45 C.F.R. § 170.315
The Secretary adopts the following certification criteria for health IT. Health IT must be able to electronically perform the following capabilities in accordance with all applicable standards and implementation specifications adopted in this part:
(a) Clinical - (1) Computerized provider order entry - medications.
(2) Computerized provider order entry - laboratory.
(3) Computerized provider order entry - diagnostic imaging.
(ii) Adjustments.
(B) Limit the ability to adjust severity levels in at least one of these two ways:
(1) To a specific set of identified users.
(2) As a system administrative function.
(5) Demographics.
(i) Enable a user to record, change, and access patient demographic data including race, ethnicity, preferred language, sex, sexual orientation, gender identity, and date of birth.
(A) Race and ethnicity. (1) Enable each one of a patient's races to be recorded in accordance with, at a minimum, the standard specified in § 170.207(f)(2) and whether a patient declines to specify race.
(2) Enable each one of a patient's ethnicities to be recorded in accordance with, at a minimum, the standard specified in § 170.207(f)(2) and whether a patient declines to specify ethnicity.
(3) Aggregate each one of the patient's races and ethnicities recorded in accordance with paragraphs (a)(5)(i)(A)(1) and (2) of this section to the categories in the standard specified in § 170.207(f)(1).
(ii) CDS configuration.
(B) Enable interventions:
(1) Based on the following data:
(i) Problem list;
(ii) Medication list;
(iii) Allergy and intolerance list;
(iv) At least one demographic specified in paragraph (a)(5)(i) of this section;
(v) Laboratory tests; and
(vi) Vital signs.
(2) When a patient's medications, allergies and intolerance, and problems are incorporated from a transition of care/referral summary received and pursuant to paragraph (b)(2)(iii)(D) of this section.
(iv) Linked referential CDS.
(A) Identify for a user diagnostic and therapeutic reference information in accordance at least one of the following standards and implementation specifications:
(1) The standard and implementation specifications specified in § 170.204(b)(3).
(2) The standard and implementation specifications specified in § 170.204(b)(4).
(v) Source attributes. Enable a user to review the attributes as indicated for all CDS resources:
(A) For evidence-based decision support interventions under paragraph (a)(9)(iii) of this section:
(1) Bibliographic citation of the intervention (clinical research/guideline);
(2) Developer of the intervention (translation from clinical research/guideline);
(3) Funding source of the intervention development technical implementation; and
(4) Release and, if applicable, revision date(s) of the intervention or reference source.
(10) Drug-formulary and preferred drug list checks. The requirements specified in one of the following paragraphs (that is, paragraphs (a)(10)(i) and (a)(10)(ii) of this section) must be met to satisfy this certification criterion:
(13) Patient-specific education resources.
(i) Identify patient-specific education resources based on data included in the patient's problem list and medication list in accordance with at least one of the following standards and implementation specifications:
(14) Implantable device list.
(ii) Parse the following identifiers from a Unique Device Identifier:
(B) The following identifiers that compose the Production Identifier:
(1) The lot or batch within which a device was manufactured;
(2) The serial number of a specific device;
(3) The expiration date of a specific device;
(4) The date a specific device was manufactured; and
(5) For an HCT/P regulated as a device, the distinct identification code required by 21 CFR 1271.290(c).
(iii) Obtain and associate with each Unique Device Identifier:
(A) A description of the implantable device referenced by at least one of the following:
(1) The “GMDN PT Name” attribute associated with the Device Identifier in the Global Unique Device Identification Database.
(2) The “SNOMED CT® Description” mapped to the attribute referenced in in paragraph (a)(14)(iii)(A)(1) of this section.
(B) The following Global Unique Device Identification Database attributes:
(1) “Brand Name”;
(2) “Version or Model”;
(3) “Company Name”;
(4) “What MRI safety information does the labeling contain?”; and
(5) “Device required to be labeled as containing natural rubber latex or dry natural rubber (21 CFR 801.437).”
(iv) Display to a user an implantable device list consisting of:
(v) For each Unique Device Identifier recorded for a patient, enable a user to access:
(15) Social, psychological, and behavioral data. Enable a user to record, change, and access the following patient social, psychological, and behavioral data:
(ii) Validate and display - (A) Validate C-CDA conformance - system performance. Demonstrate the ability to detect valid and invalid transition of care/referral summaries received and formatted in accordance with the standards specified in § 170.205(a)(3), (4), and (5) for the Continuity of Care Document, Referral Note, and (inpatient setting only) Discharge Summary document templates. This includes the ability to:
(1) Parse each of the document types.
(2) Detect errors in corresponding “document-templates,” “section-templates,” and “entry-templates,” including invalid vocabulary standards and codes not specified in the standards adopted in § 170.205(a)(3), (4), and (5).
(3) Identify valid document-templates and process the data elements required in the corresponding section-templates and entry-templates from the standards adopted in § 170.205(a)(3), (4), and (5).
(4) Correctly interpret empty sections and null combinations.
(5) Record errors encountered and allow a user through at least one of the following ways to:
(i) Be notified of the errors produced.
(ii) Review the errors produced.
(C) Display section views. Allow for the individual display of each section (and the accompanying document header information) that is included in a transition of care/referral summary received and formatted in accordance with the standards adopted in § 170.205(a)(3), (4), and (5) in a manner that enables the user to:
(1) Directly display only the data within a particular section;
(2) Set a preference for the display order of specific sections; and
(3) Set the initial quantity of sections to be displayed.
(iii) Create. Enable a user to create a transition of care/referral summary formatted in accordance with the standard specified in § 170.205(a)(3), (4), and (5) using the Continuity of Care Document, Referral Note, and (inpatient setting only) Discharge Summary document templates that includes, at a minimum:
(A) (1) The data classes expressed in the standard in § 170.213 and in accordance with § 170.205(a)(4), (5), and paragraphs (b)(1)(iii)(A)(3)(i) through (iii) of this section, or
(2) The Common Clinical Data Set in accordance with § 170.205(a)(4) and paragraph (b)(1)(iii)(A)(3)(i) through (iv) of this section for the period until May 2, 2022, and
(3) The following data classes:
(i) Assessment and plan of treatment. In accordance with the “Assessment and Plan Section (V2)” of the standard specified in § 170.205(a)(4); or in accordance with the “Assessment Section (V2)” and “Plan of Treatment Section (V2)” of the standard specified in § 170.205(a)(4).
(ii) Goals. In accordance with the “Goals Section” of the standard specified in § 170.205(a)(4).
(iii) Health concerns. In accordance with the “Health Concerns Section” of the standard specified in § 170.205(a)(4).
(iv) Unique device identifier(s) for a patient's implantable device(s). In accordance with the “Product Instance” in the “Procedure Activity Procedure Section” of the standard specified in § 170.205(a)(4).
(B) Encounter diagnoses. Formatted according to at least one of the following standards:
(1) The standard specified in § 170.207(i).
(2) At a minimum, the version of the standard specified in § 170.207(a)(4).
(G) Patient matching data. First name, last name, previous name, middle name (including middle initial), suffix, date of birth, address, phone number, and sex. The following constraints apply:
(1) Date of birth constraint - (i) The year, month and day of birth must be present for a date of birth. The technology must include a null value when the date of birth is unknown.
(ii) Optional. When the hour, minute, and second are associated with a date of birth the technology must demonstrate that the correct time zone offset is included.
(2) Phone number constraint. Represent phone number (home, business, cell) in accordance with the standards adopted in § 170.207(q)(1). All phone numbers must be included when multiple phone numbers are present.
(3) Sex constraint. Represent sex in accordance with the standard adopted in § 170.207(n)(1).
(iii) Reconciliation. Enable a user to reconcile the data that represent a patient's active medication list, allergies and intolerance list, and problem list as follows. For each list type:
(D) Upon a user's confirmation, automatically update the list, and incorporate the following data expressed according to the specified standard(s) on and after May 2, 2022:
(1) Medications. At a minimum, the version of the standard specified in § 170.213;
(2) Allergies and intolerance. At a minimum, the version of the standard specified in § 170.213; and
(3) Problems. At a minimum, the version of the standard specified in § 170.213.
(3) Electronic prescribing.
(i) For technology certified prior to May 2, 2022, subject to the real world testing provisions at § 170.405(b)(5),
(A) Enable a user to perform the following prescription-related electronic transactions in accordance with, at a minimum, the version of the standard specified in § 170.207(d)(3) as follows:
(1) Create new prescriptions (NEWRX).
(2) Change prescriptions (RXCHG, CHGRES).
(3) Cancel prescriptions (CANRX, CANRES).
(4) Refill prescriptions (REFREQ, REFRES).
(5) Receive fill status notifications (RXFILL).
(6) Request and receive medication history information (RXHREQ, RXHRES).
(ii) For technology certified subsequent to June 30, 2020:
(A) Enable a user to perform the following prescription-related electronic transactions in accordance with the standard specified in § 170.205(b)(1) and, at a minimum, the version of the standard specified in § 170.207(d)(3) as follows:
(1) Create new prescriptions (NewRx).
(2) Request and respond to change prescriptions (RxChangeRequest, RxChangeResponse).
(3) Request and respond to cancel prescriptions (CancelRx, CancelRxResponse).
(4) Request and respond to renew prescriptions (RxRenewalRequest, RxRenewalResponse).
(5) Receive fill status notifications (RxFill).
(6) Request and receive medication history (RxHistoryRequest, RxHistoryResponse).
(7) Relay acceptance of a transaction back to the sender (Status).
(8) Respond that there was a problem with the transaction (Error).
(9) Respond that a transaction requesting a return receipt has been received (Verify).
(B) Optionally, enable a user to perform the following prescription-related electronic transactions in accordance with the standard specified in § 170.205(b)(1) and, at a minimum, the version of the standard specified in § 170.207(d)(3) as follows:
(1) Create and respond to new prescriptions (NewRxRequest, NewRxResponseDenied).
(2) Receive fill status notifications (RxFillIndicator).
(3) Ask the Mailbox if there are any transactions (GetMessage).
(4) Request to send an additional supply of medication (Resupply).
(5) Communicate drug administration events (DrugAdministration).
(6) Request and respond to transfer one or more prescriptions between pharmacies (RxTransferRequest, RxTransferResponse, RxTransferConfirm).
(7) Recertify the continued administration of a medication order (Recertification).
(8) Complete Risk Evaluation and Mitigation Strategy (REMS) transactions (REMSInitiationRequest, REMSInitiationResponse, REMSRequest, and REMSResponse).
(9) Electronic prior authorization transactions (PAInitiationRequest, PAInitiationResponse, PARequest, PAResponse, PAAppealRequest, PAAppealResponse, PACancelRequest, and PACancelResponse).
(C) For the following prescription-related transactions, the technology must be able to receive and transmit the reason for prescription using the diagnosis elements: <Diagnosis> <Primary> or <Secondary>:
(1) Required transactions:
(i) Create new prescriptions (NewRx).
(ii) Request and respond to change prescriptions (RxChangeRequest, RxChangeResponse).
(iii) Cancel prescriptions (CancelRx).
(iv) Request and respond to renew prescriptions (RxRenewalRequest, RxRenewalResponse).
(v) Receive fill status notifications (RxFill).
(vi) Receive medication history (RxHistoryResponse).
(2) Optional transactions:
(i) Request to send an additional supply of medication (Resupply)
(ii) Request and respond to transfer one or more prescriptions between pharmacies (RxTransferRequest, RxTransferResponse)
(iii) Complete Risk Evaluation and Mitigation Strategy (REMS) transactions (REMSInitiationRequest, REMSInitiationResponse, REMSRequest, and REMSResponse).
(iv) Electronic prior authorization (ePA) transactions (PAInitiationRequest, PAInitiationResponse, PARequest, PAResponse, PAAppealRequest, PAAppealResponse and PACancelRequest, PACancelResponse).
(6) Data export - (i) General requirements for export summary configuration.
(B) Limit the ability of users who can create export summaries in at least one of these two ways:
(1) To a specific set of identified users.
(2) As a system administrative function.
(ii) Creation. Enable a user to create export summaries formatted in accordance with the standard specified in § 170.205(a)(4) using the Continuity of Care Document document template that includes, at a minimum:
(B) Encounter diagnoses. Formatted according to at least one of the following standards:
(1) The standard specified in § 170.207(i).
(2) At a minimum, the version of the standard specified in § 170.207(a)(4).
(iii) Timeframe configuration.
(B) Consistent with the date and time period specified in paragraph (b)(6)(iii)(A) of this section, enable a user to do each of the following:
(1) Create export summaries in real-time;
(2) Create export summaries based on a relative date and time (e.g., the first of every month at 1:00 a.m.); and
(3) Create export summaries based on a specific date and time (e.g., on 10/24/2015 at 1:00 a.m.).
(7) Security tags - summary of care - send. Enable a user to create a summary record formatted in accordance with the standard adopted in § 170.205(a)(4) that is tagged as restricted and subject to restrictions on re-disclosure according to the standard adopted in § 170.205(o)(1) at the:
(8) Security tags - summary of care - receive.
(i) Enable a user to receive a summary record that is formatted in accordance with the standard adopted in § 170.205(a)(4) that is tagged as restricted and subject to restrictions on re-disclosure according to the standard adopted in § 170.205(o)(1) at the:
(9) Care plan. Enable a user to record, change, access, create, and receive care plan information in accordance with:
(10) Electronic Health Information export - (i) Single patient electronic health information export.
(C) Limit the ability of users who can create export file(s) in at least one of these two ways:
(1) To a specific set of identified users
(2) As a system administrative function.
(ii) Patient population electronic health information export. Create an export of all the electronic health information that can be stored at the time of certification by the product, of which the Health IT Module is a part.
(ii) Export. A user must be able to export a data file at any time the user chooses and without subsequent developer assistance to operate:
(4) Clinical quality measures - filter.
(ii) Filter CQM results at the patient and aggregate levels by each one and any combination of the data listed in paragraph (c)(4)(iii) of this section and be able to:
(iii) Data.
(2) Auditable events and tamper-resistance - (i) Record actions. Technology must be able to:
(4) Amendments. Enable a user to select the record affected by a patient's request for amendment and perform the capabilities specified in paragraph (d)(4)(i) or (ii) of this section.
(ii) Denied amendment. For a denied amendment, at a minimum, append the request and denial of the request in at least one of the following ways:
(5) Automatic access time-out.
(7) End-user device encryption. The requirements specified in one of the following paragraphs (that is, paragraphs (d)(7)(i) and (d)(7)(ii) of this section) must be met to satisfy this certification criterion.
(i) Technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of the technology on those devices stops.
(8) Integrity.
(9) Trusted connection. Establish a trusted connection using one of the following methods:
(10) Auditing actions on health information.
(12) Encrypt authentication credentials. Health IT developers must make one of the following attestations and may provide the specified accompanying information, where applicable:
(13) Multi-factor authentication. Health IT developers must make one of the following attestations and, as applicable, provide the specified accompanying information:
(e) Patient engagement - (1) View, download, and transmit to 3rd party.
(i) Patients (and their authorized representatives) must be able to use internet-based technology to view, download, and transmit their health information to a 3rd party in the manner specified below. Such access must be consistent and in accordance with the standard adopted in § 170.204(a)(1) and may alternatively be demonstrated in accordance with the standard specified in § 170.204(a)(2).
(A) View. Patients (and their authorized representatives) must be able to use health IT to view, at a minimum, the following data:
(1) The data classes expressed in the standards in § 170.213 (which should be in their English (i.e., non-coded) representation if they associate with a vocabulary/code set), and in accordance with § 170.205(a)(4) and (a)(5), and paragraphs (e)(1)(i)(A)(3)(i) through (iii) of this section, or
(2) The Common Clinical Data Set in accordance with § 170.205(a)(4) and paragraphs (e)(1)(i)(A)(3)(i) through (iv) of this section for the period until May 2, 2022.
(3) The following data classes:
(i) Assessment and plan of treatment. In accordance with the “Assessment and Plan Section (V2)” of the standard specified in § 170.205(a)(4); or in accordance with the “Assessment Section (V2)” and “Plan of Treatment Section (V2)” of the standard specified in § 170.205(a)(4).
(ii) Goals. In accordance with the “Goals Section” of the standard specified in § 170.205(a)(4).
(iii) Health concerns. In accordance with the “Health Concerns Section” of the standard specified in § 170.205(a)(4).
(iv) Unique device identifier(s) for a patient's implantable device(s). In accordance with the “Product Instance” in the “Procedure Activity Procedure Section” of the standards specified in § 170.205(a)(4).
(4) Ambulatory setting only. Provider's name and office contact information.
(5) Inpatient setting only. Admission and discharge dates and locations; discharge instructions; and reason(s) for hospitalization.
(6) Laboratory test report(s). Laboratory test report(s), including:
(i) The information for a test report as specified all the data specified in 42 CFR 493.1291(c)(1) through (7);
(ii) The information related to reference intervals or normal values as specified in 42 CFR 493.1291(d); and
(iii) The information for corrected reports as specified in 42 CFR 493.1291(k)(2).
(7) Diagnostic image report(s).
(B) Download. (1) Patients (and their authorized representatives) must be able to use technology to download an ambulatory summary or inpatient summary (as applicable to the health IT setting for which certification is requested) in the following formats:
(i) Human readable format; and
(ii) The format specified in accordance to the standard specified in § 170.205(a)(4) and (5) following the CCD document template.
(2) When downloaded according to the standard specified in § 170.205(a)(4) and (5) following the CCD document template, the ambulatory summary or inpatient summary must include, at a minimum, the following data (which, for the human readable version, should be in their English representation if they associate with a vocabulary/code set):
(i) Ambulatory setting only. All of the data specified in paragraph (e)(1)(i)(A)(1), (2), (4), and (5) of this section.
(ii) Inpatient setting only. All of the data specified in paragraphs (e)(1)(i)(A)(1), and (3) through (5) of this section.
(3) Inpatient setting only. Patients (and their authorized representatives) must be able to download transition of care/referral summaries that were created as a result of a transition of care (pursuant to the capability expressed in the certification criterion specified in paragraph (b)(1) of this section).
(C) Transmit to third party. Patients (and their authorized representatives) must be able to:
(1) Transmit the ambulatory summary or inpatient summary (as applicable to the health IT setting for which certification is requested) created in paragraph (e)(1)(i)(B)(2) of this section in accordance with both of the following ways:
(i) Email transmission to any email address; and
(ii) An encrypted method of electronic transmission.
(2) Inpatient setting only. Transmit transition of care/referral summaries (as a result of a transition of care/referral as referenced by (e)(1)(i)(B)(3)) of this section selected by the patient (or their authorized representative) in both of the ways referenced (e)(1)(i)(C)(1)(i) and (ii) of this section).
(D) Timeframe selection. With respect to the data available to view, download, and transmit as referenced paragraphs (e)(1)(i)(A), (B), and (C) of this section, patients (and their authorized representatives) must be able to:
(1) Select data associated with a specific date (to be viewed, downloaded, or transmitted); and
(2) Select data within an identified date range (to be viewed, downloaded, or transmitted).
(ii) Activity history log.
(A) When any of the capabilities included in paragraphs (e)(1)(i)(A) through (C) of this section are used, the following information must be recorded and made accessible to the patient (or his/her authorized representative):
(1) The action(s) (i.e., view, download, transmission) that occurred;
(2) The date and time each action occurred in accordance with the standard specified in § 170.210(g);
(3) The user who took the action; and
(4) Where applicable, the addressee to whom an ambulatory summary or inpatient summary was transmitted.
(3) Patient health information capture. Enable a user to:
(f) Public health - (1) Transmission to immunization registries.
(i) Create immunization information for electronic transmission in accordance with:
(3) Transmission to public health agencies - reportable laboratory tests and values/results. Create reportable laboratory tests and values/results for electronic transmission in accordance with:
(4) Transmission to cancer registries. Create cancer case information for electronic transmission in accordance with:
(5) Transmission to public health agencies - electronic case reporting.
(iii) Case report creation. Create a case report for electronic transmission:
(B) That includes, at a minimum:
(1) The data classes expressed in the standards in § 170.213, and in accordance with § 170.205(a)(4) and (5), or
(2) The Common Clinical Data Set in accordance with § 170.205(a)(4) for the period until May 2, 2022.
(3) Encounter diagnoses. Formatted according to at least one of the following standards:
(i) The standard specified in § 170.207(i).
(ii) At a minimum, the version of the standard specified in § 170.207(a)(4).
(4) The provider's name, office contact information, and reason for visit.
(5) An identifier representing the row and version of the trigger table that triggered the case report.
(3) Safety-enhanced design.
(iii) One of the following must be submitted on the user-centered design processed used:
(iv) The following information/sections from NISTIR 7742 must be submitted for each capability to which user-centered design processes were applied:
(4) Quality management system.
(i) For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:
(5) Accessibility-centered design. For each capability that a Health IT Module includes and for which that capability's certification is sought, the use of a health IT accessibility-centered design standard or law in the development, testing, implementation and maintenance of that capability must be identified.
(6) Consolidated CDA creation performance. The following technical and performance outcomes must be demonstrated related to Consolidated CDA creation. The capabilities required under paragraphs (g)(6)(i) through (v) of this section can be demonstrated in tandem and do not need to be individually addressed in isolation or sequentially.
(i) This certification criterion's scope includes:
(C) The following data classes:
(1) Assessment and plan of treatment. In accordance with the “Assessment and Plan Section (V2)” of the standard specified in § 170.205(a)(4); or in accordance with the “Assessment Section (V2)” and “Plan of Treatment Section (V2)” of the standard specified in § 170.205(a)(4).
(2) Goals. In accordance with the “Goals Section” of the standard specified in § 170.205(a)(4).
(3) Health concerns. In accordance with the “Health Concerns Section” of the standard specified in § 170.205(a)(4).
(4) Unique device identifier(s) for a patient's implantable device(s). In accordance with the “Product Instance” in the “Procedure Activity Procedure Section” of the standard specified in § 170.205(a)(4).
(ii) Reference C-CDA match.
(iii) Document-template conformance.
(iv) Vocabulary conformance.
(7) Application access - patient selection. The following technical outcome and conditions must be met through the demonstration of an application programming interface (API).
(ii) Documentation - (A) The API must include accompanying documentation that contains, at a minimum:
(1) API syntax, function names, required and optional parameters and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns.
(2) The software components and configurations that would be necessary for an application to implement in order to be able to successfully interact with the API and process its response(s).
(8) Application access - data category request. The following technical outcome and conditions must be met through the demonstration of an application programming interface.
(i) Functional requirements.
(ii) Documentation - (A) The API must include accompanying documentation that contains, at a minimum:
(1) API syntax, function names, required and optional parameters and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns.
(2) The software components and configurations that would be necessary for an application to implement in order to be able to successfully interact with the API and process its response(s).
(9) Application access - all data request. The following technical outcome and conditions must be met through the demonstration of an application programming interface.
(i) Functional requirements.
(A) (1) Respond to requests for patient data (based on an ID or other token) for all of the data classes expressed in the standards in § 170.213 at one time and return such data (according to the specified standards, where applicable) in a summary record formatted in accordance with § 170.205(a)(4) and (5) following the CCD document template, and as specified in paragraphs (g)(9)(i)(A)(3)(i) through (iii) of this section, or
(2) The Common Clinical Data Set in accordance with paragraphs (g)(9)(i)(A)(3)(i) through (iv) of this section for the period until May 2, 2022, and
(3) The following data classes:
(i) Assessment and plan of treatment. In accordance with the “Assessment and Plan Section (V2)” of the standards specified in § 170.205(a)(4); or in accordance with the “Assessment Section (V2)” and “Plan of Treatment Section (V2)” of the standards specified in § 170.205(a)(4).
(ii) Goals. In accordance with the “Goals Section” of the standards specified in § 170.205(a)(4).
(iii) Health concerns. In accordance with the “Health Concerns Section” of the standards specified in § 170.205(a)(4).
(iv) Unique device identifier(s) for a patient's implantable device(s). In accordance with the “Product Instance” in the “Procedure Activity Procedure Section” of the standards specified in § 170.205(a)(4).
(ii) Documentation - (A) The API must include accompanying documentation that contains, at a minimum:
(1) API syntax, function names, required and optional parameters and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns.
(2) The software components and configurations that would be necessary for an application to implement in order to be able to successfully interact with the API and process its response(s).
(10) Standardized API for patient and population services. The following technical outcomes and conditions must be met through the demonstration of application programming interface technology.
(i) Data response.
(ii) Supported search operations.
(iv) Secure connection.
(v) Authentication and authorization - (A) Authentication and authorization for patient and user scopes - (1) First time connections - (i) Authentication and authorization must occur during the process of granting access to patient data in accordance with the implementation specification adopted in § 170.215(a)(3) and standard adopted in § 170.215(b).
(ii) An application capable of storing a client secret must be issued a refresh token valid for a period of no less than three months.
(2) Subsequent connections. (i) Access must be granted to patient data in accordance with the implementation specification adopted in § 170.215(a)(3) without requiring re-authorization and re-authentication when a valid refresh token is supplied by the application.
(ii) An application capable of storing a client secret must be issued a new refresh token valid for a new period of no less than three months.
(viii) Documentation.
(A) The API(s) must include complete accompanying documentation that contains, at a minimum:
(1) API syntax, function names, required and optional parameters supported and their data types, return variables and their types/structures, exceptions and exception handling methods and their returns.
(2) The software components and configurations that would be necessary for an application to implement in order to be able to successfully interact with the API and process its response(s).
(3) All applicable technical requirements and attributes necessary for an application to be registered with a Health IT Module's authorization server.
(2) Direct Project, Edge Protocol, and XDR/XDM - (i) Able to send and receive health information in accordance with:
[80 FR 62747, Oct. 16, 2015, as amended at 80 FR 76871, Dec. 11, 2015; 85 FR 25941, May 1, 2020]