§ 170.406 Attestations

Updated on 03-11-2024
Version # Description of Change Version Date
1.0

Initial publication
06-15-2020
1.1

Updated compliance date per the Interim Final Rule with Comment Period (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency.
11-02-2020
1.2

Updated to provide additional clarity on the Attestations Condition and Maintenance of Certification requirements. 
03-12-2021
1.3

Updated to provide additional clarity on the Attestations Condition and Maintenance of Certification requirements and a link to the Attestations Fact Sheet.
03-30-2022
1.4

Updated to provide additional clarity on a noncompliance to a Condition and Maintenance of Certification, as well as on the attestation options for the Assurances Condition and Maintenance of Certification.
04-20-2022
1.5

Updated Attestations window.
08-29-2022
1.6

Updates to reflect changes outlined in Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule
02-08-2024
Regulation Text
Regulation Text

§ 170.406 Attestations —

  1. Condition of Certification requirement. A health IT developer, or its authorized representative that is capable of binding the health IT developer, must provide the Secretary an attestation of compliance with the following Conditions and Maintenance of Certification requirements:
    1. Section 170.401;
    2. Section 170.402, but only for § 170.402(a)(4) and (b)(2) if the health IT developer certified a Health IT Module(s) that is part of a health IT product which can store electronic health information;
    3. Section 170.403;
    4. Section 170.404 if the health IT developer has a Health IT Module(s) certified to any of the certification criteria adopted in § 170.315(g)(7) through (10); and such health IT developer must also ensure that health IT allows for health information to be exchanged, accessed, and used, in the manner described in § 170.404; and
    5. Section 170.405 if a health IT developer has a Health IT Module(s) certified to any one or more ONC Certification Criteria for Health IT in § 170.315(b), (c)(1) through (3), (e)(1), (f), (g)(7) through (10), and (h).
  2. Maintenance of Certification requirement.
    1. A health IT developer, or its authorized representative that is capable of binding the health IT developer, must provide the attestation specified in paragraph (a) of this section semiannually for any Health IT Modules that have or have had an active certification at any time under the ONC Health IT Certification Program during the prior six months.
    2. [Reserved].
Standard(s) Referenced
Standards Referenced

None

Revision History
Version # Description of Change Version Date
1.0

Initial publication
06-15-2020
1.1

Updated compliance date per the Interim Final Rule with Comment Period (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency.
11-02-2020
1.2

Updated to provide additional clarity on the Attestations Condition and Maintenance of Certification requirements. 
03-12-2021
1.3

Updated to provide additional clarity on the Attestations Condition and Maintenance of Certification requirements and a link to the Attestations Fact Sheet.
03-30-2022
1.4

Updated to provide additional clarity on a noncompliance to a Condition and Maintenance of Certification, as well as on the attestation options for the Assurances Condition and Maintenance of Certification.
04-20-2022
1.5

Updated Attestations window.
08-29-2022
1.6

Updates to reflect changes outlined in Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule
02-08-2024
Regulation Text
Regulation Text

§ 170.406 Attestations —

  1. Condition of Certification requirement. A health IT developer, or its authorized representative that is capable of binding the health IT developer, must provide the Secretary an attestation of compliance with the following Conditions and Maintenance of Certification requirements:
    1. Section 170.401;
    2. Section 170.402, but only for § 170.402(a)(4) and (b)(2) if the health IT developer certified a Health IT Module(s) that is part of a health IT product which can store electronic health information;
    3. Section 170.403;
    4. Section 170.404 if the health IT developer has a Health IT Module(s) certified to any of the certification criteria adopted in § 170.315(g)(7) through (10); and such health IT developer must also ensure that health IT allows for health information to be exchanged, accessed, and used, in the manner described in § 170.404; and
    5. Section 170.405 if a health IT developer has a Health IT Module(s) certified to any one or more ONC Certification Criteria for Health IT in § 170.315(b), (c)(1) through (3), (e)(1), (f), (g)(7) through (10), and (h).
  2. Maintenance of Certification requirement.
    1. A health IT developer, or its authorized representative that is capable of binding the health IT developer, must provide the attestation specified in paragraph (a) of this section semiannually for any Health IT Modules that have or have had an active certification at any time under the ONC Health IT Certification Program during the prior six months.
    2. [Reserved].
Standard(s) Referenced
Standards Referenced

None

Certification Companion Guide: Attestations

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product certification. The CCG is not a substitute for the requirements outlined in regulation and related ONC final rules. It extracts key portions of ONC final rules’ preambles and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Regulations page for links to all final rules or consult other regulatory references as noted. The CCG is for public use and should not be sold or redistributed.

Link to Attestations Fact Sheet
Attestations Resource Guide
Attestation Requirements

The health IT developer must provide an attestation of compliance with the Conditions and Maintenance of Certification requirements found in 45 CFR § 170.401, 170.402, 170.403, 170.404, and 170.405. For additional details related to the attestation requirements of each Condition and Maintenance of Certification specific to § 170.401 through 170.405 please refer to the specific Condition’s CCG.

Certification Requirements

Applicability: Applies to all health IT developers of certified health IT.

Attestation Requirements

The health IT developer must provide an attestation of compliance with the Conditions and Maintenance of Certification requirements found in 45 CFR § 170.401, 170.402, 170.403, 170.404, and 170.405. For additional details related to the attestation requirements of each Condition and Maintenance of Certification specific to § 170.401 through 170.405 please refer to the specific Condition’s CCG.

Certification Requirements

Applicability: Applies to all health IT developers of certified health IT.

Condition Explanations and Clarifications

Applies to Entire Condition

Clarifications:

  • Certified Health IT Developers will attest twice a year to compliance with the Condition(s) and Maintenance of Certification requirements.
    • § 170.401 Information blocking
    • § 170.402 Assurances
    • § 170.403 Communications
    • § 170.404 Application programming interfaces
    • § 170.405 Real World Testing
  • Developers will be able to submit their attestations within a designated 30-day window twice a year for purposes of compliance, with developers attesting for the period of the previous six months during that window.
    • These attestation windows occur during the months of April and October. April attestations will cover the months of October–March, while October attestations will cover April–September. Note that ONC extends the October attestation window to allow developers to submit their attestations through October 31.
  • Attestations will be submitted to ONC-Authorized Certification Bodies (ONC-ACBs), and ONC will then make the attestations status publicly available through the Certified Health IT Product List (CHPL).
    • ONC will provide a web-based form and method for health IT developers to submit attestations in an efficient manner for ONC-ACBs’ review.
    • ONC will provide a method for developers to indicate their compliance, noncompliance, or the inapplicability of each Condition and Maintenance of Certification as it applies to all or each of their Health IT Modules certified under the Certification Program.
  • Certified Health IT Developers provide their attestation based on the Conditions and Maintenance of Certification that apply to them for all their active certification(s) during a specified attestation period. A requirement is either applicable to the Certified Health IT Developer for one or more of its active certification(s), or it is not.
    • Certified Health IT Developers must indicate noncompliance for a Condition and Maintenance of Certification requirement if they were not compliant with the requirement at any point during the specified attestation period, regardless of the status of a corrective action plan (CAP) under the Certification Program.
    • Certified Health IT Developers who have completed or are undergoing corrective actions are unlikely to trigger ONC Direct Review for a noncompliance selection if it has already been fully addressed through corrective actions to regain Certification Program compliance. 
  • All attestations must be approved and submitted by an officer, employee, or other representative the developer has authorized to make a binding attestation(s) on behalf of the Certified Health IT Developer.

Clarifications:

  • Certified Health IT Developers will attest twice a year to compliance with the Condition(s) and Maintenance of Certification requirements.
    • § 170.401 Information blocking
    • § 170.402 Assurances
    • § 170.403 Communications
    • § 170.404 Application programming interfaces
    • § 170.405 Real World Testing
  • Developers will be able to submit their attestations within a designated 30-day window twice a year for purposes of compliance, with developers attesting for the period of the previous six months during that window.
    • These attestation windows occur during the months of April and October. April attestations will cover the months of October–March, while October attestations will cover April–September. Note that ONC extends the October attestation window to allow developers to submit their attestations through October 31.
  • Attestations will be submitted to ONC-Authorized Certification Bodies (ONC-ACBs), and ONC will then make the attestations status publicly available through the Certified Health IT Product List (CHPL).
    • ONC will provide a web-based form and method for health IT developers to submit attestations in an efficient manner for ONC-ACBs’ review.
    • ONC will provide a method for developers to indicate their compliance, noncompliance, or the inapplicability of each Condition and Maintenance of Certification as it applies to all or each of their Health IT Modules certified under the Certification Program.
  • Certified Health IT Developers provide their attestation based on the Conditions and Maintenance of Certification that apply to them for all their active certification(s) during a specified attestation period. A requirement is either applicable to the Certified Health IT Developer for one or more of its active certification(s), or it is not.
    • Certified Health IT Developers must indicate noncompliance for a Condition and Maintenance of Certification requirement if they were not compliant with the requirement at any point during the specified attestation period, regardless of the status of a corrective action plan (CAP) under the Certification Program.
    • Certified Health IT Developers who have completed or are undergoing corrective actions are unlikely to trigger ONC Direct Review for a noncompliance selection if it has already been fully addressed through corrective actions to regain Certification Program compliance. 
  • All attestations must be approved and submitted by an officer, employee, or other representative the developer has authorized to make a binding attestation(s) on behalf of the Certified Health IT Developer.

Paragraph (a) Condition of Certification requirement

Clarifications:

  • The Assurances Condition and Maintenance of Certification requirements described in 45 CFR 170.402 apply to all Certified Health IT Developers. 
  • There are two compliance options to distinguish between Certified Health IT Developers that meet the condition of § 170.402(a)(4) requiring certification to the § 170.315(b)(10) Electronic Health Information (EHI) Export criterion and must also meet the maintenance requirements of § 170.402(b)(2) to provide the new functionality to their customers, and those Certified Health IT Developers who do not need to certify to the EHI Export criterion.

Clarifications:

  • The Assurances Condition and Maintenance of Certification requirements described in 45 CFR 170.402 apply to all Certified Health IT Developers. 
  • There are two compliance options to distinguish between Certified Health IT Developers that meet the condition of § 170.402(a)(4) requiring certification to the § 170.315(b)(10) Electronic Health Information (EHI) Export criterion and must also meet the maintenance requirements of § 170.402(b)(2) to provide the new functionality to their customers, and those Certified Health IT Developers who do not need to certify to the EHI Export criterion.

Paragraph (b) Maintenance of Certification requirement

Clarifications:

  • There are no additional clarifications.

Clarifications:

  • There are no additional clarifications.