45 C.F.R. § 170.210

Current through 4/2/2024
Section 170.210 - Standards for health information technology to protect electronic health information created, maintained, and exchanged

The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:

(a) Encryption and decryption of electronic health information.
(1) [Reserved]
(2) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2, October 8, 2014 (incorporated by reference in § 170.299).
(b) [Reserved]
(c) Hashing of electronic health information.
(1) [Reserved]
(2) Standard. A hashing algorithm with a security strength equal to or greater than SHA-2 as specified by NIST in FIPS Publication 180-4 (August 2015) (incorporated by reference in § 170.299).
(d) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
(e) Record actions related to electronic health information, audit log status, and encryption of end-user devices.
(1)
(i) The audit log must record the information specified in sections 7.1.1 and 7.1.2 and 7.1.6 through 7.1.9 of the standard specified in § 170.210(h) and changes to user privileges when health IT is in use.
(ii) The date and time must be recorded in accordance with the standard specified at § 170.210(g).
(2)
(i) The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the audit log status is changed.
(ii) The date and time each action occurs must be recorded in accordance with the standard specified at § 170.210(g).
(3) The audit log must record the information specified in sections 7.1.1 and 7.1.7 of the standard specified at § 170.210(h) when the encryption status of electronic health information locally stored by health IT on end-user devices is changed. The date and time each action occurs must be recorded in accordance with the standard specified at § 170.210(g).
(f) Encryption and hashing of electronic health information. Any encryption and hashing algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the FIPS Publication 140-2 (incorporated by reference in § 170.299).
(g) Synchronized clocks. The date and time recorded utilize a system clock that has been synchronized using any Network Time Protocol (NTP) standard.
(h) Audit log content. ASTM E2147-18 (incorporated by reference in § 170.299).
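The following is an added example, not text of the regulation and not code from any certified health IT product. It shows how the requirements in paragraphs (c)(2), (d), (e) and (g) translate into checks a developer can enforce at the point where an audit record is written: a hash algorithm is accepted only if it meets the SHA-2 floor, a treatment/payment/operations disclosure is refused unless it carries the patient identification, user identification and description that (d) lists, audit-log status and device-encryption status changes are first-class events so that (e)(2) and (e)(3) cannot be skipped, and every timestamp is taken from the system clock (assumed to be NTP-synchronized per (g)) and stored with an explicit UTC offset. The event names, field names, the per-record integrity digest and the sample inputs are assumptions made for illustration; the specific ASTM E2147-18 section contents referenced by (e) are not reproduced here.

```python
"""Added example, not part of 45 CFR 170.210 or any certified product: an
audit-record writer that enforces the elements paragraphs (d), (e) and (g)
require and the hashing floor in (c)(2).  Event names, field names, the
integrity digest and the sample inputs are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# (c)(2): a hash with security strength >= SHA-2.  hashlib names accepted here
# are the SHA-2 family (FIPS 180-4) plus SHA-3, which is assumed to meet the
# same floor; MD5 and SHA-1 are deliberately absent.
APPROVED_HASHES = frozenset({"sha224", "sha256", "sha384", "sha512",
                             "sha3_256", "sha3_384", "sha3_512"})

# Things the section says must be logged, modelled as event types (names are
# assumptions): (e)(1) actions on EHI and user-privilege changes, (e)(2)
# audit-log status changes, (e)(3) end-user-device encryption status changes,
# (d) disclosures for treatment, payment and health care operations (TPO).
EVENT_TYPES = frozenset({"ehi_action", "privilege_change", "audit_log_status",
                         "device_encryption_status", "tpo_disclosure"})


def is_approved_hash(name: str) -> bool:
    """True if hashlib algorithm `name` satisfies the (c)(2) floor."""
    return name in APPROVED_HASHES


def utc_now() -> datetime:
    """(g): date/time come from the system clock, which is assumed to be
    NTP-synchronized; that cannot be checked from here, so records carry an
    explicit UTC offset so they can be correlated across systems."""
    return datetime.now(timezone.utc)


def _digest(record: dict, hash_name: str) -> str:
    """Digest over the canonical JSON form of the record minus digest fields."""
    body = {k: v for k, v in record.items() if k not in ("digest", "digest_alg")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.new(hash_name, canonical).hexdigest()


def make_audit_record(event_type: str, user_id: str, action: str,
                      patient_id: Optional[str] = None,
                      description: Optional[str] = None,
                      hash_name: str = "sha256",
                      when: Optional[datetime] = None) -> dict:
    """Build one audit record, refusing anything that would not satisfy the
    section: unknown event type, weak hash, missing user/action, a TPO
    disclosure without patient id and description, or a naive timestamp."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type {event_type!r}")
    if not is_approved_hash(hash_name):
        raise ValueError(f"{hash_name} does not meet the SHA-2 floor in (c)(2)")
    if not user_id or not action:
        raise ValueError("user identification and action are mandatory")
    # (d): TPO disclosures need patient id and a description of the disclosure.
    if event_type == "tpo_disclosure" and not (patient_id and description):
        raise ValueError("TPO disclosure requires patient id and description")
    ts = when if when is not None else utc_now()
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamp must carry a UTC offset")
    record = {
        "timestamp": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "event_type": event_type,
        "user_id": user_id,
        "patient_id": patient_id,
        "action": action,
        "description": description,
    }
    # Per-record integrity digest: an added design choice, not something the
    # section mandates; it only uses the (c)(2)-compliant algorithm chosen above.
    record["digest_alg"] = hash_name
    record["digest"] = _digest(record, hash_name)
    return record


def verify_audit_record(record: dict) -> bool:
    """Recompute the digest; False if any logged field was altered."""
    alg = record.get("digest_alg")
    if not is_approved_hash(alg):
        return False
    return record.get("digest") == _digest(record, alg)


if __name__ == "__main__":
    # Constructed sample events.
    fixed = datetime(2024, 4, 2, 13, 5, 0, tzinfo=timezone.utc)
    rec = make_audit_record("tpo_disclosure", user_id="u-1042",
                            action="disclose", patient_id="p-7781",
                            description="claim sent to payer", when=fixed)
    print(json.dumps(rec, indent=2))
    rec["action"] = "view"            # alteration is detected
    print("verifies after edit:", verify_audit_record(rec))
```

Running the block writes one disclosure record and then shows that changing a logged field invalidates its digest. The digest only detects alteration of a single record; ordering or deletion of whole records is outside what this example covers.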


75 FR 44649, July 28, 2010, as amended at 77 FR 54285, Sept. 4, 2012; 79 FR 54478, Sept. 11, 2014; 80 FR 62745, Oct. 16, 2015; 85 FR 25940, May 1, 2020; 85 FR 70082, Nov. 4, 2020
85 FR 25940, 6/30/2020; 85 FR 70082, 12/4/2020; 89 FR 1428, 2/8/2024; 89 FR 8548, 3/11/2024