Conditions & Maintenance of Certification

The 21^st Century Cures Act (Section 4002) requires the Secretary of Health and Human Services (HHS) to establish Conditions and Maintenance of Certification requirements for the ONC Health IT Certification Program. ONC has finalized the Conditions and Maintenance of Certification requirements to express initial requirements and ongoing requirements for health IT developers and their Certified Health IT Module(s). There are seven Conditions of Certification with accompanying Maintenance of Certification Requirements. ONC has not yet established an EHR Reporting Program for the seventh Conditions and Maintenance of Certification requirement; the EHR reporting criteria submission. Once ONC establishes such program, we will undertake rulemaking to propose and implement the associated Condition and Maintenance of Certification requirements for health IT developers.

The Conditions and Maintenance of Certification requirements, except for the Information Blocking and Assurances Conditions and Maintenance of Certification requirements, apply only to actions and behaviors of health IT developers related to their certified health IT as well as to the certified health IT itself. The Information Blocking and Assurances Conditions and Maintenance of Certification require that a health IT developer is responsible to ensure that all of its health IT and related actions and behaviors do not constitute information blocking or inhibit the appropriate access, exchange, and use of electronic health information (EHI).

The Conditions and Maintenance of Certification requirements are defined in Subpart D of the 21^st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). Furthermore, compliance dates have been updated per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency.

Regulation	Condition of Certification	Maintenance of Certification	Certification Companion Guide (CCG)	CCG Last Updated
Information Blocking	A health IT developer may not take any actions that constitutes “information blocking” as defined in Section 3022(a) of the Public Health Service Act (PHSA) and § 171.103 on or after April 5, 2021.	There are no accompanying Maintenance of Certification requirements beyond compliance with the Condition.	Guide	03-11-2024
Assurances	A health IT developer must: Provide assurances that it will not take any action that constitutes information blocking, or any other action that may inhibit the appropriate exchange, access, and use of electronic health information, Ensure full compliance and unrestricted implementation of certification criteria capabilities, Not take any action to interfere with a user’s ability to access or use certified capabilities, Certify a health IT product which electronically stores EHI to the §170.315(b)(10) criteria, and Not inhibit its customer’s timely access to interoperable health IT certified under the Program.	A health IT developer must: For a period of 10 years beginning from the date of certification, retain all records and information necessary that demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program, and Certify to the criterion in § 170.315(b)(10) by December 31, 2023, if a health IT product electronically stores EHI. Update a Health IT Module, once certified to a certification criterion, to all applicable revised certification criteria, including the most recently adopted capabilities and standards. Provide all Health IT Modules certified to a revised certification criterion to its customers of such certified health IT. Update and provide these updates in a timely manner as specified. For those certified to § 170.315(b)(11), starting January 1, 2025 and ongoing thereafter, review and update source attribute information, intervention risk management practices, and summary information.	Guide	03-11-2024
Communications	A health IT developer may not prohibit or restrict communication regarding the following subjects for Certified Health IT Modules: The usability of its health IT, The interoperability of its health IT, The security of the health IT, Relevant information regarding users’ experiences when using its health IT, The business practices of developers of health IT related to exchanging EHI, and The manner in which a user of the health IT has used such technology.	A health IT developer must: Notify all customers it will not enforce any communication or contract provision contravening the Communication Conditions of Certification requirements annually, beginning in calendar year 2021, up to an until the health IT developer amends the contract or agreement to remove or void the contravening contractual provisions, and Not establish, renew, or enforce any contract or agreement that contravenes the Communications Condition of Certification requirement, and must amend the contract or agreement when it is next modified for other reasons or renewed, as of June 30, 2020 to remove or void contravening contractual provisions.	Guide	03-11-2024
Application Programming Interfaces (APIs)	A health IT developer of a Health IT Module certified to any certification criteria adopted in § 170.315(g)(7) through (g)(10) must: Publish APIs and allow health information from such technology to be accessed, exchanged, and used without special effort, Publish complete business and technical documentation, via a publicly accessible hyperlink, Publish all terms and conditions for its certified API technology including material information and API Fees, Abide by permitted/prohibited API fees and keep for inspection detailed records of any fees charged with respect to the certified API technology, and Abide by openness and pro-competitive conditions.	A health IT developer of a Health IT Module that meets the requirements outlined in the Condition of Certification must comply with the following requirements: Authenticity verification and registration for production use, Service Base Uniform Resource Locator (URL) and related organizational details publication by December 31, 2024, Rollout of (g)(10)-Certified APIs by December 31, 2022, and Compliance to API Conditions of Certification for existing certified API technology by April 5, 2021.	Guide	03-11-2024
Real World Testing	A health IT developer with Health IT Module(s) certified to § 170.315(b), (c)(1) through (3), (e)(1), (f), (g)(7) through (10), and (h) must: successfully test the real world use of the technology for interoperability in the type of setting in which such technology would be marketed.	A health IT developer that meets the requirements outlined in the Condition of Certification must: Submit its Real World Testing plan to its ONC-Authorized Certification Body (ONC-ACB) by a date that enables the ONC-ACB to publish the plan on the Certified Health IT Products List (CHPL) no later than December 15 of each calendar year. Initial Real World Testing plans may be posted through December 15, 2021. Report its Real World Testing results to its ONC-ACB by a date that enables the ONC-ACB to publish the results on the CHPL no later than March 15 of each calendar year. Results from initial Real World Testing from the 2022 performance year may be posted through March 15, 2023, Standards Version Advancement Process A health IT developer with health IT certified to § 170.315(b), (c)(1) through (3), (e)(1), (f), (g)(7) through (10), and/or (h) is permitted to update its certified health IT criteria to newer versions of standards than what has been incorporated by reference in § 170.299 if the newer versions of the standard(s) has been approved for use in the ONC Health IT Certification Program by the national coordinator. A health IT developer seeking to have its health IT certified to § 170.315(b), (c)(1) through (3), (e)(1), (f), (g)(7) through (10), and/or (h) may certify to a newer version of any adopted standard(s) without first obtaining certification to the standard(s) and implementation specifications that have been incorporated by reference in § 170.299 if the newer version of the standard(s) has been approved for use in the ONC Health IT Certification Program by the National Coordinator.	Guide	03-11-2024
Attestation	A health IT developer must attest, as applicable, to compliance with the Conditions and Maintenance of Certification related to: (1) Information Blocking, (2) Assurances, (3) Communications, (4) API, and (5) Real World Testing.	A health IT developer must submit their attestations every six months as of the first attestation window beginning on April 1, 2022.	Guide	03-11-2024
Insights Condition	A health IT developer must submit for each reporting period: Responses for specified measures, and/or An attestation response that it does not meet minimum reporting qualifications or have health IT certified to the criteria specified in each measure.	A health IT developer must provide responses to the Insights Condition of Certification annually for any Health IT Module that has or has had an active certification at any time under the Certification Program during the prior six months. A health IT developer must provide responses for measures specified in: § 170.407(a)(3)(i), (iii), (iv)(A) and (B), and (vi) of beginning July 2027; § 170.407(a)(3)(ii)(A) through (C), (iv)(C), (v), (vi)(A) and (B), and (vii) of beginning July 2028; and § 170.407 (a)(3)(ii)(D), (vii)(A) beginning July 2029.	Coming soon

Certification of Health IT

Health Information Technology Advisory Committee (HITAC)

Health Equity

HTI-1 Final Rule

Information Blocking

Interoperability

Patient Access to Health Records

Clinical Quality and Safety

Health IT and Health Information Exchange Basics

Health IT in Health Care Settings

Health IT Resources

Laws, Regulation, and Policy

ONC Funding Opportunities

ONC HITECH Programs

Privacy, Security, and HIPAA

Scientific Initiatives

Standards & Technology

Usability and Provider Burden

Key Links

Conditions & Maintenance of Certification

Connect with us: