So reading the below link, which may not be the most up to date given the recent finalization:
“Technical outcome – The health IT can create a message digest using a hashing algorithm with security strength equal or greater than SHA-2.”
“Technical outcome – The health IT must be able to verify, in accordance with a hashing algorithm with security strength equal or greater than SHA-2, that information has not been altered or changed in any way.”
Under the clarification section:
- This criterion is intended to support the HIPAA Security Rule implementation specification provided at 45 CFR 164.312 (e)(2)(i) “[i]mplement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.” Because this certification criterion specifies a capability that certified health IT must include, we do not believe that it is necessary or appropriate for us to address whether hashing is applicable to public and private networks. [see also 75 FR 44620]
Certification only ensures that a Health IT Module can create hashes using SHA-2, and it does not require the use of SHA-2. For example, users of certified health IT may find it appropriate to continue to use SHA-1 for backwards compatibility if their security risk analysis justifies the risk. [see also 80 FR 62657]
If you look a the bolded portion, it seems that the requirement states that you need to be able to use SHA2, but it doesn’t need to force the clinician to use it. I’m also interpreting that you don’t need to go back and apply it retroactively to older messages.