The ONC Health IT Certification Program (Certification Program) is a voluntary program that outlines specific standards and functionality defined in regulation to which developers can certify conformance. In turn, providers can use these certified products in the delivery of care and information sharing, and use these products to meet incentive program requirements, such as CMS’s Promoting Interoperability program.
Developers that make the decision to participate in the Certification Program have several steps to consider as they go through the process of certification. The following outlines at a high level the process of obtaining and maintaining certification. This list is meant to demonstrate the various elements and moving parts that make up participation in the Certification Program and does not capture the full extent of the requirements for participation. Please refer to a developer’s ONC-ACB or the regulation outlined in 45 CFR Part 170 for further details. For more details regarding the Certification Program, please review this overview.
Available Criteria for Certification
The Certification Program outlines several criteria that are available for use in the certification of a developer’s health IT module or product. It is up to the developer to determine for what criteria they wish to seek certification. For example, based on the needs of its customers or desire to meet requirements for incentive programs that leverage certified health IT, a developer may determine what criteria are most appropriate for their products. For example, several external programs reference the Base EHR Definition as a list of requirements for certified technology. Developers should review relevant regulatory programs that may influence their certification decisions.
Review active Certification Criteria for Health IT
Registration with an ONC-ACB and ONC-ATL
ONC-Authorized Testing Laboratories (ONC-ATLs) are authorized by ONC to test Health IT Modules’ conformance to criterion requirements under the Certification Program. ONC-Authorized Certification Bodies (ONC-ACBs) are authorized by ONC to make certification decisions based on the health IT’s conformity to Certification Program requirements. Once a certification is issued by an ONC-ACB, the ONC-ACB is required to ensure continued conformity of the certified health IT, which may include surveillance activities. Developers must register with an ONC-ACB and ONC-ATL to test and assess conformance to the requirements of the Certification Program.
Dependent Criteria
Under the Certification Program, a Health IT Module presented for certification certify for specific criteria as outlined in regulation that relate to privacy, security, design, and performance requirements for the Health IT Module. For a full list of all dependencies for certification, review the Master Table of Related and Required Criteria.
Privacy and Security Criteria
A Health IT Module presented for certification must be tested to a mandatory minimum set of identified privacy and security certification criteria for an ONC-Authorized Certification Body (ONC-ACB) to issue the Health IT Module a certification. The privacy and security criteria requirements are outlined under the 170.315(d) paragraph, with guidance on each criterion found on the test method page.
Review the guidelines for certifying to Privacy and Security criteria
Design and Performance Criteria
Depending on the criteria to which a Health IT Module is certified, developers must also certify to the following criteria:
- 170.315(g)(3) Safety enhanced design
- 170.315(g)(4) Quality management system
- 170.315(g)(5) Accessibility-centered design
- 170.315(g)(6) C-CDA creation performance
Developers should review the specific criteria for which they are seeking certification to understand
EHI Export Criteria
If a developer presents a Health IT Module for certification that stores or causes to be stored any EHI, either within the module itself or as part of the product of which the module is a part, they must certify to 170.315(b)(10) EHI export.
Review (b)(10) certification requirements
Conditions and Maintenance of Certification
ONC has finalized the Conditions and Maintenance of Certification requirements to express initial requirements and ongoing requirements for health IT developers and their Certified Health IT Module(s). Some of these requirements are criterion-dependent, meaning that Certified Health IT developers only need to meet those requirements if they are certified to specific criteria. Other Conditions and Maintenance of Certification requirements apply to all developers with certified health IT products.
Review the Conditions and Maintenance of Certification Requirements
Post Certification Assessment Activities
In addition to the Maintenance of Certification requirements, ONC-ACBs work with developers to ensure certified Health IT Modules meet several post-certification requirements, including but not limited to mandatory disclosures, records of updates made to products and as needed, surveillance of these products to ensure ongoing conformance.
Review Oversight and Surveillance activities