Read about OpenEMR's Response to the COVID-19 Pandemic at

Message Digest & Encryption

Hello there,

I was wondering if someone could answer the questions about the certification requirements for OpenEMR, I haven’t been able to find an answer to:

  1. Create a message digest in accordance with the standard specified in §170.210©(2). More details are here.
  2. Message-level. Encrypt and integrity protect message contents in accordance with the standards specified in §170.210(a)(2) and ©(2). More details are here.

Thanks! from

Thanks, that’s what I was looking for…

Seems that one of the related criteria (170.315(d)(8) Integrity) is explicitly requiring SHA-2 algorithm for hashing.

Can anyone please confirm that the latest OpenEMR is compliant with this requirement?

170.315(d)(8) Integrity – The hashing algorithm listed was SHA-1. The minimum version required is SHA-2. You will need to update your product to support one of the following SHA-2 algorithms in order to be granted certification to (d)(8):

o SHA-224,
o SHA-256
o SHA-384
o SHA-512
o SHA-512/224
o SHA-512/256

I’m not sure about messaging but it would appear that user passwords use sha-1.

If you look in openemr/library/authentication/ you can find it in the password_hashing.php file. I imagine it wouldn’t be too much of an undertaking to move to switch to sha-2.

1 Like

hi @igorjovanovic,

that’s for 2015 CEHRT but not part of the base EHR definition which is what we are shooting for this year. OpenEMR did achieve 2014 CEHRT which supports 170.314(d)(8)

Thanks @stephenwaite,

So, the answer to my / sha-2 question is yes?

Hi @igorjovanovic ,

If I’m understanding this correctly OpenEMR is currently compliant with 170.314(d)(8) under meaningful use 2.

You’re looking for compliance with 170.315(d)(8), under meaningful use 3. I believe meaningful use 3 requirements were only finalized earlier this month.

Meaningful Use 3 compliance/certification is in the works. It’s just a matter of finding the developer hours to get it all implemented.

Is your question more about the status of meaningful use 3 or SHA-2 messaging specifically? If it’s something you need sooner rather than later, google summer of code is about to start. You could see if one of participants wants to take on updating from SHA-1 to SHA-2 as part of their project.

Are you on slack? If you have more questions about meaningful use and certification maybe we could start a slack channel to discuss further:

Many thanks Rachel!

Yes, we’re interested in implementing SHA-2 as per 170.315 (d)(8) and are willing to dedicate developer hours for the task.

Can you share more details, including the requirements?


the ink isn’t dry on the cures act and it’s not yet published in the federal register so there’s no up to date info for testing but there’s this:

Hi Igor,

So reading the below link, which may not be the most up to date given the recent finalization:

“Technical outcome – The health IT can create a message digest using a hashing algorithm with security strength equal or greater than SHA-2.”

“Technical outcome – The health IT must be able to verify, in accordance with a hashing algorithm with security strength equal or greater than SHA-2, that information has not been altered or changed in any way.”

Under the clarification section:

  • This criterion is intended to support the HIPAA Security Rule implementation specification provided at 45 CFR 164.312 (e)(2)(i) “[i]mplement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.” Because this certification criterion specifies a capability that certified health IT must include, we do not believe that it is necessary or appropriate for us to address whether hashing is applicable to public and private networks. [see also 75 FR 44620]
  • Certification only ensures that a Health IT Module can create hashes using SHA-2, and it does not require the use of SHA-2. For example, users of certified health IT may find it appropriate to continue to use SHA-1 for backwards compatibility if their security risk analysis justifies the risk. [see also 80 FR 62657]

If you look a the bolded portion, it seems that the requirement states that you need to be able to use SHA2, but it doesn’t need to force the clinician to use it. I’m also interpreting that you don’t need to go back and apply it retroactively to older messages.