In the first part of the blog series, we presented a broad view of the two categories on which the 21st Century Cures Act Final Rules are based – an open technology ecosystem and information blocking.

The reporting period has been extended to help healthcare IT vendors prioritize COVID19 responses; however, it’s crucial to start planning and preparing to meet the requirements to avoid last-minute hassles.

In the second part of the series, we will break down the new certification criteria focused on the broader themes of interoperability and authentication.

Seamless exchange of EHI

This new criterion will enable the export of electronic health information of patients during standard workflows or migration of healthcare IT systems. A provision is also to be included to export the data without any assistance from the healthcare IT vendor. To overcome any privacy concerns, the healthcare vendor must restrict access to a chosen few users who will export the data. The exported data has to be formatted with structure and syntax that is easily identifiable by any healthcare IT system (recipient). This new criterion alludes to the importance the ONC has placed on ensuring privacy and enabling greater accessibility of EHI as patients move from provider to provider. This criterion will also serve to curb any anti-competitive behaviors among healthcare IT vendors.

Fortified authentication measures

There are two new criteria on authentication – encryption of authentication credentials and multi-factor authentication (MFA). Healthcare IT vendors need to attest as “Yes” that their system encrypts stored authentication credentials. If they attest as “No,” they should state, for example, that their healthcare IT system does not support authentication credentials. In the same vein, they need to attest as “Yes” to supporting authentication using multiple elements of the user’s identity. If they attest as “No,” they should provide context as to why, for example, that their system does not support multi-factor authentication since it is engaged in system-to-system public health reporting, and hence MFA is not applicable. These criteria will ensure confidentiality and authenticity of data, as well as protect against cybercrimes.

An open interface for an easy transition

This criterion is regarding the standardization of Application Programming Interface (API) for patient and population services. It will enable healthcare IT developers to publish the APIs and allow EHI to be easily transported and used wherever required to offer optimum care. Along with the API, FHIR (Fast Healthcare Interoperability Resources) server endpoints for all customers are required to be publicly available. This criterion will create a more open environment for healthcare IT vendors to collaborate and communicate safely. There will no longer be any silos of EHI, allowing seamless transmission across devices, anywhere in the world.

Besides these, the USDCI, which provides more comprehensive patient information, will now replace the Common Clinical Data Set (CCDS). We will discuss this in greater detail in the next blog in the series.

Begin the journey now…

Better outcomes are not easy. They need a relentless focus on offering best-in-class care and ensuring that health data travels wherever it will be most useful for the patient. These final rules will ensure greater transparency and security for all in the healthcare ecosystem, and not just for the patients. As leaders in healthcare transformation, HealthAsyst can offer the guidance and remediation support required to meet these requirements and ensure the deadlines are met way ahead of time. Please write to us at to start the countdown to compliance.

Note: The New Certification Criteria is true as on date November 18, 2020. Any updates to the New Certification Criteria will reflect on this blog as it takes place.

With inputs from I.V. Chandra Mouli, Senior Manager (QA)

Sridhar R.

Sridhar has spent close to a decade in helping some of the leading healthcare technology organizations in software setup, implementation, planning and training. He has also served as an advisor for several organizations helping them complete EHR Incentives Program Implementation for MU, PQRS, HEDIS, MIPS, MACRA, CPC+ VBC.
Close Menu