|
Regulation, Specification, or Guidance
|
Requirement
|
45 CFR Part 170.315 (a-1–a-4)
|
25.1 The electronic health record (EHR) module should provide computerized provider order entry (CPOE) functionality for medication orders, laboratory orders, and diagnostic imaging, including making checks for potential drug-drug and drug-allergy interactions.
|
45 CFR Part 170.315 (a-5) 45 CFR Part 170.315 (a-11–a-12) 45 CFR Part 170.315 (a-15)
|
25.2 The EHR module should allow authorized personnel to record, change, and access patient demographic data, including, but not limited to, race and ethnicity, patient's preferred language, birth sex, current sex, sexual orientation, gender identity, birth date, smoking status, alcohol use, family health history, psychological aspects, social aspects, and behavioral aspects.
|
45 CFR Part 170.315 (a-6–a-8) 45 CFR Part 170.315 (a-10) 45 CFR Part 170.315 (a-14)
|
25.3 The EHR module should allow authorized personnel to record, change, and access a patient's active problem list, medication list, medication allergy list, preferred drug list, and implantable device list, incorporating, where appropriate, at a minimum the SNOMED CT nomenclature standard.
|
45 CFR Part 170.315 (a-19)
|
25.4 The EHR module should incorporate configurable, role-based clinical decision support tools capable of allowing authorized personnel to trigger electronic interventions based on liked reference information standardized to Health Level 7 (HL7) Version 3 implementation guides. The reference information should be sourced.
|
45 CFR Part 170.315 (a-13)
|
25.5 The EHR module should be able to identify education resources specific to a patient's active problem and medication lists. The educational resources should be standardized to Health Level 7 (HL7) Version 3 implementation guides.
|
45 CFR Part 170.315 (b-1–b-2; b-4–b-5)
|
25.6 The EHR module should allow authorized personnel to create, view, send, and receive transition of care or referral summaries in such a way that the summary is properly formatted, matched to the correct patient, and reconciled according to the standards and protocols outlined in 45 CFR Part 170.315 (b-1), (b-2), (b-4), and (b-5).
|
45 CFR Part 170.315 (b-3)
|
25.7 The EHR module should allow authorized personnel to conduct electronic prescribing actions such as creating, changing, cancelling, and refilling prescriptions, incorporating at least the RxNorm and NCPDP SCRIPT standards.
|
45 CFR Part 170.315 (b-6)
|
25.8 The EHR module should allow authorized personnel to configure, create, and store data exports, incorporating at least HL7 Version 3 implementation standards, as well as SNOMED CT and ICD-9 standards.
|
45 CFR Part 170.315 (b-7–b-8)
|
25.9 The EHR module should allow for the secure creation, sending, and receipt of restricted summary records, incorporating HL7 Version 3 implementation standards.
|
45 CFR Part 170.315 (b-9)
|
25.10 The EHR module should allow authorized personnel to create, record, change, access, and receive care plan information, incorporating HL7 Version 3 implementation standards.
|
45 CFR Part 170.315 (c)
|
25.11 The EHR module should provide a means to record, calculate, import, export, filter, and report on clinical quality measures according to the standards outlined in 45 CFR Part 170.315 (c).
|
45 CFR Part 170.315 (d)
|
25.12 The EHR module shall provide security and access controls for protecting stored data.
|
45 CFR Part 170.315 (d)
|
25.13 The EHR module shall record an audit trail for each and every record created and modified, using version control.
|
45 CFR Part 170.315 (d-7)
|
25.14 The EHR module shall either encrypt electronic health information on end-user devices after use of the technology on the device stops or prevent electronic health information from being stored on end-user devices after use of the technology on the device stops.
|
45 CFR Part 170.315 (d-8)
|
25.15 The EHR module shall ensure that electronically exchanged health information has not been altered during the transfer process, using at least a hashing algorithm secured to SHA-2 or better.
|
45 CFR Part 170.315 (d-11)
|
25.16 The EHR module should be capable of recording patient disclosures made for treatment, payment, and health care operations.
|
45 CFR Part 170.315 (e-1)
|
25.17 The EHR module should provide a means for patients and their authorized representatives to view, download, and transmit their personal health information and activity history log from the EHR via an internet-based technology, using the standards outlined in 45 CFR Part 170.315 (e-1).
|
45 CFR Part 170.315 (e-2–e-3)
|
25.18 The EHR module should provide a means for authorized users to securely send messages to and receive messages from patients, at the same time allowing for the recording, accessing, and linking of information shared by the patient electronically (as well as directly).
|
45 CFR Part 170.315 (f)
|
25.19 The EHR module should allow vital patient information as it relates to public health to be transmitted to immunization registries, cancer registries, and public health agencies, as well as be accessed after the fact. This includes, but is not limited to, immunization history, surveillance information, laboratory test results, cancer case information, case reports, antimicrobial reporting, and health care survey information.
|
45 CFR Part 170.315 (g-3–g-5)
|
25.20 The EHR developer should use user-centered and accessibility-centered design processes for creating and testing the EHR's functionality. A quality management system should be used during these processes.
|
45 CFR Part 170.315 (g-6)
|
25.21 The EHR module's use of clinical document architecture (CDA) should be demonstrated and verified for conformance to the standards identified in 45 CFR Part 170.315 (g-6).
|
45 CFR Part 170.315 (g-7–g-9)
|
25.22 The EHR module should include an application programming interface (API) that demonstrates the EHR's ability to uniquely identify a patient and corresponding ID/token in a received records or data category request in order to accurately and securely meet the request for that patient's data. The API should be well documented.
|