.

Paragraph (b)(8)(ii)

Technical outcome – A user must be able to separate the document-level tagged document from other documents received.

Clarifications:

  • “Sequester” in this case means that only authorized users will have the ability to view the document. Once document-level tagged documents are received and stored in the Health IT Module they must only be accessible and viewable by authorized users and separated from other documents. The developer has full design and development discretion to implement a solution which handles this capability properly. Specific functionality other than authorized user access is not required, but if a developer opts to implement a more complex solution than described that is permissible and acceptable.

Paragraph (b)(8)(iii)

Technical outcome – A user must be able to view the restricted document without having to incorporate any of the data from the document.

Clarifications:

  • No additional clarifications available.
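
One way a receiving module could implement the sequestering clarified under (b)(8)(ii) and the view-without-incorporation outcome of (b)(8)(iii), shown as an added example that is not ONC's or any developer's code. The `DocumentStore` class, the user names and the policy of sequestering every document whose code is not U, L, M or N are assumptions; the sample documents are constructed and carry only the header element the check reads.

```python
import xml.etree.ElementTree as ET

NS = {"hl7": "urn:hl7-org:v3"}
CONF_OID = "2.16.840.1.113883.5.25"    # HL7 v3 Confidentiality code system
OPEN_CODES = {"U", "L", "M", "N"}      # assumed policy: anything else is sequestered

def is_restricted(cda_xml):
    """True when the document-level confidentialityCode calls for sequestering.
    Fails closed: a DTD, unparseable XML, or a missing/foreign code is restricted."""
    if "<!DOCTYPE" in cda_xml:         # CDA needs no DTD; refuse entity tricks
        return True
    try:
        root = ET.fromstring(cda_xml)
    except ET.ParseError:
        return True
    cc = root.find("hl7:confidentialityCode", NS)   # direct child of ClinicalDocument
    if cc is None or cc.get("codeSystem") != CONF_OID:
        return True
    return cc.get("code") not in OPEN_CODES

class DocumentStore:
    """Hypothetical store: both buckets are linked to the patient, kept apart."""
    def __init__(self, authorized_users):
        self.authorized = set(authorized_users)
        self.general, self.sequestered = {}, {}     # patient_id -> [raw documents]
        self.audit = []

    def receive(self, patient_id, cda_xml):
        restricted = is_restricted(cda_xml)
        bucket = self.sequestered if restricted else self.general
        bucket.setdefault(patient_id, []).append(cda_xml)
        return "sequestered" if restricted else "general"

    def view(self, user, patient_id):
        """Return raw documents for display only; nothing is parsed into the
        patient's discrete data (medications, allergies, problems)."""
        docs = list(self.general.get(patient_id, []))
        if user in self.authorized:
            docs += self.sequestered.get(patient_id, [])
        elif patient_id in self.sequestered:
            self.audit.append((user, patient_id, "denied-sequestered"))
        return docs

def sample(code, system=CONF_OID):
    # Constructed minimal header, not a complete C-CDA document.
    return ('<ClinicalDocument xmlns="urn:hl7-org:v3">'
            f'<confidentialityCode code="{code}" codeSystem="{system}"/>'
            '</ClinicalDocument>')
```

Routing on the header code alone keeps the decision independent of the rest of the document, so a malformed body cannot cause a restricted document to land in the general bucket.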

Testing Tool

Edge Testing Tool (ETT): Message Validators

 

Test Tool Documentation

Test Tool Supplemental Guide

 

Criterion Subparagraph | Test Data
(b)(8)(i) | Inpatient setting: 170.315_b8_ds4p_inp_sample1*.xml; Ambulatory setting: 170.315_b8_ds4p_amb_sample1*.xml

Content last reviewed on September 21, 2018