§170.315(d)(13) Multi-factor authentication

2015 Edition Cures Update CCG
2015 Edition Cures Update Conformance Method

Updated on 06-01-2020

Revision History

Version #	Description of Change	Version Date
1.0	Final Test Procedure	06-01-2020
1.1	Updated regulation text from “identify” to “identity” per the IFR, Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency	11-02-2020

Regulation Text

§ 170.315 (d)(13) Multi-factor authentication.

Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:

Yes – the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “yes,” the health IT developer must describe the use cases supported.
No – the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “no,” the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry recognized standards.

Standard(s) Referenced

None

Resource Documents

Resource Document

Revision History

Version #	Description of Change	Version Date
1.0	Final Test Procedure	06-01-2020
1.1	Updated regulation text from “identify” to “identity” per the IFR, Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency	11-02-2020

Regulation Text

Regulation Text

§ 170.315 (d)(13) Multi-factor authentication.

Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:

Yes – the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “yes,” the health IT developer must describe the use cases supported.
No – the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “no,” the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry recognized standards.

Standard(s) Referenced

None

Please consult the Final Rule entitled: 21^st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program and and the Interim Final Rule (IFR) Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency for a detailed description of the certification criterion with which these testing steps are associated. Developers are encouraged to consult the Certification Companion Guide in tandem with the test procedure as they both provide clarifications that may be useful for product development and testing.

Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.

Testing components

Paragraph (d)(13)(i) – (Alternative)

System Under Test

The health IT developer attests, “Yes, the Health IT Module supports authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards,” and;
The health IT developer submits a description of the supported use cases.

Test Lab Verification

The ONC-ACB verifies the health IT developer attests, ”Yes, the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.”
The ONC-ACB verifies the health IT developer provided a description of the supported use cases.

Paragraph (d)(13)(i) – (Alternative)

System Under Test	ONC-ACB Verification
The health IT developer attests, “Yes, the Health IT Module supports authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards,” and; The health IT developer submits a description of the supported use cases.	The ONC-ACB verifies the health IT developer attests, ”Yes, the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.” The ONC-ACB verifies the health IT developer provided a description of the supported use cases.

Paragraph (d )(13)(ii) - (Alternative)

System Under Test

The health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.”
The health IT developer may submit an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.

Test Lab Verification

The ONC-ACB verifies the health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.”
If the health IT developer provides an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards, then the ONC-ACB verifies the health IT developer’s explanation.

Paragraph (d )(13)(ii) - (Alternative)

System Under Test	ONC-ACB Verification
The health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.” The health IT developer may submit an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.	The ONC-ACB verifies the health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.” If the health IT developer provides an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards, then the ONC-ACB verifies the health IT developer’s explanation.

System Under Test

ONC-ACB Verification

The health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.”
The health IT developer may submit an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.

The ONC-ACB verifies the health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.”
If the health IT developer provides an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards, then the ONC-ACB verifies the health IT developer’s explanation.

Updated on 11-02-2020

Revision History

Version #	Description of Change	Version Date
1.0	Initial Publication	05-27-2020
1.1	Added clarifications to the reporting requirements of results to the ONC-ACB and for the CHPL listing.	06-30-2020
1.2	Updated regulation text from “identify” to “identity” per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency	11-02-2020

Regulation Text

§ 170.315 (d)(13) Multi-factor authentication.

Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:

Yes – the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “yes,” the health IT developer must describe the use cases supported.
No – the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “no,” the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry recognized standards.

Standard(s) Referenced

None

Resource Documents

Resource Document

Revision History

Version #	Description of Change	Version Date
1.0	Initial Publication	05-27-2020
1.1	Added clarifications to the reporting requirements of results to the ONC-ACB and for the CHPL listing.	06-30-2020
1.2	Updated regulation text from “identify” to “identity” per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency	11-02-2020

Regulation Text

Regulation Text

§ 170.315 (d)(13) Multi-factor authentication.

Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:

Yes – the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “yes,” the health IT developer must describe the use cases supported.
No – the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “no,” the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry recognized standards.

Standard(s) Referenced

None

Certification Companion Guide: Multi-factor authentication

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21^st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the ONC Cures Act Final Rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.

Link to ONC Cures Act Final Rule Preamble

Link to Interim Final Rule

Edition Comparision	Gap Certification Eligible	Base EHR Definition
New	No	Not Included

Certification Requirements

Technical Explanations and Clarifications

Applies to Entire Criterion

Clarifications:

The criterion does not require certified health IT to have these capabilities or for health IT developers to implement these capabilities for a specific use case or any use case, just to attest “yes” or “no” to whether the Health IT Module supports multi-factor authentication. The criteria places no requirements on health IT customers, such as health care providers, to implement these capabilities (if present in their products) in their healthcare settings.
Health IT developers attesting “yes” to supporting multi-factor authentication must provide a report outlining the use cases supported to the ONC Authorized Certification Body (ONC-ACB) that is either a hard copy or in an acceptable human readable electronic format. To be open and transparent to the public, developers must also provide a hyperlink to any required use cases or optional documentation to be published with the product on the ONC Certified Health IT Product List (CHPL).

Applies to Entire Criterion

Clarifications:

The criterion does not require certified health IT to have these capabilities or for health IT developers to implement these capabilities for a specific use case or any use case, just to attest “yes” or “no” to whether the Health IT Module supports multi-factor authentication. The criteria places no requirements on health IT customers, such as health care providers, to implement these capabilities (if present in their products) in their healthcare settings.
Health IT developers attesting “yes” to supporting multi-factor authentication must provide a report outlining the use cases supported to the ONC Authorized Certification Body (ONC-ACB) that is either a hard copy or in an acceptable human readable electronic format. To be open and transparent to the public, developers must also provide a hyperlink to any required use cases or optional documentation to be published with the product on the ONC Certified Health IT Product List (CHPL).

Paragraph (i)

Clarifications:

If a health IT developer attests “yes” it must describe the use cases supported. For example, a health IT developer could attest “yes” to supporting multi-factor authentication and provide a summary that the Health IT Module supports multi-factor authentication for remote access by clinical users, thus providing clarity on the user roles to which multi-factor authentication applies for that particular Health IT Module.
Health IT developers are not expected to provide specific technical details about how they support multi-factor authentication as that information could pose security risks. A succinct, high-level summary that gives an indication of the types of uses supported is adequate.
If a health IT developer adds a new multi-factor authentication use case it must comply with this criterion’s “yes” attestation provisions and be part of the quarterly CHPL reporting by health IT developers and ONC-ACBs under § 170.523(m).

Paragraph (i)

Clarifications:

If a health IT developer attests “yes” it must describe the use cases supported. For example, a health IT developer could attest “yes” to supporting multi-factor authentication and provide a summary that the Health IT Module supports multi-factor authentication for remote access by clinical users, thus providing clarity on the user roles to which multi-factor authentication applies for that particular Health IT Module.
Health IT developers are not expected to provide specific technical details about how they support multi-factor authentication as that information could pose security risks. A succinct, high-level summary that gives an indication of the types of uses supported is adequate.
If a health IT developer adds a new multi-factor authentication use case it must comply with this criterion’s “yes” attestation provisions and be part of the quarterly CHPL reporting by health IT developers and ONC-ACBs under § 170.523(m).

Paragraph (ii)

Clarifications:

Health IT developers will be permitted, but not required, to provide a reason for attesting “no,” which may be due to multi-factor authentication being inapplicable or inappropriate. In those cases, a health IT developer could, for example, state that the Health IT Module does not support multi-factor authentication because it is engaged in system-to-system public health reporting and multi-factor authentication is not applicable.

Paragraph (ii)

Clarifications:

Health IT developers will be permitted, but not required, to provide a reason for attesting “no,” which may be due to multi-factor authentication being inapplicable or inappropriate. In those cases, a health IT developer could, for example, state that the Health IT Module does not support multi-factor authentication because it is engaged in system-to-system public health reporting and multi-factor authentication is not applicable.

Open Survey

Certification of Health IT

Health Information Technology Advisory Committee (HITAC)

Health Equity

Information Blocking

Interoperability

Patient Access to Health Records

Clinical Quality and Safety

Global Health IT Efforts

Health IT and Health Information Exchange Basics

Health IT in Health Care Settings

Health IT Resources

Laws, Regulation, and Policy

ONC Funding Opportunities

ONC HITECH Programs

Privacy, Security, and HIPAA

Scientific Initiatives

Standards & Technology

Usability and Provider Burden

§170.315(d)(13) Multi-factor authentication

Testing components

Paragraph (d)(13)(i) – (Alternative)

Paragraph (d)(13)(i) – (Alternative)

Paragraph (d )(13)(ii) - (Alternative)

Paragraph (d )(13)(ii) - (Alternative)

Certification Companion Guide: Multi-factor authentication

Applies to Entire Criterion

Applies to Entire Criterion

Paragraph (i)

Paragraph (i)

Paragraph (ii)

Paragraph (ii)

Connect with us: