Difference between revisions of "OpenEMR Certification Stage III Meaningful Use"

From OpenEMR Project Wiki
Line 170: Line 170:
:'''d6.''' Emergency access ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d6 forum] | [[Emergency access (MU3)|wiki]]):
:'''d6.''' Emergency access ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d6 forum] | [[Emergency access (MU3)|wiki]]):
:'''d7.''' End-user device encryption ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d7 forum] | [[End-user device encryption (MU3)|wiki]]): (estimated work to complete: low) '''(BradyMiller)'''
:'''d7.''' End-user device encryption ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d7 forum] | [[End-user device encryption (MU3)|wiki]]): (estimated work to complete: low) '''(BradyMiller)'''
:'''d8.''' Integrity ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d8 forum] | [[Integrity (MU3)|wiki]]): (estimated work to complete: low/moderate) '''(BradyMiller)''' First thing to do is to change sha1() calls to hash calls for sha3-516 (able to use sha3 because of this: https://csrc.nist.gov/publications/detail/fips/180/4/final ) (add a checksum field in the api log table which checksums all the fields going into the pertinent row) (remove log_validator table; remove checksum column from log table (and remove the function that builds this; this will improve performance of log engine also)(actually need to keep the checksum table in log table (or else will break log auditing for pre 6.0 log entries), but will no longer use it); when validate do hash on log entries and compare to checksum stored in log_comment_encrypt; also add a checksum when manually add a new event to the log(now makes checksum blank) and also when added in auditSQLAuditTamper; note auditSQLAuditTamper also likely need encryption of comments)
:'''d8.''' Integrity ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d8 forum] | [[Integrity (MU3)|wiki]]): (estimated work to complete: low/moderate) '''(BradyMiller)''' First thing to do is to change sha1() calls to hash calls for sha3-516 (able to use sha3 because of this: https://csrc.nist.gov/publications/detail/fips/180/4/final ) (add a checksum field in the api log table which checksums all the fields going into the pertinent row) (remove log_validator table; remove checksum column from log table (and remove the function that builds this; this will improve performance of log engine also)(actually need to keep the checksum table in log table (or else will break log auditing for pre 6.0 log entries), but will no longer use it); when validate do hash on log entries and compare to checksum stored in log_comment_encrypt (already being done in the audit_log_tamper_report.php); also add a checksum when manually add a new event to the log(now makes checksum blank) and also when added in auditSQLAuditTamper; note auditSQLAuditTamper also likely need encryption of comments)(and don't forget to convert all the other sha1 uses to sha3-516)
:'''d9.''' Trusted connection ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d9 forum] | [[Trusted connection (MU3)|wiki]]):
:'''d9.''' Trusted connection ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d9 forum] | [[Trusted connection (MU3)|wiki]]):
:'''d10.''' Auditing actions on health information ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d10 forum] | [[Auditing actions on health information (MU3)|wiki]]):
:'''d10.''' Auditing actions on health information ([https://community.open-emr.org/tags/intersection/2015-onc-cert/2015-onc-cert-d10 forum] | [[Auditing actions on health information (MU3)|wiki]]):
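Review bot: "sha3-516" in the d8 line, both in the existing text and in the newly added "convert all the other sha1 uses to sha3-516", is not a SHA-3 variant. The SHA-3 hash functions have 224, 256, 384 and 512-bit outputs, so this should read sha3-512. The link given as the justification for using sha3 is FIPS 180-4, the Secure Hash Standard that covers SHA-1 and SHA-2. SHA-3 is specified in FIPS 202, so the reference should point there instead.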

Revision as of 06:10, 21 September 2020

Overview

Links:

Forums and Discussion


Funding Barometer

Not Funded Certification Test Funds Development Funds Expended Funds

Required to Pay for Testing and Certification

$1000 $5000 $10,000 $13,000

Required to support development efforts and timely delivery

$2,500 $5,000 $10,000 $12,500 $15,000 $20,000 $25,000 $30,000 $35,000 $40,000 $45,000 $50,000 $55,000 $60,000 $65,000 $70,000 $75,000


Legend Description:
  • Not Funded - Unfunded Goal.
  • Certification Test Cost - Funds available to pay for Certification Testing
  • Development - Funds available for development work
  • Expended Funds - Funds that have been spent.



Fund Drive for OpenEMR 2015 Certification

Please help OpenEMR obtain 2015 Edition CEHRT


DONATE HERE


Completion Barometer

  • This barometer is tracking the progress of the 2015 ONC Ambulatory EHR Certification (i.e. Stage 3 MU) project. See the Certification Criteria section below for criteria titles and further details on progress tracking.
a1* a2* a5* a9* a12* a14* b1 b6 b10 c1 c2 c3 d1* d2* d3* d4* d5* d6* d7* d8* d9* d12* d13* g2 g3 g4 g5 g6 g7* g8 g9 g10 h1


Legend Description:
  • Not Yet Analyzed - Has not been analyzed yet.
  • Not Ready - Not ready for certification testing and waiting for somebody to work on this.
  • Not Ready (actively working on) - Not ready for certification testing, but are actively working on this.
  • Ready - Ready for certification testing.
  • Failed Test - Issues found during certification testing.
  • Certification Pass - Passed certification and in official codebase.
  • * - Self-declaration (this involves self-declaration rather than formal testing with the testing body).


Certification Criteria Reference and Tracking

  • Owner(s) - This is the "current" person/group(s) working on the criteria (or building block); owners are listed in parentheses next to the item.
  • Building Blocks:
      • CCDA (Jerry Padgett)
      • FHIR (Jerry Padgett)
      • API
  • FINALIZED means the item is finalized (it has been checked thoroughly and has an associated wiki page detailing why it is ready) and is ready to self-declare or test.

Clinical (170.315(a))

a1. Computerized provider order entry (CPOE) – medications (forum | wiki):
a2. CPOE – laboratory (forum | wiki):
a3. CPOE – diagnostic imaging (forum | wiki):
a4. Drug-drug, drug-allergy interaction checks for CPOE (forum | wiki):
a5. Demographics (forum | wiki): (estimated work to complete: low) (Thuyet Tran)
a6. Problem list (forum | wiki):
a7. Medication list (forum | wiki):
a8. Medication allergy list (forum | wiki):
a9. Clinical decision support (forum | wiki): (estimated work to complete: low)
a10. Drug-formulary and preferred drug list checks (forum | wiki):
a11. Smoking status (forum | wiki):
a12. Family health history (forum | wiki): (estimated work to complete: low)
a13. Patient-specific education resources (forum | wiki):
a14. Implantable device list (forum | wiki): (estimated work to complete: moderate) (Rachel Ellison)
a15. Social, psychological, and behavioral data (forum | wiki):

Care Coordination (170.315(b))

b1. Transitions of care (forum | wiki): CCDA (estimated work to complete: moderate)
b2. Clinical information reconciliation and incorporation (forum | wiki):
b3. Electronic prescribing (forum | wiki):
b4. Common Clinical Data Set summary record – create (forum | wiki):
b5. Common Clinical Data Set summary record – receive (forum | wiki):
b6. Data export (forum | wiki): CCDA (estimated work to complete: moderate)
b7. Data segmentation for privacy – send (forum | wiki):
b8. Data segmentation for privacy – receive (forum | wiki):
b9. Care plan (forum | wiki):
b10. Electronic health information (EHI) export (forum | wiki): CCDA FHIR (estimated work to complete: moderate)
b11. Electronic prescribing (forum | wiki):
b12. Data segmentation for privacy – send (forum | wiki):
b13. Data segmentation for privacy – receive (forum | wiki):

Clinical Quality Measures (170.315(c))

c1. Clinical quality measures (CQMs) – record and export (forum | wiki): (estimated work to complete: high) (Thuyet Tran)
c2. CQMs – import and calculate (forum | wiki): (estimated work to complete: high) (Thuyet Tran)
c3. CQMs – report criterion (forum | wiki): (estimated work to complete: high) (Thuyet Tran)
c4. CQMs – filter (forum | wiki):

Privacy and Security (170.315(d))

d1. Authentication, access control, and authorization (forum | wiki):
d2. Auditable events and tamper-resistance (forum | wiki): (estimated work to complete: low/moderate) (BradyMiller)
d3. Audit report(s) (forum | wiki): (estimated work to complete: low/moderate) (BradyMiller)
d4. Amendments (forum | wiki):
d5. Automatic access time-out (forum | wiki):
d6. Emergency access (forum | wiki):
d7. End-user device encryption (forum | wiki): (estimated work to complete: low) (BradyMiller)
d8. Integrity (forum | wiki): (estimated work to complete: low/moderate) (BradyMiller) First thing to do is to change the sha1() calls to hash calls for sha3-512 (able to use sha3 because of this: https://csrc.nist.gov/publications/detail/fips/180/4/final ). Add a checksum field in the api log table which checksums all the fields going into the pertinent row. Remove the log_validator table. The plan was to remove the checksum column from the log table and the function that builds it (which will also improve performance of the log engine), but the checksum column actually needs to stay in the log table (or else log auditing for pre-6.0 log entries will break); it will just no longer be used. When validating, hash the log entries and compare to the checksum stored in log_comment_encrypt (already being done in audit_log_tamper_report.php). Also add a checksum when a new event is manually added to the log (this currently leaves the checksum blank) and when one is added in auditSQLAuditTamper; note that auditSQLAuditTamper also likely needs encryption of comments. And don't forget to convert all the other sha1 uses to sha3-512.
d9. Trusted connection (forum | wiki):
d10. Auditing actions on health information (forum | wiki):
d11. Accounting of disclosures (forum | wiki):
d12. Encrypt authentication credentials certification criterion (forum | wiki): FINALIZED
d13. Multi-factor authentication (MFA) criterion (forum | wiki):

Patient Engagement (170.315(e))

e1. View, download, and transmit to 3rd party (forum | wiki):
e2. Secure messaging (forum | wiki):
e3. Patient health information capture (forum | wiki): (estimated work to complete: low)

Public Health (170.315(f))

f1. Transmission to immunization registries (forum | wiki):
f2. Transmission to public health agencies – syndromic surveillance (forum | wiki):
f3. Transmission to public health agencies – reportable laboratory tests and value/results (forum | wiki):
f4. Transmission to cancer registries (forum | wiki):
f5. Transmission to public health agencies – electronic case reporting (forum | wiki):
f6. Transmission to public health agencies – antimicrobial use and resistance reporting (forum | wiki):
f7. Transmission to public health agencies – health care surveys (forum | wiki):

Utilization (170.315(g))

g1. Automated numerator recording (forum | wiki):
g2. Automated measure calculation (forum | wiki): (estimated work to complete: moderate/high)
g3. Safety-enhanced design (forum | wiki): (estimated work to complete: moderate/high)
g4. Quality management system (forum | wiki): (estimated work to complete: low/moderate)
g5. Accessibility-centered design (forum | wiki): (estimated work to complete: low/moderate)
g6. Consolidated CDA creation performance (forum | wiki): (g6 is considered completed when b1 and b6 are completed)
g7. Application access – patient selection (forum | wiki): API FHIR (estimated work to complete: low)
g8. Application access – data category request (forum | wiki): API FHIR (estimated work to complete: moderate/high)
g9. Application access – all data request (forum | wiki): API CCDA (estimated work to complete: moderate/high)
g10. Standardized API for patient and population services (forum | wiki): FHIR (estimated work to complete: moderate/high) (Jerry Padgett)
g11. Consent management for application programming interfaces (forum | wiki):

Transport methods and other protocols (170.315(h))

h1. Direct Project (forum | wiki): (estimated work to complete: low/moderate)
h2. Direct Project, Edge Protocol, and XDR/XDM (forum | wiki):


Instance Specific Requirements Tracking

This will track the settings that an instance needs to use to fulfill ONC 2015.
  • Required global settings
      • Administration->Globals->Security->Hash Algorithm for Authentication->SHA512 (ONC 2015)
      • Administration->Globals->Security->Hash Algorithm for Token->SHA512 (ONC 2015)
      • Administration->Globals->Logging->Audit Logging SELECT Query->On
      • Administration->Globals->Logging->Enable Audit Log Encryption->On
      • Administration->Globals->Logging->Printing Log Option->Log entire document


Acknowledgment Tracking

Brady Miller - Encrypt authentication credentials certification criterion
Jerry Padgett - CCDA, FHIR, Standardized API for patient and population services
Rachel Ellison - Implantable device list
Thuyet Tran - Demographics
Yash Raj Bothra - FHIR


Notes

Below is how we derived the items to include in the main barometer:
  • Based on analysis incorporating finalized proposed changes and Cures: drop a6, a7, a8, a11, b4, b5; revise b1, b2, b3, b7, b8, b9, c3, d2, d3, d10, e1, f5, g6, g9; new b10, d12, d13, g10. (Note the goal is to only list the required items.)
  • Note the following OR items: a2 or a3, g1 or g2, h1 or h2
  • EXTRAPOLATED EHR gap items are a1, a2 or a3. EHR non-gap items are a5, a9, a14, b1, b6, c1, g7, g8, g9, h1 or h2.
  • EXTRAPOLATED Bonus items needed for MIPS are a12, e3, g1 or g2, c2, c3, (c4 is optional).
  • Above 2 lists distill to a1, a2 or a3, a5, a9, a12, a14, b1, b6, c1, c2, c3, e3, g1 or g2, g7, g8, g9, h1 or h2
  • Cures specific items are: a1, a2 or a3, a5, a9, a14, b1(standard or cures(cures is mandatory after 5/2/22)), c1, g7, g8 or g10(g10 is mandatory after 5/2/22), g9(standard or cures(cures is mandatory after 5/2/22)), h1 or h2
  • New distilled list including cures stuff that is mandatory after 5/22/22: a1, a2 or a3, a5, a9, a12, a14, b1(cures version), b6, c1, c2, c3, e3, g1 or g2, g7, g9(cures version), g10(cures), h1 or h2
  • Dependency items also needed are b10, d1-d9, d12, d13, g3-g6 (g6 is considered completed when b1 and b6 are completed)
  • Final listing (above 2 lists combined): a1, a2 or a3(will do a2), a5, a9, a12, a14, b1(cures version), b6, b10, c1, c2, c3, d1-d9, d12, d13, e3, g1 or g2(will do g2), g3-g6 (g6 is considered completed when b1 and b6 are completed), g7, g9(cures version), g10(cures), h1 or h2(will do h1)
  • Final adjustment after discussion with testing body: e3 not needed, g8 is needed, no more gap certification eligibility
  • The real Final listing (above 2 lists integrated): a1, a2 or a3(will do a2), a5, a9, a12, a14, b1(cures version), b6, b10, c1, c2, c3, d1-d9, d12, d13, g1 or g2(will do g2), g3-g6 (g6 is considered completed when b1 and b6 are completed), g7, g8, g9(cures version), g10(cures), h1 or h2(will do h1)