Printer Friendly, PDF & Email Printer Friendly, PDF & Email

§170.315(b)(10) Electronic Health Information export

Version 1.0 Updated on 06-01-2020
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Final Test Procedure

06-01-2020
Regulation Text
Regulation Text

§ 170.315 (b)(10) Electronic Health Information export-

  1. Single patient electronic health information export.
    1. Enable a user to timely create an export file(s) with all of a single patient’s electronic health information that can be stored at the time of certification by the product, of which the Health IT Module is a part.
    2. A user must be able to execute this capability at any time the user chooses and without subsequent developer assistance to operate.
    3. Limit the ability of users who can create such export file(s) in at least one of these two ways:
      1. To a specific set of identified users
      2. As system administrator function.
    4. The export file(s) created must be electronic and in a computable format.
    5. The publicly accessible hyperlink of the export’s format must be included with the exported file(s).
  2. Patient population electronic health information export. Create an export of all the electronic health information that can be stored at the time of certification by the product, of which the Health IT Module is a part.
    1. The export created must be electronic and in a computable format.
    2. The publicly accessible hyperlink of the export’s format must be included with the exported file(s).
  3. Documentation. The export format(s) used to support paragraphs (b)(10)(i) and (ii) of this section must be kept up-to-date.
Standard(s) Referenced

None

Please consult the Final Rule entitled 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program for a detailed description of the certification criterion with which these testing steps are associated. Developers are encouraged to consult the Certification Companion Guide in tandem with the Test Procedure, as they both provide clarifications that may be useful for product development and testing.

Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.

Testing components

No GAP Icon Documentation Icon No Visual Inspection Icon No Test Tool Icon No ONC Supplied Test Data Icon

Paragraph (b)(10)(i)

System Under Test
ONC-ACB Verification
  1. The health IT developer attests that a user of the Health IT Module can perform an electronic health information (EHI) export for a single patient at any time the user chooses without developer assistance and that the export file(s):
  • Is created in a timely fashion;
  • Includes all the EHI for a single patient as described in § 170.315(b)(10)(i)(A);
  • Is electronic and in a computable format; and
  • Includes a publicly accessible hyperlink of the export’s format.
  1. The health IT developer attests that the Health IT Module can limit users who can perform an EHI export for a single patient using one of the following methods:
  • Grant a set of users the ability to perform the export; or
  • Grant system administrator(s) the ability to perform the export.
  1. The ONC-ACB verifies the health IT developer attests that a user of the Health IT Module can perform an EHI export for a single patient at any time the user chooses without developer assistance, and that the export file(s):
  • Is created in a timely fashion;
  • Includes all the EHI for a single patient as described in § 170.315(b)(10)(i)(A);
  • Is electronic and in a computable format;
  • Includes a publicly accessible hyperlink of the export’s format.
  1. The ONC-ACB verifies the health IT developer attests that the Health IT Module can limit users who can perform an EHI export for a single patient using one of the following methods:
  • Grant a set of users the ability to perform the export; or
  • Grant system administrator(s) the ability to perform the export.

Paragraph (b)(10)(ii)

System Under Test
ONC-ACB Verification

The health IT developer attests that a user of the Health IT Module can perform an EHI export for all electronic health information, and that the export:

  • Includes all the EHI for a patient population as described in § 170.315(b)(10)(ii);
  • Is electronic and in a computable format; and
  • Includes a publicly accessible hyperlink of the export’s format.

The ONC-ACB verifies the health IT developer attests that a user of the Health IT Module can perform an EHI export for all electronic health information, and that the export:

  • Includes all the EHI for a patient population as described in § 170.315(b)(10)(ii);
  • Creates export files that are electronic and are in a computable format; and
  • Includes a publicly accessible hyperlink of the export’s format.

Paragraph (b)(10)(iii)

System Under Test
ONC-ACB Verification

The health IT developer attests that the health IT developer has a process for keeping the export format(s) used to support paragraphs (b)(10)(i) and (ii) of this section up-to-date.

The ONC-ACB verifies the health IT developer attests that the health IT has a process for maintaining the export format(s) used to support paragraphs (b)(10)(i) and (ii) of this section up-to-date.


Version 1.0 Updated on 06-15-2020
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Initial Publication

06-15-2020
Regulation Text
Regulation Text

§ 170.315 (b)(10) Electronic Health Information export-

  1. Single patient electronic health information export.
    1. Enable a user to timely create an export file(s) with all of a single patient’s electronic health information that can be stored at the time of certification by the product, of which the Health IT Module is a part.
    2. A user must be able to execute this capability at any time the user chooses and without subsequent developer assistance to operate.
    3. Limit the ability of users who can create such export file(s) in at least one of these two ways:
      1. To a specific set of identified users
      2. As system administrator function.
    4. The export file(s) created must be electronic and in a computable format.
    5. The publicly accessible hyperlink of the export’s format must be included with the exported file(s).
  2. Patient population electronic health information export. Create an export of all the electronic health information that can be stored at the time of certification by the product, of which the Health IT Module is a part.
    1. The export created must be electronic and in a computable format.
    2. The publicly accessible hyperlink of the export’s format must be included with the exported file(s).
  3. Documentation. The export format(s) used to support paragraphs (b)(10)(i) and (ii) of this section must be kept up-to-date.
Standard(s) Referenced

None

Certification Companion Guide: Electronic Health Information export

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the ONC Cures Act Final Rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.

 

Certification Requirements

Privacy and Security: § 170.315(b)(10) and, consistent with the rationale provided in the 2015 Edition Final rule, (g)(1) through (6) are exempt from the P&S Certification Framework due to the capabilities included in these criteria, which do not implicate privacy and security concerns (80 FR 62707).

  • In general, please note that those who use Health IT Module(s) certified to the “EHI export” criterion remain responsible for safeguarding the security and privacy of individuals’ EHI consistent with applicable laws and regulations related to health information privacy and security, including the HITECH Act, HIPAA Privacy and Security Rules, 42 CFR part 2, and state laws. The existence of a technical capability to make EHI more accessible and useable by Health IT Module users does not alter or change any of their data protection responsibilities under applicable laws and regulations.
Technical Explanations and Clarifications

 

Applies to Entire Criterion

Clarifications:

  • Electronic health information (EHI) means “electronic protected health information” (ePHI) as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity. But EHI does NOT include psychotherapy notes as defined in 45 CFR 164.501 or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
  • The EHI definition represents the same ePHI that a patient would have the right to request a copy of pursuant to the HIPAA Privacy Rule.
  • The criterion is specific to EHI, as defined above, that can be stored by the health IT product at the time the Health IT Module is presented for certification. 
  • Conformance “at the time of certification” means the combined data that is stored in and by the Health IT Module in its original form as presented for certification. It does not include within the certification criterion’s scope of export any data subsequently generated from unique post-certification deployments.
  • The criterion does not specify transport method(s) or data standards that must be used.
  • The criterion does not specify a predefined data set and will differ by developer and products of which the Health IT Module is a part. As a result, the amount of EHI that will need to be able to be exported in order to demonstrate conformance with this certification criterion will vary widely because of the diversity of products presented for certification.
  • “Stored” data applies to all EHI and is agnostic as to whether the EHI is stored in or by the certified Health IT Module or in or by any of the other “non-certified” capabilities of the health IT product of which the certified Health IT Module is a part.
  • “Can be stored by” refers to the EHI types stored in and by the health IT product, of which the Health IT Module is a part and is meant to be interpreted as the combination of EHI a heath IT product stores itself and in other data storage locations. Thus, the cumulative data covered by these storage techniques would be in the scope of data export.
  • Any images, imaging information, and image elements that fall within this finalized scope of EHI that can be stored at the time of certification in or by the product, of which the Health IT Module is a part will need to be exported under this certification criterion.
  • In the context of imaging, if the only EHI stored in or by the product to which this certification criterion applies are links to images/imaging data (and not the images themselves, which may remain in a picture archiving and communication system (PACS)) then only such links must be part of what is exported.
  • This certification criterion also does not prescribe how (i.e., media/medium) the exported information is to be made available to the user, as this may depend on the size and type of information to be exported.
  • The export format need not be the same format used internally by the certified health IT, and the health IT developer does not need to make public its proprietary data model.
  • The file formats and related definitions are not finalized as specific certification requirements,developers are encouraged to continue to foster transparency and best practices for data sharing, such as machine-readable format, when they create and update their export format information
  • The documentation for the export format consists of information on the structure and syntax for how the EHI will be exported by the product such as, for example, Consolidated-Clinical Document Architecture (C-CDA) document(s) or data dictionary for comma separated values (csv) file(s), and not the actual EHI.
  • Health IT developers must keep the export format “up-to-date.” For example, if the health IT developer had previously specified the C-CDA standard as the export format for meeting the criterion, but subsequently updated its product to use the FHIR® standard and stopped supporting C-CDA export format, then the documentation for export format would need to be updated so that users are able to continue to accurately process the EHI exported by the product.

 

Paragraph (i)(A)

Technical outcome – Enable a user to timely create an export file(s) with all of a single patient’s electronic health information stored at the time of certification by the product, of which the Health IT Module is a part.

Clarifications:

  • No additional clarifications.

 

Paragraph (i)(B)

Technical outcome –A user must be able to execute this capability at any time the user chooses and without subsequent developer assistance to operate.

Clarifications:

  • “Timely” means near real-time, while being reasonable and prudent given the circumstances.

 

Paragraph (i)(C)

Technical outcome – Limit the ability of users who can create export file(s) in at least one of these two ways: (1) To a specific set of identified users (2) As a system administrative function.

Clarifications:

  • “User” is a health care professional or his or her office staff; or a software program or service that would interact directly with the certified health IT (80 FR 62611, 77 FR 54168).
  • The ability to limit the health IT users’ access to the single patient EHI export functionality in § 170.315(b)(10)(i) is intended to be used by and at the discretion of the organization implementing the technology.  This cannot be used by health IT developers as a way to thwart or moot the overarching user-driven aspect of this capability (80 FR 62646).
  • This certification criterion does not require “direct-to-patient” functionality in order to demonstrate conformance. The capability to execute this certification criterion can be health care provider/health care organization initiated (presumably upon that organization receiving a request by patient for his or her EHI).

 

Paragraph (i)(D)

Technical outcome – The export files(s) created must be electronic and in a computable format.

Clarifications:

  • No additional clarifications.

 

Paragraph (i)(E)

Technical outcome – The publicly accessible hyperlink of the export’s format must be included with the exported file(s).

Clarifications:

  • No additional clarifications.

 

Paragraph (ii)

Technical outcome – Create an export of all the electronic health information that can be stored at the time of certification by product of which the Health IT Module is a part.

Clarifications:

  • The patient population EHI export capability of this criterion could require action or support on the part of the health IT developer.

 

Paragraph (iii)

Technical outcome – The exported format(s) used to support paragraphs (b)(10)(i) and (ii) of this section must be kept up-to-date.

Clarifications:

  • The developer’s clinical EHI export format should be made publicly available via a hyperlink as part of certification to the criterion, including keeping the hyperlink up-to-date with the current export format. Similar to the API documentation, this link will also be made available on the CHPL.
  • The hyperlink must allow any person to directly access the information without any preconditions or additional steps.

Content last reviewed on June 18, 2020
Was this page helpful?