[Federal Register Volume 75, Number 8 (Wednesday, January 13, 2010)]
[Rules and Regulations]
[Pages 2014-2047]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-31216]



[[Page 2013]]

-----------------------------------------------------------------------

Part III





Department of Health and Human Services





-----------------------------------------------------------------------



45 CFR Part 170



Health Information Technology: Initial Set of Standards, Implementation 
Specifications, and Certification Criteria for Electronic Health Record 
Technology; Interim Final Rule

  Federal Register / Vol. 75 , No. 8 / Wednesday, January 13, 2010 / 
Rules and Regulations  

[[Page 2014]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 170

RIN 0991-AB58


Health Information Technology: Initial Set of Standards, 
Implementation Specifications, and Certification Criteria for 
Electronic Health Record Technology

AGENCY: Office of the National Coordinator for Health Information 
Technology, Department of Health and Human Services.

ACTION: Interim final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS) is issuing 
this interim final rule with a request for comments to adopt an initial 
set of standards, implementation specifications, and certification 
criteria, as required by section 3004(b)(1) of the Public Health 
Service Act. This interim final rule represents the first step in an 
incremental approach to adopting standards, implementation 
specifications, and certification criteria to enhance the 
interoperability, functionality, utility, and security of health 
information technology and to support its meaningful use. The 
certification criteria adopted in this initial set establish the 
capabilities and related standards that certified electronic health 
record (EHR) technology will need to include in order to, at a minimum, 
support the achievement of the proposed meaningful use Stage 1 
(beginning in 2011) by eligible professionals and eligible hospitals 
under the Medicare and Medicaid EHR Incentive Programs.

DATES: Effective Date: This interim final rule is effective February 
12, 2010. The incorporation by reference of certain publications listed 
in the rule is approved by the Director of the Federal Register as of 
February 12, 2010.
    Comment Date: To be assured consideration, written or electronic 
comments must be received at one of the addresses provided below, no 
later than 5 p.m. on March 15, 2010.

ADDRESSES: Because of staff and resource limitations, we cannot accept 
comments by facsimile (FAX) transmission. You may submit comments, 
identified by RIN 0991-AB58, by any of the following methods (please do 
not submit duplicate comments).
     Federal eRulemaking Portal: Follow the instructions for 
submitting comments. Attachments should be in Microsoft Word, 
WordPerfect, or Excel; however, we prefer Microsoft Word. http://www.regulations.gov.
     Regular, Express, or Overnight Mail: Department of Health 
and Human Services, Office of the National Coordinator for Health 
Information Technology, Attention: HITECH Initial Set Interim Final 
Rule, Hubert H. Humphrey Building, Suite 729D, 200 Independence Ave., 
SW., Washington, DC 20201. Please submit one original and two copies.
     Hand Delivery or Courier: Office of the National 
Coordinator for Health Information Technology, Attention: HITECH 
Initial Set Interim Final Rule, Hubert H. Humphrey Building, Suite 
729D, 200 Independence Ave., SW., Washington, DC 20201. Please submit 
one original and two copies. (Because access to the interior of the 
Hubert H. Humphrey Building is not readily available to persons without 
federal government identification, commenters are encouraged to leave 
their comments in the mail drop slots located in the main lobby of the 
building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in a comment. Please do not include 
anything in your comment submission that you do not wish to share with 
the general public. Such information includes, but is not limited to: A 
person's social security number; date of birth; driver's license 
number; state identification number or foreign country equivalent; 
passport number; financial account number; credit or debit card number; 
any personal health information; or any business information that could 
be considered to be proprietary. We will post all comments received 
before the close of the comment period at http://www.regulations.gov.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov or U.S. Department 
of Health and Human Services, Office of the National Coordinator for 
Health Information Technology, Hubert H. Humphrey Building, Suite 729D, 
200 Independence Ave., SW., Washington, DC 20201 (call ahead to the 
contact listed below to arrange for inspection).

FOR FURTHER INFORMATION CONTACT: Steven Posnack, Policy Analyst, 202-
690-7151.

SUPPLEMENTARY INFORMATION:

Acronyms

AHIC American Health Information Community
ANSI American National Standards Institute
ASP Application Service Provider
CAH Critical Access Hospital
CCD Continuity of Care Document
CCHIT Certification Commission for Health Information Technology
CCR Continuity of Care Record
CDA Clinical Document Architecture
CDC Centers for Disease Control and Prevention
CFR Code of Federal Regulations
CGD Certification Guidance Document
CMS Centers for Medicare & Medicaid Services
CPOE Computerized Provider Order Entry
EHR Electronic Health Record
FIPS Federal Information Processing Standards
GIPSE Geocoded Interoperable Population Summary Exchange
HHS Department of Health and Human Services
HIPAA Health Insurance Portability and Accountability Act of 1996
HIT Health Information Technology
HITECH Health Information Technology for Economic and Clinical 
Health
HITSP Healthcare Information Technology Standards Panel
HL7 Health Level Seven
ICD International Classification of Diseases
ICD-9-CM ICD, 9th Revision, Clinical Modifications
ICD-10-PCS ICD, 10th Revision, Procedure Coding System
ICD-10-CM ICD, 10th Revision, Related Health Problems
IHS Indian Health Service
LOINC Logical Observation Identifiers Names and Codes
MA Medicare Advantage
NCPDP National Council for Prescription Drug Programs
NCVHS National Committee on Vital and Health Statistics
NLM National Library of Medicine
NQF National Quality Forum
OASIS Organization for the Advancement of Structured Information 
Standards
OCR Office for Civil Rights
OIG Office of Inspector General
OMB Office of Management and Budget
ONC Office of the National Coordinator for Health Information 
Technology
PHSA Public Health Service Act
PQRI Physician Quality Reporting Initiative
REST Representational state transfer
RFA Regulatory Flexibility Act
SDOs Standards Development Organizations
SNOMED CT Systematized Nomenclature of Medicine Clinical Terms
SOAP Simple Object Access Protocol
UCUM Unified Code for Units of Measure
UMLS Unified Medical Language System
UNII Unique Ingredient Identifier
XML eXtensible Markup Language

Table of Contents

I. Background
    A. ONC Background

[[Page 2015]]

    B. Interdependencies With Other HITECH Provisions and 
Relationship to Other Regulatory Requirements and Related Activities
    1. Medicare and Medicaid EHR Incentive Programs Proposed Rule
    2. Health Insurance Portability and Accountability Act of 1996 
(HIPAA) Privacy Rule Accounting of Disclosures Regulation
    3. Previous Recognition of Certification Bodies and New 
Authority Under the HITECH Act
    4. Other HHS Regulatory Actions
    a. Health Insurance Portability and Accountability Act of 1996 
(HIPAA) Transactions and Code Sets Standards
    b. Electronic Prescribing Standards
    C. Standards, Implementation Specifications, and Certification 
Criteria Processes Before and After the HITECH Act
    1. ONC's Processes Prior to the HITECH Act
    2. HITECH Act Requirements for the Adoption of Standards, 
Implementation Specifications, and Certification Criteria
    D. Future Updates to Standards, Implementation Specifications, 
and Certification Criteria
II. Overview of the Interim Final Rule
III. Section-By-Section Description of the Interim Final Rule
    A. Applicability
    B. Definitions
    1. Definition of Standard
    2. Definition of Implementation Specification
    3. Definition of Certification Criteria
    4. Definition of Qualified Electronic Health Record (EHR)
    5. Definition of EHR Module
    6. Definition of Complete EHR
    7. Definition of Certified EHR Technology
    8. Definition of Disclosure
    C. Initial Set of Standards, Implementation Specifications, and 
Certification Criteria
    1. Adopted Certification Criteria
    2. Adopted Standards
    a. Transport Standards
    b. Content Exchange and Vocabulary Standards
    i. Patient Summary Record
    ii. Drug Formulary Check
    iii. Electronic Prescribing
    iv. Administrative Transactions
    v. Quality Reporting
    vi. Submission of Lab Results to Public Health Agencies
    vii. Submission to Public Health Agencies for Surveillance or 
Reporting
    viii. Submission to Immunization Registries
    ix. Table 2A
    c. Privacy and Security Standards
    3. Adopted Implementation Specifications
    4. Additional Considerations, Clarifications, and Requests for 
Public Comments
    a. Relationship to Other Federal Laws
    b. Human Readable Format
    c. Certification Criterion and Standard Regarding Accounting of 
Disclosures
    d. Additional Requests for Public Comment
IV. Collection of Information Requirements
V. Regulatory Impact Analysis
    A. Introduction
    B. Why Is This Rule Needed?
    C. Costs and Benefits
    1. Costs
    2. Benefits
    D. Regulatory Flexibility Act Analysis
    E. Executive Order 13132--Federalism
    F. Unfunded Mandates Reform Act of 1995 Regulation Text

I. Background

    The Health Information Technology for Economic and Clinical Health 
Act (HITECH Act), Title XIII of Division A and Title IV of Division B 
of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 
111-5), was enacted on February 17, 2009. The HITECH Act amended the 
Public Health Service Act (PHSA) and created ``Title XXX--Health 
Information Technology and Quality'' to improve health care quality, 
safety, and efficiency through the promotion of health information 
technology (HIT) and the electronic exchange of health information. 
Section 3004(b)(1) of the PHSA requires the Secretary of the Department 
of Health and Human Services (the Secretary) to adopt an initial set of 
standards, implementation specifications, and certification criteria by 
December 31, 2009 to enhance the interoperability, functionality, 
utility, and security of health information technology. It also permits 
the Secretary to adopt this initial set through an interim final rule.
    The certification criteria adopted in this initial set establish 
the capabilities and related standards that certified electronic health 
record (EHR) technology (Certified EHR Technology) will need to include 
in order to, at a minimum, support the achievement of the proposed 
meaningful use Stage 1 by eligible professionals and eligible hospitals 
under the Medicare and Medicaid EHR Incentive Programs.
    Throughout this interim final rule, we routinely refer to eligible 
professionals and eligible hospitals. This is done because we have 
closely aligned the initial set of standards, implementation 
specifications, and certification criteria adopted by this rule to 
focus on the capabilities that Certified EHR Technology must be able to 
provide in order to support the achievement of the proposed criteria 
for meaningful use Stage 1 by eligible professionals and eligible 
hospitals under the Medicare and Medicaid EHR Incentive Programs. This 
initial focus is not meant to limit or preclude health care providers 
who do not meet the definitions of eligible professional or eligible 
hospital from obtaining or adopting Certified EHR Technology. To the 
contrary, Certified EHR Technology will possess the capabilities that 
can assist any health care provider to improve the quality, safety and 
efficiency of the care they deliver.
    We note that ordinarily we publish a notice of proposed rulemaking 
in the Federal Register and invite public comment on the proposed rule. 
The notice of proposed rulemaking includes a reference to the legal 
authority under which the rule is proposed, and the terms and 
substances of the proposed rule or a description of the subjects and 
issues involved. As mentioned above, however, section 3004(b)(1) 
explicitly authorizes the Secretary to issue this rule on an interim 
final basis. Moreover, section 3004(b)(1) requires the Secretary to 
adopt an initial set of standards, implementation specifications, and 
certification criteria by December 31, 2009. We have therefore decided 
to proceed directly with this interim final rule. Nevertheless, we are 
providing the public with a 60-day period following publication of this 
document to submit comments on the interim final rule.
    The following discussion provides the background information 
relevant to the Secretary's adoption of an initial set of standards, 
implementation specifications, and certification criteria.

A. ONC Background

    Executive Order 13335 (69 FR 24059) established the Office of the 
National Coordinator for Health Information Technology (ONC) on April 
24, 2004. In an effort to ``provide leadership for the development and 
nationwide implementation of an interoperable health information 
technology infrastructure to improve the quality and efficiency of 
health care,'' the President directed the Secretary to create within 
the Office of the Secretary the position of National Health Information 
Technology Coordinator (National Coordinator). The National Coordinator 
was charged with: Serving as the Secretary's principal advisor on the 
development, application, and use of HIT and directing the HHS HIT 
programs; ensuring that the HIT policy and programs of HHS were 
coordinated with those of relevant Executive Branch agencies; to the 
extent permitted by law, coordinating outreach and consultation by the 
relevant Executive Branch agencies with public and private parties of 
interest; and at the request of the Office of Management and Budget 
(OMB), providing comments and advice regarding specific Federal HIT 
programs. Additionally, the National Coordinator was required, to the 
extent permitted by law, to develop, maintain, and direct the 
implementation of a strategic plan to guide the nationwide 
implementation of interoperable HIT in

[[Page 2016]]

both the public and private health care sectors. Included in Executive 
Order 13335 as a strategic plan objective, was the goal to ``advance 
the development, adoption, and implementation of health care 
information technology standards nationally through collaboration among 
public and private interests, and consistent with current efforts to 
set health information technology standards for use by the Federal 
Government.''
    Section 3001 of the PHSA establishes by statute the ONC within HHS 
and provides the National Coordinator with additional responsibilities 
and duties beyond those originally identified in Executive Order 13335. 
Specifically, the National Coordinator is charged with, among other 
duties: Reviewing and determining whether to endorse each standard, 
implementation specification, and certification criterion that is 
recommended by the HIT Standards Committee (a Federal advisory 
committee to the National Coordinator) and making such determinations 
and reporting them to the Secretary; reviewing Federal HIT investments 
to ensure they meet the objectives of the Federal HIT Strategic Plan; 
coordinating the HIT policy and programs of HHS with those of other 
relevant Federal agencies; serving as a leading member in the 
establishment and operations of the HIT Policy Committee and HIT 
Standards Committee; updating the Federal HIT Strategic Plan in 
consultation with other appropriate Federal agencies and through 
collaboration with public and private entities; keeping or recognizing 
a program or programs to certify EHR technology; conducting studies and 
reports; and establishing a governance mechanism for the Nationwide 
Health Information Network (NHIN).

B. Interdependencies With Other HITECH Provisions and Relationship to 
Other Regulatory Requirements and Related Activities

    The HITECH Act creates multiple interdependencies between this 
interim final rule and other regulatory requirements, processes, and 
programs.
1. Medicare and Medicaid EHR Incentive Programs Proposed Rule
    In writing the provisions of the HITECH Act, Congress fundamentally 
tied the standards, implementation specifications, and certification 
criteria adopted in this interim final rule to the incentives available 
under the Medicare and Medicaid EHR Incentive Programs by requiring the 
meaningful use of Certified EHR Technology. Congress outlined several 
goals for meaningful use one of which includes the ``use of certified 
EHR technology in a meaningful manner.'' This means that to qualify for 
incentives, an eligible professional or eligible hospital must both 
adopt Certified EHR Technology and demonstrate meaningful use of this 
technology. Congress further specified that Certified EHR Technology 
must be certified as meeting the standards adopted by the Secretary, 
which we adopt in this rule. As referenced in the preamble to the 
Medicare and Medicaid EHR Incentives Program proposed rule the Medicare 
and/or Medicaid incentive payments are available to certain eligible 
professionals and eligible hospitals.
    We have adopted standards, implementation specifications, and 
certification criteria in this interim final rule in part to assure 
that Certified EHR Technology is capable of supporting the achievement 
of meaningful use by eligible professionals and eligible hospitals 
under the Medicare and Medicaid EHR Incentive Programs. The 
certification criteria, adopted by the Secretary, must be used to test 
and certify that Complete EHRs or EHR Modules have properly implemented 
the capabilities required by the certification criteria and, where 
appropriate, the standards and implementation specifications adopted by 
the Secretary. ONC and the Centers for Medicare & Medicaid Services 
(CMS) have worked carefully to ensure that this interim final rule and 
the Medicare and Medicaid EHR Incentive Programs proposed rule are 
aligned.
    To inform our collaborative rulemaking processes, ONC and CMS 
received input from hundreds of technical subject matter experts, 
health care providers, and other stakeholders who provided written 
comments to, testified before, and attended meetings held by three HHS 
Federal advisory committees: the National Committee on Vital and Health 
Statistics, the HIT Policy Committee, and the HIT Standards Committee. 
After several meetings of its workgroups and the full committee, the 
HIT Policy Committee presented and recommended to the National 
Coordinator at its July 16, 2009 meeting a matrix on meaningful use of 
Certified EHR Technology that contained: Overall health outcome policy 
priorities; health care goals; draft objectives for eligible 
professionals and eligible hospitals for 2011 (beginning of meaningful 
use Stage 1), 2013 (beginning of meaningful use Stage 2), and 2015 
(beginning of meaningful use Stage 3); and specific measures for each 
of those years. With respect to this interim final rule's relationship 
to the Medicare and Medicaid EHR Incentive Programs proposed rule, we 
have adopted certification criteria that directly support CMS's 
proposed meaningful use Stage 1 objectives. The stages of meaningful 
use are described and have been proposed by CMS in the Medicare and 
Medicaid EHR Incentive Programs proposed rule as the following:
     Stage 1 (beginning in 2011): The proposed Stage 1 
meaningful use criteria ``focuses on electronically capturing health 
information in a coded format; using that information to track key 
clinical conditions and communicating that information for care 
coordination purposes (whether that information is structured or 
unstructured, but in structured format whenever feasible); consistent 
with other provisions of Medicare and Medicaid law, implementing 
clinical decision support tools to facilitate disease and medication 
management; and reporting clinical quality measures and public health 
information.''
     Stage 2 (beginning in 2013): CMS has proposed that its 
goals for the Stage 2 meaningful use criteria, ``consistent with other 
provisions of Medicare and Medicaid law, expand upon the Stage 1 
criteria to encourage the use of health IT for continuous quality 
improvement at the point of care and the exchange of information in the 
most structured format possible, such as the electronic transmission of 
orders entered using computerized provider order entry (CPOE) and the 
electronic transmission of diagnostic test results (such as blood 
tests, microbiology, urinalysis, pathology tests, radiology, cardiac 
imaging, nuclear medicine tests, pulmonary function tests and other 
such data needed to diagnose and treat disease). Additionally we may 
consider applying the criteria more broadly to both the inpatient and 
outpatient hospital settings.''
     Stage 3 (beginning in 2015): CMS has proposed that its 
goals for the Stage 3 meaningful use criteria are, ``consistent with 
other provisions of Medicare and Medicaid law, to focus on promoting 
improvements in quality, safety and efficiency, focusing on decision 
support for national high priority conditions, patient access to self 
management tools, access to comprehensive patient data and improving 
population health.''
2. Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
Privacy Rule Accounting of Disclosures Regulation
    Section 13405(c) of the HITECH Act requires the Secretary to 
promulgate regulations on what information shall be

[[Page 2017]]

collected about disclosures for treatment, payment, or health care 
operations made ``through an electronic health record'' by a HIPAA 
covered entity. These regulations, which will be issued by the 
Secretary through the HHS Office for Civil Rights, must be issued not 
later than 6 months after the date on which the Secretary adopts 
standards on accounting for disclosures described in the section 
3002(b)(2)(B)(iv) of the PHSA. The certification criterion and standard 
associated with this requirement and included in this interim final 
rule are discussed in more detail below in section III.C.4.c.
3. Previous Recognition of Certification Bodies and New Authority Under 
the HITECH Act
    Among other responsibilities, section 3001(c)(5) of the PHSA 
expressly requires the National Coordinator, in consultation with the 
Director of the National Institute of Standards and Technology, to 
``keep or recognize a program or programs for the voluntary 
certification of health information technology as being in compliance 
with applicable certification criteria adopted'' by the Secretary under 
section 3004. HHS's recognition of certain bodies to conduct HIT 
certification is not new as a result of the HITECH Act. In August 2006, 
HHS published two final rules in which CMS and the Office of Inspector 
General (OIG) promulgated an exception to the physician self-referral 
prohibition and a safe harbor under the anti-kickback statute, 
respectively, for certain arrangements involving the donation of 
interoperable EHR software to physicians and other health care 
practitioners or entities (71 FR 45140 and 71 FR 45110, respectively). 
The exception and safe harbor provide that EHR software will be 
``deemed to be interoperable if a certifying body recognized by the 
Secretary has certified the software no more than 12 months prior to 
the date it is provided to the [physician/recipient].'' ONC published 
separately a Certification Guidance Document (CGD) (71 FR 44296) to 
explain the factors ONC would use to determine whether or not to 
recommend to the Secretary a body for recognized certification body 
status. The CGD serves as a guide for ONC to evaluate applications for 
recognized certification body status and provides the information a 
body would need to apply for and obtain such status. In section VI of 
the CGD, ONC notified the public and potential applicants that the 
recognition process would be formalized through notice and comment 
rulemaking.
    After reviewing the new responsibilities assumed under the HITECH 
Act and the additional purpose to which the certification of the HIT is 
now tied (qualifying for incentive payments) in combination with ONC's 
current responsibilities under the CGD, we have decided to propose in a 
separate rulemaking, processes to replace the CGD and establish HIT 
certification programs as specified by section 3001(c)(5) of the PHSA. 
We have decided to proceed with a separate notice and comment 
rulemaking (which we anticipate publishing shortly after this interim 
final rule) to establish the policies for the certification of HIT and 
the process a certification body will need to follow to become an 
authorized certification body, as determined by the National 
Coordinator.
4. Other HHS Regulatory Actions
a. HIPAA Transactions and Code Sets Standards
    The Secretary has previously adopted and modified transactions and 
code sets standards for HIPAA covered entities. Many of these same 
covered entities are now also eligible to qualify for incentive 
payments under the Medicare and Medicaid EHR Incentives Program. As a 
result, we want to assure that Certified EHR Technology positions these 
eligible professionals and eligible hospitals to qualify for incentive 
payments and comply with these transactions and code set standards. 
Most recently, in August 2008, HHS proposed through two rules (73 FR 
49742 and 73 FR 49796) the updating of electronic transaction 
standards, new transaction standards, and the adoption of International 
Classification of Diseases (ICD), 10th Revision, Related Health 
Problems (ICD-10-CM) and ICD, 10th Revision, Procedure Coding System 
(ICD-10-PSC) code sets to replace the ICD, 9th Revision, Clinical 
Modifications (ICD-9-CM) Volumes 1 and 2, and the ICD-9-CM Volume 3 
code sets, respectively. After reviewing and considering public 
comments on these proposals, in January 2009, HHS adopted in final 
rules published at 74 FR 3296 and 74 FR 3328 certain updated 
transaction standards, new transaction standards, and code sets.
    The rules established a timeline for compliance with some of these 
updated standards and code sets. For example, all HIPAA covered 
entities are required to comply with ICD-10-CM and ICD-10-PSC on and 
after October 1, 2013.
    In adopting an initial set of standards and implementation 
specifications as specified at section 3004(b)(1) of the PHSA, we have 
taken into account HIPAA transactions and code sets standards and their 
associated implementation timetables. We have ensured that our 
standards and implementation specifications are consistent with the 
previously adopted HIPAA transactions and code sets standards and with 
the established implementation timetable. Further, we intend for our 
future adoption of standards and implementation specifications for 
meaningful use Stage 2 and Stage 3 to continue to be consistent with 
the Secretary's adoption and modification of HIPAA transactions and 
code sets standards and their timeframes for compliance.
b. Electronic Prescribing Standards
    The Medicare Prescription Drug, Improvement and Modernization Act 
of 2003 (MMA) provided for, among other things, the Voluntary 
Prescription Drug Benefit Program. Under that program, electronically 
transmitted prescriptions and certain other information for covered 
Part D drugs prescribed for Part D eligible individuals must be sent in 
a manner that complies with applicable standards that are adopted by 
the Secretary. The Secretary proposed the first of these standards in a 
February 2005 rulemaking (70 FR 6256). Subsequently, on June 23, 2006 
(71 FR 36020), HHS published an interim final rule that maintained the 
National Council for Prescription Drug Programs (NCPDP) SCRIPT 5.0 as 
the adopted standard, but allowed for the voluntary use of a subsequent 
backward compatible version of the standard, NCPDP SCRIPT 8.1.
    As a result of pilot testing of six ``initial standards'' that had 
been identified in 2005, the Secretary issued a notice of proposed 
rulemaking on November 16, 2007 (72 FR 64900) which proposed adoption 
of certain standards. The Secretary also used this proposed rule to 
solicit comments regarding the impact of adopting NCPDP SCRIPT 8.1 and 
retiring NCPDP SCRIPT 5.0. Based on the comments that were received, 
the Secretary issued a final rule (73 FR 18918) on April 7, 2008 that 
adopted NCPDP SCRIPT Version 8.1 and retired NCPDP SCRIPT Version 5.0. 
In adopting an initial set of standards to meet the requirement 
specified at section 3004(b)(1) of the PHSA, we have taken into account 
these electronic prescribing standards and ensured that our standards 
are consistent with them.

[[Page 2018]]

C. Standards, Implementation Specifications, and Certification Criteria 
Processes Before and After the HITECH Act

1. ONC's Processes Prior to the HITECH Act
    Prior to the enactment of the HITECH Act, ONC's processes consisted 
of the ``acceptance'' and ``recognition'' of HIT standards, 
implementation specifications, and certification criteria for the 
electronic exchange of health information and electronic health 
records. This prior process and its participants are described in 
further detail below.
    Chartered in 2005, the American Health Information Community 
(AHIC), a Federal advisory committee, was charged with making 
recommendations to the Secretary on how to accelerate the development 
and adoption of HIT. Until its sunset in November 2008, AHIC advanced 
to the Secretary several recommendations related to standards, 
implementation specifications, and certification criteria. To structure 
those recommendations, AHIC identified ``use cases'' to prioritize 
areas in need of harmonized standards and to enable ONC to guide the 
work of organizations with specific expertise in those priority areas. 
A use case provided a description of the activity of stakeholders, a 
sequence of their actions, and technical specifications for systems and 
technologies involved when the actors engage in responding to or 
participating in such activity.
    Created in 2005 by the American National Standards Institute (ANSI) 
under a contract with HHS, the Healthcare Information Technology 
Standards Panel (HITSP)--a cooperative partnership of more than 500 
public and private sector organizations--began its work to take into 
account AHIC identified use cases, as directed by ONC. HITSP was 
established for the purpose of harmonizing and integrating a widely 
accepted and useful set of standards to enable and support 
interoperability among healthcare software systems and the 
organizations and entities that utilize the systems. HITSP also became 
a primary forum for HIT standards harmonization after the Consolidated 
Health Informatics (CHI) initiative, which began in October 2001 as a 
collaborative effort to adopt Federal government-wide interoperability 
standards to be implemented by Federal agencies, was gradually phased 
out. The CHI initiative adopted several standards that were fed into 
and reused as part of HITSP's standards harmonization processes. As a 
result, over the course of its three-year existence, AHIC sought 
testimony from HITSP representatives several times on their standards 
harmonization work in order to inform potential recommendations for the 
Secretary. In many cases, after a presentation by HITSP, AHIC would 
make recommendations to the Secretary regarding standards and 
implementation specifications for recognition. The Secretary would 
subsequently review those recommendations and determine whether to 
recognize some or all of the recommended standards and implementation 
specifications.
    Executive Order 13410 (71 FR 51089) acknowledged that the Secretary 
recognizes interoperability standards for use by certain Federal 
agencies.\1\ This Executive Order also directed those Federal agencies, 
to the extent permitted by law, to require in their contracts and 
agreements with certain organizations the use, where available, of 
health information technology systems and products that meet recognized 
interoperability standards. Executive Order 13410 was issued on August 
28, 2006, to, among other goals, ensure that health care programs 
administered or sponsored by the Federal government promoted quality 
and efficient delivery of health care through the use of health 
information technology. On March 1, 2007, January 23, 2008, and January 
29, 2009, HHS published notices in the Federal Register (72 FR 9339, 73 
FR 3973, 74 FR 3599, respectively) announcing either the Secretary's 
acceptance or recognition of certain standards and implementation 
specifications. In an effort to assist with the implementation and 
adoption challenges associated with recognized standards, the Secretary 
chose to first ``accept'' and then formally ``recognize'' one year 
after acceptance, specified standards and implementation 
specifications. This delay provided Federal agencies with additional 
time to prepare for Executive Order 13410's directive to ``utilize, 
where available, health information technology systems and products 
that meet recognized interoperability standards'' when they 
implemented, acquired, or upgraded ``health information technology 
systems used for the direct exchange of health information between 
agencies and with non-Federal entities.''
---------------------------------------------------------------------------

    \1\ Executive Order 13410 defines ``agency'' to mean ``an agency 
of the Federal Government that administers or sponsors a Federal 
health care program.'' It also defines ``Federal health care 
program'' as including ``the Federal Employees Health Benefit 
Program, the Medicare program, programs operated directly by the 
Indian Health Service, the TRICARE program for the Department of 
Defense and other uniformed services, and the health care program 
operated by the Department of Veterans Affairs.'' For purposes of 
the Executive Order, ``Federal health care program'' does not 
include ``State operated or funded federally subsidized programs 
such as Medicaid, the State Children's Health Insurance Program, or 
services provided to Department of Veterans' Affairs beneficiaries 
under 38 U.S.C. 1703.''
---------------------------------------------------------------------------

    The third participant besides AHIC and HITSP that played a role in 
ONC's prior processes was the Certification Commission for Health 
Information Technology (CCHIT). Founded in 2004, CCHIT established the 
first comprehensive process to test and certify EHR technology. After 
establishing a certification criteria development process that included 
diverse stakeholders and a voluntary, consensus-based approach, CCHIT 
began certifying ambulatory EHR technology in 2006. Since 2006, CCHIT 
has expanded its certification program to include inpatient EHR 
technology, emergency department EHR technology, as well as its 
certification criteria for EHR technology to meet specific needs of 
certain health care providers/specialists (e.g., cardiovascular, child 
health). On May 16, 2006, CCHIT presented its 2006 ambulatory EHR 
certification criteria to AHIC and after considering the criteria, AHIC 
recommended that the Secretary recognize CCHIT-identified certification 
criteria for functionality, interoperability, and security.
    This recommendation informed the Secretary's decision to recognize 
the 2006 ambulatory EHR certification criteria for use by recognized 
certification bodies in conjunction with published final rules for 
exceptions to the physician self-referral law and safe harbors to the 
anti-kickback statute for electronic prescribing and EHR software 
arrangements (71 FR 45140 and 71 FR 45110, respectively). The exception 
and safe harbor provide that EHR software will be ``deemed to be 
interoperable if a certifying body recognized by the Secretary has 
certified the software no more than 12 months prior to the date it is 
provided to the [physician/recipient].'' These provisions of the EHR 
exception and safe harbor anticipated that: (1) HHS would recognize one 
or more EHR certifying bodies, and (2) HHS would recognize criteria for 
the certification of EHRs. The Federal Register notice (71 FR 44295) 
describing the Secretary's recognition of these certification criteria 
was published on August 4, 2006.
    Section 3004(b)(2) of the PHSA provides that in adopting an initial 
set of standards, implementation specifications, and certification 
criteria in accordance with section 3004(b)(1), the Secretary may adopt 
those standards, implementation specifications, and certification 
criteria

[[Page 2019]]

that went through the process established by ONC before the date of the 
enactment of the HITECH Act. We believe that in separately requiring 
the Secretary to adopt an ``initial set'' of standards, implementation 
specifications, and certification criteria under section 3004(b)(1) of 
the PHSA, Congress provided the Secretary with the discretion to adopt 
standards, implementation specifications, or certification criteria 
which had not gone through the prior process. As described above, while 
the prior process included a significant body of work it did not 
encompass the entirety of the areas Congress requested the Secretary to 
focus on in the HITECH Act, nor did it envision the policies and 
capabilities that would be necessary for Certified EHR Technology to 
meet the proposed definition of meaningful use Stage 1 included in the 
Medicare and Medicaid EHR Incentive Programs proposed rule. As a 
result, we have, after considering the input received through the 
recommendations of the HIT Policy Committee and HIT Standards 
Committee, adopted an initial set of standards, implementation 
specifications, and certification criteria to, at a minimum, support 
the achievement of what is being proposed for meaningful use Stage 1. 
We have noted in section III of this rule, where applicable, those 
standards and implementation specifications that were previously 
accepted or recognized by the Secretary under this prior process and 
those that were not. Due to our approach of aligning adopted 
certification criteria with the proposed definition of meaningful use 
Stage 1, the Secretary has decided not to adopt previously recognized 
certification criteria developed in 2006 as any of the certification 
criteria in this interim final rule.
2. HITECH Act Requirements for the Adoption of Standards, 
Implementation Specifications, and Certification Criteria
    With the passage of the HITECH Act, two new Federal advisory 
committees, the HIT Policy Committee and the HIT Standards Committee, 
were established as specified in the new sections of the PHSA, 3002 and 
3003, respectively. Both are responsible for advising the National 
Coordinator on different aspects of standards, implementation 
specifications, and certification criteria and consequently they both 
have the potential to impact how and when standards, implementation 
specifications, and certification criteria are adopted by the 
Secretary. The HIT Policy Committee is responsible for, among other 
duties, recommending priorities for standards, implementation 
specifications, and certification criteria while the HIT Standards 
Committee is responsible for recommending standards, implementation 
specifications, and certification criteria for adoption under section 
3004 of the PHSA.
    Section 3002 of the PHSA directs the HIT Policy Committee to ``make 
policy recommendations to the National Coordinator relating to the 
implementation of a nationwide health information technology 
infrastructure.'' Section 3002(b) further specifies the type of policy 
recommendations expected of the HIT Policy Committee by requiring that 
the committee focus on ``specific areas of standards development'' and 
in so doing ``recommend the areas in which standards, implementation 
specifications, and certification criteria are needed for the 
electronic exchange and use of health information for purposes of 
adoption under section 3004.'' Section 3002(b) also requires the HIT 
Policy Committee, after determining the areas where standards, 
implementation specifications, and certification criteria are needed (a 
process and analysis that are likely to occur on a periodic basis), to 
``recommend an order of priority for the development, harmonization, 
and recognition of such standards, specifications, and certification 
criteria among the areas so recommended.'' After receipt of a 
recommendation related to a priority order, the National Coordinator is 
expected to review the priorities identified by the HIT Policy 
Committee and generally will either accept them as submitted, request 
adjustments, or reject the priority order in whole or in part. Once the 
National Coordinator accepts a recommendation for the priority order of 
standards, implementation specifications, and certification criteria, 
such priorities will be communicated to the HIT Standards Committee to 
guide its work. The HIT Policy Committee is charged with making 
recommendations in at least the following eight areas as specified in 
section 3002(b)(2)(B) of the PHSA:

    (1) Technologies that protect the privacy of health information 
and promote security in a qualified electronic health record, 
including for the segmentation and protection from disclosure of 
specific and sensitive individually identifiable health information 
with the goal of minimizing the reluctance of patients to seek care 
(or disclose information about a condition) because of privacy 
concerns, in accordance with applicable law, and for the use and 
disclosure of limited data sets of such information;
    (2) A nationwide health information technology infrastructure 
that allows for the electronic use and accurate exchange of health 
information;
    (3) The utilization of a certified electronic health record for 
each person in the United States by 2014;
    (4) Technologies that as a part of a qualified electronic health 
record allow for an accounting of disclosures made by a covered 
entity (as defined for purposes of regulations promulgated under 
section 264(c) of the Health Insurance Portability and 
Accountability Act of 1996) for purposes of treatment, payment, and 
health care operations (as such terms are defined for purposes of 
such regulations);
    (5) The use of certified electronic health records to improve 
the quality of health care, such as by promoting the coordination of 
health care and improving continuity of health care among health 
care providers, by reducing medical errors, by improving population 
health, by reducing health disparities, by reducing chronic disease, 
and by advancing research and education;
    (6) Technologies that allow individually identifiable health 
information to be rendered unusable, unreadable, or indecipherable 
to unauthorized individuals when such information is transmitted in 
the nationwide health information network or physically transported 
outside of the secured, physical perimeter of a health care 
provider, health plan, or health care clearinghouse;
    (7) The use of electronic systems to ensure the comprehensive 
collection of patient demographic data, including, at a minimum, 
race, ethnicity, primary language, and gender information; and
    (8) Technologies that address the needs of children and other 
vulnerable populations.

    The HIT Policy Committee is also authorized at 3002(b)(2)(C) to 
consider other areas to make recommendations such as the ``appropriate 
uses of a nationwide health information infrastructure, including [for] 
* * * collection of quality data and public reporting,'' 
``telemedicine,'' and ``technologies that help reduce medical errors.''
    Section 3003 of the PHSA directs the HIT Standards Committee to 
``recommend to the National Coordinator standards, implementation 
specifications, and certification criteria for the electronic exchange 
and use of health information for purposes of adoption under section 
3004.'' It also established that the HIT Standards Committee must 
recommend standards, implementation specifications, and certification 
criteria they have developed, harmonized, or recognized. We note that 
in section 3003(b)(2), the HIT Standards Committee is also expressly 
permitted to recognize harmonized or updated standards from other 
entities and as a result, we expect the HIT Standards Committee to, 
where appropriate, consider the standards, implementation 
specifications, and certification criteria from various

[[Page 2020]]

entities for recommendation to the National Coordinator. We expect that 
in determining whether to recognize harmonized or updated standards 
from other entities, the HIT Standards Committee will look to entities 
such as HITSP and the National Quality Forum (NQF). Additionally, 
section 3003(a) requires the HIT Standards Committee to focus on and 
make recommendations to the National Coordinator on the eight areas in 
section 3002(b)(2)(B) listed above. The HIT Standards Committee is 
required to update their recommendations and make new recommendations 
as appropriate, including in response to a notification sent under 
section 3004(a)(2)(B) of the PHSA.
    Section 3004 of the PHSA redefines how the Secretary adopts 
standards, implementation specifications, and certification criteria.
     Section 3004(b)(1) of the PHSA requires a one-time action 
by the Secretary to adopt an initial set of standards, implementation 
specifications, and certification criteria. This interim final rule has 
been published to meet the requirements in section 3004(b)(1).
     Section 3004(a) of the PHSA defines a process whereby an 
obligation is imposed on the Secretary to review standards, 
implementation specifications, and certification criteria and 
identifies the procedures for the Secretary to follow to determine 
whether to adopt any grouping of standards, implementation 
specifications, or certification criteria included within National 
Coordinator-endorsed recommendations. The specific elements of the 
process related to section 3004(a) will be described in greater detail 
below.
     Section 3004(b)(3) of the PHSA entitled ``subsequent 
standards activity'' states that the ``Secretary shall adopt additional 
standards, implementation specifications, and certification criteria as 
necessary and consistent'' with the schedule published by the HIT 
Standards Committee. While we intend to consistently seek the insights 
and recommendations of the HIT Standards Committee, we note that 
section 3004(b)(3) provides the Secretary with the authority and 
discretion to adopt standards, implementation specifications, and 
certification criteria without having first received a National 
Coordinator-endorsed HIT Standards Committee recommendation.
    Under section 3004(a) when a recommendation regarding a standard, 
implementation specification, or certification criterion is made by the 
HIT Standards Committee to the National Coordinator, a time limited 
statutory process is triggered. First, after receiving a recommendation 
from the HIT Standards Committee, the National Coordinator must review 
and determine whether to endorse the recommendation as well as report 
such determination to the Secretary. Upon receipt of an ``endorsed 
recommendation,'' the Secretary is required to consult with 
representatives of other relevant Federal agencies to review the 
standards, implementation specifications, or certification criteria and 
determine whether to propose their adoption. The Secretary is required 
to publish all determinations in the Federal Register. If the Secretary 
determines to propose the adoption of standards, implementation 
specifications, or certification criteria, the Secretary is permitted 
to adopt any grouping of standards, implementation specifications, or 
certification criteria. On the other hand, if the Secretary determines 
not to propose the adoption of any grouping of standards, 
implementation specifications, or certification criteria, the Secretary 
must notify the National Coordinator and the HIT Standards Committee in 
writing of such determination and the reasons for not proposing their 
adoption.
    The HIT Standards Committee issued recommendations to the National 
Coordinator on August 20, 2009, and updated those recommendations on 
September 15, 2009. In fulfilling the duties under section 
3001(c)(1)(A) and (B), the National Coordinator reviewed the 
recommendations made by the HIT Standards Committee and issued a 
determination endorsing several recommendations for the Secretary's 
consideration. As specified in section 3004(a)(3), this interim final 
rule also serves as the Secretary's formal publication of the 
determinations made regarding the National Coordinator-endorsed 
recommendations.

D. Future Updates to Standards, Implementation Specifications, and 
Certification Criteria

    The initial set of standards, implementation specifications, and 
certification criteria adopted in this interim final rule marks the 
beginning of what we expect to be an iterative approach to enhancing 
the interoperability, functionality, utility, and security of HIT. A 
number of factors including maturity, prevalence in the market, and 
implementation complexity informed our adoption of the standards, 
implementation specifications, and certification criteria included in 
this interim final rule.
    Our approach to the adoption of standards, implementation 
specifications, and certification criteria is pragmatic, but forward 
looking. While a high-level of interoperability nationwide will take 
time and be challenging, we believe that the HITECH Act has generated a 
significant amount of momentum and interest in meeting the challenges 
that lie ahead.
    We recognize that interoperability and standardization can occur at 
many different levels. For example, one organization may use an 
information model to describe patient demographic information as 
(PatientAge, PatientSex, StreetAddress), while another may describe 
similar demographic information in a different way (DateOfBirth, 
Gender, City/State). To achieve interoperability at this information 
level, these information models would need to be harmonized into a 
consistent representation.
    In other cases, organizations may use the same information model, 
but use different vocabularies or code sets (for example, Systematized 
Nomenclature of Medicine Clinical Terms (SNOMED CT[supreg]) or ICD9-CM) 
within those information models. To achieve interoperability at this 
level, standardizing vocabularies, or mapping between different 
vocabularies (using tools like Unified Medical Language System (UMLS)) 
may be necessary. For some levels, (such as the network transport 
protocol), an industry standard that is widely used (e.g., Transmission 
Control Protocol (TCP) and the Internet Protocol (IP), (TCP/IP)) will 
likely be the most appropriate. Ultimately, to achieve semantic 
interoperability, we anticipate that multiple layers--network 
transportation protocols, data and services descriptions, information 
models, and vocabularies and code sets--will need to be standardized 
and/or harmonized to produce an inclusive, consistent representation of 
the interoperability requirements. We anticipate using a harmonization 
process that will integrate different representations of health care 
information into a consistent representation and maintain and update 
that consistent representation over time. For an information model, 
this process could include merging related concepts, adding new 
concepts, and mapping concepts from one representation of health care 
information to another. Similar processes to support standardization of 
data and services descriptions and vocabularies and codes sets may also 
be needed.
    We also recognize that a sustainable and incremental approach to 
the adoption of standards will require

[[Page 2021]]

processes for harmonizing both current and future standards. This will 
allow us to incrementally update our initial set of standards, 
implementation specifications, and certification criteria and provide a 
framework to maintain them. Our decision to adopt such updates will be 
informed and guided by recommendations from the HIT Policy Committee, 
HIT Standards Committee, public comment, industry readiness, and future 
meaningful use goals and objectives established for the Medicare and 
Medicaid EHR Incentive Programs. As a result, we expect, unless 
otherwise necessary, to adopt standards, implementation specifications, 
and certification criteria synchronously with and to support a 
transition to the next stage of meaningful use in the Medicare and 
Medicaid EHR Incentive Programs. In doing so, we also anticipate 
increasing the level of specificity we provide related to standards, 
implementation specifications, and certification criteria as well as 
phasing out certain alternative standards that have been adopted in 
this initial set. Furthermore, we anticipate that the requirements for 
meaningful use will become more demanding over time, and consequently 
that Certified EHR Technology will need to include greater capabilities 
as well as the ability to exchange electronic health information in a 
variety of circumstances with many different types of health 
information technology. Finally, as will be discussed in more detail in 
the HIT Certification Programs proposed rule, it is possible that the 
certification programs established by the National Coordinator could 
certify other types of HIT, perhaps related to certain specialty 
products and personal health records. In order for that to occur, 
specific standards, implementation specifications, and certification 
criteria related to those types of HIT would need to be developed and 
adopted.

II. Overview of the Interim Final Rule

    We are adding a new part, part 170, to title 45 of the Code of 
Federal Regulations (CFR) to adopt the initial set of standards, 
implementation specifications, and certification criteria required by 
section 3004(b)(1) of the PHSA. We describe the standards, 
implementation specifications, and certification criteria adopted by 
the Secretary and the factors that contributed to their adoption. We 
anticipate that adopted standards, implementation specifications, and 
certification criteria will be used to prepare Complete EHRs and EHR 
Modules for testing and certification. In turn, eligible professionals 
and eligible hospitals that wish to position themselves to achieve the 
requirements of meaningful use Stage 1, once finalized, could adopt and 
implement Certified EHR Technology. In drafting this interim final 
rule, we considered the input of the National Committee on Vital and 
Health Statistics, the HIT Policy Committee, and the HIT Standards 
Committee and the public comments received by each committee. We invite 
public comment on this interim final rule and have posed several 
questions on topics for which we are interested in receiving specific 
public comment.

III. Section-By-Section Description of the Interim Final Rule

A. Applicability--Sec.  170.101

    This part establishes the applicable standards, implementation 
specifications, and certification criteria that must be used to test 
and certify HIT.

B. Definitions--Sec.  170.102

1. Definition of Standard
    The term standard is used in many different contexts and for many 
different purposes. The HITECH Act did not define or provide a 
description of the term, standard, or how it should be used in relation 
to HIT. As a result, we looked to other sources to inform our 
definition for the term.
    As specified in the HIPAA Rules, standard is defined at 45 CFR 
160.103 to mean ``a rule, condition, or requirement: (1) Describing the 
following information for products, systems, services or practices: (i) 
Classification of components. (ii) Specification of materials, 
performance, or operations; or (iii) Delineation of procedures; or (2) 
With respect to the privacy of individually identifiable health 
information.'' This definition includes important concepts that we 
believe are applicable and appropriate for this interim final rule and 
we have included these concepts in our definition of standard. Other 
definitions or descriptions of the term standard include ``an 
established policy on a particular practice or method;'' ``a set of 
instructions for performing operations or functions;'' or ``a published 
statement on a topic specifying the characteristics, usually 
measurable, that must be satisfied or achieved to comply with the 
standard.'' \2\
---------------------------------------------------------------------------

    \2\ This last definition is referenced in Federal Information 
Processing Standards 201.
---------------------------------------------------------------------------

    We believe the types of standards envisioned by Congress in the 
HITECH Act that would be most applicable to HIT are standards that are 
technical, functional, or performance-based. For example, a technical 
standard could specify that the structure of a message containing a 
patient's blood test results must include a header, the type of test 
performed, and the results, and further, that message must always be 
put in that sequence and be 128 bits long; a functional standard could 
specify certain actions that must be consistently accomplished by HIT 
such as recording the date and time when an electronic prescription is 
transmitted; and a performance standard could specify certain 
operational requirements for HIT such as being able to properly 
identify a drug-allergy contraindication 99.99% of the time for patient 
safety purposes. With this in mind, we have chosen to define standard 
to mean: a technical, functional, or performance-based rule, condition, 
requirement, or specification that stipulates instructions, fields, 
codes, data, materials, characteristics, or actions.
2. Definition of Implementation Specification
    The term implementation specification is defined at 45 CFR 160.103 
of the HIPAA Rules as ``specific requirements or instructions for 
implementing a standard.'' We believe that this definition conveys 
accurately the meaning of the term as used in the HITECH Act, which 
seeks consistency between these implementation specifications and those 
adopted under HIPAA. Moreover, the concept it applies complements the 
definition of standard adopted in this interim final rule. 
Additionally, this definition is straightforward, easy to understand, 
and is otherwise consistent with our goals. We have therefore adopted 
the HIPAA regulatory definition of implementation specification without 
modification.
3. Definition of Certification Criteria
    The term certification criteria is described at section 
3001(c)(5)(B) of the PHSA to mean ``with respect to standards and 
implementation specifications for health information technology, 
criteria to establish that the technology meets such standards and 
implementation specifications.'' We have incorporated this description 
into our definition of certification criteria described below and 
expanded it to also address how the term is used in various parts of 
the HITECH Act. The definition consequently encompasses more than just 
certification criteria that establish technology meets ``standards and 
implementation specifications.'' In support of meaningful use, for 
instance, there are many other capabilities

[[Page 2022]]

Certified EHR Technology will need to provide under the HITECH Act even 
though such capabilities do not require a particular standard or 
implementation specification. As a result, we believe that it is 
critical for these capabilities to be tested and certified too. To do 
otherwise would potentially make it difficult for eligible 
professionals and eligible hospitals to know whether the Certified EHR 
Technology they have adopted and implemented will support their 
achievement of meaningful use. For example, if we did not require a 
certification criterion for medication reconciliation, a proposed 
meaningful use Stage 1 objective, Certified EHR Technology under this 
scenario would not provide any assurance to an eligible professional or 
eligible hospital that the proposed meaningful use Stage 1 requirement 
could be met. On the other hand, by adopting a certification criterion 
for medication reconciliation in this interim final rule, eligible 
professionals and eligible hospitals can be assured that once they 
adopt and implement Certified EHR Technology, it includes, at a 
minimum, the medication reconciliation capabilities required to support 
their achievement of the proposed meaningful use Stage 1 requirement.
    For these reasons we have defined the term certification criteria 
to encompass both the statutory description and the statutory use of 
the term. The definition consequently also includes other certification 
criteria that are not directly tied to establishing that health 
information technology has met a standard or implementation 
specification. We have therefore defined certification criteria to 
mean: criteria: (1) To establish that health information technology 
meets applicable standards and implementation specifications adopted by 
the Secretary; or (2) that are used to test and certify that health 
information technology includes required capabilities.
4. Definition of Qualified Electronic Health Record (EHR)
    Qualified EHR is defined at section 3000(13) of the PHSA as ``an 
electronic record of health-related information on an individual that: 
(A) Includes patient demographic and clinical health information, such 
as medical history and problem lists; and (B) has the capacity: (i) To 
provide clinical decision support; (ii) to support physician order 
entry; (iii) to capture and query information relevant to health care 
quality; and (iv) to exchange electronic health information with, and 
integrate such information from other sources.'' We have adopted the 
statutory definition of Qualified EHR without modification.
5. Definition of EHR Module
    We have defined the term EHR Module to mean any service, component, 
or combination thereof that can meet the requirements of at least one 
certification criterion adopted by the Secretary. Examples of EHR 
Modules include, but are not limited to, the following:
     An interface or other software program that provides the 
capability to exchange electronic health information;
     An open source software program that enables individuals 
online access to certain health information maintained by EHR 
technology;
     A clinical decision support rules engine;
     A software program used to submit public health 
information to public health authorities; and
     A quality measure reporting service or software program.
    While the use of EHR Modules may enable an eligible professional or 
eligible hospital to create a combination of products and services 
that, taken together, meets the definition of Certified EHR Technology, 
this approach carries with it a responsibility on the part of the 
eligible professional or eligible hospital to perform additional 
diligence to ensure that the certified EHR Modules selected are capable 
of working together to support the achievement of meaningful use. In 
other words, two certified EHR Modules may provide the additional 
capabilities necessary to meet the definition of Certified EHR 
Technology, but may not integrate well with each other or with the 
other EHR technology they were added to. As a result, eligible 
professionals and eligible hospitals that elect to adopt and implement 
certified EHR Modules should take care to ensure that the certified EHR 
Modules they select are interoperable and can properly perform in their 
expected operational environment.
6. Definition of Complete EHR
    The term Complete EHR is used to mean EHR technology that has been 
developed to meet all applicable certification criteria adopted by the 
Secretary. We believe this definition helps to create a clear 
distinction between a Complete EHR, an EHR Module, and Certified EHR 
Technology. The term Complete EHR is not meant to limit the 
capabilities that a Complete EHR can include. Rather, it is meant to 
encompass EHR technology that can perform all of the applicable 
capabilities required by certification criteria adopted by the 
Secretary and distinguish it from EHR technology that cannot perform 
those capabilities. We fully expect some Complete EHRs to have 
capabilities beyond those addressed by certification criteria adopted 
by the Secretary.
7. Definition of Certified EHR Technology
    Certified EHR Technology is defined at section 3000(1) of the PHSA 
as ``a qualified electronic health record that is certified pursuant to 
section 3001(c)(5) as meeting standards adopted under section 3004 that 
are applicable to the type of record involved.'' In this interim final 
rule, we have slightly revised the definition of Certified EHR 
Technology to make it more consistent with the initial standards, 
implementation specifications, and certification criteria that are 
being adopted. Certification criteria focus on the capabilities of 
Complete EHRs or EHR Modules and consequently, Certified EHR Technology 
should be defined in accordance with that approach. We believe defining 
Certified EHR Technology in that manner will provide greater clarity 
and meaning for this interim final rule.
    We have defined Certified EHR Technology to mean:
    A Complete EHR or a combination of EHR Modules, each of which:
    (1) Meets the requirements included in the definition of a 
Qualified EHR; and
    (2) has been tested and certified in accordance with the 
certification program established by the National Coordinator as having 
met all applicable certification criteria adopted by the Secretary.
    To clarify the meaning of ``applicable certification criteria'' in 
this definition's second part, we note that Congress indicated their 
expectation that different types of HIT would be certified. Congress 
elaborated on this expectation with a parenthetical in the statutory 
definition, which references two examples, ``an ambulatory electronic 
health record for office-based physicians'' and ``an inpatient hospital 
electronic health record for hospitals.'' For a variety of reasons, 
including that certain proposed meaningful use Stage 1 objectives only 
apply to an eligible professional or eligible hospital and that these 
two types of health care providers require different capabilities from 
Certified EHR Technology, we have adopted specific certification 
criteria that are only ``applicable'' to Complete EHRs or EHR Modules 
designed for use in an ambulatory setting (e.g., by eligible 
professionals) or an inpatient setting (e.g., by eligible hospitals). 
We indicate in Table 1, and in the regulation text below, which 
certification criteria apply

[[Page 2023]]

solely to Complete EHRs or EHR Modules designed for use in an 
ambulatory setting or an inpatient setting. For example, we do not 
expect Certified EHR Technology that is adopted and implemented by an 
eligible professional to include the capability to create an electronic 
copy of discharge instructions. We do, however, expect Certified EHR 
Technology that is adopted and implemented by an eligible hospital to 
include this capability.
    We believe that by adding the word ``technology'' after ``EHR,'' 
Congress intended to convey an expectation that rather than adopt a 
complete, all-in-one solution, eligible professionals and eligible 
hospitals would likely adopt and implement some number of technological 
components or EHR Modules to extend the useful life of their legacy EHR 
technology or other HIT that may not provide all of the capabilities 
necessary to achieve meaningful use.
    In the early stages of the Medicare and Medicaid EHR Incentive 
Programs, we expect most eligible professionals and many eligible 
hospitals to opt for a Complete EHR that has met the definition of 
Certified EHR Technology. However, with the future in mind, and to 
address those eligible providers and eligible hospitals that may decide 
to implement their own Complete EHRs or EHR Modules, we have adopted a 
definition of Certified EHR Technology that we believe is flexible 
enough to account for innovations in an industry that continues to 
rapidly evolve. Additionally, we believe this definition of Certified 
EHR Technology will lead to a more competitive marketplace and allow 
those who adopt HIT to choose from a variety of offerings ranging from 
subscription services, to vendor-based products, to open source 
products. An innovative and competitive HIT marketplace needs to exist 
much like the marketplace for consumer electronics, where, for the 
purpose of setting up a home theater, a television, DVD player, and 
stereo system can be purchased from three different manufacturers, from 
a single manufacturer, or as a complete system from one manufacturer.
    To that end, we believe that it will be common in the near future 
for Certified EHR Technology to be assembled from several replaceable 
and swappable EHR Modules. For example, an EHR Module specifically 
designed to enable electronic health information exchange may be 
implemented for the purposes of interoperability and participation in a 
health information organization, regional health information 
organization, or some other consortium whose purpose is to enable the 
electronic exchange of health information. As another example, a 
subscription to an application service provider (ASP) for electronic 
prescribing could be an EHR Module and used to help meet the definition 
of Certified EHR Technology provided that the electronic prescribing 
capability the ASP enables has been tested and certified.
    As long as each EHR Module has been separately tested and certified 
in accordance with the certification program established by the 
National Coordinator (which will be discussed in a future rulemaking) 
to all of the applicable certification criteria adopted by the 
Secretary, a proper combination of certified EHR Modules could meet the 
definition of Certified EHR Technology. To clarify, we are not 
requiring the certification of combinations of certified EHR Modules, 
just that the individual EHR Modules combined have each been certified 
to all applicable certification criteria in order for such a 
``combination'' to meet the definition of Certified EHR Technology.
    The following are examples of Certified EHR Technology:
     A complete EHR that is tested and certified to all 
applicable certification criteria.
     The combination of three certified EHR modules that 
include all of the capabilities required by all applicable 
certification criteria. (We note that in this circumstance it is the 
user's responsibility to determine whether the combination of these 
three certified EHR Modules would meet all of the applicable 
certification criteria necessary to meet the definition of Certified 
EHR Technology.)
    The following are examples of what would not meet the definition of 
Certified EHR Technology:
     Complete EHRs that have not been tested and certified in 
accordance with the certification program established by the National 
Coordinator even though it may be claimed that such technology provides 
the same capabilities as those required by adopted certification 
criteria.
     The combination of three certified EHR modules that do not 
include all of the capabilities required by all applicable 
certification criteria. That is, if these three certified EHR modules 
were purchased by an eligible professional and none of them included 
the capability to electronically prescribe, the combination of these 
three modules would not be a proper combination of certified EHR 
Modules and would not meet the definition of Certified EHR Technology.
    It is important to note that the capabilities included in the 
definition of Qualified EHR set the floor for the capabilities that 
Certified EHR Technology must include. For example, the definition of 
Qualified EHR does not require capabilities related to privacy and 
security; however, the Secretary has adopted certification criteria for 
privacy and security. Therefore, where the Secretary has adopted 
certification criteria that require capabilities beyond those specified 
in the definition of a Qualified EHR, a Complete EHR or EHR Module will 
need to be tested and certified to those adopted certification criteria 
in order for the definition of Certified EHR Technology to be met.
8. Definition of Disclosure
    We define disclosure in this interim final rule to have the same 
meaning specified at 45 CFR 160.103--``the release, transfer, provision 
of access to, or divulging in any other manner of information outside 
the entity holding the information.'' As previously mentioned, once the 
Secretary adopts a standard on accounting for disclosures described in 
section 3002(b)(2)(B)(iv) of the PHSA, the Secretary through the HHS 
Office for Civil Rights, is required to modify (no later than 6 months 
after the date on which the Secretary adopts standards on accounting 
for disclosures) the HIPAA Privacy Rule at 45 CFR 164.528 to require 
that HIPAA covered entities account for disclosures related to 
treatment, payment, and health care operations made through an 
electronic health record and to identify in the regulations the 
information that shall be collected about each of the disclosures.

C. Initial Set of Standards, Implementation Specifications, and 
Certification Criteria Sec. Sec.  170.202, 170.205, 170.210, 170.302, 
170.304, 170.306

    The sections below describe the initial set of standards, 
implementation specifications, and certification criteria adopted by 
the Secretary to support, in part, the achievement of meaningful use 
Stage 1 (which begins in 2011). The standards, implementation 
specifications, and certification criteria adopted are meant to serve 
as the basis for the testing and certification of Complete EHRs and EHR 
Modules and they should in no way be misconstrued as additional 
detailed requirements for meaningful use Stage 1 itself. In order to 
prevent confusion, we believe it is necessary to make clear that the 
standards, implementation specifications, and certification criteria 
adopted by the Secretary in this interim final rule apply to, and 
establish the

[[Page 2024]]

required capabilities for, Certified EHR Technology. These criteria do 
not establish requirements for health care providers, such as eligible 
professionals or eligible hospitals to follow. Because certification 
criteria describe both the required capabilities Certified EHR 
Technology must include and, where applicable, the standard(s) that 
must be used by those capabilities, we discuss adopted certification 
criteria first. Table 1 below displays the certification criteria we 
have adopted. Next we discuss adopted standards and the purposes for 
their use. Tables 2A and 2B include the standards referenced by adopted 
certification criteria for a particular exchange or privacy or security 
purpose. Lastly we discuss our approach to implementation 
specifications.
    To guide our approach to adopting the standards, implementation 
specifications, and certification criteria below, we established the 
following goals:
     Promote interoperability and where necessary be specific 
about certain content exchange and vocabulary standards to establish a 
path forward toward semantic interoperability;
     Support the evolution and timely maintenance of adopted 
standards;
     Promote technical innovation using adopted standards;
     Encourage participation and adoption by all vendors, 
including small businesses;
     Keep implementation costs as low as reasonably possible;
     Consider best practices, experiences, policies, 
frameworks, and the input of the HIT Policy Committee and HIT Standards 
Committee in current and future standards;
     Enable mechanisms such as the NHIN to serve as a test-bed 
for innovation and as an open-source reference implementation of best 
practices; and
     To the extent possible, adopt standards that are modular 
and not interdependent. For example, an adopted vocabulary standard 
would not be tied to a particular content exchange standard (e.g., the 
adoption of Current Procedural Terminology (CPT[supreg]) Fourth Edition 
(CPT-4) codes would not require or preclude the use of a particular 
patient summary record standard such as the continuity of care document 
(CCD) or continuity of care record (CCR)).
1. Adopted Certification Criteria
    At its July 16, 2009 and August 14, 2009 meetings, the HIT Policy 
Committee made recommendations to the National Coordinator on policies 
for meaningful use and the certification of HIT, which the National 
Coordinator has considered. For the purposes of this interim final rule 
and the adoption of an initial set of certification criteria, we 
believe that the meaningful use matrix recommended by the HIT Policy 
Committee as modified in the Medicare and Medicaid EHR Incentive 
Programs proposed rule provides a logical way to structure our 
presentation of adopted certification criteria. Furthermore, we found 
the following recommendations on certification from the HIT Policy 
Committee to be particularly informative for the scope of this interim 
final rule and our approach to adopting certification criteria--that 
certification should focus on meaningful use and be leveraged to 
improve security, privacy, and interoperability. We agree that for this 
initial set of certification criteria, supporting the achievement of 
meaningful use Stage 1, as proposed in the Medicare and Medicaid EHR 
Incentive Programs proposed rule, is a foremost priority. As a result, 
we have adopted, based in part on the HIT Policy Committee's 
recommendation, an initial set of certification criteria to support the 
achievement by eligible professionals and eligible hospitals of 
meaningful use Stage 1, as proposed in the Medicare and Medicaid EHR 
Incentive Programs proposed rule.
    The meaningful use matrix recommended by the HIT Policy Committee, 
a revised form of which CMS has included in the Medicare and Medicaid 
EHR Incentive Programs proposed rule, includes overall health outcome 
policy priorities and health care goals that are the same for eligible 
professionals and eligible hospitals. The health outcome policy 
priorities identified in the Medicare and Medicaid EHR Incentive 
Programs proposed rule are: ``Improving quality, safety, efficiency, 
and reducing health disparities; engage patients and families in their 
health care; improve care coordination; improve population and public 
health; and ensure adequate privacy and security protections for 
personal health information.'' For each policy priority, there are also 
associated health care goals which are described in more detail in the 
Medicare and Medicaid EHR Incentive Programs proposed rule.
    The health care goals served as the bases for the proposed specific 
meaningful use Stage 1 objectives for eligible professionals and 
eligible hospitals set forth in the Medicare and Medicaid EHR Incentive 
Programs proposed rule. We have consequently used the proposed 
objectives in the Medicare and Medicaid EHR Incentive Programs proposed 
rule to identify the initial set of certification criteria adopted in 
this interim final rule and have linked the certification criteria to 
these objectives.
    Many of the proposed meaningful use Stage 1 objectives are exactly 
the same for eligible professionals and eligible hospitals. Where 
proposed meaningful use Stage 1 objectives were identical for eligible 
professionals and eligible hospitals, we adopted identical 
certification criteria for Complete EHRs or EHR Modules. However, there 
are instances where proposed meaningful use Stage 1 objective and 
corresponding meaningful use measure are specifically aimed at an 
eligible professional (e.g., electronic prescribing) or eligible 
hospital (e.g., provision of an electronic copy of discharge 
instructions). Where the proposed meaningful use Stage 1 objectives 
were worded differently or only applied to an eligible professional or 
eligible hospital, we have adopted specific certification criteria to 
assure that Certified EHR Technology includes the capabilities 
necessary to meet that objective.
    Additionally, CMS describes in the Medicare and Medicaid EHR 
Incentive Programs proposed rule a number of the terms referenced in 
this table, specifically those in the first column which align directly 
with the proposed meaningful use Stage 1 objectives. For example, one 
of the proposed meaningful use Stage 1 objectives is to ``perform 
medication reconciliation at relevant encounters and each transition of 
care.'' We have adopted a certification criterion to assure that a 
Complete EHR or EHR Module is capable of performing medication 
reconciliation. However, it is not within the scope of this interim 
final rule to specify when or how often this needs to occur. Rather, 
the proposed meaningful use Stage 1 measure for this proposed objective 
dictates the frequency, and the preamble of the Medicare and Medicaid 
EHR Incentive Programs proposed rule provides descriptions for what is 
meant by ``relevant encounters'' and ``each transition of care.'' We 
encourage any reader seeking the meaning or further explanation of a 
particular term in the objectives to review the Medicare and Medicaid 
EHR Incentive Programs proposed rule.
    To improve the readability of Table 1 and illustrate the linkage 
between adopted certification criteria and proposed meaningful use 
Stage 1 objectives, in instances where the proposed meaningful use 
Stage 1 objective was the same in concept for eligible professionals 
and eligible hospitals but differed slightly with

[[Page 2025]]

respect to wording, we provided a combined objective and referenced the 
full proposed objective in a footnote. All certification criteria are 
prefaced with the statement ``A Complete EHR or EHR Module must include 
the capability to:'' in order to create uniformity in the way each 
certification criterion is read.
    Finally, we understand that certain types of standards, 
specifically code sets, must be maintained and frequently updated to 
serve their intended purpose effectively. Code sets are typically used 
for encoding data elements, such as medical terms, medical concepts, 
diagnoses, and medical procedures. As new medical procedures, 
technologies, treatments, or diagnostic methods are developed or 
discovered, additional codes must be added or existing codes must be 
revised. In some cases, new codes are necessary to reflect the most 
recent changes in medical practice, involving perhaps revised 
medication dosage, updated treatment procedures, or the discovery of 
new diseases. In many cases, the new codes must be disseminated and 
implemented quickly for patient safety and significant public health 
purposes.
    To address this need and accommodate industry practice, we have in 
this interim final rule indicated that certain types of standards will 
be considered a floor for certification. We have implemented this 
approach by preceding references to specific adopted standards with the 
phrase, ``at a minimum.'' In those instances, the certification 
criterion requires compliance with the version of the code set that has 
been adopted through incorporation by reference, or any subsequently 
released version of the code set. This approach will permit Complete 
EHRs and EHR Modules to be tested and certified, to, ``at a minimum,'' 
the version of the standard that has been adopted or a more current or 
subsequently released version. This will also enable Certified EHR 
Technology to be updated from an older, ``minimum,'' adopted version of 
a code set to a more current version without adversely affecting 
Certified EHR Technology's ``certified status.'' We intend to elaborate 
in the upcoming HIT Certification Programs proposed rule on how testing 
and certification would be conducted using standards we have adopted 
and designated as ``minimums'' in certain certification criteria.
    Because we expect to adopt additional code set standards in the 
future, we believe this approach is necessary. Moreover, we believe the 
certification of Complete EHRs and EHR Modules should be flexible 
enough to accommodate current code sets that are regularly maintained 
and updated. We also believe that this approach will enable and 
encourage eligible professionals and eligible hospitals to adopt 
Certified EHR Technology and keep it current, which will promote 
patient safety, public health safety, and more broadly, improve health 
care quality.
    That being said, we understand that this approach has certain 
limitations. In some cases, for instance, rather than simply 
maintaining, correcting, or slightly revising a code set, a code set 
maintaining organization will modify the structure or framework of a 
code set to meet developing industry needs. We would consider this type 
of significant revision to a code set to be a ``modification,'' rather 
than maintenance or a minor update of the code set. An example of a 
code set ``modification'' would be if a hypothetical XYZ code set 
version 1 were to use 7-digit numeric codes to represent health 
information while XYZ code set version 2 used 9-digit alphanumeric 
codes to represent health information. In such cases, interoperability 
would likely be reduced among Complete EHRs and EHR Modules that have 
adopted different versions of the structurally divergent code sets. If 
a code set that we have adopted through incorporation by reference is 
modified significantly, we will update the incorporation by reference 
of the adopted version with the more recent version of the code set 
prior to requiring or permitting certification according to the newer 
version.
    The following provides an example of how our approach will work. A 
proposed meaningful use Stage 1 objective specifies the capability to 
submit electronic data to immunization registries and, accordingly, we 
have adopted a certification criterion to assure that a Complete EHR or 
EHR Module is capable of electronically recording, retrieving, and 
transmitting immunization information to immunization registries in 
accordance with the standards specified in Table 2A row 8. Table 2A row 
8 references, as a vocabulary standard (code set), the CDC maintained 
HL7 standard code set CVX-Vaccines Administered. The current version of 
the CVX code set was published July 30, 2009, and includes new vaccine 
codes related to the ``Novel Influenza-H1N1.'' Continuing our CVX 
example, if the CDC were to publish a new version of CVX on February 1, 
2010, we would permit a Complete EHR or EHR Module to be tested and 
certified according to the minimum adopted version of the standard, the 
July 30, 2009, version of CVX or the February 1, 2010 version that was 
subsequently issued as part of the code set's maintenance.
    For certain certification criteria in Table 1 below, we include a 
percent symbol ``%'' superscript to indicate instances where the 
version of an adopted standard (specified in the regulation text) will 
be ``at a minimum'' the version to which a Complete EHR or EHR Module 
must be tested and certified in order to be considered compliant with 
the adopted standard.

                     Table 1--Certification Criteria
------------------------------------------------------------------------
                                                          Certification
                                Certification criteria     criteria to
                                    to support the         support the
 Proposed meaningful use Stage      achievement of       achievement of
         1 objectives           meaningful use Stage 1   meaningful use
                                      by eligible          Stage 1 by
                                     professionals          eligible
                                                            hospital
------------------------------------------------------------------------
                                    A Complete EHR or EHR Module must
                                        include the capability to:
------------------------------------------------------------------------
Use Computerized Provider       Enable a user to        Enable a user to
 Order Entry (CPOE) \3\.         electronically          electronically
                                 record, store,          record, store,
                                 retrieve, and manage,   retrieve, and
                                 at a minimum, the       manage, at a
                                 following order         minimum, the
                                 types:                  following order
                                                         types:
                                   1. Medications;         1.
                                                            Medications;
                                   2. Laboratory;          2.
                                                            Laboratory;
                                   3. Radiology/           3. Radiology/
                                    imaging; and            imaging;

[[Page 2026]]

 
                                   4. Provider             4. Blood
                                    referrals.              bank;
                                                        5. Physical
                                                         therapy;
                                                        6. Occupational
                                                         therapy;
                                                        7. Respiratory
                                                         therapy;
                                                        8.
                                                         Rehabilitation
                                                         therapy;
                                                        9. Dialysis;
                                                        10. Provider
                                                         consults; and
                                                        11. Discharge
                                                         and transfer.
                               -----------------------------------------
Implement drug-drug, drug-      1. Automatically and electronically
 allergy, drug-formulary         generate and indicate (e.g., pop-up
 checks.                         message or sound) in real-time, alerts
                                 at the point of care for drug-drug and
                                 drug-allergy contraindications based on
                                 medication list, medication allergy
                                 list, age, and CPOE.
                                2. Enable a user to electronically check
                                 if drugs are in a formulary or
                                 preferred drug list in accordance with
                                 the standard specified in Table 2A row
                                 2.
                                3. Provide certain users with
                                 administrator rights to deactivate,
                                 modify, and add rules for drug-drug and
                                 drug-allergy checking.
                                4. Automatically and electronically
                                 track, record, and generate reports on
                                 the number of alerts responded to by a
                                 user.
Maintain an up-to-date problem  Enable a user to electronically record,
 list of current and active      modify, and retrieve a patient's
 diagnoses based on ICD-9-CM     problem list for longitudinal care
 or SNOMED CT[supreg].           (i.e., over multiple office visits) in
                                 accordance with the applicable
                                 standards\%\ specified in Table 2A row
                                 1.
                               -----------------------------------------
Generate and transmit           Enable a user to        No Associated
 permissible prescriptions       electronically          Proposed
 electronically (eRx).           transmit medication     Meaningful Use
                                 orders                  Stage 1
                                 (prescriptions) for     Objective.
                                 patients in
                                 accordance with the
                                 standards specified
                                 in Table 2A row 3.
                               -----------------------------------------
Maintain active medication      Enable a user to electronically record,
 list.                           modify, and retrieve a patient's active
                                 medication list as well as medication
                                 history for longitudinal care (i.e.,
                                 over multiple office visits) in
                                 accordance with the applicable standard
                                 specified in Table 2A row 1.
                               -----------------------------------------
Maintain active medication      Enable a user to electronically record,
 allergy list.                   modify, and retrieve a patient's active
                                 medication allergy list as well as
                                 medication allergy history for
                                 longitudinal care (i.e., over multiple
                                 office visits).
                               -----------------------------------------
Record demographics 4 5.......  Enable a user to        Enable a user to
                                 electronically          electronically
                                 record, modify, and     record, modify,
                                 retrieve patient        and retrieve
                                 demographic data        patient
                                 including preferred     demographic
                                 language, insurance     data including
                                 type, gender, race,     preferred
                                 ethnicity, and date     language,
                                 of birth.               insurance type,
                                                         gender, race,
                                                         ethnicity, date
                                                         of birth, and
                                                         date and cause
                                                         of death in the
                                                         event of
                                                         mortality.
                               -----------------------------------------
Record and chart changes in     1. Enable a user to electronically
 vital signs:                    record, modify, and retrieve a
 Height...............   patient's vital signs including, at a
 Weight...............   minimum, the height, weight, blood
 Blood pressure.......   pressure, temperature, and pulse.
 Calculate and          2. Automatically calculate and display
 display: BMI.                   body mass index (BMI) based on a
 Plot and display        patient's height and weight.
 growth charts for children 2-  3. Plot and electronically display, upon
 20 years, including BMI.        request, growth charts (height, weight,
                                 and BMI) for patients 2-20 years old.
Record smoking status for       Enable a user to electronically record,
 patients 13 years old or        modify, and retrieve the smoking status
 older.                          of a patient to: current smoker, former
                                 smoker, or never smoked.
Incorporate clinical lab-test   1. Electronically receive clinical
 results into EHR as             laboratory test results in a structured
 structured data.                format and display such results in
                                 human readable format.
                                2. Electronically display in human
                                 readable format any clinical laboratory
                                 tests that have been received with
                                 LOINC[reg] codes.
                                3. Electronically display all the
                                 information for a test report specified
                                 at 42 CFR 493.1291(c)(1) through
                                 (7).\6\
                                4. Enable a user to electronically
                                 update a patient's record based upon
                                 received laboratory test results.
Generate lists of patients by   Enable a user to electronically select,
 specific conditions to use      sort, retrieve, and output a list of
 for quality improvement,        patients and patients' clinical
 reduction of disparities, and   information, based on user-defined
 outreach.                       demographic data, medication list, and
                                 specific conditions.
Report quality measures to CMS  1. Calculate and electronically display
 or the States 7 8.              quality measure results as specified by
                                 CMS or states.
                                2. Enable a user to electronically
                                 submit calculated quality measures in
                                 accordance with the standard specified
                                 in Table 2A row 5.

[[Page 2027]]

 
Send reminders to patients per  Electronically          No Associated
 patient preference for          generate, upon          Proposed
 preventive/follow up care.      request, a patient      Meaningful Use
                                 reminder list for       Stage 1
                                 preventive or follow-   Objective.
                                 up care according to
                                 patient preferences
                                 based on demographic
                                 data, specific
                                 conditions, and/or
                                 medication list.
                               -----------------------------------------
Implement 5 clinical decision   1. Implement            1. Implement
 support rules 9 10.             automated, electronic   automated,
                                 clinical decision       electronic
                                 support rules (in       clinical
                                 addition to drug-drug   decision
                                 and drug-allergy        support rules
                                 contraindication        (in addition to
                                 checking) according     drug-drug and
                                 to specialty or         drug-allergy
                                 clinical priorities     contraindicatio
                                 that use demographic    n checking)
                                 data, specific          according to a
                                 patient diagnoses,      high priority
                                 conditions,             hospital
                                 diagnostic test         condition that
                                 results and/or          use demographic
                                 patient medication      data, specific
                                 list.                   patient
                                                         diagnoses,
                                                         conditions,
                                                         diagnostic test
                                                         results and/or
                                                         patient
                                                         medication
                                                         list.
                                2. Automatically and    2. Automatically
                                 electronically          and
                                 generate and indicate   electronically
                                 (e.g., pop-up message   generate and
                                 or sound) in real-      indicate (e.g.,
                                 time, alerts and care   pop-up message
                                 suggestions based       or sound) in
                                 upon clinical           real-time,
                                 decision support        alerts and care
                                 rules and evidence      suggestions
                                 grade.                  based upon
                                                         clinical
                                                         decision
                                                         support rules
                                                         and evidence
                                                         grade.
                                3. Automatically and    3. Automatically
                                 electronically track,   and
                                 record, and generate    electronically
                                 reports on the number   track, record,
                                 of alerts responded     and generate
                                 to by a user.           reports on the
                                                         number of
                                                         alerts
                                                         responded to by
                                                         a user.
                               -----------------------------------------
Check insurance eligibility     Enable a user to electronically record
 electronically from public      and display patients' insurance
 and private payers.             eligibility, and submit insurance
                                 eligibility queries to public or
                                 private payers and receive an
                                 eligibility response in accordance with
                                 the applicable standards specified in
                                 Table 2A row 4.
Submit claims electronically    Enable a user to electronically submit
 to public and private payers.   claims to public or private payers in
                                 accordance with the applicable
                                 standards specified in Table 2A row 4.
                               -----------------------------------------
Provide patients with an        Enable a user to        Enable a user to
 electronic copy of their        create an electronic    create an
 health information upon         copy of a patient's     electronic copy
 request 11 12.                  clinical information,   of a patient's
                                 including, at a         clinical
                                 minimum, diagnostic     information,
                                 test results, problem   including, at a
                                 list, medication        minimum,
                                 list, medication        diagnostic test
                                 allergy list,           results,
                                 immunizations, and      problem list,
                                 procedures in: (1)      medication
                                 Human readable          list,
                                 format; and (2)         medication
                                 accordance with the     allergy list,
                                 standards\%\            immunizations,
                                 specified in Table 2A   discharge
                                 row 1 to provide to a   summary, and
                                 patient on electronic   procedures in:
                                 media, or through       (1) Human
                                 some other electronic   readable
                                 means.                  format; and (2)
                                                         accordance with
                                                         the
                                                         standards\%\
                                                         specified in
                                                         Table 2A row 1
                                                         to provide to a
                                                         patient on
                                                         electronic
                                                         media, or
                                                         through some
                                                         other
                                                         electronic
                                                         means.
Provide patients with an        No Associated Proposed  Enable a user to
 electronic copy of their        Meaningful Use Stage    create an
 discharge instructions and      1 Objective.            electronic copy
 procedures at time of                                   of the
 discharge, upon request.                                discharge
                                                         instructions
                                                         and procedures
                                                         for a patient,
                                                         in human
                                                         readable
                                                         format, at the
                                                         time of
                                                         discharge to
                                                         provide to a
                                                         patient on
                                                         electronic
                                                         media, or
                                                         through some
                                                         other
                                                         electronic
                                                         means.
Provide patients with timely    Enable a user to        No Associated
 electronic access to their      provide patients with   Proposed
 health information (including   online access to        Meaningful Use
 lab results, problem list,      their clinical          Stage 1
 medication lists, allergies)    information,            Objective.
 within 96 hours of the          including, at a
 information being available     minimum, lab test
 to the eligible professional.   results, problem
                                 list, medication
                                 list, medication
                                 allergy list,
                                 immunizations, and
                                 procedures.
Provide clinical summaries for  1. Enable a user to     No Associated
 patients for each office        provide clinical        Proposed
 visit.                          summaries to patients   Meaningful Use
                                 (in paper or            Stage 1
                                 electronic form) for    Objective.
                                 each office visit
                                 that include, at a
                                 minimum, diagnostic
                                 test results,
                                 medication list,
                                 medication allergy
                                 list, procedures,
                                 problem list, and
                                 immunizations.
                                2. If the clinical
                                 summary is provided
                                 electronically (i.e.,
                                 not printed), it must
                                 be provided in: (1)
                                 Human readable
                                 format; and (2)
                                 accordance with the
                                 standards\%\
                                 specified in Table 2A
                                 row 1 to provide to a
                                 patient on electronic
                                 media, or through
                                 some other electronic
                                 means.

[[Page 2028]]

 
Capability to exchange key      1. Electronically       1.
 clinical information among      receive a patient       Electronically
 providers of care and patient   summary record, from    receive a
 authorized entities             other providers and     patient summary
 electronically 13 14.           organizations           record, from
Provide summary care record      including, at a         other providers
 for each transition of care     minimum, diagnostic     and
 and referral.                   test results, problem   organizations
                                 list, medication        including, at a
                                 list, medication        minimum,
                                 allergy list,           discharge
                                 immunizations, and      summary,
                                 procedures and upon     diagnostic test
                                 receipt of a patient    results,
                                 summary record          problem list,
                                 formatted in an         medication
                                 alternative standard    list,
                                 specified in Table 2A   medication
                                 row 1, displaying it    allergy list,
                                 in human readable       immunizations,
                                 format.                 and procedures
                                2. Enable a user to      and upon
                                 electronically          receipt of a
                                 transmit a patient      patient summary
                                 summary record to       record
                                 other providers and     formatted in an
                                 organizations           alternative
                                 including, at a         standard
                                 minimum, diagnostic     specified in
                                 test results, problem   Table 2A row 1,
                                 list, medication        displaying it
                                 list, medication        in human
                                 allergy list,           readable
                                 immunizations, and      format.
                                 procedures in          2. Enable a user
                                 accordance with the     to
                                 standards\%\            electronically
                                 specified in Table 2A   transmit a
                                 row 1.                  patient summary
                                                         record, to
                                                         other providers
                                                         and
                                                         organizations
                                                         including, at a
                                                         minimum,
                                                         discharge
                                                         summary,
                                                         diagnostic test
                                                         results,
                                                         problem list,
                                                         medication
                                                         list,
                                                         medication
                                                         allergy list,
                                                         immunizations,
                                                         and procedures
                                                         in accordance
                                                         with the
                                                         standards\%\
                                                         specified in
                                                         Table 2A row 1.
                               -----------------------------------------
Perform medication              Electronically complete medication
 reconciliation at relevant      reconciliation of two or more
 encounters and each             medication lists (compare and merge)
 transition of care.             into a single medication list that can
                                 be electronically displayed in real-
                                 time.
Capability to submit            Electronically record, retrieve, and
 electronic data to              transmit immunization information to
 immunization registries and     immunization registries in accordance
 actual submission where         with the standards\%\ specified in
 required and accepted.          Table 2A row 8 or in accordance with
                                 the applicable state-designated
                                 standard format.
                               -----------------------------------------
Capability to provide           No Associated Proposed  Electronically
 electronic submission of        Meaningful Use Stage    record,
 reportable lab results (as      1 Objective.            retrieve, and
 required by state or local                              transmit
 law) to public health                                   reportable
 agencies and actual                                     clinical lab
 submission where it can be                              results to
 received.                                               public health
                                                         agencies in
                                                         accordance with
                                                         the
                                                         standards\%\
                                                         specified in
                                                         Table 2A row 6.
                               -----------------------------------------
Capability to provide           Electronically record, retrieve, and
 electronic syndromic            transmit syndrome-based (e.g.,
 surveillance data to public     influenza like illness) public health
 health agencies and actual      surveillance information to public
 transmission according to       health agencies in accordance with the
 applicable law and practice.    standards specified in Table 2A row 7.
Protect electronic health       1. Assign a unique name and/or number
 information created or          for identifying and tracking user
 maintained by the certified     identity and establish controls that
 EHR technology through the      permit only authorized users to access
 implementation of appropriate   electronic health information.
 technical capabilities.        2. Permit authorized users (who are
                                 authorized for emergency situations) to
                                 access electronic health information
                                 during an emergency.
                                3. Terminate an electronic session after
                                 a predetermined time of inactivity.
                                4. Encrypt and decrypt electronic health
                                 information according to user-defined
                                 preferences (e.g., backups, removable
                                 media, at log-on/off) in accordance
                                 with the standard specified in Table 2B
                                 row 1.
                                5. Encrypt and decrypt electronic health
                                 information when exchanged in
                                 accordance with the standard specified
                                 in Table 2B row 2.
                                6. Record actions (e.g., deletion)
                                 related to electronic health
                                 information in accordance with the
                                 standard specified in Table 2B row 3
                                 (i.e., audit log), provide alerts based
                                 on user-defined events, and
                                 electronically display and print all or
                                 a specified set of recorded information
                                 upon request or at a set period of
                                 time.
                                7. Verify that electronic health
                                 information has not been altered in
                                 transit and detect the alteration and
                                 deletion of electronic health
                                 information and audit logs in
                                 accordance with the standard specified
                                 in Table 2B row 4.
                                8. Verify that a person or entity
                                 seeking access to electronic health
                                 information is the one claimed and is
                                 authorized to access such information.
                                9. Verify that a person or entity
                                 seeking access to electronic health
                                 information across a network is the one
                                 claimed and is authorized to access
                                 such information in accordance with the
                                 standard specified in Table 2B row 5.
                                10. Record disclosures made for
                                 treatment, payment, and health care
                                 operations in accordance with the
                                 standard specified in Table 2B row 6.
------------------------------------------------------------------------

    We reiterate that adopted certification criteria identify the 
required capabilities for a Complete EHR or EHR Module to be certified. 
Adopted certification criteria do not apply to, or require actions by, 
eligible professionals or eligible hospitals. For example, to be 
certified, a Complete EHR or EHR Module must be capable of plotting and 
displaying growth charts for patients. By

[[Page 2029]]

being tested and certified, a Complete EHR or EHR Module will have 
demonstrated that this capability is available for an eligible 
professional or eligible hospital to use.
---------------------------------------------------------------------------

    \3\ For eligible hospitals the full proposed meaningful use 
Stage 1 objective is: ``Use CPOE for orders (any type) directly 
entered by authorizing provider (for example, MD, DO, RN, PA, NP).''
    \4\ For eligible professionals the full proposed meaningful use 
Stage 1 objective is: ``record demographics: preferred language, 
insurance type, gender, race, ethnicity, date of birth.''
    \5\ For eligible hospitals the full proposed meaningful use 
Stage 1 objective is: ``record demographics: preferred language, 
insurance type, gender, race, ethnicity, date of birth, date and 
cause of death in the event of mortality.''
    \6\ 42 CFR 493.1291(b) specifies that ``[t]he test report 
information maintained as part of the patient's chart or medical 
record must be readily available to the laboratory and to CMS or a 
CMS agent upon request.'' 42 CFR 493.1291(c) specifies the required 
test report information.
    \7\ For eligible professionals the full proposed meaningful use 
Stage 1 objective is ``Report ambulatory quality measures to CMS or 
the States.''
    \8\ For eligible hospitals the full proposed meaningful use 
Stage 1 objective is ``Report hospital quality measures to CMS or 
the States.''
    \9\ For eligible professionals the full proposed meaningful use 
Stage 1 objective is ``Implement 5 clinical decision support rules 
relevant to specialty or high clinical priority, including 
diagnostic test ordering, along with the ability to track compliance 
with those rules''
    \10\ For eligible hospitals the full proposed meaningful use 
Stage 1 objective is ``Implement 5 clinical decision support rules 
related to a high priority hospital condition, including diagnostic 
test ordering, along with the ability to track compliance with those 
rules''
    \11\ For eligible professionals the full proposed meaningful use 
Stage 1 objective is ``Provide patients with an electronic copy of 
their health information (including diagnostic test results, problem 
list, medication lists, allergies), upon request''
    \12\ For eligible hospitals the full proposed meaningful use 
Stage 1 objective is ``Provide patients with an electronic copy of 
their health information (including diagnostic test results, problem 
list, medication lists, allergies, discharge summary, procedures), 
upon request''
    \13\ For eligible professionals the full proposed meaningful use 
Stage 1 objective is ``Capability to exchange key clinical 
information (for example problem list, medication list, allergies, 
diagnostic test results) among providers of care and patient 
authorized entities electronically.''
    \14\ For eligible hospitals the full proposed meaningful use 
Stage 1 objective is ``Capability to exchange key clinical 
information (for example discharge summary, procedures, problem 
list, medication list, allergies, diagnostic test results) among 
providers of care and patient authorized entities electronically.''
---------------------------------------------------------------------------

    In adopting these certification criteria, we attempted to balance 
specificity with flexibility and the opportunity for innovation. 
However, in taking this approach we recognize that certain tradeoffs 
exist. On one hand, we anticipate that flexibility will allow Complete 
EHRs and EHR Modules to evolve over time to meet these criteria in 
increasingly efficient, useable, and innovative ways. On the other 
hand, any lack of specificity concerning the capabilities Complete EHRs 
or EHR Modules must include risks the possibility that Certified EHR 
Technology may inadequately support an eligible professional or 
eligible hospital's attempt to achieve meaningful use Stage 1, once 
finalized. Therefore, we request public comment on whether any of the 
adopted certification criteria above are insufficiently specific to be 
used to test and certify Complete EHRs or EHR Modules with reasonable 
assurance that the technology will effectively support the delivery of 
health care as well as the achievement of meaningful use Stage 1, once 
finalized.
2. Adopted Standards
    In fulfilling the Secretary's responsibility under section 
3004(b)(1), the following initial set of standards and implementation 
specifications have been adopted \15\ for use in Certified EHR 
Technology to support proposed meaningful use Stage 1 and to enable 
increased interoperability and privacy and security. We have organized 
adopted standards into the same four categories recommended by the HIT 
Standards Committee.
---------------------------------------------------------------------------

    \15\ Per section 3004(b)(1), we believe the standards adopted 
address all applicable ``areas required for consideration'' under 
section 3002(b)(2)(B)--the HIT Policy Committee required areas 
described above in Section I of this interim final rule.
---------------------------------------------------------------------------

     Vocabulary Standards (i.e., standardized nomenclatures and 
code sets used to describe clinical problems and procedures, 
medications, and allergies);
     Content Exchange Standards (i.e., standards used to share 
clinical information such as clinical summaries, prescriptions, and 
structured electronic documents);
     Transport Standards (i.e., standards used to establish a 
common, predictable, secure communication protocol between systems); 
and
     Privacy and Security Standards (e.g., authentication, 
access control, transmission security) which relate to and span across 
all of the other types of standards.
    As demonstrated by the adopted certification criteria, we expect 
Certified EHR Technology to be tested and certified as being capable of 
complying with adopted standards. We note that there are not standards 
required for every certification criterion adopted by this interim 
final rule. However, we have required standards as part of certain 
certification criteria when their adoption could lead to increased 
interoperability and privacy and security. We agree with the HIT Policy 
Committee's recommendation to focus on these two areas and believe they 
are the most important to emphasize for this initial set of standards. 
We discuss the adopted interoperability standards directly below and 
the adopted privacy and security standards in section III.C.2.c.
    With respect to interoperability standards we have, after 
considering the recommendations of the HIT Standards Committee, chosen 
to adopt alternative standards for certain purposes. Also, at the 
recommendation of the HIT Standards Committee, we have limited the 
adoption of specific vocabulary standards in this initial set to a few, 
important instances.
    Presently, we have only adopted a limited number of certification 
criteria that require Certified EHR Technology to be capable of using a 
specific vocabulary or code set. In certain instances, because of other 
HHS regulatory requirements, we have adopted those vocabularies and 
code sets with which the regulated community is already required to 
comply. We expect future stages of meaningful use will require 
Certified EHR Technology to provide additional capabilities as well as 
an increased capacity to exchange electronic health information 
according to specific vocabularies and code sets. To enhance 
interoperability, we believe it will be essential to adopt specific 
standards, vocabularies, and code sets in the future. We look forward 
to receiving recommendations from the HIT Standards Committee related 
to specific vocabularies and code sets to support future stages of 
meaningful use.
    The initial set of standards and implementation specifications in 
this interim final rule was adopted to support the proposed 
requirements for meaningful use Stage 1. We have added a column in 
Table 2A to illustrate the standards that we believe Certified EHR 
Technology should most likely be capable of to support meaningful use 
Stage 2 (although as explained in the Medicare and Medicaid EHR 
Incentives Program proposed rule, CMS intends to engage in rulemaking 
to adopt Stage 2 criteria for meaningful use and ONC would adopt 
standards consistent with this effort). We developed this list of 
candidate Stage 2 standards by considering the recommendations made by 
the HIT Standards Committee related to standards to support meaningful 
use Stage 2 and developing our own estimates of what it would take to 
advance interoperability. We have added a column in Table 2A to 
illustrate the standards that we believe should be included in 
Certified EHR Technology to support meaningful use Stage 2. With the 
exception of standards that are tied to other HHS regulatory 
requirements, this additional column represents our best estimate and 
does not in any way imply the Secretary's adoption of these standards 
or limit the Secretary's discretion to adopt different standards in the 
future. We look forward to receiving recommendations from the HIT 
Standards Committee to advance interoperability in line with these 
estimates and welcome comments on

[[Page 2030]]

the industry's ability to implement these candidate standards in time 
to support meaningful use Stage 2 (which is proposed to begin in 2013).
    As an example of our future expectations, currently adopted 
certification criteria do not require the use of the vocabulary 
standard, RxNorm. However, RxNorm maintains links from the RxNorm 
concept unique identifier (CUI) to the corresponding drug codes in 
other vocabularies. While we have not adopted RxNorm as a standard in 
this initial set, we have adopted as a standard for medication 
information the use of a vocabulary the National Library of Medicine 
has identified as an RxNorm drug data source provider with a complete 
data set integrated within RxNorm (additional detail regarding this 
standard is provided below). We believe this standard will establish an 
important bridge to full RxNorm adoption and will help facilitate this 
transition over time. We anticipate adopting certification criteria 
that requires Certified EHR Technology be capable of using the RxNorm 
superset in its entirety to support meaningful use Stage 2 and look 
forward to HIT Standards Committee recommendations in this regard.
    As another example, we have adopted a certification criterion that 
requires Certified EHR Technology to be capable of receiving a message 
with Logical Observation Identifiers Names and Codes (LOINC[supreg]) 
codes from a laboratory, retaining those LOINC[supreg] codes, and using 
LOINC[supreg] codes to populate a patient summary record. We do not 
require Certified EHR Technology to be capable of mapping all 
laboratory orders or tests to LOINC[supreg] codes. Rather, we require 
that Certified EHR Technology be capable of using LOINC[supreg] codes 
that are received and retained to populate a patient summary record. 
Moreover, having LOINC[supreg] codes used internally for meaningful use 
Stage 1 will prepare Certified EHR Technology for any future potential 
meaningful use Stage 2 requirements. We believe the use of 
LOINC[supreg], Systematized Nomenclature of Medicine Clinical Terms 
(SNOMED CT[supreg]), and other vocabulary standards will accelerate the 
adoption and use of clinical decision support. Requiring LOINC[supreg] 
as a vocabulary standard that Certified EHR Technology must have the 
capability to support for meaningful use Stage 1 provides an 
incremental approach to achieving these future goals.
    A final example would be, if an eligible professional uses 
Certified EHR Technology that has implemented the continuity of care 
document (CCD) standard for the exchange of a patient summary record 
and receives a patient summary record formatted in the continuity of 
care record (CCR) standard, their Certified EHR Technology must be 
capable of interpreting the information within the CCR message and 
displaying it in human readable format. We do not expressly state how 
this should be accomplished or in what format human readable 
information should be displayed (e.g., information in a CCR message 
could be converted to a text file or PDF). We only require that 
Certified EHR Technology must be capable of performing this function. 
We believe this requirement is critical and have included it to allow 
flexibility in the marketplace during meaningful use Stage 1 and to 
prevent good faith efforts to exchange information from going to waste 
(i.e., information is exchanged, but is unreadable to both Certified 
EHR Technology (machine readable) and humans).
    We discuss in more detail below the four categories identified 
above and the standards adopted for each. At the end of this section we 
provide in Table 2A the standards adopted for certain exchange purposes 
to support meaningful use Stage 1, as proposed in the Medicare and 
Medicaid EHR Incentive Programs proposed rule, as well as those 
candidate standards we believe should be adopted and required in 
certification criteria to support meaningful use Stage 2.
    Finally, and consistent with the National Technology Transfer and 
Advancement Act of 1995 (NTTAA) (15 U.S.C. 3701 et seq.) and OMB 
Circular A-119 \16\ (the circular), we have adopted voluntary consensus 
standards wherever practical. We have noted with a superscript ``+'' 
(plus sign) those standards that are not voluntary consensus standards. 
Both the NTTAA and the Circular require Federal agencies to use 
technical standards that are developed or adopted by voluntary 
consensus standards bodies, using such technical standards as a means 
to carry out policy objectives or activities. Federal agencies, 
however, are not required to use such standards if doing so would be 
``inconsistent with applicable law or otherwise impractical.'' In those 
instances in which we have not used voluntary consensus standards, we 
determined that to do so would be impractical for two principal 
reasons. First, in most cases a voluntary consensus standard that could 
meet the requisite technical goals was simply unavailable. Second, to 
the extent that a potentially equivalent voluntary consensus standard 
was available, the standard was too limiting and did not meet our 
policy goals, including allowing for greater innovation by the 
marketplace. We solicit comment on our approach and the availability of 
voluntary consensus standards that may be viable alternatives to any of 
the non-voluntary consensus standards we have adopted.
---------------------------------------------------------------------------

    \16\ http://www.whitehouse.gov/omb/circulars_a119.
---------------------------------------------------------------------------

a. Transport Standards
    With respect to transport standards, we have adopted Simple Object 
Access Protocol (SOAP) version 1.2 and Representational state transfer 
(REST) to provide standard ways for systems to interact with each 
other. SOAP and REST are discussed in more detail below. These 
standards are widely used and implemented by the HIT industry and were 
also recommended by the HIT Standards Committee. We understand that the 
industry is already exploring other standards beyond SOAP and REST, and 
we look forward to receiving recommendations from the HIT Standards 
Committee in this regard to help enable innovation in the marketplace 
rather than constrain it.
    We recognize, out of the four categories of standards identified 
above, that the term ``transport standard'' may be used by others to 
refer to what we have called a ``content exchange standard.'' In the 
interest of retaining the categories recommended by the HIT Standards 
Committee and to avoid further confusion, we have chosen this 
categorization and believe the following distinction can be made to 
clarify the meaning of the two terms in this interim final rule. 
Transport standards are not domain specific while content exchange 
standards are. That is, SOAP and REST can be used by other industries 
to exchange information while the CCD, for example, is specifically 
designed for the exchange of health information.
    SOAP, originally defined as ``Simple Object Access Protocol'', is a 
protocol specification for exchanging structured information in the 
implementation of Web Services in computer networks. It relies on 
Extensible Markup Language (XML) as its message format, and usually 
relies on other Application Layer protocols (most notably Remote 
Procedure Call (RPC) and HyperText Transfer Protocol (HTTP)) for 
message negotiation and transmission. SOAP can form the foundation 
layer of a web services protocol stack, providing a basic messaging 
framework upon which web services can be built. The SOAP architecture 
consists of several layers of

[[Page 2031]]

specifications for message format, message exchange patterns (MEP), 
underlying transport protocol bindings, message processing models, and 
protocol extensibility. SOAP was adopted because it is widely used and 
versatile enough to allow for the use of different transport protocols, 
is platform independent, and is language independent.
    REST is a style of software architecture for distributed hypermedia 
systems such as the Internet. Systems which follow REST principles are 
often referred to as ``RESTful''. An important concept in REST is the 
existence of Web resources (sources of specific information), each of 
which is referenced with a global identifier (e.g., a Uniform Resource 
Identifier or URI in HTTP). In order to manipulate these resources, 
``components'' of the network (user agents and origin servers) 
communicate via a standardized interface (e.g., HTTP) and exchange 
``representations'' of these resources (the actual documents conveying 
the information). A RESTful web service is a simple web service 
implemented using HTTP and the principles of REST.
b. Content Exchange and Vocabulary Standards
i. Patient Summary Record
    With respect to meaningful use Stage 1, Certified EHR Technology 
will be required to be certified as being capable of (1) using the 
Health Level Seven (HL7) Clinical Document Architecture (CDA) Release 2 
(R2) Level 2 CCD or ASTM CCR to electronically exchange a patient 
summary record; and 2) upon receipt of a patient summary record 
formatted in an alternative standard, displaying it in human readable 
format. An HL7 CCD Level 2 allows the body of the CCD to be either 
structured XML text, or unstructured text, and provides backward 
compatibility to CCD Level 1 documents as well as a migration path to 
the more complex HL7 Version 3 reference information model (RIM) based 
information found in CCD Level 3.
    For the purposes of industry readiness and to further 
interoperability in a stepwise fashion, we have decided to adopt these 
two content exchange standards as alternatives. We firmly believe one 
patient summary record standard should be adopted to support meaningful 
use Stage 2 and beyond. We believe that this is necessary to improve 
patient care and access to health information as well as 
interoperability in general. We expect the industry to move toward a 
single standard for patient summary records in the near future and 
potentially in time to support meaningful use Stage 2. We welcome 
public comments regarding these alternatives and specifically comments 
that can address the HIT industry's readiness to move to a single 
standard. We also look forward to receiving recommendations from the 
HIT Standards Committee in this regard.
    With respect to the vocabulary standards for use within a patient 
summary record, and in support of proposed meaningful Stage 1 
objectives, we expect the following fields to be populated: problem 
list; medication list; medication allergy list; procedures; vital 
signs; units of measure; lab orders and results; and, where 
appropriate, discharge summary. At this time, the Secretary has only 
adopted standards related to the use of International Classification of 
Diseases, 9th Revision, Clinical Modifications (ICD-9-CM) or SNOMED 
CT[supreg] to populate a problem list and ICD-9-CM or American Medical 
Association (AMA) Current Procedural Terminology (CPT[supreg]) Fourth 
Edition (CPT-4) to populate information related to procedures. For 
medication lists, we have adopted a standard that requires the use of 
codes from a drug vocabulary the National Library of Medicine has 
identified as an RxNorm drug data source provider with a complete data 
set integrated within RxNorm.\17\ For lab results, we have adopted a 
standard that requires the use of LOINC[supreg] to populate information 
in a patient summary record related to lab orders and results when 
LOINC[supreg] codes have been received from a laboratory and are 
retained and subsequently available to Certified EHR Technology. In 
instances where LOINC[supreg] codes have not been received from a 
laboratory, the use of any local or proprietary code is permitted 
(i.e., we do not require these local or proprietary codes to be 
converted to LOINC[supreg] codes in order to populate a patient summary 
record). Apart from the standards specified above, we do not specify 
the types of vocabularies or code sets that could potentially be used 
to populate the remaining fields of a patient summary record. As shown 
in Table 2A, we anticipate adopting vocabulary standards for many of 
the fields above to support meaningful use Stage 2. For example, we 
have not identified any code sets for medication allergies, but we 
believe there is value to integrating both medication and non-
medication related allergies using a common standard, and in providing 
ingredient-based medication allergies. These requirements would be 
satisfied through the use of the UNII standard (referenced as a 
candidate Stage 2 standard in Table 2A). We request public comment on 
the standard we have adopted to populate medication list information.
---------------------------------------------------------------------------

    \17\ According to the most recent RxNorm Release Documentation 
File Full Release (11/2/09) published by the National Library of 
Medicine, the following RxNorm drug data source providers with a 
complete data set integrated within RxNorm are identified at the end 
of section 11.1 located at http://www.nlm.nih.gov/research/umls/rxnorm/docs/2009/rxnorm_doco_full11022009.html GS--10/01/2009 
(Gold Standard Alchemy); MDDB--10/07/2009 (Master Drug Data Base. 
Medi-Span, a division of Wolters Kluwer Health); MMSL--10/01/2009 
(Multum MediSource Lexicon); MMX--09/28/2009 (Micromedex DRUGDEX); 
MSH--08/17/2009 (Medical Subject Headings (MeSH)); MTHFDA--8/28/2009 
(FDA National Drug Code Directory); MTHSPL--10/28/2009 (FDA 
Structured Product Labels); NDDF--10/02/2009 (First DataBank NDDF 
Plus Source Vocabulary); SNOMED CT--07/31/2009 (SNOMED Clinical 
Terms (drug information) SNOMED International); VANDF--10/07/2009 
(Veterans Health Administration National Drug File). We note that 
FDA Unique Ingredient Identifiers (UNII) are a component of RxNorm.
---------------------------------------------------------------------------

ii. Drug Formulary Check
    For the purposes of performing a drug formulary check, Certified 
EHR Technology must be capable of using NCPDP Formulary & Benefits 
Standard 1.0 adopted by HHS (73 FR 18918) in order to ensure in 
circumstances where an eligible professional or eligible hospital 
electronically prescribes a Part D drug for a Medicare Part D eligible 
individual, he/she can maintain compliance with applicable law. We are 
adopting this standard also to meet one of the proposed meaningful use 
Stage 1 objectives, which seeks to have an automated formulary check as 
a capability provided by Certified EHR Technology so that formulary and 
benefit information can be readily provided to advise an eligible 
professional or eligible hospital's decisions in prescribing drugs to a 
patient.
iii. Electronic Prescribing
    For the purposes of electronic prescribing, Certified EHR 
Technology must be capable of using NCPDP SCRIPT 8.1 or NCPDP SCRIPT 
8.1 and 10.6. SCRIPT 8.1 is the current standard adopted by HHS for 
specified transactions involving the communication of a prescription or 
prescription-related information between prescribers and dispensers in 
the Medicare Part D electronic prescribing drug program. While it is 
not recognized as such at this time, we expect that SCRIPT 10.6 will be 
a permitted backwards compatible alternative by the start of meaningful 
use Stage 1. Moreover, if SCRIPT 10.6 is permitted, prior to any 
modification of the provisions of this interim final rule in response 
to public comment, we

[[Page 2032]]

would expect to change our requirement to simply permit either SCRIPT 
8.1 or SCRIPT 10.6. Again, with respect to a vocabulary standard, we 
have adopted a standard that requires the use of codes from a drug 
vocabulary currently integrated into the RxNorm (see detailed 
description above). We believe that adopting RxNorm in the future will 
lead to improved interoperability and look forward to receiving 
recommendations from the HIT Standards Committee in this regard.
iv. Administrative Transactions
    For the purposes of conducting certain administrative transactions, 
Certified EHR Technology must be capable of using applicable HIPAA 
transaction standards and Medicare Part D standards adopted by the 
Secretary. This includes at least the following Accredited Standards 
Committee (ASC) X12N Subcommittee standards or NCPDP standards for the 
relevant covered transactions. Because the HIPAA transactions standards 
regulations reference the transaction standards together with the 
``implementation guides,'' which are comprised of implementation 
specifications, we have chosen to identify the adopted standards and 
implementation specifications associated with these HIPAA transaction 
standards together rather than separately in section III.C.3 below. In 
adopting these standards and the implementation specifications, we have 
referenced the CFR locations where they have been adopted for the 
relevant HIPAA transactions, and as a result the certification criteria 
will track the adopted HIPAA transactions standards requirements. 
Consequently, as the HIPAA transaction standards are updated or 
modified, Complete EHRs or EHR Modules will be certified consistently 
with the current HIPAA transaction standards requirements. We intend, 
to the extent possible, to assure that Certified EHR Technology will 
enable covered entities to conduct HIPAA covered transactions as 
``standard transactions,'' as that term is defined in 45 CFR 162.103.
    However, in pursuing this approach we note that in accordance with 
45 CFR 162.1102 and 45 CFR 162.1202, the Secretary currently permits 
the use of two versions of ASC X12N and NCPDP standards (Versions 4010/
4010A and 5010 and Versions 5.1 and D.0, respectively) until December 
31, 2011, at which point only the most recently adopted HIPAA 
transaction standards will be permitted (74 FR 3296). Unlike the 
effective date for ICD-10-CM and ICD-10-PCS which is set for October 1, 
2013, placing compliance within meaningful use Stage 2, the 5010 and 
D.0 HIPAA transaction standards are required to be used in the second 
year of meaningful use Stage 1. Consequently, in order for eligible 
professionals and eligible hospitals that adopt Certified EHR 
Technology to remain in compliance with the law for conducting certain 
administrative transactions, Certified EHR Technology must be capable 
of using both versions of applicable adopted HIPAA transaction 
standards.
     For retail pharmacy drugs and dental, professional, and 
institutional health care eligibility benefit inquiry and response 
transactions (as defined at 45 CFR 162.1201) Certified EHR must be 
capable of using the following standards:
    [cir] NCPDP Telecommunications Standards Implementation Guide, 
Version 5, Release 1 (Version 5.1), and Version D, Release 0 (Version 
D.0) equivalent NCPDP Batch Standards Batch Implementation Guide, 
Versions 1.1 and 1.2; and
    [cir] ASC X12N 270/271--Health Care Eligibility Benefit Inquiry and 
Response, Version 4010 (004010X092) and Addenda to Health Care 
Eligibility Benefit Inquiry and Response (004010X092A1) as well as ASC 
X12 Standards for Electronic Data Interchange Technical Report Type 3, 
Version 5010 (ASC X12N/005010X279).
     For retail pharmacy drugs and dental, professional, and 
institutional health care claims or equivalent encounter information 
transaction (as defined at 45 CFR 162.1101):
    [cir] NCPDP Telecommunications Standards Implementation Guide, 
Version 5, Release 1 (Version 5.1), and Version D, Release 0 (Version 
D.0) equivalent NCPDP Batch Standards Batch Implementation Guide, 
Versions 1.1 and 1.2; and
    [cir] ASC X12N 837--Health Care Claim: Dental--Version 4010 
(004010X097) and Addenda to Health Care Claim: Dental, Version 4010 
(004010X097A1) as well as ASC X12 Standards for Electronic Data 
Interchange Technical Report Type 3--Health Care Claim: Dental (837), 
(ASC X12N/005010X224), and Type 1 Errata to Health Care Claim: Dental 
(837) ASC X12 Standards for Electronic Data Interchange Technical 
Report Type 3, (ASC X12N/005010X224A1); and
    [cir] ASC X12N 837--Health Care Claims: Professional, Volumes 1 and 
2, Version 4010 (004010X098) and Addenda to Health Care Claims: 
Professional, Volumes 1 and 2, Version 4010, (004010x098A1), as well as 
ASC X12 Standards for Electronic Data Interchange Technical Report Type 
3--Health Care Claim: Professional (837), (ASC X12N/005010X222); and
    [cir] The ASC X12N 837--Health Care Claim: Institutional, Volumes 1 
and 2, Version 4010, (004010X096) and Addenda to Health Care Claim: 
Institutional, Volumes 1 and 2, Version 4010, (004010X096A1) as well as 
ASC X12 Standards for Electronic Data Interchange Technical Report Type 
3--Health Care Claim: Institutional (837), (ASC X12N/005010X223), and 
Type 1 Errata to Health Care Claim: Institutional (837) ASC X12 
Standards for Electronic Data Interchange Technical Report Type 3 (ASC 
X12N/005010X223A1).
     To perform eligibility inquiry and response transactions 
between dispensers and Part D sponsors for Part D prescription drugs.
    [cir] NCPDP Telecommunications Standards Implementation Guide, 
Version, 5, Release 1 (Version 5.1), and equivalent NCPDP Batch 
Standards Batch Implementation Guide, Version 1.1.
v. Quality Reporting
    For the purposes of electronically submitting calculated quality 
measures required by CMS or by States, Certified EHR Technology must be 
capable of using the CMS PQRI 2008 Registry XML Specification. We 
recognize that CMS has discussed in the Medicare and Medicaid EHR 
Incentive Programs proposed rule potential approaches to quality 
reporting requirements for future years of meaningful use and we 
anticipate adopting standards as necessary and in consultation with CMS 
to support future quality reporting requirements. We also understand 
that for the purposes of electronically submitting quality measures an 
upcoming standard for Complete EHRs and EHR modules may be the HL7 
Quality Reporting Document Architecture (QRDA) Implementation Guide 
based on HL7 CDA Release 2 and we request public comment on whether 
this standard is mature enough to be used in Complete EHRs and EHR 
Modules during meaningful use Stage 1.
vi. Submission of Lab Results to Public Health Agencies
    For the purposes of submitting lab results to public health 
agencies, Certified EHR Technology must be capable of using HL7 2.5.1. 
With respect to vocabulary standards for the submission of lab results 
to public health agencies, we have adopted the same standard for 
populating lab results as we do for the patient summary record above. 
We believe that enabling the use

[[Page 2033]]

of UCUM and SNOMED CT[supreg] for this exchange in the future would 
lead to improved interoperability.
vii. Submission to Public Health Agencies for Surveillance or Reporting
    For the purposes of electronically submitting information to public 
health agencies for surveillance and reporting, Certified EHR 
Technology must be capable of using HL7 2.3.1 or HL7 2.5.1 as a content 
exchange standard. This requirement is not meant to include adverse 
event reporting. At this time, we have not adopted a specific 
vocabulary standard for submitting information to public health 
agencies for surveillance and reporting, and believe that such 
standards will be determined in large part by the applicable public 
health agency receiving such information. We look forward to receiving 
recommendations from the HIT Standards Committee regarding additional 
standards that should be adopted to facilitate the electronic 
submission of information to public health agencies for surveillance 
and reporting purposes.
viii. Submission to Immunization Registries
    For the purposes of electronically submitting information to 
immunization registries Certified EHR Technology must be capable of 
using HL7 2.3.1 or HL7 2.5.1 as a content exchange standard and the CDC 
maintained HL7 standard code set CVX--Vaccines Administered \18\ as the 
vocabulary standard.
---------------------------------------------------------------------------

    \18\ The CDC's National Center of Immunization and Respiratory 
Diseases (NCIRD) maintains the HL7 external code set CVX http://www.cdc.gov/vaccines/programs/iis/stds/cvx.htm.
---------------------------------------------------------------------------

ix. Table 2A
    Table 2A below displays the applicable adopted standards for each 
exchange purpose specified. We have used ``Cx'' and ``V'' as shorthand 
for ``content exchange'' and ``vocabulary,'' respectively, to identify 
which standard category applies to the exchange purpose. Where a cell 
in table 2A includes the reference ``no standard adopted at this time'' 
it means that a Complete EHR or EHR Module would not be required to be 
tested and certified as including a particular standard. As a result, 
any local or proprietary standard could be used as well as the 
standard(s) listed as candidate meaningful use Stage 2 standards. 
Unless marked with the following superscripts, all of the adopted 
standards are from the ONC process that took place prior to the 
enactment of the HITECH Act or are required by other HHS regulations.
     A number sign ``'' indicates that the HIT 
Standards Committee recommended this standard to the National 
Coordinator but it was not part of the prior ONC process.
     An asterisk ``*'' indicates that the standard was neither 
recommended by the HIT Standards Committee nor part of the prior ONC 
process.
     A plus sign ``+'' as mentioned above indicates a standard 
that is not a voluntary consensus standard.

                           Table 2A--Adopted Content Exchange and Vocabulary Standards
----------------------------------------------------------------------------------------------------------------
                                                               Adopted standard(s) to   Candidate standard(s) to
     Row No.               Purpose              Category       support meaningful use    support meaningful use
                                                                       stage 1                   stage 2
----------------------------------------------------------------------------------------------------------------
1...............  Patient Summary Record..  Cx..............  HL7 CDA R2 CCD Level 2    Alternatives expected to
                                                               or ASTM CCR.              be narrowed based on
                                                                                         HIT Standards Committee
                                                                                         recommendations.
                   Problem List...  V...............  Applicable HIPAA code     Applicable HIPAA code
                                                               set required by law       set required by law
                                                               (i.e., ICD-9-CM); or      (e.g., ICD-10-CM) or
                                                               SNOMED CT[supreg].        SNOMED CT[supreg].
                   Medication List  V...............  Any code set by an        RxNorm.
                                                               RxNorm drug data source
                                                               provider that is
                                                               identified by the
                                                               United States National
                                                               Library of Medicine as
                                                               being a complete data
                                                               set integrated within
                                                               RxNorm+.
                   Medication       V...............  No standard adopted at    UNII.
                   Allergy List.                               this time.
                   Procedures.....  V...............  Applicable HIPAA code     Applicable HIPAA code
                                                               sets required by law      sets required by law
                                                               (i.e., ICD-9-CM or CPT-   (i.e., ICD-10-PCS or
                                                               4[supreg]).               CPT-4[supreg]).
                   Vital Signs....  V...............  No standard adopted at    CDA template.
                                                               this time.
                   Units of         V...............  No standard adopted at    UCUM.
                   Measure.                                    this time.
                   Lab Orders and   V...............  LOINC[supreg] when        LOINC[supreg].
                   Results.                                    LOINC[supreg] codes
                                                               have been received from
                                                               a laboratory.
2...............  Drug Formulary Check....  Cx..............  Applicable Part D         Applicable Part D
                                                               standard required by      standard required by
                                                               law (i.e., NCPDP          law.
                                                               Formulary & Benefits
                                                               Standard 1.0).
3...............  Electronic Prescribing..  Cx..............  Applicable Part D         NCPDP SCRIPT 10.6.
                                                               standard required by
                                                               law (e.g., NCPDP SCRIPT
                                                               8.1) or NCPDP SCRIPT
                                                               8.1 and NCPDP SCRIPT
                                                               10.6.
                                            V...............  Any code set by an        RxNorm.
                                                               RxNorm drug data source
                                                               provider that is
                                                               identified by the
                                                               United States National
                                                               Library of Medicine as
                                                               being a complete data
                                                               set integrated within
                                                               RxNorm+.
4...............  Administrative            Cx..............  Applicable HIPAA          Applicable HIPAA
                   Transactions.                               transaction standards     transaction standards
                                                               required by law.          required by law.
5...............  Quality Reporting.......  Cx..............  CMS PQRI 2008 Registry    Potentially newer
                                                               XML Specification #,+.    version(s) or standards
                                                                                         based on HIT Standards
                                                                                         Committee Input.

[[Page 2034]]

 
6...............  Submission of Lab         Cx..............  HL7 2.5.1...............  Potentially newer
                   Results to Public                                                     version(s) or standards
                   Health Agencies.                                                      based on HIT Standards
                                                                                         Committee
                                                                                         Recommendations.
                                            V...............  LOINC[supreg] when        LOINC[supreg], UCUM, and
                                                               LOINC[supreg] codes       SNOMED CT[supreg] or
                                                               have been received from   Applicable Public
                                                               a laboratory.             Health Agency
                                                                                         Requirements.
7...............  Submission to Public      Cx..............  HL7 2.3.1 or HL7 2.5.1..  Potentially newer
                   Health Agencies for                                                   version(s) or standards
                   Surveillance or                                                       based on HIT Standards
                   Reporting (excluding                                                  Committee Input.
                   adverse event
                   reporting).
                                            V...............  According to Applicable   GIPSE or According to
                                                               Public Health Agency      Applicable Public
                                                               Requirements.             Health Agency
                                                                                         Requirements.
8...............  Submission to             Cx..............  HL7 2.3.1 or HL7 2.5.1..  Potentially newer
                   Immunization Registries.                                              version(s) or standards
                                                                                         based on HIT Standards
                                                                                         Committee
                                                                                         Recommendations.
                                            V...............  CVX*,+..................  CVX.
----------------------------------------------------------------------------------------------------------------

c. Privacy and Security Standards
    We believe it is necessary for Certified EHR Technology to provide 
certain privacy and security capabilities. In that regard, we have 
aligned adopted certification criteria to applicable HIPAA Security 
Rule requirements and believe that in doing so, such capabilities may 
assist eligible professionals and eligible hospitals to improve their 
overall approach to privacy and security. In addition, some may find 
that the capabilities provided by Certified EHR Technology may 
facilitate and streamline compliance with Federal and state privacy and 
security laws. We believe that the HIPAA Security Rule serves as an 
appropriate starting point for establishing the capabilities for 
Certified EHR Technology. That being said, the HITECH Act directs the 
HIT Policy Committee, the HIT Standards Committee, and ONC to look at 
capabilities beyond those explicitly specified in the HIPAA Security 
Rule. We intend to work with both of these Committees to explore these 
areas and where possible to adopt new certification criteria and 
standards in the future to improve the capabilities Certified EHR 
Technology can provide to protect health information.
    The adopted certification criteria in Table 1 assure that Certified 
EHR Technology is capable of supporting eligible professionals and 
eligible hospitals comply with HIPAA requirements to protect electronic 
health information residing within Certified EHR Technology and, where 
appropriate, when such information is exchanged. For certain 
capabilities, we have adopted, after considering the recommendations of 
the HIT Standards Committee, specific standards to be used in Certified 
EHR Technology. These standards and their purposes are displayed in 
Table 2B. For other capabilities, we have not adopted specific 
standards because such capabilities can be appropriately addressed 
through different approaches, and we did not want to preclude 
innovation. For example, while we have adopted a certification 
criterion related to access control, we have not adopted a specific 
standard for access control because we believe that the industry will 
continue to innovate at a rapid pace in this area and better methods to 
implement this capability will be available faster than we would be 
able to adopt them via regulation. On the other hand, we have adopted 
certification criteria and standards for encryption because specific 
industry best practices and requirements exist with respect to 
encryption and the strength of encryption algorithms. HHS previously 
articulated in guidance entitled ``Guidance Specifying the Technologies 
and Methodologies That Render Protected Health Information Unusable, 
Unreadable, or Indecipherable to Unauthorized Individuals'' (74 FR 
42741) that encryption is an effective method to ``render protected 
health information unusable, unreadable, or indecipherable to 
unauthorized individuals,'' and one that can exempt a HIPAA covered 
entity from having to report a breach. To further support this 
determination, we believe a logical and practical next step and one 
that will provide eligible professionals and eligible hospitals with a 
capability they may not have had in the past is to require Certified 
EHR Technology to be capable of encryption.
    It is important to note, under 45 CFR 164.312(a)(2)(iv) and 
(e)(2)(ii), a HIPAA covered entity must assess whether encryption as a 
method for safeguarding electronic protected health information is a 
reasonable and appropriate safeguard in its environment. Consequently, 
a HIPAA covered entity could be in compliance with the HIPAA Security 
Rule if it determines that encryption is not reasonable and appropriate 
in its environment and it documents its rationale and implements an 
equivalent alternative measure if reasonable and appropriate. We hope 
that by requiring Certified EHR Technology to include this capability, 
that the use of encryption will become more prevalent. Of the 
certification criteria and associated standards we have adopted related 
to encryption, the first is for encryption in general while the second 
is specific to when electronic health information is exchanged. The 
first certification criterion and standard will assure that Certified 
EHR Technology is capable of using encryption according to user-defined 
preferences. There are several industry best practices in this regard 
and we expect that with the availability of the capability to perform 
encryption, eligible professionals and hospitals will follow suit and 
enhance how they protect electronic health information. We anticipate 
that this capability could be used by eligible professionals and 
eligible hospitals to encrypt backup hard drives or tapes, removable 
media, or portable devices. Finally, we expect other functions or 
services such as domain name service, directory access, and consistent 
time (e.g., for audit logs) to support and further enable some of the 
standards in Table 2B. However, due to the fact these functions or 
services may be part of an overall implementation of Certified EHR 
Technology (e.g., operating system, network time server) rather than a 
specific capability Certified EHR

[[Page 2035]]

Technology should be tested and certified as including, we chose not to 
adopt certification criteria or standards. We request public comment on 
whether the previously mentioned functions or services or any other 
function or service should be considered for adoption by the Secretary 
as a necessary capability for Certified EHR Technology to include.
    After considering the written and oral public comments provided to 
both the HIT Policy and HIT Standards Committees, we would like to 
clarify the applicability of the privacy and security certification 
criteria and standards adopted in this interim final rule. This interim 
final rule strictly focuses on the capabilities of Certified EHR 
Technology and does not change existing HIPAA Privacy Rule or Security 
Rule requirements, guarantee compliance with those requirements, or 
absolve an eligible professional, eligible hospital, or other health 
care provider who adopts Certified EHR Technology from having to comply 
with any applicable provision of the HIPAA Privacy or Security Rules. 
While the capabilities provided by Certified EHR Technology may assist 
an eligible professional or eligible hospital in improving their 
technical safeguards in order to meet some or all of the HIPAA Security 
Rule's requirements or influence their risk analysis, the use of 
Certified EHR Technology alone does not equate to compliance with the 
HIPAA Privacy or Security Rules. The capabilities provided by Certified 
EHR Technology do not affect in any way the analysis a HIPAA covered 
entity is responsible for performing specified at 45 CFR 164.306(b) and 
(d). Unless there are specific meaningful use measures for privacy and 
security that require the use of a particular capability, an eligible 
professional or eligible hospital may find that its security practices 
exceed these capabilities and nothing in this rule precludes the use or 
implementation of more protective privacy and security measures.

            Table 2B--Adopted Privacy and Security Standards
------------------------------------------------------------------------
       Row No.                Purpose              Adopted standard
------------------------------------------------------------------------
1...................  General Encryption and  A symmetric 128 bit fixed-
                       Decryption of           block cipher algorithm
                       Electronic Health       capable of using a 128,
                       Information.            192, or 256 bit
                                               encryption key must be
                                               used (e.g., FIPS 197
                                               Advanced Encryption
                                               Standard, (AES), Nov
                                               2001).+
2...................  Encryption and          An encrypted and integrity
                       Decryption of           protected link must be
                       Electronic Health       implemented (e.g., TLS,
                       Information for         IPv6, IPv4 with IPsec).+
                       Exchange.
3...................  Record Actions Related  The date, time, patient
                       to Electronic Health    identification (name or
                       Information (i.e.,      number), and user
                       audit log).             identification (name or
                                               number) must be recorded
                                               when electronic health
                                               information is created,
                                               modified, deleted, or
                                               printed. An indication of
                                               which action(s) occurred
                                               must also be recorded
                                               (e.g., modification).+
4...................  Verification that       A secure hashing algorithm
                       Electronic Health       must be used to verify
                       Information has not     that electronic health
                       been Altered in         information has not been
                       Transit.                altered in transit. The
                                               secure hash algorithm
                                               used must be SHA-1 or
                                               higher (e.g., Federal
                                               Information Processing
                                               Standards (FIPS)
                                               Publication (PUB) Secure
                                               Hash Standard (SHS) FIPS
                                               PUB 180-3).+
5...................  Cross-Enterprise        Use of a cross-enterprise
                       Authentication.         secure transaction that
                                               contains sufficient
                                               identity information such
                                               that the receiver can
                                               make access control
                                               decisions and produce
                                               detailed and accurate
                                               security audit trails
                                               (e.g., IHE Cross
                                               Enterprise User Assertion
                                               (XUA) with SAML identity
                                               assertions).+
6...................  Record Treatment,       The date, time, patient
                       Payment, and Health     identification (name or
                       Care Operations         number), user
                       Disclosures.            identification (name or
                                               number), and a
                                               description of the
                                               disclosure must be
                                               recorded.+
------------------------------------------------------------------------

3. Adopted Implementation Specifications
    Pursuant to section 3004 of the PHSA, the Secretary is required to 
adopt implementation specifications in addition to standards and 
certification criteria. Implementation specifications, which for HIPAA 
covered transaction standards are found in implementation guides, 
provide specific configuration instructions and constraints for 
implementing a particular standard or set of standards. Because some 
standards can be implemented in several different ways, these 
specifications are critical in some cases to make interoperability a 
reality--simply using a standard does not necessarily guarantee 
interoperability.
    Standards Development Organizations (SDOs), HITSP, and others have 
developed implementation specifications with varying degrees of 
specificity, which in turn have resulted in varying degrees of 
interoperability. In some cases, the standards used in the NHIN, for 
example, have been constrained even further and resulted in a narrow 
and unique set of implementation specifications, designed for a 
specific architecture and well-defined exchange. Based on input from 
HIT Standards Committee, we understand that very few implementation 
specifications are widely used and most are immature or too 
architecturally specific for adoption by large segments of the HIT 
industry before meaningful use Stage 2.
    Given the importance of implementation specifications and the 
analyses and field testing necessary to refine them, we do not believe, 
with the exception of the few mentioned below, that there are mature 
implementation specifications ready to adopt to support meaningful use 
Stage 1. We seek public comment on whether there are in fact 
implementation specifications that are industry-tested and would not 
present a significant burden if they were adopted. We believe that 
certain exchange purposes such as electronic prescribing and laboratory 
test results, already have available some of the most mature 
implementation specifications. We will consider adopting implementation 
specifications, though, for any or all adopted standards provided that 
there is convincing evidence submitted in public comment of the 
specifications' maturity and widespread usage.
    We have adopted a certification criterion requiring that Certified 
EHR Technology be capable of using the standard, CMS PQRI 2008 Registry 
XML Specification, for quality reporting. We have also adopted as the 
implementation specifications for this standard, the Physician Quality 
Reporting Initiative Measure Specifications Manual for Claims and 
Registry. Additionally, as we noted above we have adopted standards 
that require Certified EHR Technology to be capable of using applicable 
HIPAA transaction standards adopted by HHS for eligibility for health 
plan

[[Page 2036]]

transactions and for health care claims or equivalent encounter 
information transactions. In so doing, the specific HIPAA standards and 
``implementation specifications'' associated with these covered 
transactions have also been adopted. As a supporting implementation 
specification for the eligibility for health plan transactions HIPAA 
transaction standard we have also adopted the requirements of Phase 1 
of the Council for Affordable Quality Healthcare (CAQH) Committee on 
Operating Rules for Information Exchange (CORE). We request public 
comment on the HIT industry's experience using CAQH CORE Phase 1 with 
adopted HIPAA transactions standards.
    Finally, in preparing to adopt future implementation specifications 
to support meaningful use Stage 2, ONC plans to work with the HIT 
industry and solicit input from relevant Federal advisory committees to 
obtain further specificity in the area of implementation 
specifications. We also encourage SDOs to make widely available 
implementation specifications that can be tested and adopted by the 
Secretary in the future.
4. Additional Considerations, Clarifications, and Requests for Public 
Comments
a. Relationship to Other Federal Laws
    Nothing required by this interim final rule should be construed as 
affecting existing legal requirements under other Federal laws. While 
the capabilities provided by Certified EHR Technology may assist in the 
compliance with certain legal requirements, they do not in any way 
remove or alter those requirements. For example, Certified EHR 
Technology may be able to assist health care providers required to 
comply with the Confidentiality of Alcohol and Drug Abuse Patient 
Records Regulation, 42 CFR Part 2, but it may not provide, from a 
technical perspective, all of the capabilities necessary to comply with 
these regulations. As another example, in providing patients with 
access to their online health information, it is important to note that 
the accessibility requirements of the Americans with Disabilities Act 
of 1990 and Section 504 of the Rehabilitation Act of 1973 still apply 
to entities covered by these Federal civil rights laws. Additionally, 
Title VI of the Civil Rights Act of 1964 and its implementing 
regulations protect persons from unlawful discrimination on the basis 
of race, color and national origin. Under Title VI and its implementing 
regulations, recipients of Federal financial assistance must take 
reasonable steps to ensure meaningful access to their programs, 
services, and activities by eligible limited English proficient 
persons.
b. Human Readable Format
    As acknowledged in prior sections of this interim final rule, the 
initial set of adopted standards, implementation specifications, and 
certification criteria are only the beginning of what we expect will be 
an incremental approach to enhance the interoperability, functionality, 
and utility of health information technology. We believe that in order 
to recognize the enormous potential of HIT, greater standardization in 
future years is necessary. In that regard, we recognize that more 
advanced interoperability requires health information to be represented 
by specific vocabularies and code sets that can be interpreted by EHR 
technology as well as converted and presented in a readable format to 
the users of such technology. At the present time we recognize that 
implementing certain vocabularies and code sets in EHR technology is a 
difficult, technical undertaking. For that reason, we have not adopted 
specific vocabularies and code sets for a number of the exchange 
purposes identified above in Table 2A. We have, however, as a 
transitional step, adopted certification criteria that require 
Certified EHR Technology to be capable of presenting health information 
received in human readable format. By human readable format, we mean a 
format that enables a human to read and easily comprehend the 
information presented to them regardless of the method of presentation 
(e.g., computer screen, handheld device, electronic document). This 
would likely require information in coded or machine readable format to 
be converted to, for example, its narrative English language 
description. In an effort to further the transition to, and prevalence 
of, more specific vocabularies and code sets, we are interested in 
public comment regarding industry readiness if we were to adopt 
certification criteria requiring the use of additional vocabularies and 
code sets in parallel with meaningful use Stage 2. Such certification 
criteria could include not only that Certified EHR Technology be 
capable of presenting information in human readable format but also 
that it be capable of automatically incorporating certain vocabulary or 
code sets (i.e., machine readable information).
c. Certification Criterion and Standard Regarding Accounting of 
Disclosures
    Section 3004(b)(1) of the PHSA requires the Secretary to adopt a 
standard and certification criterion in this interim final rule that 
are consistent with section 3002(b)(2)(B)(iv) (pertaining to 
technologies that, as part of a Qualified EHR, allow for an accounting 
of disclosures made by a HIPAA covered entity for purposes of 
treatment, payment, and health care operations). This requirement is 
parallel to section 13405(c) of the HITECH Act, which requires the 
Secretary to modify (no later than 6 months after the date on which the 
Secretary adopts standards on accounting for disclosures) the HIPAA 
Privacy Rule at 45 CFR 164.528 to now require that HIPAA covered 
entities account for disclosures related to treatment, payment, and 
health care operations made through an electronic health record and to 
identify in the regulations the information that shall be collected 
about each of the disclosures. In promulgating these regulations, the 
Secretary is instructed to ``only require such information to be 
collected through an electronic health record in a manner that takes 
into account the interests of the individuals in learning the 
circumstances under which their protected health information is being 
disclosed and takes into account the administrative burden of 
accounting for such disclosures.'' Unless modified by the Secretary, 
the effective date \19\ for HIPAA covered entities that have acquired 
an electronic health record after January 1, 2009, is January 1, 2011, 
or anytime after this date when they acquire an electronic health 
record.
---------------------------------------------------------------------------

    \19\ See HITECH Act section 13405(c)(4), which also provides 
that the effective date for HIPAA covered entities that are current 
users of EHRs (i.e., acquired EHRs as of January 1, 2009) January 1, 
2014, unless modified by the Secretary.
---------------------------------------------------------------------------

    We intend for our adoption of a basic certification criterion and 
standard to account for disclosures (Sec.  170.302(v) and Sec.  
170.210(e), respectively) to provide a technical foundation for the 
information that the Secretary will subsequently determine should be 
collected for treatment, payment and health care operations 
disclosures. We have adopted a basic certification criterion that 
requires the capability to record disclosures (as defined by the HIPAA 
Privacy Rule) made for treatment, payment, and health care operations 
in accordance with the standard we have adopted. The standard specified 
in Table 2B above stipulates a functional requirement that a recorded 
disclosure for treatment, payment, or health care operations must 
include:

[[Page 2037]]

The date, time, patient identification (name or number), user 
identification (name or number), and a description of the disclosure. 
We believe date, time, patient identification, and user identification 
are all readily available data because it is the same information 
required in the standard for an audit log. We have also included the 
requirement that a ``description of the disclosure'' must be recorded; 
however, we have not required any additional specificity for what 
should be included in the ``description,'' because the Secretary has 
not yet weighed the interests of individuals with the administrative 
burden associated with accounting for such disclosures to determine 
what information shall be collected. The certification criterion and 
standard in this interim final rule are limited to disclosures for 
treatment, payment, and health care operations, as those terms are 
defined at 45 CFR 164.501. This interim final rule does not address the 
capability of Certified EHR Technology to account for other types of 
disclosures. We note that a HIPAA covered entity using Certified EHR 
Technology must continue to account for disclosures in accordance with 
45 CFR 164.528, which may require the collection of additional 
information for disclosures that are not for treatment, payment, or 
health care operations.
    We do not propose additional requirements at this time because we 
believe that several significant technical challenges will need to be 
addressed before it is possible to record additional information about 
disclosures in an efficient manner. For example, we are unaware of any 
particular technology solution that is capable of automatically 
recognizing the difference between a ``use'' and a ``disclosure,'' as 
the HIPAA regulations define these terms. Additionally, we are 
concerned about the amount of electronic storage that will be necessary 
to record three years worth of information related to treatment, 
payment, and health care operations disclosures. We welcome public 
comment, particularly from the HIT developer community, as to these 
concerns as well as about the technical feasibility of recording other 
elements of information about a disclosure. We are specifically 
interested in comments as to the technical feasibility of recording the 
purpose or reason for the disclosure, to whom the disclosure was made 
(i.e., recipient), and any other elements that may be beneficial for a 
patient to know about with respect to their health information.
    It is important to note, as discussed above, that the Secretary has 
the discretion to modify the compliance date for the revised 
accounting-for-disclosure regulations to as late as 2013 for HIPAA 
covered entities that acquire electronic health records after January 
1, 2009. The Secretary will address the compliance date for accounting 
for treatment, payment, and health care operations disclosures in a 
later rulemaking. In the interim, we again note that the standards and 
certification requirements adopted do not affect a HIPAA covered 
entity's compliance with the HIPAA Privacy or Security Rules.
    As the use of Certified EHR Technology becomes more widespread and 
technology advances, we believe the ability to account for disclosures 
will continue to evolve. Accordingly, this first certification 
criterion and standard for accounting of disclosures is intended as an 
incremental step, which will be refined as the technology develops and 
regulatory requirements are issued. We plan to work with the HIT Policy 
Committee and HIT Standards Committee to receive recommendations 
regarding the policies that should be established to address these 
standards and certification criteria requirements and with the HHS 
Office for Civil Rights to appropriately coordinate the adoption of 
policies for the accounting of treatment, payment, and health care 
operations disclosures with the capabilities that Certified EHR 
Technology must include in the future.
d. Additional Requests for Public Comment
     We are interested in public comments to inform future 
deliberations on whether specific certification criteria could be 
adopted to further promote the capabilities Certified EHR Technology 
should provide with respect to meeting the accessibility needs of 
individuals with disabilities.
     We are also interested in public comments to inform future 
deliberations on whether specific certification criteria could be 
adopted to further promote the capabilities Certified EHR Technology 
should provide with respect to the prevention and detection of 
potential fraud, waste, and abuse.
     We are interested in public comment regarding the 
``candidate standards to support meaningful use Stage 2'' listed in 
Table 2A. We are specifically interested in feedback regarding 
implementation feasibility, maturity, and prevalence in the industry.

IV. Collection of Information Requirements

    This interim final rule contains no new information collection 
requirements subject to review by the OMB under the Paperwork Reduction 
Act (PRA). The HITECH Act establishes new information collection 
requirements, but those information collection requirements are 
addressed by other regulatory and programmatic activities (e.g., the 
Medicare and Medicaid EHR Incentive Programs Proposed Rule).
    The HITECH Act applies through Section 13111(b) to ``federal 
information collection activities.'' The HITECH Act states that ``with 
respect to a standard or implementation specification adopted under 
section 3004 of the Public Health Service Act, as added by section 
13101, the President shall take measures to ensure that Federal 
activities involving the broad collection and submission of health 
information are consistent with such standard or implementation 
specification, respectively, within three years after the date of such 
adoption.'' Standards adopted in this interim final rule may affect how 
Federal agencies collect information in the future; however, the 
potential implications of this requirement will largely depend on 
actions taken by the Executive Office of the President, including how 
it interprets the terms ``consistent,'' ``broad,'' and ``health 
information.'' We welcome comments on the potential for standards and 
implementation specifications adopted in this regulation to change the 
way information is collected by Federal agencies. We will share such 
comments with the OMB.

V. Regulatory Impact Analysis

A. Introduction

    We have examined the impacts of this rule as required by Executive 
Order 12866 on Regulatory Planning and Review (September 30, 1993, as 
further amended), the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et 
seq.), section 202 of the Unfunded Mandates Reform Act of 1995 (2 
U.S.C. 1532) (UMRA), Executive Order 13132 on Federalism (August 4, 
1999), and the Congressional Review Act (5 U.S.C. 804(2)).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). A regulatory impact 
analysis (RIA) must be prepared for major rules with economically 
significant effects ($100 million or more in any one year). We have 
determined that this interim final rule is not an economically 
significant rule because

[[Page 2038]]

we estimate that the costs to prepare Complete EHRs and EHR Modules to 
be tested and certified will be less than $100 million per year. 
Nevertheless, because of the public interest in this interim final 
rule, we have prepared an RIA that to the best of our ability presents 
the costs and benefits of the interim final rule. We request comments 
on the economic analysis provided in this interim final rule with 
comment.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses if a rule has a significant impact on a substantial 
number of small entities. For more information on Small Business 
Administration's (SBA's) size standards, see the SBA's Web site.\20\ 
Although the RFA only requires an initial regulatory flexibility 
analysis (IRFA) when an agency issues a proposed rule, HHS has a policy 
of voluntarily conducting an IRFA for interim final regulations. We 
examine the burden of the interim final regulation in Section V.D 
below.
---------------------------------------------------------------------------

    \20\ http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.
---------------------------------------------------------------------------

    Section 202 of the UMRA also requires that agencies assess 
anticipated costs and benefits before issuing any rule whose mandates 
require spending in any one year of $100 million in 1995 dollars, 
updated annually for inflation. In 2009, that threshold is 
approximately $133 million. This rule will not impose an unfunded 
mandate on States, tribal government or the private sector of more than 
$133 million annually.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct costs of compliance on 
State and local governments, preempts State law, or otherwise has 
Federalism implications. We do not believe that our interim final rule 
imposes substantial direct compliance costs on State and local 
governments, preempts State law, or otherwise has Federalism 
implications.

B. Why Is This Rule Needed?

    Section 3004(b)(1) of the PHSA requires the Secretary to adopt an 
initial set of standards, implementation specifications, and 
certification criteria by December 31, 2009. Certification criteria and 
associated standards and implementation specifications will be used to 
test and certify Complete EHRs and EHR Modules in order to make it 
possible for eligible professionals and eligible hospitals to adopt and 
implement Certified EHR Technology. The use of Certified EHR Technology 
is one of the requirements an eligible professional or eligible 
hospital needs to meet in order to qualify for an incentive payment 
under the Medicare and Medicaid EHR Incentive Programs.

C. Costs and Benefits

    Throughout the following analysis we invite comments on specific 
portions of our analysis. The public, however, is invited to offer 
comments on any and all elements of the analysis and the assumption 
underlying the analysis.
1. Costs
    This interim final rule is one of three coordinated rulemakings 
(the other two being the Medicare and Medicaid EHR Incentive Programs 
proposed rule and the HIT Certification Programs proposed rule) 
undertaken to implement the goals and objectives of the HITECH Act 
related to the adoption and meaningful use of Certified EHR Technology. 
Each rule's preamble contains a RIA section. While there is no bright 
line that divides the effects of this interim final rule and the other 
two noted above, we believe that each analysis properly focuses on the 
direct effects of the provisions it creates. This interim final rule 
estimates the costs commercial vendors, open source developers, and 
relevant Federal agencies \21\ will incur to prepare Complete EHRs and 
EHR Modules to be tested and certified to adopted standards, 
implementation specifications, and certification criteria. The Medicare 
and Medicaid EHR Incentive Programs proposed rule estimates the impacts 
related to the actions taken by eligible professionals or eligible 
hospitals to become meaningful users, including purchasing or self-
developing Complete EHRs or EHR Modules. The HIT Certification Programs 
proposed rule estimates the testing and certification costs for 
Complete EHRs and EHR Modules.
---------------------------------------------------------------------------

    \21\ All Indian Health Service (IHS) facilities and the vast 
majority of Tribally-operated facilities funded by IHS utilize the 
Resource and Patient Management System (RPMS), the IHS health 
information and EHR system that is centrally developed and 
distributed by the IHS Office of Information Technology. It is our 
understanding that IHS provides information technology support to 
over 40 IHS and Tribal hospitals as well as health care providers at 
approximately 300 ambulatory facilities. The RPMS EHR is designed 
for both inpatient and ambulatory implementations and it is IHS's 
goal to remain consistent with the certification criteria adopted by 
the Secretary. As a result, we expect IHS will the RPMS EHR for 
testing and certification to applicable adopted certification 
criteria.
---------------------------------------------------------------------------

    This interim final rule adopts standards, implementation 
specifications, and certification criteria and consequently establishes 
the capabilities that Complete EHRs or EHR Modules will need to 
demonstrate in order to be certified. Due to the fact that the Medicare 
and Medicaid EHR Incentive Programs require (among other things) that 
eligible professionals and eligible hospitals use Certified EHR 
Technology in order to receive incentive payments, we anticipate that 
commercial vendors and open source developers of Complete EHRs and EHR 
Modules will respond by preparing such technology to meet the 
certification criteria adopted in this interim final rule. We expect 
this to occur because commercial vendors and open source developers who 
do not prepare Complete EHRs or EHR Modules to be tested and certified 
risk losing market share (i.e., eligible professionals and eligible 
hospitals seeking to achieve meaningful use will not buy Complete EHRs 
or EHR Modules that cannot outright or when combined with other EHR 
Modules meet the definition of Certified EHR Technology). It is 
important to note, however, as discussed in section 3001(c)(5)(A) of 
the PHSA, that Congress intended for the act of preparing for and 
subsequently seeking the certification of a Complete EHR or EHR Module 
to be voluntary.
    As we discuss above, our analysis only focuses on the direct 
effects of the provisions created by this interim final rule. As a 
result, we only include estimates for the costs commercial vendors, 
open source developers, and relevant Federal agencies may incur to 
prepare Complete EHRs or EHR Modules to be tested and certified. We do 
not include in this analysis the costs to eligible professionals and 
eligible hospitals that choose to: (1) Purchase new Certified EHR 
Technology, or (2) self-develop or modify their current, HIT to become 
meaningful users. These costs are addressed in the Medicare and 
Medicaid EHR Incentive Programs proposed rule because they are directly 
related to the actions taken by eligible professionals or eligible 
hospitals to become meaningful users. Additionally, the cost for 
Complete EHRs and EHR Modules to be tested and certified is addressed 
in the HIT Certification Programs proposed rule and not in this interim 
final rule.
    In conducting research to inform the estimates we make below we 
found several websites that listed, in an aggregate format, different 
types of Complete EHRs and EHR Modules designed for various types of 
health care providers as well as those that were designed primarily for 
specialists. Based on our research, we believe it is reasonable to 
assume that a few hundred unique Complete EHRs and EHR Modules make up 
the available universe of HIT for health care

[[Page 2039]]

providers, including eligible professionals and eligible hospitals. 
This estimate includes within it specialty and other niche HIT that are 
not the intended focus of this interim final rule. While certain 
certification criteria may be applicable to these other types of HIT, 
the Secretary has not adopted a specific or complete set of 
certification criteria for them at this time. Therefore, our estimates 
for the impacts of this interim final rule solely focus on what we 
believe will be the likely amount of Complete EHRs and EHR Modules that 
are prepared to be tested and certified and how much that preparation 
will cost.
    We have analyzed previously developed CCHIT ambulatory and 
inpatient certification criteria and believe that many, but not all, 
require the exact same capabilities required by the respective 
certification criteria adopted by the Secretary at 45 CFR 170.302, 45 
CFR 170.304, and 45 CFR 170.306. Generally speaking, we believe this 
overlap includes most of the clinically oriented capabilities required 
by the certification criteria adopted by the Secretary. Accordingly, 
with respect to this impact analysis, we believe that a significant 
number of previously CCHIT-certified-EHRs will only incur moderate 
costs to prepare for certification. We assume, for the purposes of 
creating reasonable estimates, that previously CCHIT-certified-EHRs are 
similar to our definition of a Complete EHR. As a result, we have based 
our estimates in Table 3 with the expectation that these previously 
CCHIT-certified-EHRs will again be prepared for certification as 
Complete EHRs. To add further specificity to our estimates, we 
understand, according to CCHIT's Web site, there are 74 CCHIT-
certified-EHRs that have been certified to its 2008 ambulatory 
certification criteria and 17 CCHIT-certified-EHRs, that have been 
certified to its 2007 or 2008 inpatient certification 
criteria.22 23 24 Of these 74 and 17 previously CCHIT-
certified-EHRs we expect that 90% will be prepared for certification to 
the certification criteria adopted by the Secretary. We do not believe 
that it is realistic to assume that 100% of previously CCHIT-certified-
EHRs will be prepared for certification for a number of reasons. These 
reasons include: (1) A recognition that mergers and acquisitions within 
the marketplace have reduced the number of previously CCHIT-certified-
EHRs; (2) that the subsequent resources needed to market and promote 
Certified EHR Technology may not be available at the present time; and 
(3) that some previously CCHIT-certified-EHRs will be tested and 
certified as EHR Modules rather than Complete EHRs. Given these 
assumptions we have estimated the number of previously CCHIT-certified-
EHRs that will be prepared to be tested and certified will be 65 and 
15, ambulatory and inpatient, respectively. We also believe it is 
reasonable to assume that of these 65 and 15, some will require more 
preparation than others (i.e., we assume that some previously CCHIT-
certified-EHRs include more capabilities than what CCHIT tested and 
certified and may be able to more easily meet the certification 
criteria adopted by the Secretary). Given this assumption we have 
created low and high ranges for the cost to prepare previously CCHIT-
certified ambulatory and inpatient EHRs.
---------------------------------------------------------------------------

    \22\ Some are marked with a conditional certification either 
``Pre-Market: These are conditionally certified EHRs which are new 
products that are fully certified once their operational use at a 
physician office site has been verified.'' or ``eRx Conditional: 
These are conditionally certified pending advanced ePrescribing EHRs 
that are in the process of verifying their ability to conduct 
medication history, formulary and eligibility checking through a 
national network for electronic-prescribing transactions.'' We do 
not believe that these caveats have any effect on our estimates.
    \23\ http://www.cchit.org/products/Ambulatory--when 
certification years 2006 and 2007 are unchecked.
    \24\ http://www.cchit.org/products/Inpatient.
---------------------------------------------------------------------------

    In creating our low and high ranges for the tables below we assumed 
based on our analysis of previously developed and required CCHIT 
certification criteria that certain capabilities (e.g., the capability 
to maintain a medication list) have been implemented and deployed in 
HIT to such a large degree that there would be little or no 
modification required to prepare Complete EHRs or EHR Modules for 
testing and certification to certain certification criteria. We also 
assumed that the certification criteria adopted by the Secretary range 
from relatively simple capabilities (e.g., recording a patient's 
smoking status) to more sophisticated capabilities (e.g., clinical 
decision support). As a result, we have made a general assumption that 
the costs to prepare Complete EHRs and EHR Modules to be tested and 
certified will vary depending on a number of factors including, but not 
limited to, whether the Complete EHR or EHR Module: (1) Already 
includes the capability; (2) includes some aspect of the capability 
which would need to be updated; (3) does not currently include the 
capability at all. We believe it is reasonable to estimate that it will 
cost somewhere between $10,000 and $250,000 per certification criterion 
to prepare a Complete EHR or EHR Module for testing and certification 
taking into account the factors identified directly above. We have used 
this per certification criteria range as the basis for our low and high 
cost range estimates and for the ease of our calculations assume that 
the Secretary has adopted approximately 40 certification criteria.
    For Table 3 we have made the following assumptions: (1) In general, 
previously CCHIT-certified-EHRs will need additional preparation to be 
tested and certified to 25% of the certification criteria adopted by 
the Secretary; (2) the average low and high per certification criterion 
cost for previously CCHIT-certified ambulatory EHRs to be prepared to 
be tested and certified will be $50,000 and $150,000, respectively; and 
(3) the average low and high per certification criterion cost for 
previously CCHIT-certified inpatient EHRs to be prepared to be tested 
and certified will be $75,000 and $200,000, respectively.

Table 3--Estimated One-Time Costs for Previously CCHIT-Certified-EHRs To Be Prepared To Be Tested and Certified as Complete EHRs (3-Year Period)--Totals
                                                                         Rounded
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                              One time cost per EHR ($M)           Total cost for all EHRs over 3-year
                                                             Number    ----------------------------------------                period ($M)
                          Type                            prepared for                                         -----------------------------------------
                                                         certification      Low          High       Mid-point        Low          High        Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
2008 Ambulatory CCHIT-Certified-EHR....................            65         $0.50         $1.5         $1.0         $32.5         $97.5         $65.0
2007/2008 Inpatient CCHIT-Certified-EHR................            15          0.75          2.0          1.38         11.25         30.0          20.63
                                                        ------------------------------------------------------------------------------------------------

[[Page 2040]]

 
    Total..............................................            80   ...........  ...........  ............         43.75        127.50         85.63
--------------------------------------------------------------------------------------------------------------------------------------------------------

    The second type of cost we estimate includes the costs that we 
expect for CCHIT-certified ambulatory EHRs certified prior to 2008 
(``out-of-date CCHIT-Certified-EHRs'') and never previously CCHIT-
certified-EHRs to be prepared to be tested and certified as Complete 
EHRs rather than being prepared to be tested and certified as an EHR 
Module.\25\ We assume the EHR technology that falls into this category 
may require more extensive changes than previously CCHIT-certified-EHRs 
identified in Table 3. Again, we have estimated low and high 
preparation cost ranges. We assume that there will be very little 
growth in the Complete EHR market due to the market share \26\ 
represented by the previously CCHIT-certified-EHRs included in Table 3 
and the upfront costs required to bring a Complete EHR to market. As a 
result, we expect there to be 8 and 5 Complete EHRs (for use by 
eligible professionals and eligible hospitals, respectively) prepared 
to be tested and certified to all of the applicable certification 
criteria adopted by the Secretary.\27\
---------------------------------------------------------------------------

    \25\ CCHIT began testing and certifying inpatient EHRs in 2007 
and we assume that all of those EHRs are included in Table 3 which 
is why they are not included in this discussion.
    \26\ http://www.cchit.org/about--``* * * EHR products certified 
by mid-2009, representing over 75% of the marketplace.''
    \27\ This estimate includes the fact that IHS's RPMS EHR was not 
included in Table 1 and that it will be preparing the RPMS EHR as a 
Complete EHR to meet the applicable certification criteria adopted 
by the Secretary for both ambulatory and inpatient settings.
---------------------------------------------------------------------------

    Again, using our general assumptions discussed above (40 
certification criteria and a low and high range of $10,000 to $250,000 
per certification criterion) we have made the following assumptions in 
our Table 4 calculations: (1) In general, out-of-date CCHIT-Certified-
EHRs and never previously CCHIT-certified-EHRs will need additional 
preparation to be tested and certified to 60% of the certification 
criteria adopted by the Secretary; (2) the average low and high per 
certification criterion cost for Complete EHRs for eligible 
professionals to be prepared to be tested and certified will be $50,000 
and $150,000, respectively; and (3) the average low and high per 
certification criterion cost for Complete EHRs for eligible hospitals 
to be prepared to be tested and certified will be $75,000 and $200,000, 
respectively.

   Table 4--Estimated One-Time Costs for Never CCHIT-Certified-EHRs and Out-of-Date CCHIT-Certified-EHRs To Be Prepared To Be Tested and Certified as
                                                      Complete EHRs (3-Year Period)--Totals Rounded
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                               One time cost per EHR ($M)          Total cost for all EHRs over 3-year
                                                              Number    ---------------------------------------                period ($M)
                          Type                             prepared for                                        -----------------------------------------
                                                          certification      Low          High      Mid-point        Low          High        Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
Complete EHRs for Eligible Professionals................             8          $1.2         $3.6         $2.4         $9.6         $28.8         $19.2
Complete EHRs for Eligible Hospitals....................             5           1.8          4.8          3.3          9.0          24.0          16.5
                                                         -----------------------------------------------------------------------------------------------
    Total...............................................            13   ...........  ...........  ...........         18.60         52.80         35.70
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Finally, the third type of cost we estimate relates to the number 
of EHR Modules we expect to be prepared to be tested and certified and 
the costs associated with that preparation. As discussed above, we 
believe over time that EHR Modules will play an increasingly important 
role in improving the capabilities available to eligible professionals 
and eligible hospitals. It is also our belief that EHR Modules will 
lead to a more innovative and competitive marketplace. We believe that 
during meaningful use Stage 1, approximately seven types of EHR Modules 
will be practical given the current state of the HIT marketplace. We 
assume that EHR Modules will most likely be prepared to be tested and 
certified to provide the following types of capabilities: Electronic 
prescribing; administrative transactions; core clinical capabilities; 
computerized provider order entry; quality reporting; online patient 
portals; and interfacing with a health information organization to 
enable the electronic exchange of health information.
    Generally speaking, of the available universe of HIT developers we 
assume that a small percentage will prepare the previously mentioned 
types of EHR Modules for certification prior to the beginning of 
meaningful use Stage 2 (i.e., between 2010 and 2012). Furthermore, we 
assume during meaningful use Stage 1 there will be on average 7 EHR 
Modules prepared to be tested and certified for each type of EHR Module 
described above. As a result we estimate that there will be 
approximately 50 EHR Modules (number of modules X types of modules) 
prepared to be tested and certified. Again, we have provided low and 
high preparation cost estimates in Table 5 below. We assume that some 
of EHR Modules prepared for certification will be capable of meeting 
applicable certification criteria with little modification while other 
EHR Modules may not. Given the potential differences in preparation 
costs and combinations of certification criteria to create EHR Modules 
we believe it is reasonable to estimate a wide range for the costs to 
prepare these types of EHR modules for testing and certification.

[[Page 2041]]



 Table 5--Estimated One-Time Costs to Prepare EHR Modules for Certification to Applicable Adopted Certification Criteria (3-Year Period)--Totals Rounded
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                              One time cost per EHR module ($M)      Total cost all EHR modules over 3-
                                                                  Number   ---------------------------------------              year period
                             Type                                prepared                                         --------------------------------------
                                                                                Low          High      Mid-point       Low          High      Mid-point
--------------------------------------------------------------------------------------------------------------------------------------------------------
EHR Modules..................................................           50         $0.1         $0.5         $0.3         $5.0        $25.0        $15.0
                                                              ------------------------------------------------------------------------------------------
    Total....................................................           50  ...........  ...........  ...........          5.0         25.0         15.0
--------------------------------------------------------------------------------------------------------------------------------------------------------

    We invite comments on the number of commercial vendors and open 
source developers of Complete EHRs or EHR Modules that make up the 
marketplace and the number of Complete or EHR Modules that will be 
prepared for testing and certification. Because many of the adopted 
standards and implementation specifications are already in widespread 
use and because many of the adopted certification criteria require core 
capabilities that already exist in the marketplace today we believe 
that the costs incurred as a result of voluntary actions by the private 
sector to prepare for certification will be modest. We welcome comments 
on our estimates above.
    In total, if we were to distribute the costs to prepare Complete 
EHRs and EHR Modules between 2010 and 2012 evenly per year we believe 
they would likely be in the range of $67.35 to $205.3 million or $22.45 
to $68.43 million per year with an annual cost mid-point of 
approximately about $45.44 million. However, we do not believe that the 
costs will be spread evenly over these three years due to market 
pressures and the fact that higher upfront incentive payments are 
available under the Medicare and Medicaid EHR Incentive Programs. We 
assume this factor will motivate a greater ratio of commercial vendors 
and open source developers of Complete EHRs and EHR Modules to prepare 
such technology for testing and certification in 2010 and 2011 rather 
than 2012. We also assume that it will generally take 6 to 18 months 
for commercial vendors and open source developers of Complete EHRs and 
EHR Modules to prepare for testing and certification. As a result, we 
believe as represented in Table 6 that the costs attributable to this 
interim final rule will be distributed as follows: 45% for 2010, 40% 
for 2011 and 15% for 2012.

                  Table 6--Distributed Total Preparation Costs (3-Year Period)--Totals Rounded
----------------------------------------------------------------------------------------------------------------
                                                                                    Total high     Total average
                      Year                             Ratio      Total low cost   cost estimate   cost estimate
                                                     (percent)     estimate ($M)       ($M)            ($M)
----------------------------------------------------------------------------------------------------------------
2010............................................              45          $30.31          $92.39          $61.35
2011............................................              40           26.94           82.12           54.53
2012............................................              15           10.10           30.80           20.45
                                                 ---------------------------------------------------------------
    3-Year Totals...............................  ..............           67.35           205.3          136.33
----------------------------------------------------------------------------------------------------------------

    Note that these cost estimates do not include additional costs to 
prepare for testing and certification that will likely be incurred when 
we adopt additional standards, implementation specifications, and 
certification criteria to support meaningful use Stages 2 and 3. We 
will account for costs associated with these additional standards, 
implementation specifications, and certification criteria in future 
rulemaking.
2. Benefits
    We believe that there will be several benefits from this interim 
final rule. By adopting this initial set, the Secretary will set in 
motion what we believe will be an iterative process to further enhance 
the interoperability, functionality, utility, and security of health 
information technology and to support its meaningful use. The 
capabilities required by adopted certification criteria will help arm 
health care providers with tools to improve patient care, reduce 
medical errors and unnecessary tests. The standards adopted will aid in 
fostering greater interoperability. We also believe that this interim 
final rule will be a catalyst for a more competitive and innovative 
marketplace. Finally, adopted certification criteria can be used by 
commercial vendors and open source developers of Complete EHRs and EHR 
Modules as technical requirements to ensure that their HIT can be 
tested and certified and subsequently adopted and implemented as 
Certified EHR Technology by eligible professionals and eligible 
hospitals to help them qualify for incentive payments under Medicare 
and Medicaid EHR Incentive Programs.

D. Regulatory Flexibility Act Analysis

    The RFA requires agencies to analyze options for regulatory relief 
of small businesses if a rule has a significant impact on a substantial 
number of small entities. As noted above, although the RFA only 
requires an initial regulatory flexibility analysis when an agency 
issues a proposed rule, HHS has a policy of voluntarily conducting an 
initial regulatory flexibility analysis for interim final regulations.
    We are implementing this interim final rule as required by section 
3004(b)(1) of the PHSA. The objective of the interim final rule is for 
the Secretary to adopt an initial set of standards, implementation 
specifications, and certification criteria for HIT.
    While commercial vendors and open source developers of Complete 
EHRs and EHR Modules represent a small segment of the overall 
information technology industry, we believe that the entities impacted 
by this interim final rule most likely fall under the North American 
Industry Classification System (NAICS) code 541511 ``Custom Computer 
Programming Services'' specified at 13 CFR 121.201 where the SBA 
publishes ``Small Business Size Standards by NAICS Industry.'' The size 
standard associated with this NAICS code is set at $25 million in 
annual

[[Page 2042]]

receipts \28\ which ``indicates the maximum allowed for a concern and 
its affiliates to be considered small entities.''
---------------------------------------------------------------------------

    \28\ The SBA references that annual receipts means ``total 
income'' (or in the case of a sole proprietorship, ``gross income'') 
plus ``cost of goods sold'' as these terms are defined and reported 
on Internal Revenue Service tax return forms. http://www.sba.gov/idc/groups/public/documents/sba_homepage/guide_to_size_standards.pdf.
---------------------------------------------------------------------------

    Based on our analysis, we believe that a handful of multinational 
corporations and many national or regional businesses represent a 
significant majority of the potential Complete EHR and EHR Module 
developers and that many, if not all, exceed the specified SBA size 
standard. We make this assumption based on our understanding of the 
upfront investments necessary to develop and market HIT in a 
competitive marketplace as well as the upgrade and product modification 
costs that these businesses incur to stay competitive. However, we 
note, and request public comment on, the following constraint 
encountered during our analysis. With the exception of aggregate 
business information available through the U.S. Census Bureau and the 
SBA related to NAICS code 541511, it appears that many commercial 
vendors and open source developers of Complete EHRs and EHR Modules are 
privately held or owned and do not regularly, if at all, make their 
specific annual receipts publicly available. As a result, it is 
difficult at the present time to locate empirical data related to many 
of the commercial vendors and open source developers of Complete EHRs 
and EHR Modules to correlate to the SBA size standard. We therefore 
request public comment on any additional information regarding the 
business size of commercial vendors and open source developers of 
Complete EHRs and EHR Modules in the HIT marketplace to help inform our 
analysis.
    Given the discussion above, we estimate that this interim final 
rule will have effects on commercial vendors and open source developers 
of Complete EHRs and EHR Modules, some of which may be small entities. 
However, we do not believe that the interim final rule will create a 
significant economic impact on a substantial number of these entities, 
regardless of size. The Secretary certifies that this interim final 
rule will not have a significant impact on a substantial number of 
small entities.

E. Executive Order 13132--Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on State 
and local governments, preempts State law, or otherwise has federalism 
implications.
    Nothing in this interim final rule imposes substantial direct 
requirement costs on State and local governments, preempts State law or 
otherwise has federalism implications. We are not aware of any State 
laws or regulations that are contradicted or impeded by any of the 
standards, implementation specifications, or certification criteria 
that have been adopted. This interim final rule with comment period 
affords all States an opportunity to identify any problems that our 
standards, implementation specifications, and certification criteria 
would create, and to propose constructive alternatives. We welcome 
comments from State and local governments.

F. Unfunded Mandates Reform Act of 1995

    Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) requires cost-benefit and other analyses before any rulemaking if 
the rule includes a ``Federal mandate that may result in the 
expenditure by State, local, and tribal governments, in the aggregate, 
or by the private sector, of $100,000,000 or more (adjusted annually 
for inflation) in any 1 year.'' The current inflation-adjusted 
statutory threshold is approximately $130 million. The Department has 
determined that this rule would not constitute a significant rule under 
the Unfunded Mandates Reform Act, because it would impose no mandates.
    The Office of Management and Budget reviewed this interim final 
rule with comment period.

List of Subjects in 45 CFR Part 170

    Computer technology, Electronic health record, Electronic 
information system, Electronic transactions, Health, Health care, 
Health information technology, Health insurance, Health records, 
Hospitals, Incorporation by reference, Laboratories, Medicaid, 
Medicare, Privacy, Reporting and recordkeeping requirements, Public 
health, Security.

0
For the reasons set forth in the preamble, the Department amends 45 CFR 
subtitle A to add subchapter D as follows:

SUBCHAPTER D--HEALTH INFORMATION TECHNOLOGY

PART 170--HEALTH INFORMATION TECHNOLOGY STANDARDS, IMPLEMENTATION 
SPECIFICATIONS, AND CERTIFICATION CRITERIA AND CERTIFICATION 
PROGRAMS FOR HEALTH INFORMATION TECHNOLOGY

Subpart A--General Provisions
Sec.
170.100 Statutory basis and purpose.
170.101 Applicability.
170.102 Definitions.
Subpart B--Standards and Implementation Specifications for Health 
Information Technology
170.200 Applicability.
170.202 Transport standards for exchanging electronic health 
information.
170.205 Content exchange and vocabulary standards for exchanging 
electronic health information.
170.210 Standards for health information technology to protect 
electronic health information created, maintained, and exchanged.
170.299 Incorporation by reference.
Subpart C--Certification Criteria for Health Information Technology
170.300 Applicability.
170.302 General certification criteria for Complete EHRs or EHR 
Modules.
170.304 Specific certification criteria for Complete EHRs or EHR 
Modules designed for an ambulatory setting.
170.306 Specific certification criteria for Complete EHRs or EHR 
Modules designed for an inpatient setting.

    Authority:  42 U.S.C 300jj-14; 5 U.S.C. 552.

Subpart A--General Provisions


Sec.  170.100  Statutory basis and purpose.

    The provisions of this subchapter implement section 3004 of the 
Public Health Service Act.


Sec.  170.101  Applicability.

    The standards, implementation specifications, and certification 
criteria adopted in this part apply to Complete EHRs and EHR Modules 
and the testing and certification of such Complete EHRs and EHR 
Modules.


Sec.  170.102  Definitions.

    For the purposes of this part:
    Certification criteria means criteria:
    (1) To establish that health information technology meets 
applicable standards and implementation specifications adopted by the 
Secretary; or
    (2) That are used to test and certify that health information 
technology includes required capabilities.

[[Page 2043]]

    Certified EHR Technology means a Complete EHR or a combination of 
EHR Modules, each of which:
    (1) Meets the requirements included in the definition of a 
Qualified EHR; and
    (2) Has been tested and certified in accordance with the 
certification program established by the National Coordinator as having 
met all applicable certification criteria adopted by the Secretary.
    Complete EHR means EHR technology that has been developed to meet 
all applicable certification criteria adopted by the Secretary.
    Disclosure means the release, transfer, provision of access to, or 
divulging in any other manner of information outside the entity holding 
the information.
    EHR Module means any service, component, or combination thereof 
that can meet the requirements of at least one certification criterion 
adopted by the Secretary.
    Implementation specification means specific requirements or 
instructions for implementing a standard.
    Qualified EHR means an electronic record of health-related 
information on an individual that:
    (1) Includes patient demographic and clinical health information, 
such as medical history and problem lists; and
    (2) Has the capacity:
    (i) To provide clinical decision support;
    (ii) To support physician order entry;
    (iii) To capture and query information relevant to health care 
quality; and
    (iv) To exchange electronic health information with, and integrate 
such information from other sources.
    Standard means a technical, functional, or performance-based rule, 
condition, requirement, or specification that stipulates instructions, 
fields, codes, data, materials, characteristics, or actions.

Subpart B--Standards and Implementation Specifications for Health 
Information Technology


Sec.  170.200  Applicability.

    The standards and implementation specifications adopted in this 
part apply with respect to Complete EHRs and EHR Modules. When a 
section of this part includes adoption of both a standard and at least 
one alternative standard, use of the specified standard or alternatives 
will be considered compliant.


Sec.  170.202  Transport standards for exchanging electronic health 
information.

    The Secretary adopts the following standards to define the common 
transport methods that must be used to electronically exchange health 
information formatted in accordance with the standards adopted under 
Sec.  170.205.
    (a) Standard. The Organization for the Advancement of Structured 
Information Standards (OASIS) Simple Object Access Protocol (SOAP) 
Version 1.2 (incorporated by reference in Sec.  170.299).
    (b) Alternative standard. A stateless, client-server, cacheable 
communications protocol that adheres to the principles of 
Representational State Transfer (REST) must be used.


Sec.  170.205  Content exchange and vocabulary standards for exchanging 
electronic health information.

    (a) Patient summary record.
    (1) The Secretary adopts the following content exchange standards 
for the purposes of electronically exchanging a patient summary record 
or to use in creating an electronic copy of a patient summary record:
    (i) Standard. Health Level Seven Clinical Document Architecture 
(CDA) Release 2, Level 2 Continuity of Care Document (CCD) 
(incorporated by reference in Sec.  170.299).
    (ii) Alternative standard. ASTM E2369 Standard Specification for 
Continuity of Care Record and Adjunct to ASTM E2369 (incorporated by 
reference in Sec.  170.299).
    (2) The Secretary adopts the following vocabulary standards for the 
purposes of specifying the code set, terminology, or nomenclature to 
use to represent health information included in a patient summary 
record:
    (i) Problem list.
    (A) Standard. The code set specified for the conditions specified 
at 45 CFR 162.1002(a)(1).
    (B) Alternative standard. International Health Terminology 
Standards Development Organization (IHTSDO) Systematized Nomenclature 
of Medicine Clinical Terms (SNOMED CT[supreg]) July 2009 version 
(incorporated by reference in Sec.  170.299).
    (ii) Procedures.
    (A) Standard. The code set specified at 45 CFR 162.1002(a)(2).
    (B) Alternative standard. The code set specified at 45 CFR 
162.1002(a)(5).
    (iii) Laboratory orders and results.
    (A) Standard. Logical Observation Identifiers Names and Codes 
(LOINC[reg]) version 2.27, when such codes were received within an 
electronic transaction from a laboratory (incorporated by reference in 
Sec.  170.299).
    (B) [Reserved]
    (iv) Medication list.
    (A) Standard. Any code set by an RxNorm drug data source provider 
that is identified by the United States National Library of Medicine as 
being a complete data set integrated within RxNorm.
    (B) [Reserved]
    (b) Drug formulary check. The Secretary adopts the following 
content exchange standard for transmitting formulary and benefits 
information between prescribers and Medicare Part D sponsors.
    (1) Standard. Drug formulary and benefits information must be 
transmitted in accordance with 42 CFR 423.160(b)(5).
    (2) [ Reserved]
    (c) Electronically transmitting prescription information.
    (1) The Secretary adopts the following content exchange standard to 
provide for the transmission of a prescription or prescription-related 
information.
    (i) Standard. An electronic prescription for a Medicare Part D 
covered drug that is prescribed for a Medicare Part D eligible 
individual must be transmitted in accordance with 42 CFR 
423.160(b)(2)(ii), in all other circumstances, if consistent with 
applicable state and other Federal law, electronic prescriptions may be 
transmitted in accordance with 42 CFR 423.160(b)(2)(ii) or using the 
NCPDP SCRIPT Standard, Implementation Guide, Version 10.6 (incorporated 
by reference in Sec.  170.299).
    (ii) [ Reserved]
    (2) The Secretary adopts the following vocabulary standard for the 
purposes of specifying the code set to use to represent health 
information included in electronic prescriptions.
    (i) Standard. Any code set by an RxNorm drug data source provider 
that is identified by the United States National Library of Medicine as 
being a complete data set integrated within RxNorm.
    (ii) [ Reserved]
    (d) Electronically exchange administrative transactions. The 
Secretary adopts the following content exchange standards and 
associated implementation specifications for the following electronic 
transactions.
    (1) Standard and implementation specifications. An eligibility for 
a health plan transaction as defined at 45 CFR 162.1201 must be 
conducted in accordance with:
    (i) 45 CFR 162.1202(b) or for the period on and after January 1, 
2012, in accordance with 45 CFR 162.1202(c); and
    (ii) The operating rules specified in Phase 1 of the Council for 
Affordable Quality Healthcare (CAQH) Committee on Operating Rules for 
Information Exchange (CORE) (incorporated by reference in Sec.  
170.299).

[[Page 2044]]

    (2) Standard and implementation specifications. Eligibility inquiry 
and response transactions between dispensers and Part D sponsors for 
Part D prescription drugs must be conducted in accordance with 42 CFR 
423.160(b)(3)(ii).
    (3) Standard and implementation specifications. A health care 
claims or equivalent encounter information transaction as defined at 45 
CFR 162.1101 must be conducted in accordance with 45 CFR 162.1102(b) or 
for the period on and after January 1, 2012, in accordance with 45 CFR 
162.1102(c).
    (e) Electronically exchange quality reporting information. The 
Secretary adopts the following content exchange standard and 
implementation specification for quality reporting.
    (1) Standard. The CMS Physician Quality Reporting Initiative (PQRI) 
2008 Registry XML Specification (incorporated by reference in Sec.  
170.299).
    (2) Implementation specification. Physician Quality Reporting 
Initiative Measure Specifications Manual for Claims and Registry 
(incorporated by reference in Sec.  170.299).
    (f) Electronic submission of lab results to public health agencies.
    (1) The Secretary adopts the following content exchange standard 
for the electronic submission of lab results to public health agencies.
    (i) Standard. HL7 2.5.1(incorporated by reference in Sec.  
170.299).
    (ii) [ Reserved]
    (2) The Secretary adopts the following vocabulary standard for the 
purposes of representing lab results in an electronic submission to 
public health authorities.
    (i) Standard. Logical Observation Identifiers Names and Codes 
(LOINC[reg]), version 2.27, when such codes were received within an 
electronic transaction from a laboratory (incorporated by reference in 
Sec.  170.299).
    (ii) [ Reserved]
    (g) Electronic submission to public health agencies for 
surveillance or reporting. The Secretary adopts the following content 
exchange standards for electronic submission to public health agencies 
for surveillance or reporting:
    (1) Standard. HL7 2.3.1 (incorporated by reference in Sec.  
170.299).
    (2) Alternative standard. HL7 2.5.1 (incorporated by reference in 
Sec.  170.299).
    (h) Electronic submission to immunization registries.
    (1) The Secretary adopts the following content exchange standards 
for electronic submission to immunization registries:
    (i) Standard. HL7 2.3.1 (incorporated by reference in Sec.  
170.299).
    (ii) Alternative standard. HL7 2.5.1 (incorporated by reference in 
Sec.  170.299).
    (2) The Secretary adopts the following vocabulary standard for 
electronic submissions to immunization registries.
    (i) Standard. HL7 Standard Code Set CVX--Vaccines Administered, 
July 30, 2009 version (incorporated by reference in Sec.  170.299).
    (ii) [Reserved]


Sec.  170.210  Standards for health information technology to protect 
electronic health information created, maintained, and exchanged.

    The Secretary adopts the following standards to protect electronic 
health information created, maintained, and exchanged:
    (a) Encryption and decryption of electronic health information.
    (1) General. A symmetric 128 bit fixed-block cipher algorithm 
capable of using a 128, 192, or 256 bit encryption key must be used.
    (2) Exchange. An encrypted and integrity protected link must be 
implemented.
    (b) Record actions related to electronic health information. The 
date, time, patient identification, and user identification must be 
recorded when electronic health information is created, modified, 
deleted, or printed; and an indication of which action(s) occurred must 
also be recorded.
    (c) Verification that electronic health information has not been 
altered in transit. Standard. A secure hashing algorithm must be used 
to verify that electronic health information has not been altered in 
transit. The secure hash algorithm (SHA) used must be SHA-1 or higher.
    (d) Cross-enterprise authentication. A cross-enterprise secure 
transaction that contains sufficient identity information such that the 
receiver can make access control decisions and produce detailed and 
accurate security audit trails must be used.
    (e) Record treatment, payment, and health care operations 
disclosures. The date, time, patient identification, user 
identification, and a description of the disclosure must be recorded 
for disclosures for treatment, payment, and health care operations, as 
these terms are defined at 45 CFR 164.501.


Sec.  170.299  Incorporation by reference.

    (a) Certain material is incorporated by reference into this part 
with the approval of the Director of the Federal Register under 5 
U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that 
specified in this section, the Department of Health and Human Services 
must publish notice of change in the Federal Register and the material 
must be available to the public. All approved material is available for 
inspection at the National Archives and Records Administration (NARA). 
For information on the availability of this material at NARA, call 202-
741-6030 or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. Also, it is available for 
inspection at U.S. Department of Health and Human Services, Office of 
the National Coordinator for Health Information Technology, Hubert H. 
Humphrey Building, Suite 729D, 200 Independence Ave, SW., Washington, 
DC 20201, call ahead to arrange for inspection at 202-690-7151, and is 
available from the sources listed below.
    (b) Organization for the Advancement of Structured Information 
Standards (OASIS), Post Office Box 455, Billerica, MA 01821, http://www.oasis-open.org/home/index.php, Telephone: 978-667-5115.
    (1) Simple Object Access Protocol (SOAP), Version 1.2 (Second 
Edition), parts 0-2, W3C Recommendation April 27, 2007 (SOAP version 
1.2), IBR approved for Sec.  170.202.
    (i) SOAP version 1.2 PART 0: Primer;
    (ii) SOAP version 1.2 PART 1: Messaging Framework; and
    (iii) SOAP version 1.2 PART 2: Adjuncts.
    (2) [Reserved]
    (c) Health Level Seven, 3300 Washtenaw Avenue, Suite 227, Ann 
Arbor, MI 48104; Telephone (734) 677-7777 or http://www.hl7.org/.
    (1) Health Level Seven Standard Version 2.3.1 (HL7 2.3.1), An 
Application Protocol for Electronic Data Exchange in Healthcare 
Environments, April 14, 1999, IBR approved for Sec.  170.205.
    (2) Health Level Seven Messaging Standard Version 2.5.1 (HL7 
2.5.1), An Application Protocol for Electronic Data Exchange in 
Healthcare Environments, February 21, 2007, IBR approved for Sec.  
170.205.
    (3) Health Level Seven Implementation Guide: Clinical Document 
Architecture (CDA) Release 2--Level 2 Continuity of Care Document 
(CCD), April 01, 2007, IBR approved for Sec.  170.205.
    (d) ASTM International, 100 Barr Harbor Drive, PO Box C700, West 
Conshohocken, PA, 19428-2959 USA; Telephone (610) 832-9585 or http://www.astm.org/.
    (1) ASTM E2369-05: Standard Specification for Continuity of Care 
Record (CCR), year of adoption 2005, ASTM approved July 17, 2006, IBR 
approved for Sec.  170.205.

[[Page 2045]]

    (2) ASTM E2369-05 (Adjunct to E2369): Standard Specification 
Continuity of Care Record--Final Version 1.0 (V1.0), November 7, 2005, 
IBR approved for Sec.  170.205.
    (e) National Council for Prescription Drug Programs, Incorporated, 
9240 E. Raintree Drive, Scottsdale, AZ 85260- 7518; Telephone (480) 
477-1000; and Facsimile (480) 767-1042 or http://www.ncpdp.org.
    (1) SCRIPT Standard, Implementation Guide, Version 10.6, October, 
2008, (Approval date for ANSI: November 12, 2008), IBR approved for 
Sec.  170.205.
    (2) [Reserved]
    (f) Council for Affordable Quality Healthcare (CAQH), 601 
Pennsylvania Avenue, NW., South Building, Suite 500, Washington, DC 
20004; Telephone (202) 861-1492 or http://www.caqh.org/CORE_phase1.php.
    (1) Committee on Operating Rules for Information Exchange (CORE) 
Phase I Eligibility and Benefits Operating Rules Manual, April, 2006, 
IBR approved for Sec.  170.205.
    (2) [Reserved]
    (g) Regenstrief Institute, Inc., LOINC[supreg] c/o Medical 
Informatics The Regenstrief Institute, Inc 410 West 10th Street, Suite 
2000 Indianapolis, IN 46202-3012; Telephone (317) 423-5558 or http://loinc.org/.
    (1) Logical Observation Identifiers Names and Codes (LOINC[supreg]) 
version 2.27, June 15, 2009, IBR approved for Sec.  170.205.
    (2) [Reserved]
    (h) U.S. National Library of Medicine, 8600 Rockville Pike, 
Bethesda, MD 20894; Telephone (301) 594-5983 or http://www.nlm.nih.gov/.
    (1) International Health Terminology Standards Development 
Organization Systematized Nomenclature of Medicine Clinical Terms 
(SNOMED CT[supreg]), International Release, July 2009, IBR approved for 
Sec.  170.205.
    (2) [Reserved]
    (i) Centers for Disease Control and Prevention, National Centers 
for Immunization and Respiratory Diseases Immunization Information 
System Support Branch--Informatics 1600 Clifton Road Mailstop: E-62 
Atlanta, GA 30333.
    (1) HL7 Standard Code Set CVX--Vaccines Administered, July 30, 
2009, IBR approved for Sec.  170.205.
    (2) [Reserved]
    (j) Centers for Medicare & Medicaid Services, Office of Clinical 
Standards and Quality, 7500 Security Boulevard, Baltimore, Maryland 
21244; Telephone (410) 786-3000.
    (1) CMS PQRI 2008 Registry XML Specification, December 10, 2008 IBR 
approved for Sec.  170.205.
    (2) 2009 Physician Quality Reporting Initiative Measure 
Specifications Manual for Claims and Registry, Version 3.0, December 8, 
2008 IBR approved for Sec.  170.205.

Subpart C--Certification Criteria for Health Information Technology


Sec.  170.300  Applicability.

    The certification criteria adopted in this subpart apply to the 
testing and certification of Complete EHRs and EHR Modules.


Sec.  170.302  General certification criteria for Complete EHRs or EHR 
Modules.

    The Secretary adopts the following general certification criteria 
for Complete EHRs or EHR Modules. Complete EHRs or EHR Modules must 
include the capability to perform the following functions 
electronically and in accordance with all applicable standards and 
implementation specifications adopted in this part:
    (a) Drug-drug, drug-allergy, drug-formulary checks.
    (1) Alerts. Automatically and electronically generate and indicate 
in real-time, alerts at the point of care for drug-drug and drug-
allergy contraindications based on medication list, medication allergy 
list, age, and computerized provider order entry (CPOE).
    (2) Formulary checks. Enable a user to electronically check if 
drugs are in a formulary or preferred drug list in accordance with the 
standard specified in Sec.  170.205(b).
    (3) Customization. Provide certain users with administrator rights 
to deactivate, modify, and add rules for drug-drug and drug-allergy 
checking.
    (4) Alert statistics. Automatically and electronically track, 
record, and generate reports on the number of alerts responded to by a 
user.
    (b) Maintain up-to-date problem list. Enable a user to 
electronically record, modify, and retrieve a patient's problem list 
for longitudinal care in accordance with:
    (1) The standard specified in Sec.  170.205(a)(2)(i)(A); or
    (2) At a minimum, the version of the standard specified in Sec.  
170.205(a)(2)(i)(B).
    (c) Maintain active medication list. Enable a user to 
electronically record, modify, and retrieve a patient's active 
medication list as well as medication history for longitudinal care in 
accordance with the standard specified in Sec.  170.205(a)(2)(iv).
    (d) Maintain active medication allergy list. Enable a user to 
electronically record, modify, and retrieve a patient's active 
medication allergy list as well as medication allergy history for 
longitudinal care.
    (e) Record and chart vital signs.
    (1) Vital signs. Enable a user to electronically record, modify, 
and retrieve a patient's vital signs including, at a minimum, the 
height, weight, blood pressure, temperature, and pulse.
    (2) Calculate body mass index. Automatically calculate and display 
body mass index (BMI) based on a patient's height and weight.
    (3) Plot and display growth charts. Plot and electronically 
display, upon request, growth charts for patients 2-20 years old.
    (f) Smoking status. Enable a user to electronically record, modify, 
and retrieve the smoking status of a patient. Smoking status types must 
include: current smoker, former smoker, or never smoked.
    (g) Incorporate laboratory test results.
    (1) Receive results. Electronically receive clinical laboratory 
test results in a structured format and display such results in human 
readable format.
    (2) Display codes in readable format. Electronically display in 
human readable format any clinical laboratory tests that have been 
received with LOINC[reg] codes.
    (3) Display test report information. Electronically display all the 
information for a test report specified at 42 CFR 493.1291(c)(1) 
through (7).
    (4) Update. Enable a user to electronically update a patient's 
record based upon received laboratory test results.
    (h) Generate patient lists. Enable a user to electronically select, 
sort, retrieve, and output a list of patients and patients' clinical 
information, based on user-defined demographic data, medication list, 
and specific conditions.
    (i) Report quality measures.
    (1) Display. Calculate and electronically display quality measures 
as specified by CMS or states.
    (2) Submission. Enable a user to electronically submit calculated 
quality measures in accordance with the standard and implementation 
specifications specified in Sec.  170.205(e).
    (j) Check insurance eligibility. Enable a user to electronically 
record and display patients' insurance eligibility, and submit 
insurance eligibility queries to public or private payers and receive 
an eligibility response in accordance with the applicable standards and 
implementation specifications specified in Sec.  170.205(d)(1) or (2).
    (k) Submit claims. Enable a user to electronically submit claims to 
public or private payers in accordance with the standard and 
implementation

[[Page 2046]]

specifications specified in Sec.  170.205(d)(3).
    (l) Medication reconciliation. Electronically complete medication 
reconciliation of two or more medication lists by comparing and merging 
into a single medication list that can be electronically displayed in 
real-time.
    (m) Submission to immunization registries. Electronically record, 
retrieve, and transmit immunization information to immunization 
registries in accordance with:
    (1) One of the standards specified in Sec.  170.205(h)(1) and, at a 
minimum, the version of the standard specified in Sec.  170.205(h)(2); 
or
    (2) The applicable state-designated standard format.
    (n) Public health surveillance. Electronically record, retrieve, 
and transmit syndrome-based public health surveillance information to 
public health agencies in accordance with one of the standards 
specified in Sec.  170.205(g).
    (o) Access control. Assign a unique name and/or number for 
identifying and tracking user identity and establish controls that 
permit only authorized users to access electronic health information.
    (p) Emergency access. Permit authorized users (who are authorized 
for emergency situations) to access electronic health information 
during an emergency.
    (q) Automatic log-off. Terminate an electronic session after a 
predetermined time of inactivity.
    (r) Audit log.
    (1) Record actions. Record actions related to electronic health 
information in accordance with the standard specified in Sec.  
170.210(b).
    (2) Alerts. Provide alerts based on user-defined events.
    (3) Display and print. Electronically display and print all or a 
specified set of recorded information upon request or at a set period 
of time.
    (s) Integrity.
    (1) In transit. Verify that electronic health information has not 
been altered in transit in accordance with the standard specified in 
Sec.  170.210(c).
    (2) Detection. Detect the alteration and deletion of electronic 
health information and audit logs, in accordance with the standard 
specified in Sec.  170.210(c).
    (t) Authentication.
    (1) Local. Verify that a person or entity seeking access to 
electronic health information is the one claimed and is authorized to 
access such information.
    (2) Cross network. Verify that a person or entity seeking access to 
electronic health information across a network is the one claimed and 
is authorized to access such information in accordance with the 
standard specified in Sec.  170.210(d).
    (u) Encryption.
    (1) General. Encrypt and decrypt electronic health information 
according to user-defined preferences in accordance with the standard 
specified in Sec.  170.210(a)(1).
    (2) Exchange. Encrypt and decrypt electronic health information 
when exchanged in accordance with the standard specified in Sec.  
170.210(a)(2).
    (v) Accounting of disclosures. Record disclosures made for 
treatment, payment, and health care operations in accordance with the 
standard specified in Sec.  170.210(e).


Sec.  170.304  Specific certification criteria for Complete EHRs or EHR 
Modules designed for an ambulatory setting.

    The Secretary adopts the following certification criteria for 
Complete EHRs or EHR Modules designed to be used in an ambulatory 
setting. Complete EHRs or EHR Modules must include the capability to 
perform the following functions electronically and in accordance with 
all applicable standards and implementation specifications adopted in 
this part:
    (a) Computerized provider order entry. Enable a user to 
electronically record, store, retrieve, and manage, at a minimum, the 
following order types:
    (1) Medications;
    (2) Laboratory;
    (3) Radiology/imaging; and
    (4) Provider referrals.
    (b) Electronically exchange prescription information. Enable a user 
to electronically transmit medication orders (prescriptions) for 
patients in accordance with the standards specified in Sec.  
170.205(c).
    (c) Record demographics. Enable a user to electronically record, 
modify, and retrieve patient demographic data including preferred 
language, insurance type, gender, race, ethnicity, and date of birth.
    (d) Generate patient reminder list. Electronically generate, upon 
request, a patient reminder list for preventive or follow-up care 
according to patient preferences based on demographic data, specific 
conditions, and/or medication list.
    (e) Clinical decision support.
    (1) Implement rules. Implement automated, electronic clinical 
decision support rules (in addition to drug-drug and drug-allergy 
contraindication checking) according to specialty or clinical 
priorities that use demographic data, specific patient diagnoses, 
conditions, diagnostic test results and/or patient medication list.
    (2) Alerts. Automatically and electronically generate and indicate 
in real-time, alerts and care suggestions based upon clinical decision 
support rules and evidence grade.
    (3) Alert statistics. Automatically and electronically track, 
record, and generate reports on the number of alerts responded to by a 
user.
    (f) Electronic copy of health information. Enable a user to create 
an electronic copy of a patient's clinical information, including, at a 
minimum, diagnostic test results, problem list, medication list, 
medication allergy list, immunizations, and procedures in:
    (1) Human readable format; and
    (2) On electronic media or through some other electronic means in 
accordance with:
    (i) One of the standards specified in Sec.  170.205(a)(1);
    (ii) The standard specified in Sec.  170.205(a)(2)(i)(A), or, at a 
minimum, the version of the standard specified in Sec.  
170.205(a)(2)(i)(B);
    (iii) One of the standards specified in Sec.  170.205(a)(2)(ii);
    (iv) At a minimum, the version of the standard specified in Sec.  
170.205(a)(2)(iii); and
    (v) The standard specified in Sec.  170.205(a)(2)(iv).
    (g) Timely access. Enable a user to provide patients with online 
access to their clinical information, including, at a minimum, lab test 
results, problem list, medication list, medication allergy list, 
immunizations, and procedures.
    (h) Clinical summaries.
    (1) Provision. Enable a user to provide clinical summaries to 
patients for each office visit that include, at a minimum, diagnostic 
test results, problem list, medication list, medication allergy list, 
immunizations and procedures.
    (2) Provided electronically. If the clinical summary is provided 
electronically it must be:
    (i) Provided in human readable format; and
    (ii) On electronic media or through some other electronic means in 
accordance with:
    (A) One of the standards specified in Sec.  170.205(a)(1);
    (B) The standard specified in Sec.  170.205(a)(2)(i)(A), or, at a 
minimum, the version of the standard specified in Sec.  
170.205(a)(2)(i)(B);
    (C) One of the standards specified in Sec.  170.205(a)(2)(ii);
    (D) At a minimum, the version of the standard specified in Sec.  
170.205(a)(2)(iii); and
    (E) The standard specified in Sec.  170.205(a)(2)(iv).

[[Page 2047]]

    (i) Exchange clinical information and patient summary record.
    (1) Electronically receive and display. Electronically receive a 
patient's summary record, from other providers and organizations 
including, at a minimum, diagnostic tests results, problem list, 
medication list, medication allergy list, immunizations, and procedures 
in accordance with Sec.  170.205(a) and upon receipt of a patient 
summary record formatted in an alternate standard specified in Sec.  
170.205(a)(1), display it in human readable format.
    (2) Electronically transmit. Enable a user to electronically 
transmit a patient summary record to other providers and organizations 
including, at a minimum, diagnostic test results, problem list, 
medication list, medication allergy list, immunizations, and procedures 
in accordance with:
    (i) One of the standards specified in Sec.  170.205(a)(1);
    (ii) The standard specified in Sec.  170.205(a)(2)(i)(A), or, at a 
minimum, the version of the standard specified in Sec.  
170.205(a)(2)(i)(B);
    (iii) One of the standards specified in Sec.  170.205(a)(2)(ii);
    (iv) At a minimum, the version of the standard specified in Sec.  
170.205(a)(2)(iii); and
    (v) The standard specified in Sec.  170.205(a)(2)(iv).


Sec.  170.306  Specific certification criteria for Complete EHRs or EHR 
Modules designed for an inpatient setting.

    The Secretary adopts the following certification criteria for 
Complete EHRs or EHR Modules designed to be used in an inpatient 
setting. Complete EHRs or EHR Modules must include the capability to 
perform the following functions electronically and in accordance with 
all applicable standards and implementation specifications adopted in 
this part:
    (a) Computerized provider order entry. Enable a user to 
electronically record, store, retrieve, and manage, at a minimum, the 
following order types:
    (1) Medications;
    (2) Laboratory;
    (3) Radiology/imaging;
    (4) Blood bank;
    (5) Physical therapy;
    (6) Occupational therapy;
    (7) Respiratory therapy;
    (8) Rehabilitation therapy;
    (9) Dialysis;
    (10) Provider consults; and
    (11) Discharge and transfer.
    (b) Record demographics. Enable a user to electronically record, 
modify, and retrieve patient demographic data including preferred 
language, insurance type, gender, race, ethnicity, date of birth, and 
date and cause of death in the event of mortality.
    (c) Clinical decision support.
    (1) Implement rules. Implement automated, electronic clinical 
decision support rules (in addition to drug-drug and drug-allergy 
contraindication checking) according to a high priority hospital 
condition that use demographic data, specific patient diagnoses, 
conditions, diagnostic test results and/or patient medication list.
    (2) Alerts. Automatically and electronically generate and indicate 
in real-time, alerts and care suggestions based upon clinical decision 
support rules and evidence grade.
    (3) Alert statistics. Automatically and electronically track, 
record, and generate reports on the number of alerts responded to by a 
user.
    (d) Electronic copy of health information. Enable a user to create 
an electronic copy of a patient's clinical information, including, at a 
minimum, diagnostic test results, problem list, medication list, 
medication allergy list, immunizations, procedures, and discharge 
summary in:
    (1) Human readable format; and
    (2) On electronic media or through some other electronic means in 
accordance with:
    (i) One of the standards specified in Sec.  170.205(a)(1);
    (ii) The standard specified in Sec.  170.205(a)(2)(i)(A), or, at a 
minimum, the version of the standard specified in Sec.  
170.205(a)(2)(i)(B);
    (iii) One of the standards specified in Sec.  170.205(a)(2)(ii);
    (iv) At a minimum, the version of the standard specified in Sec.  
170.205(a)(2)(iii); and
    (v) The standard specified in Sec.  170.205(a)(2)(iv).
    (e) Electronic copy of discharge information. Enable a user to 
create an electronic copy of the discharge instructions and procedures 
for a patient, in human readable format, at the time of discharge on 
electronic media or through some other electronic means.
    (f) Exchange clinical information and summary record.
    (1) Electronically receive and display. Electronically receive a 
patient's summary record from other providers and organizations 
including, at a minimum, diagnostic test results, problem list, 
medication list, medication allergy list, immunizations, procedures, 
and discharge summary in accordance with Sec.  170.205(a) and upon 
receipt of a patient summary record formatted in an alternate standard 
specified in Sec.  170.205(a)(1), display it in human readable format.
    (2) Electronically transmit. Enable a user to electronically 
transmit a patient's summary record to other providers and 
organizations including, at a minimum, diagnostic results, problem 
list, medication list, medication allergy list, immunizations, 
procedures, and discharge summary in accordance with:
    (i) One of the standards specified in Sec.  170.205(a)(1);
    (ii) The standard specified in Sec.  170.205(a)(2)(i)(A), or, at a 
minimum, the version of the standard specified in Sec.  
170.205(a)(2)(i)(B);
    (iii) One of the standards specified in Sec.  170.205(a)(2)(ii);
    (iv) At a minimum, the version of the standard specified in Sec.  
170.205(a)(2)(iii); and
    (v) The standard specified in Sec.  170.205(a)(2)(iv).
    (g) Reportable lab results. Electronically record, retrieve, and 
transmit reportable clinical lab results to public health agencies in 
accordance with the standard specified in Sec.  170.205(f)(1) and, at a 
minimum, the version of the standard specified in Sec.  170.205(f)(2).

    Dated: December 28, 2009.
Kathleen Sebelius,
Secretary.
[FR Doc. E9-31216 Filed 12-30-09; 4:15 pm]
BILLING CODE 4150-45-P