ONC Certification Compliance Documentation for Vizlitics Inc
This document provides details on the ONC Compliance by Vizlitics Inc for its Cancer Insights product. Text in blue provides details on the efforts undertaken by Vizlitics Inc.
To ensure minimum standards for safe and effective healthcare software, you and your Apps must meet the ONC certification criteria listed below.
The Vizlitics team has made a concerted effort to follow and implement technology that complies with ONC guidelines. The documentation below lists the compliance steps that Vizlitics has undertaken as part of the Cancer Insights app.
For each App you submit, you must provide one of the following for Epic, Community Members, and users to review:
Vizlitics has appended to this document its implementation of ONC guidelines in the Cancer Insights app.
Epic or Community Members may review documentation supplied by you at any time to ensure you meet these criteria. If documentation you supply is missing or inaccurate, Epic or Community Members may take action on your App, including notifying users of your App's non-compliance, or suspending your App until the issue can be resolved.
Cancer Insights allows users to export their medical history as PDF files. Users can export individual records or their complete data, as required. All exported data is downloadable in the form of PDF files. CCD documents are available on demand for users to download.
45 CFR 170.315 (d)(1) (Authentication, Access Control, Authorization): "Verify against a unique identifier(s) (e.g., username or number) that a user seeking access to electronic health information is the one claimed; and [...] establish the type of access to electronic health information a user is permitted based on the unique identifier(s) provided"
Cancer Insights offers a comprehensive suite of authentication, access control and authorization capabilities. The app requires each user to set up their account with a verified email address, a verified phone number and a strong password. The phone number is used to send a passcode during the account setup process. Users log into the Cancer Insights app with a valid username and password combination. All access to medical records through Cancer Insights is managed through authenticated and authorized access to the app.
45 CFR 170.315 (d)(2) (Auditable Events and Tamper-resistance): "The health IT records actions pertaining to electronic health information [...] when health IT is in use; changes to user privileges when health IT is in use; and records the date and time [each action occurs]. [...] The health IT records the audit log status [...] when the audit log status is changed and records the date and time each action occurs. [...] The health IT records the information [...] when the encryption status of locally stored electronic health information on end-user devices is changed and records the date and time each action occurs."
Cancer Insights logs all actions performed by the end user, including the date and time of login, records read, and records edited or updated. Only the user who entered a record has edit access to it. In addition, any authorized user who is part of the care team has access to view or edit the record.
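As an added illustration of what the (d)(2) criterion asks for, and not Vizlitics' own code, the following Python sketch shows an audit trail that records actor, action, target and a UTC timestamp for each event type the criterion names (record access and updates, privilege changes, audit-log status changes, device encryption status changes), and that is tamper-evident: each entry stores the SHA-256 hash of the entry before it, so any edit, reordering or deletion of an earlier entry is detected by verify(). The user identifiers and record ids are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only audit trail in which each entry commits to the previous entry's hash.

    Each record carries the actor, the action, the target and a UTC timestamp.
    Because every entry stores the hash of the one before it, editing, reordering
    or deleting an earlier entry breaks the chain, and verify() reports the first
    index at which the chain no longer holds.
    """

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self, clock=None):
        self.entries = []
        # clock is injectable so tests can use a fixed time; default is real UTC time
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, actor, action, target, detail=None):
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": self.clock().isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "detail": detail or {},
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        expected_prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != expected_prev or entry["hash"] != self._digest(entry):
                return False, i
            expected_prev = entry["hash"]
        return True, None


def build_sample_log(clock=None):
    """Constructed sample covering the event types named in 45 CFR 170.315(d)(2)."""
    log = AuditLog(clock)
    log.record("alice@example.com", "login", "session")
    log.record("alice@example.com", "read", "record/42")
    log.record("alice@example.com", "update", "record/42", {"field": "medication"})
    log.record("admin@example.com", "privilege_change", "user/bob@example.com", {"role": "care_team"})
    log.record("admin@example.com", "audit_log_status", "audit_log", {"enabled": True})
    log.record("system", "device_encryption_status", "device/tablet-01", {"encrypted": True})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["target"] = "record/43"  # simulate an after-the-fact edit
    print("after tampering:", log.verify())
```

In a real deployment the chain head (the latest hash) would be copied periodically to storage the application cannot write to, otherwise an attacker with write access to the whole log could simply rebuild the chain after editing it; the hash chain alone only detects tampering, it does not prevent it.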
45 CFR 170.315 (d)(5) (Automatic Access Time-out): "Automatically stop user access to health information after a predetermined period of inactivity. [...] Require user authentication in order to resume or regain the access that was stopped."
Cancer Insights has an auto time-out function that logs out an inactive user after a certain period of inactivity.
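The following Python example, added here and not Vizlitics' implementation, shows both halves of the (d)(5) criterion in a server-side session store: every request calls touch(), which refreshes the idle clock while the session is live and stops access once the inactivity limit is exceeded, and a stopped session only answers requests again after resume() succeeds with a fresh password check. The 15-minute limit, the user table and the password are constructed assumptions; the page gives no specific values.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

IDLE_LIMIT_SECONDS = 15 * 60  # hypothetical value; the page states no specific period


def hash_password(password, salt=None):
    """PBKDF2-SHA256 password hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Session:
    user_id: str
    last_activity: float
    authenticated: bool = True


class SessionStore:
    """Server-side sessions with an inactivity time-out.

    touch() is called on every request: it refreshes the idle clock while the
    session is live and stops access once the idle limit is exceeded. A stopped
    session keeps its token but answers False until resume() succeeds with a
    fresh password check (the "require user authentication to resume or regain
    access" half of the criterion).
    """

    def __init__(self, users, idle_limit=IDLE_LIMIT_SECONDS, clock=time.time):
        self.users = users            # user_id -> (salt, digest)
        self.idle_limit = idle_limit
        self.clock = clock            # injectable for deterministic tests
        self.sessions = {}            # token -> Session

    def _credentials_ok(self, user_id, password):
        rec = self.users.get(user_id)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def login(self, user_id, password):
        if not self._credentials_ok(user_id, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, self.clock())
        return token

    def touch(self, token):
        """Return True if access may continue; False if it has been stopped."""
        s = self.sessions.get(token)
        if s is None:
            return False
        now = self.clock()
        if not s.authenticated or now - s.last_activity > self.idle_limit:
            s.authenticated = False   # access stopped; token kept so the user can resume
            return False
        s.last_activity = now
        return True

    def resume(self, token, password):
        """Regain stopped access only after the user re-authenticates."""
        s = self.sessions.get(token)
        if s is None or not self._credentials_ok(s.user_id, password):
            return False
        s.authenticated = True
        s.last_activity = self.clock()
        return True

    def logout(self, token):
        self.sessions.pop(token, None)


# Constructed user table for the example (not real credentials).
USERS = {"alice@example.com": hash_password("correct-horse-battery")}
```

Keeping the time-out check on the server (in touch()) rather than only in the client UI matters: a client-side timer can be bypassed, whereas a server that refuses to serve a stale token stops access regardless of what the client does.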
45 CFR 170.315 (d)(7) (End-user Device Encryption): "Technology that is designed to locally store electronic health information on end-user devices must encrypt the electronic health information stored on such devices after use of the technology on those devices stops [or] technology is designed to prevent electronic health information from being locally stored on end-user devices after use of the technology on those devices stops."
Cancer Insights does not store data on the end-user device. All access to data is provided through the Cancer Insights app's connection to secure cloud servers, using an authenticated token over HTTPS and SSL protocols.
EMR data retrieved by Cancer Insights is read-only.
45 CFR 170.315 (d)(9) (Trusted Connection): "Health IT needs to provide a level of trusted connection using either 1) encrypted and integrity message protection or 2) a trusted connection for transport."
EHR data is secured both at rest (on the device) and in motion (during transport). Cancer Insights uses OAuth2 and the HTTPS protocol during transit, and a unique token is generated for the duration of the user's active session to ensure trusted access.
45 CFR 170.315 (g)(3) (Safety-enhanced Design): "User-centered design processes must be applied to each capability technology."
Cancer Insights follows a well-defined user experience design philosophy to create an engaging and empowering user experience.
45 CFR 170.315 (g)(4) (Quality Management System): "For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified."
Cancer Insights design, development, testing and maintenance follow a rigorous QMS process that is deeply embedded in every aspect of product creation and rollout. The technical team has undergone extensive learning and hands-on sessions to ensure a high-quality product is built, delivered and supported.
45 CFR 170.315 (g)(5) (Accessibility-centered Design): "The use of a health IT accessibility-centered design standard or law in the development, testing, implementation and maintenance of that capability must be identified."
Cancer Insights offers accessibility features that enable users with certain disabilities to use the app.
45 CFR 170.315 (g)(7) (Application Access - Patient Selection): "The technology must be able to receive a request with sufficient information to uniquely identify a patient and return an ID or other token that can be used by an application to subsequently execute requests for that patient's data."
Through a unique patient authentication and authorization process, together with key patient identifiers, we ensure that a unique token is created and that all subsequent data requests refer to that token and the patient ID.
45 CFR 170.315 (g)(8) (Application Access - Data Category Request): "Respond to requests for patient data (based on an ID or other token) for each of the individual data categories specified in the Common Clinical Data Set and return the full set of data for that data category (according to the specified standards, where applicable) in a computable format."
We leverage Epic FHIR APIs to request patient data for each individual category in an applicable format.
45 CFR 170.315 (g)(9) (Application Access - All Data Request): "Respond to requests for patient data (based on an ID or other token) for all of the data categories specified in the Common Clinical Data Set at one time and return such data (according to the specified standards, where applicable) in a summary record formatted [...] following the CCD document template."
We leverage Epic FHIR APIs to request data in an applicable format.
45 CFR 170.523 (k)(1) (Pricing Transparency): "Any additional types of costs that an EP, EH, or CAH would pay to implement the Complete EHR's or EHR Module's capabilities in order to attempt to meet meaningful use objectives and measures."
Vizlitics provides complete pricing transparency into its product implementation and use.
45 CFR 170.523 (n) (Complaint Process): "Submit a list of complaints received to the National Coordinator on a quarterly basis each calendar year that includes the number of complaints received, the nature/substance of each complaint, and the type of complainant for each complaint."
Vizlitics documents any and all complaints and promptly submits them to the National Coordinator.