Skip to main content
U.S. flag

An official website of the United States government

Return to Search

#38 Question [2-13-038-1] How will compliance to the ONC Applicability Statement for Secure Health Transport standard adopted at 45 CFR 170.202(a), and included in such certification criteria as “Transitions of Care” (45 CFR 170.314(b)(1) and (2)) be tested and certified with respect to header protection specified in RFC 5751 section 3.1 (more commonly referred to as “message wrapping”)?

Guidance for how will compliance to the ONC Applicability Statement for Secure Health Transport standard adopted at 45 CFR 170.202(a), and included in such certification criteria as “Transitions of Care” (45 CFR 170.314(b)(1) and (2)) be tested and certified with respect to header protection specified in RFC 5751 section 3.1

Final

Issued by: Office of the National Coordinator (ONC) of Health Information Technology

#38 Question [2-13-038-1]

How will compliance to the ONC Applicability Statement for Secure Health Transport standard adopted at 45 CFR 170.202(a), and included in such certification criteria as “Transitions of Care” (45 CFR 170.314(b)(1) and (2)) be tested and certified with respect to header protection specified in RFC 5751 section 3.1 (more commonly referred to as “message wrapping”)?

The ONC Applicability Statement for Secure Health Transport standard 1 adopted at 45 CFR 170.202(a) requires that Security/Trust Agents “(STAs)”2 support S/MIME v3.2 as specified by RFC 5751 3 [January 2010 version]. RFC 5751 details a method called “message wrapping” for protecting information contained in the header fields of a message, such as the “Subject.” In implementing the ONC Applicability Statement for Secure Health Transport standard and per its reference to RFC 5751, STAs:

  • MAY employ message wrapping when sending Direct messages, and
  • SHOULD be able to appropriately process any wrapped messages received.

We expect testing and certification to follow these requirements with respect to message wrapping. Since the requirements are not absolute (i.e., neither capability is a “MUST”), an STA implementation submitted for testing and certification that indicates it does not perform these functions will not “fail” testing. However, such an STA will still be subject to tests related to the proper sending and receiving of “unwrapped” Direct messages.

While RFC 5751 does not require (with a “MUST”) that STAs be capable of processing wrapped messages that are received, the use of “SHOULD” in the RFC indicates that support of such capability is recommended. From an interoperability perspective, we note that if an STA chooses not to support wrapped messages it risks not being able to handle both types of messages that could be sent by others – wrapped and unwrapped. Thus, we strongly encourage all STA implementations submitted for testing and certification to support processing of both wrapped and unwrapped messages upon receipt. We understand that testing will accommodate this approach and include appropriate tests for implementations that indicate they support receiving wrapped messages.

Last updated: 02/06/13

1. Version 1.1 was adopted in the 2014 Edition Standards and Certification Criteria Final Rule and is accessible at: http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov_dir…

2. Which are Message Transfer Agents, Message Submission Agents, or Message User Agents supporting security and trust for a transaction conforming to the Applicability Statement for Secure Health Transport

3. https://tools.ietf.org/html/rfc5751Web Site Disclaimers

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.