§170.315(d)(13) Multi-factor authentication
Version # | Description of Change | Version Date |
---|---|---|
1.0 | Final Test Procedure | 06-01-2020 |
1.1 | Updated regulation text from “identify” to “identity” per the IFR, Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency | 11-02-2020 |
§ 170.315 (d)(13) Multi-factor authentication.
Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:
- Yes – the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “yes,” the health IT developer must describe the use cases supported.
- No – the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “no,” the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry recognized standards.
Standard(s) Referenced: None
Please consult the Final Rule entitled: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program and the Interim Final Rule (IFR) Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency for a detailed description of the certification criterion with which these testing steps are associated. Developers are encouraged to consult the Certification Companion Guide in tandem with the test procedure as they both provide clarifications that may be useful for product development and testing.
Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.
Testing components
Paragraph (d)(13)(i) – (Alternative)
System Under Test | ONC-ACB Verification |
---|---|
The health IT developer attests, “Yes, the Health IT Module supports authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards,” and; | The ONC-ACB verifies the health IT developer attests, “Yes, the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.” |
The health IT developer submits a description of the supported use cases. | The ONC-ACB verifies the health IT developer provided a description of the supported use cases. |
Paragraph (d)(13)(ii) – (Alternative)
System Under Test | ONC-ACB Verification |
---|---|
The health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.” | The ONC-ACB verifies the health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.” |
The health IT developer may submit an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. | If the health IT developer provides an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards, then the ONC-ACB verifies the health IT developer’s explanation. |
Version # | Description of Change | Version Date |
---|---|---|
1.0 | Initial Publication | 05-27-2020 |
1.1 | Added clarifications to the reporting requirements of results to the ONC-ACB and for the CHPL listing. | 06-30-2020 |
1.2 | Updated regulation text from “identify” to “identity” per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency | 11-02-2020 |
Certification Companion Guide: Multi-factor authentication
This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the ONC Cures Act Final Rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.
Base EHR Definition | In Scope for CEHRT Definition | Real World Testing | USCDI | SVAP |
---|---|---|---|---|
Not Included | No | No | No | No |
Applies to Entire Criterion
Clarifications:
- The criterion does not require certified health IT to have these capabilities or for health IT developers to implement these capabilities for a specific use case or any use case, just to attest “yes” or “no” to whether the Health IT Module supports multi-factor authentication. The criterion places no requirements on health IT customers, such as health care providers, to implement these capabilities (if present in their products) in their healthcare settings.
- Health IT developers attesting “yes” to supporting multi-factor authentication must provide a report outlining the use cases supported to the ONC Authorized Certification Body (ONC-ACB) that is either a hard copy or in an acceptable human readable electronic format. To be open and transparent to the public, developers must also provide a hyperlink to any required use cases or optional documentation to be published with the product on the ONC Certified Health IT Product List (CHPL).
Paragraph (i)
Clarifications:
- If a health IT developer attests “yes” it must describe the use cases supported. For example, a health IT developer could attest “yes” to supporting multi-factor authentication and provide a summary that the Health IT Module supports multi-factor authentication for remote access by clinical users, thus providing clarity on the user roles to which multi-factor authentication applies for that particular Health IT Module.
- Health IT developers are not expected to provide specific technical details about how they support multi-factor authentication as that information could pose security risks. A succinct, high-level summary that gives an indication of the types of uses supported is adequate.
- If a health IT developer adds a new multi-factor authentication use case it must comply with this criterion’s “yes” attestation provisions and be part of the quarterly CHPL reporting by health IT developers and ONC-ACBs under § 170.523(m).
Paragraph (ii)
Clarifications:
- Health IT developers will be permitted, but not required, to provide a reason for attesting “no,” which may be due to multi-factor authentication being inapplicable or inappropriate. In those cases, a health IT developer could, for example, state that the Health IT Module does not support multi-factor authentication because it is engaged in system-to-system public health reporting and multi-factor authentication is not applicable.