§ 170.402 Assurances

Updated on 04-20-2022
Version # Description of Change Version Date
1.0

Initial Publication
06-15-2020
1.1

Updated compliance dates per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency 
11-02-2020
1.2

Updated to provide additional clarity on the Attestations Condition and Maintenance of Certification requirements. 
03-12-2021
1.3

Updated to provide additional clarity on the attestation options for the Assurances Condition and Maintenance of Certification.
04-20-2022
Regulation Text
Regulation Text

170.402 Assurances.

  1. Condition of Certification requirement.
    1. A health IT developer must provide assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103 on and after April 5, 2021, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information.
    2. A health IT developer must ensure that its health IT certified under the ONC Health IT Certification Program conforms to the full scope of the certification criteria.
    3. A health IT developer must not take any action that could interfere with a user’s ability to access or use certified capabilities for any purpose within the full scope of the technology’s certification.
    4. A health IT developer of a certified Health IT Module that is part of a health IT product which electronically stores EHI must certify to the certification criterion in § 170.315(b)(10).
  2. Maintenance of Certification requirements.
    1. A health IT developer must retain all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for:
      1. A period of 10 years beginning from the date a developer’s Health IT Module(s) is first certified under the Program; or
      2. If for a shorter period of time, a period of  years from the effective date that removes all of the certification criteria to which the developer’s health IT is certified from the Code of Federal Regulations.
    2.  
      1. By December 31, 2023, a health IT developer must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
      2. On and after December 31, 2023, a health IT developer that must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in§ 170.315(b)(10).
Standard(s) Referenced
Standards Referenced

None

Revision History
Version # Description of Change Version Date
1.0

Initial Publication
06-15-2020
1.1

Updated compliance dates per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency 
11-02-2020
1.2

Updated to provide additional clarity on the Attestations Condition and Maintenance of Certification requirements. 
03-12-2021
1.3

Updated to provide additional clarity on the attestation options for the Assurances Condition and Maintenance of Certification.
04-20-2022
Regulation Text
Regulation Text

170.402 Assurances.

  1. Condition of Certification requirement.
    1. A health IT developer must provide assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103 on and after April 5, 2021, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information.
    2. A health IT developer must ensure that its health IT certified under the ONC Health IT Certification Program conforms to the full scope of the certification criteria.
    3. A health IT developer must not take any action that could interfere with a user’s ability to access or use certified capabilities for any purpose within the full scope of the technology’s certification.
    4. A health IT developer of a certified Health IT Module that is part of a health IT product which electronically stores EHI must certify to the certification criterion in § 170.315(b)(10).
  2. Maintenance of Certification requirements.
    1. A health IT developer must retain all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for:
      1. A period of 10 years beginning from the date a developer’s Health IT Module(s) is first certified under the Program; or
      2. If for a shorter period of time, a period of  years from the effective date that removes all of the certification criteria to which the developer’s health IT is certified from the Code of Federal Regulations.
    2.  
      1. By December 31, 2023, a health IT developer must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
      2. On and after December 31, 2023, a health IT developer that must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in§ 170.315(b)(10).
Standard(s) Referenced
Standards Referenced

None

Certification Companion Guide: Assurances

This Certification Companion Guide (CCG) is an informative document designed to assist Certified Health IT Developers to meet the Conditions and Maintenance of Certification requirements. The CCG is not a substitute for the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule). It extracts key portions of the ONC Cures Act Final Rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Cures Act Final Rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.

Link to Final Rule Preamble
Link to Interim Final Rule
Attestation Requirements

Outlined below is a summary of the attestation requirements for the Assurances Condition and Maintenance of Certification (45 CFR § 170.402). This attestation is a part of the Attestations Condition and Maintenance of Certification requirements and will be available for developers to attest alongside the other attestation requirements in 45 CFR § 170.406 beginning on April 1, 2022, and semiannually thereafter. For additional details related to the attestation requirements please refer to the Attestations Condition and Maintenance of Certification CCG.

  • The health IT developer provides assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking on and after April 5, 2021, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).
  • The health IT developer ensures full compliance and unrestricted implementation of certification criteria capabilities.
  • The health IT developer did not take any action to interfere with a user’s ability to access or use certified capabilities.
  • The health IT developer of a certified Health IT Module that is part of a health IT product that electronically stores EHI is certified to the certification criterion in § 170.315(b)(10).
  • The health IT developer retains all records and information necessary that demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for a period of 10 years beginning from the date of certification or, if for a shorter period of time, a period of three years from the effective date that removes all of the certification criteria from the Code of Federal Regulations.
  • Within, on, and after, December 31, 2023, a health IT developer that meets applicable requirements must provide all customers of its certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
Certification Requirements

Applicability of Conditions: Sections 170.402 (a)(1)-(3) apply to all Certified Health IT Developers. Section 170.402 (a)(4) applies to all Certified Health IT Developers certified to § 170.315(b)(10). Section 170.402 (b)(1) applies to all Certified Health IT Developers. Section 170.402 (b)(2) applies to all Certified Health IT Developers certified to § 170.315(b)(10).

Attestation Requirements

Outlined below is a summary of the attestation requirements for the Assurances Condition and Maintenance of Certification (45 CFR § 170.402). This attestation is a part of the Attestations Condition and Maintenance of Certification requirements and will be available for developers to attest alongside the other attestation requirements in 45 CFR § 170.406 beginning on April 1, 2022, and semiannually thereafter. For additional details related to the attestation requirements please refer to the Attestations Condition and Maintenance of Certification CCG.

  • The health IT developer provides assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking on and after April 5, 2021, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).
  • The health IT developer ensures full compliance and unrestricted implementation of certification criteria capabilities.
  • The health IT developer did not take any action to interfere with a user’s ability to access or use certified capabilities.
  • The health IT developer of a certified Health IT Module that is part of a health IT product that electronically stores EHI is certified to the certification criterion in § 170.315(b)(10).
  • The health IT developer retains all records and information necessary that demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for a period of 10 years beginning from the date of certification or, if for a shorter period of time, a period of three years from the effective date that removes all of the certification criteria from the Code of Federal Regulations.
  • Within, on, and after, December 31, 2023, a health IT developer that meets applicable requirements must provide all customers of its certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
Certification Requirements

Applicability of Conditions: Sections 170.402 (a)(1)-(3) apply to all Certified Health IT Developers. Section 170.402 (a)(4) applies to all Certified Health IT Developers certified to § 170.315(b)(10). Section 170.402 (b)(1) applies to all Certified Health IT Developers. Section 170.402 (b)(2) applies to all Certified Health IT Developers certified to § 170.315(b)(10).

Condition Explanations and Clarifications

Applies to Entire Condition 

Clarifications:

  • For the related Attestations Condition and Maintenance of Certification, the Assurances Condition and Maintenance of Certification requirements described in 45 CFR 170.402 apply to all Certified Health IT Developers. There are two compliance options to distinguish between Certified Health IT Developers that meet the condition of § 170.402(a)(4) requiring certification to the § 170.315(b)(10) Electronic Health Information (EHI) Export criterion and must also meet the maintenance requirements of § 170.402(b)(2) to provide the new functionality to their customers, and those Certified Health IT Developers who do not need to certify to the EHI Export criterion.
    • If the condition of § 170.402(a)(4) and the maintenance requirements of § 170.402(b)(2) are applicable, a Certified Health IT Developer can attest to compliance even if they have not yet certified to the § 170.315(b)(10) EHI Export criterion because the permissible certification and deadline for compliance has not yet expired.

Applies to Entire Condition 

Clarifications:

  • For the related Attestations Condition and Maintenance of Certification, the Assurances Condition and Maintenance of Certification requirements described in 45 CFR 170.402 apply to all Certified Health IT Developers. There are two compliance options to distinguish between Certified Health IT Developers that meet the condition of § 170.402(a)(4) requiring certification to the § 170.315(b)(10) Electronic Health Information (EHI) Export criterion and must also meet the maintenance requirements of § 170.402(b)(2) to provide the new functionality to their customers, and those Certified Health IT Developers who do not need to certify to the EHI Export criterion.
    • If the condition of § 170.402(a)(4) and the maintenance requirements of § 170.402(b)(2) are applicable, a Certified Health IT Developer can attest to compliance even if they have not yet certified to the § 170.315(b)(10) EHI Export criterion because the permissible certification and deadline for compliance has not yet expired.

Paragraph (a)(2) Full compliance

Clarifications:

  • Actions that would violate the Condition of Certification include failing to fully deploy or enable certified capabilities; imposing limitations (including restrictions) on the use of certified capabilities once deployed; or requiring subsequent developer assistance to enable the use of certified capabilities, contrary to the intended uses and outcomes of those capabilities. (see 85 FR 25719).

Paragraph (a)(2) Full compliance

Clarifications:

  • Actions that would violate the Condition of Certification include failing to fully deploy or enable certified capabilities; imposing limitations (including restrictions) on the use of certified capabilities once deployed; or requiring subsequent developer assistance to enable the use of certified capabilities, contrary to the intended uses and outcomes of those capabilities. (see 85 FR 25719).

Paragraph (a)(3) Unrestricted implementation

Clarifications:

  • The Condition of Certification would also be violated if a developer refused to provide documentation, support, or other assistance reasonably necessary to enable the use of certified capabilities for their intended purposes. (see 85 FR 25719)
  • Any action that would be likely to substantially impair the ability of one or more users (or prospective users) to implement or use certified capabilities for any purpose within the scope of applicable certification criteria would be prohibited by this Condition of Certification (see 85 FR 25719). Such actions may include imposing limitations or additional types of costs, especially if these were not disclosed when a customer purchased or licensed the certified health IT (see 85 FR 25719).

Paragraph (a)(3) Unrestricted implementation

Clarifications:

  • The Condition of Certification would also be violated if a developer refused to provide documentation, support, or other assistance reasonably necessary to enable the use of certified capabilities for their intended purposes. (see 85 FR 25719)
  • Any action that would be likely to substantially impair the ability of one or more users (or prospective users) to implement or use certified capabilities for any purpose within the scope of applicable certification criteria would be prohibited by this Condition of Certification (see 85 FR 25719). Such actions may include imposing limitations or additional types of costs, especially if these were not disclosed when a customer purchased or licensed the certified health IT (see 85 FR 25719).

Paragraph (a)(4) EHI and § 170.315(b)(10) Certification

Clarifications:

  • Health IT developers of Certified Health IT Module(s) or products that electronically store EHI must provide all of their customers of certified health IT with health IT certified to the functionality included in § 170.315(b)(10) within 36 months of the final rule's publication date.
  • EHI means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of record are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include (1) psychotherapy notes as defined in 45 CFR 164.501; or (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Associated CCG: § 170.315(b)(10) EHI Export

Paragraph (a)(4) EHI and § 170.315(b)(10) Certification

Clarifications:

  • Health IT developers of Certified Health IT Module(s) or products that electronically store EHI must provide all of their customers of certified health IT with health IT certified to the functionality included in § 170.315(b)(10) within 36 months of the final rule's publication date.
  • EHI means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of record are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include (1) psychotherapy notes as defined in 45 CFR 164.501; or (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Associated CCG: § 170.315(b)(10) EHI Export

Paragraph (b)(1) Records and information retention

Clarifications:

  • Where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for three years from the date of removal for those certification criteria and related ONC Health IT Certification Program (Certification Program) provisions unless that timeframe would exceed the overall 10-year retention period.
  • A health IT developer that does not have any certified products within the Certification Program would no longer have any obligation to retain records and information for the purposes of the Certification Program. However, note that it may be in the Certified Health IT Developer’s best interest to retain its records and information.

Paragraph (b)(1) Records and information retention

Clarifications:

  • Where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for three years from the date of removal for those certification criteria and related ONC Health IT Certification Program (Certification Program) provisions unless that timeframe would exceed the overall 10-year retention period.
  • A health IT developer that does not have any certified products within the Certification Program would no longer have any obligation to retain records and information for the purposes of the Certification Program. However, note that it may be in the Certified Health IT Developer’s best interest to retain its records and information.