Printer Friendly, PDF & Email Printer Friendly, PDF & Email

§170.315(d)(13) Multi-factor authentication

Version 1.0 Updated on 06-01-2020
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Final Test Procedure

06-01-2020
1.1

Updated regulation text from “identify” to “identity” per the IFR, Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency 

11-02-2020
Regulation Text
Regulation Text

§ 170.315 (d)(13) Multi-factor authentication.

Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:

  1. Yes – the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “yes,” the health IT developer must describe the use cases supported.
  2. No – the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “no,” the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry recognized standards.
Standard(s) Referenced

None

Please consult the Final Rule entitled: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program and and the Interim Final Rule (IFR) Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency for a detailed description of the certification criterion with which these testing steps are associated. Developers are encouraged to consult the Certification Companion Guide in tandem with the test procedure as they both provide clarifications that may be useful for product development and testing.

Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.

Testing components

No GAP Icon Documentation Icon Visual Inspection Icon No Test Tool Icon No ONC Supplied Test Data Icon

Paragraph (d)(13)(i) – (Alternative)

System Under Test
ONC-ACB Verification
  1. The health IT developer attests, “Yes, the Health IT Module supports authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards,” and;
  2. The health IT developer submits a description of the supported use cases.
  1. The ONC-ACB verifies the health IT developer attests, ”Yes, the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.”
  2. The ONC-ACB verifies the health IT developer provided a description of the supported use cases.  

Paragraph (d )(13)(ii) - (Alternative)

System Under Test
ONC-ACB Verification
  1. The health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.” 
  2. The health IT developer may submit an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.
  1. The ONC-ACB verifies the health IT developer attests, “No, the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.”
  2. If the health IT developer provides an explanation why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards, then the ONC-ACB verifies the health IT developer’s explanation.

Version 1.2 Updated on 11-02-2020
Resource Documents
Revision History
Version # Description of Change Version Date
1.0

Initial Publication

05-27-2020
1.1

Added clarifications to the reporting requirements of results to the ONC-ACB and for the CHPL listing.

06-30-2020
1.2

Updated regulation text from “identify” to “identity” per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency

11-02-2020
Regulation Text
Regulation Text

§ 170.315 (d)(13) Multi-factor authentication.

Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:

  1. Yes – the Health IT Module supports the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “yes,” the health IT developer must describe the use cases supported.
  2. No – the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards. When attesting “no,” the health IT developer may explain why the Health IT Module does not support authentication, through multiple elements, of the user’s identity with the use of industry recognized standards.
Standard(s) Referenced

None

Certification Companion Guide: Multi-factor authentication

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the ONC Cures Act Final Rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.

 

Certification Requirements
Technical Explanations and Clarifications

 

Applies to Entire Criterion

Clarifications:

  • The criterion does not require certified health IT to have these capabilities or for health IT developers to implement these capabilities for a specific use case or any use case, just to attest “yes” or “no” to whether the Health IT Module supports multi-factor authentication. The criteria places no requirements on health IT customers, such as health care providers, to implement these capabilities (if present in their products) in their health care settings.
  • Health IT developers attesting “yes” to supporting multi-factor authentication must provide a report outlining the use cases supported to the ONC-ACB that is either a hard copy or in an acceptable human readable electronic format.  To be open and transparent to the public, developers must also provide a hyperlink to any required use cases or optional documentation to be published with the product on the ONC Certified Health IT Product List (CHPL).  

 

Paragraph (i)

Clarifications:

  • If a health IT developer attests “yes” it must describe the use cases supported. For example, a health IT developer could attest “yes” to supporting multi-factor authentication and provide a summary that the Health IT Module supports multi-factor authentication for remote access by clinical users, thus providing clarity on the user roles to which multi-factor authentication applies for that particular Health IT Module.
  • Health IT developers are not expected to provide specific technical details about how they support multi-factor authentication as that information could pose security risks. A succinct, high-level summary that gives an indication of the types of uses supported is adequate.
  • If a health IT developer adds a new multi-factor authentication use case it must comply with this criterion’s “yes” attestation provisions and be part of the quarterly CHPL reporting by health IT developers and ONC-ACBs under § 170.523(m).

 

Paragraph (ii)

Clarifications:

  • Health IT developers will be permitted, but not required, to provide a reason for attesting “no,” which may be due to multi-factor authentication being inapplicable or inappropriate. In those cases, a health IT developer could, for example, state that the Health IT Module does not support multi-factor authentication because it is engaged in system-to-system public health reporting and multi-factor authentication is not applicable.

Content last reviewed on November 19, 2020
Was this page helpful?