Abbie Watson edited this page Oct 21, 2025 · 16 revisions

Welcome to the honeycomb wiki!

ONC Health IT Certification Criteria (45 CFR § 170.315)

| Criterion | Module Name | Requirements |
|---|---|---|
| §170.315.a.1 | order-catalog | Computerized provider order entry—medications<br>Enable a user to record, change, and access medication orders. Optional "reason for order" field. |
| §170.315.a.2 | order-catalog | Computerized provider order entry—laboratory<br>Enable a user to record, change, and access laboratory orders. Optional "reason for order" field. |
| §170.315.a.3 | clinical-lists | Computerized provider order entry—diagnostic imaging<br>Enable a user to record, change, and access diagnostic imaging orders. Optional "reason for order" field. |
| §170.315.a.4 | drug-interactions | Drug-drug, drug-allergy interaction checks for CPOE<br>Before a medication order is completed during CPOE, interventions must automatically indicate drug-drug and drug-allergy contraindications. Enable severity level adjustments limited to specific users or system admin function. |
| §170.315.a.5 | drug-formulary | Patient demographics and observations<br>Enable a user to record, change, and access patient demographic data including race, ethnicity, preferred language, sex, sex parameter for clinical use, sexual orientation, gender identity, name to use, pronouns, and date of birth. Inpatient setting: record preliminary cause of death and date of death. |
| §170.315.a.9 | | Clinical decision support (CDS)<br>Enable CDS interventions during user interaction. Enable configuration of interventions by limited users. Support evidence-based decision support and linked referential CDS. Enable review of source attributes. Expired January 1, 2025. |
| §170.315.a.12 | family-health-history | Family health history<br>Enable a user to record, change, and access a patient's family health history in accordance with familial concepts in the specified standard. |
| §170.315.a.14 | implantable-devices | Implantable device list<br>Record Unique Device Identifiers (UDI) for implantable devices. Parse device identifier and production identifiers. Obtain and display device descriptions and GUDID attributes including brand name, model, company, MRI safety info, and latex content. |
| §170.315.a.15 | social-determinants | Social, psychological, and behavioral data<br>Enable recording of patient social, psychological, and behavioral data including financial resource strain, education, stress, depression, physical activity, alcohol use, social connection/isolation, and exposure to intimate partner violence. Must allow patient to decline. |
| §170.315.b.1 | pacio-core | Transitions of care<br>Send and receive transition of care/referral summaries via edge protocol. Validate and display C-CDA documents. Create transition summaries formatted per C-CDA standards including all required data classes, encounter diagnoses, cognitive/functional status, and patient matching data. |
| §170.315.b.2 | pacio-core | Clinical information reconciliation and incorporation<br>Upon receipt of transition summaries, match to correct patient. Enable reconciliation of medication, allergy, and problem lists by simultaneously displaying data from multiple sources, creating reconciled lists, and automatically updating upon user confirmation. |
| §170.315.b.3 | e-prescribing | Electronic prescribing<br>Enable prescription-related electronic transactions including NewRx, change, cancel, refill, fill status notifications, and medication history. Transmit reason for prescription using diagnosis elements. Limit oral liquid meds to mL units. Use leading zeroes, no trailing zeroes. |
| §170.315.b.7 | | Security tags—summary of care—send<br>Enable user to create summary record tagged as restricted and subject to re-disclosure restrictions per specified standard at document, section, and entry level. |
| §170.315.b.8 | secure-messaging | Security tags—summary of care—receive<br>Enable receiving summary records tagged as restricted. Preserve privacy markings to ensure fidelity to tagging based on consent and sharing/re-disclosure restrictions. |
| §170.315.b.9 | | Care plan<br>Enable recording, changing, accessing, creating, and receiving care plan information per Care Plan document template including Health Status Evaluations and Outcomes Section and Interventions Section. |
| §170.315.b.10 | | Electronic Health Information export<br>Enable single patient and patient population exports of all EHI in computable format. User can execute at any time without developer assistance. Include publicly accessible hyperlink to export format. |
| §170.315.b.11 | | Decision support interventions<br>Enable evidence-based and predictive decision support interventions. Support configuration, electronic feedback data collection, and intervention selection. Comprehensive source attributes required for predictive DSI including fairness, validity, external validation, and ongoing maintenance. |
| §170.315.c.1 | | Clinical quality measures—record and export<br>Record all data necessary to calculate each CQM. Enable user to export data file in specified format at any time ranging from one to multiple patients. |
| §170.315.c.2 | | Clinical quality measures—import and calculate<br>Enable import of CQM data file and calculate each CQM presented for certification. |
| §170.315.c.3 | | Clinical quality measures—report<br>Enable electronic creation of data file for CQM transmission per QRDA Category I (inpatient) and Category III (ambulatory) implementation guides. |
| §170.315.c.4 | quality-measures | Clinical quality measures—filter<br>Record specified data (TIN, NPI, provider type, practice address, patient insurance, age, sex, race/ethnicity, problems). Filter CQM results by these data elements and create data file or display in human-readable format. |
| §170.315.d.1 | accounts-management / hipaa-compliance | Authentication, access control, and authorization<br>Verify user identity against unique identifier. Establish type of access permitted and actions user can perform with technology. |
| §170.315.d.2 | | Auditable events and tamper-resistance<br>Record actions related to EHI per specified standard. Record audit log status and encryption status. Default to enabled. Protect audit log from changes. Enable detection of audit log alterations. |
| §170.315.d.3 | | Audit report(s)<br>Enable user to create audit report for specific time period and sort entries per specified data elements. |
| §170.315.d.4 | request-for-corrections | Amendments<br>Enable user to select record affected by patient's amendment request. For accepted amendments, append to record or include link. For denied amendments, append request and denial. |
| §170.315.d.5 | | Automatic access time-out<br>Automatically stop user access after predetermined inactivity period. Require re-authentication to resume access. |
| §170.315.d.6 | | Emergency access<br>Permit identified set of users to access EHI during emergency. |
| §170.315.d.7 | | End-user device encryption<br>Technology storing EHI on end-user devices must encrypt data after use stops, OR prevent EHI from being locally stored. Use specified encryption standard. |
| §170.315.d.8 | | Integrity<br>Create message digest per specified standard. Verify electronically exchanged health information has not been altered. |
| §170.315.d.9 | | Trusted connection<br>Establish trusted connection using message-level (encrypt and integrity protect) or transport-level methods per specified standards. |
| §170.315.d.10 | | Auditing actions on health information<br>By default, record actions related to EHI. If disabling permitted, restrict to limited users. Recorded actions must not be changeable/deletable. Enable detection of alterations. |
| §170.315.d.11 | | Accounting of disclosures<br>Record disclosures made for treatment, payment, and health care operations per specified standard. |
| §170.315.d.12 | | Encrypt authentication credentials<br>Health IT developer attests whether Health IT Module encrypts stored authentication credentials per specified standard. |
| §170.315.d.13 | multi-factor-auth | Multi-factor authentication<br>Health IT developer attests whether Health IT Module supports multi-factor authentication using industry-recognized standards and describes use cases supported. |
| §170.315.e.1 | | View, download, and transmit to 3rd party<br>Patients must be able to view, download, and transmit their health information. View all USCDI data. Download ambulatory/inpatient summary in human-readable and C-CDA format. Transmit via email and encrypted method. Support timeframe selection. Record activity history log. Enable requests for restrictions (required by Jan 1, 2026). |
| §170.315.e.3 | pacio-core | Patient health information capture<br>Enable user to identify, record, and access information directly shared by patient. Reference and link to patient health information documents. |
| §170.315.f.1 | immunization-registry | Transmission to immunization registries<br>Create immunization information for electronic transmission per specified standards for historical and administered vaccines. Enable request, access, and display of patient's immunization history and forecast from registry. |
| §170.315.f.2 | syndromic-surveillance | Transmission to public health agencies—syndromic surveillance<br>Create syndrome-based public health surveillance information for electronic transmission per specified standard. |
| §170.315.f.3 | lab-test-reporting | Transmission to public health agencies—reportable laboratory tests<br>Create reportable laboratory tests and values/results for electronic transmission per specified standard. |
| §170.315.f.4 | cancer-registry-reporting | Transmission to cancer registries<br>Create cancer case information for electronic transmission per specified standard. |
| §170.315.f.5 | case-reporting | Transmission to public health agencies—electronic case reporting<br>Up to Dec 31, 2025: Functional eCR - consume trigger codes, match patient encounters, create case report with USCDI data. After Dec 31, 2025: Standards-based eCR - consume RCTC value set, create eICR per HL7 FHIR or CDA IG, receive and process reportability response, transmit case report. |
| §170.315.f.6 | antimicrobial-reporting | Transmission to public health agencies—antimicrobial use and resistance reporting<br>Create antimicrobial use and resistance reporting information for electronic transmission per specified standard. |
| §170.315.f.7 | | Transmission to public health agencies—health care surveys<br>Create health care survey information for electronic transmission per specified standard. |
| §170.315.g.1 | quality-measures | Automated numerator recording<br>For each Promoting Interoperability percentage-based measure, create report enabling user to review patients/actions eligible for numerator with sufficient detail to match to denominator limitations. |
| §170.315.g.3 | | Safety-enhanced design<br>Apply user-centered design processes to specified capabilities. Minimum 10 test participants. Submit process documentation and NISTIR 7742 sections including participant demographics, tasks tested, metrics (success, failures, performance time, satisfaction), results, and test scenarios. |
| §170.315.g.4 | | Quality management system<br>Identify QMS used in development, testing, implementation, and maintenance that is established by Federal government or SDO, or is mapped to such QMS. |
| §170.315.g.5 | | Accessibility-centered design<br>Identify health IT accessibility-centered design standard or law used in development, testing, implementation, and maintenance of each capability. |
| §170.315.g.6 | ccda-export | Consolidated CDA creation performance<br>Demonstrate C-CDA creation including reference match, document-template conformance, vocabulary conformance, and completeness verification for all USCDI data. |
| §170.315.g.7 | | Application access—patient selection<br>API must receive request to uniquely identify patient and return ID/token for subsequent data requests. Include public documentation of API syntax, parameters, and configuration requirements. |
| §170.315.g.8 | | Application access—data category request<br>API must respond to requests for individual USCDI data categories in computable format. Support date-specific and date-range requests. Include public documentation. |
| §170.315.g.9 | | Application access—all data request<br>API must respond to requests for all USCDI data at once and return in C-CDA format following CCD template. Support date-specific and date-range requests. Include public documentation. |
| §170.315.g.10 | | Standardized API for patient and population services<br>Respond to single patient and population data requests per US Core and FHIR standards. Support search operations. Enable app registration. Establish secure connections. Support authentication/authorization for patient, user, and system scopes with refresh tokens (minimum 3 months). Enable patient revocation within 1 hour. Support token introspection. Provide complete public documentation. |
| §170.315.h.1 | | Direct Project<br>Send and receive health information per Applicability Statement for Secure Health Transport including "wrapped" messages and delivery notification. |
| §170.315.h.2 | | Direct Project, Edge Protocol, and XDR/XDM<br>Send and receive health information per Direct standard, XDS metadata profiles, and both edge protocol methods. Include delivery notification. |

Notes

  • All health IT must perform capabilities in accordance with applicable standards and implementation specifications adopted in 45 CFR part 170.
  • Health IT developers must update Health IT Modules certified to revised certification criteria and provide updates to customers per dates identified in 45 CFR part 170 subpart B.
  • Criteria marked with specific dates indicate compliance deadlines (e.g., "required by January 1, 2026" or "up to and including December 31, 2025").
  • Criteria designated as "inpatient setting only" or "ambulatory setting only" have limited applicability.
