§ 170.402 Assurances

Version 1.0 Updated on 06-15-2020
Revision History
Version # | Description of Change | Version Date
1.0 | Initial Publication | 06-15-2020
Regulation Text

170.402 Assurances.

  1. Condition of Certification requirement.
    1. A health IT developer must provide assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103 on and after November 2, 2020, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information.
    2. A health IT developer must ensure that its health IT certified under the ONC Health IT Certification Program conforms to the full scope of the certification criteria.
    3. A health IT developer must not take any action that could interfere with a user’s ability to access or use certified capabilities for any purpose within the full scope of the technology’s certification.
    4. A health IT developer of a certified Health IT Module that is part of a health IT product which electronically stores EHI must certify to the certification criterion in § 170.315(b)(10).
  2. Maintenance of Certification requirements.
    1. A health IT developer must retain all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for:
      1. A period of 10 years beginning from the date a developer’s Health IT Module(s) is first certified under the Program; or
      2. If for a shorter period of time, a period of 3 years from the effective date that removes all of the certification criteria to which the developer’s health IT is certified from the Code of Federal Regulations.
    2.  
      1. Within 36 months of May 1, 2020, a health IT developer that must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
      2. On and after May 2, 2023, a health IT developer that must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
Standard(s) Referenced

None

Certification Companion Guide: Assurances

This Certification Companion Guide (CCG) is an informative document designed to assist health IT developers to meet the Conditions and Maintenance of Certification requirements. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the ONC Cures Act Final Rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.

Attestation Requirements

Outlined below is a summary of the attestation requirements for the Condition and Maintenance of Certification for § 170.402 Assurances. For additional details related to the requirements please refer to the ONC Cures Act Final Rule.

  • The health IT developer provides assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking on and after November 2, 2020 (with enforcement discretion until February 1, 2020), unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).
  • The health IT developer ensures full compliance and unrestricted implementation of certification criteria capabilities.
  • The health IT developer did not take any action to interfere with a user’s ability to access or use certified capabilities.
  • The health IT developer of a certified Health IT Module that is part of a health IT product that electronically stores EHI is certified to the certification criterion in § 170.315(b)(10).
  • The health IT developer retains all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for a period of 10 years beginning from the date of certification or, if for a shorter period of time, a period of three years from the effective date that removes all of the certification criteria from the Code of Federal Regulations.
  • Within, on, and after May 2, 2023 (with enforcement discretion until August 2, 2023), a health IT developer that meets applicable requirements must provide all customers of its certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
Certification Requirements

Applicability of Conditions: Sections 170.402 (a)(1)-(3) apply to all health IT developers of certified health IT. Section 170.402 (a)(4) applies to all health IT developers of certified health IT certified to § 170.315(b)(10). Section 170.402 (b)(1) applies to all health IT developers of certified health IT. Section 170.402 (b)(2) applies to all health IT developers of certified health IT certified to § 170.315(b)(10).

Condition Explanations and Clarifications

Paragraph (a)(2) Full Compliance

Clarifications:

  • Actions that would violate the Condition of Certification include failing to fully deploy or enable certified capabilities; imposing limitations (including restrictions) on the use of certified capabilities once deployed; or requiring subsequent developer assistance to enable the use of certified capabilities, contrary to the intended uses and outcomes of those capabilities (see 85 FR 25719).

Paragraph (a)(3) Unrestricted Implementation

Clarifications:

  • The Condition of Certification would also be violated if a developer refused to provide documentation, support, or other assistance reasonably necessary to enable the use of certified capabilities for their intended purposes (see 85 FR 25719).
  • Any action that would be likely to substantially impair the ability of one or more users (or prospective users) to implement or use certified capabilities for any purpose within the scope of applicable certification criteria would be prohibited by this Condition of Certification (see 85 FR 25719). Such actions may include imposing limitations or additional types of costs, especially if these were not disclosed when a customer purchased or licensed the certified health IT (see 85 FR 25719).

Paragraph (a)(4) EHI and § 170.315(b)(10) Certification

Clarifications:

  • Health IT developers of certified Health IT Module(s) or products that electronically store EHI must provide all of their customers of certified health IT with health IT certified to the functionality included in § 170.315(b)(10) within 36 months of the final rule's publication date.
  • EHI means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include (1) Psychotherapy notes as defined in 45 CFR 164.501; or (2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Associated CCG: § 170.315(b)(10) EHI Export


Paragraph (b)(1)

Clarifications:

  • Where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for three years from the date of removal for those certification criteria and related ONC Health IT Certification program provisions unless that timeframe would exceed the overall 10-year retention period.
  • A health IT developer that does not have any certified products within the Program would no longer have any obligation to retain records and information for the purposes of the Program. However, note that it may be in the health IT developer’s best interest to retain its records and information.

Content last reviewed on June 15, 2020