§ 170.402 Assurances

Updated on 03-11-2024
Revision History

| Version # | Description of Change | Version Date |
|---|---|---|
| 1.0 | Initial publication | 06-15-2020 |
| 1.1 | Updated compliance dates per the Interim Final Rule (IFR), Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency | 11-02-2020 |
| 1.2 | Updated to provide additional clarity on the Attestations Condition and Maintenance of Certification requirements. | 03-12-2021 |
| 1.3 | Updated to provide additional clarity on the attestation options for the Assurances Condition and Maintenance of Certification. | 04-20-2022 |
| 1.4 | Updates to reflect changes outlined in Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule | 03-11-2024 |

Regulation Text

170.402 Assurances.

  1. Condition of Certification requirement.
    1. A health IT developer must provide assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103 on and after April 5, 2021, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information.
    2. A health IT developer must ensure that its health IT certified under the ONC Health IT Certification Program conforms to the full scope of the certification criteria.
    3. A health IT developer must not take any action that could interfere with a user’s ability to access or use certified capabilities for any purpose within the full scope of the technology’s certification.
    4. A health IT developer of a certified Health IT Module that is part of a health IT product which electronically stores EHI must certify to the certification criterion in § 170.315(b)(10).
    5. A health IT developer must not inhibit its customer’s timely access to interoperable health IT certified under the Program.
  2. Maintenance of Certification requirements.
    1. A health IT developer must retain all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for:
      1. A period of 10 years beginning from the date a developer’s Health IT Module(s) is first certified under the Program; or
      2. If for a shorter period of time, a period of 3 years from the effective date that removes all of the certification criteria to which the developer’s health IT is certified from the Code of Federal Regulations.
    2.  
      1. By December 31, 2023, a health IT developer that must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
      2. On and after December 31, 2023, a health IT developer that must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
    3.  
      1. Update. A health IT developer must update a Health IT Module, once certified to a certification criterion adopted in § 170.315, to all applicable revised certification criteria, including the most recently adopted capabilities and standards included in the revised certification criterion.
      2. Provide. A health IT developer must provide all Health IT Modules certified to a revised certification criterion, including the most recently adopted capabilities and standards included in the revised certification criterion, to its customers of such certified health IT.
      3. Timeliness. A health IT developer must complete the actions specified in paragraphs (b)(3)(i) and (ii) of this section:
        1. Consistent with the timeframes specified in part 170; or
        2. If the developer obtains new customers of health IT certified to the revised criterion after the effective date of the final rule adopting the revised criterion or criteria, then the health IT developer must provide the health IT certified to the revised criterion to such customers within whichever of the following timeframes that expires last:
          1. The timeframe provided in paragraph (b)(3)(iii)(A) of this section; or
          2. No later than 12 months after the purchasing or licensing relationship has been established between the health IT developer and the new customer for the health IT certified to the revised criterion.   
    4. For developers of Health IT Modules certified to § 170.315(b)(11), starting January 1, 2025, and on an ongoing basis thereafter, review and update as necessary source attribute information in § 170.315(b)(11)(iv)(A) and (B), intervention risk management practices described in § 170.315(b)(11)(vi), and summary information provided through § 170.523(f)(1)(xxi).
Standards Referenced

None

Certification Companion Guide: Assurances

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product certification. The CCG is not a substitute for the requirements outlined in regulation and related ONC final rules. It extracts key portions of ONC final rules’ preambles and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Regulations page for links to all final rules or consult other regulatory references as noted. The CCG is for public use and should not be sold or redistributed.

Attestation Requirements

Outlined below is a summary of the attestation requirements for the Assurances Condition and Maintenance of Certification (45 CFR § 170.402). This attestation is a part of the Attestations Condition and Maintenance of Certification requirements and will be available for developers to attest alongside the other attestation requirements in 45 CFR § 170.406 beginning on April 1, 2022, and semiannually thereafter. For additional details related to the attestation requirements please refer to the Attestations Condition and Maintenance of Certification CCG.

  • The health IT developer provides assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking on and after April 5, 2021, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information (EHI).
  • The health IT developer ensures full compliance and unrestricted implementation of certification criteria capabilities.
  • The health IT developer did not take any action to interfere with a user’s ability to access or use certified capabilities.
  • The health IT developer of a certified Health IT Module that is part of a health IT product that electronically stores EHI is certified to the certification criterion in § 170.315(b)(10).
  • The health IT developer retains all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for a period of 10 years beginning from the date of certification or, if for a shorter period of time, a period of three years from the effective date that removes all of the certification criteria from the Code of Federal Regulations.
  • Within, on, and after, December 31, 2023, a health IT developer that meets applicable requirements must provide all customers of its certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
  • The health IT developer updates to all applicable revised certification criteria, including the most recently adopted capabilities and standards included in the revised criterion.
  • The health IT developer provides all Health IT Modules certified to a revised certification criterion, including the most recently adopted capabilities and standards included in the revised certification criterion, to its customers of such certified health IT.
  • The health IT developer updates and provides these updates to its customers consistent with the timeframes specified in § 170.406(b)(3)(iii).
  • For developers of Health IT Modules certified to § 170.315(b)(11), starting January 1, 2025, and on an ongoing basis thereafter, the health IT developer reviews and updates as necessary source attribute information in § 170.315(b)(11)(iv)(A) and (B), intervention risk management practices described in § 170.315(b)(11)(vi), and summary information provided through § 170.523(f)(1)(xxi).
Certification Requirements

Applicability of Conditions: Sections 170.402 (a)(1)-(3) and (a)(5) apply to all Certified Health IT Developers. Section 170.402 (a)(4) applies to all developers of certified health IT, which electronically stores EHI and must certify to § 170.315(b)(10). Sections 170.402 (b)(1) and (b)(3) apply to all Certified Health IT Developers. Section 170.402 (b)(2) applies to all Certified Health IT Developers certified to § 170.315(b)(10). Section 170.402(b)(4) applies to all health IT developers of certified health IT certified to § 170.315(b)(11). 

Condition Explanations and Clarifications

Clarifications:

  • For the related Attestations Condition and Maintenance of Certification, the Assurances Condition and Maintenance of Certification requirements described in 45 CFR 170.402 apply to all Certified Health IT Developers. There are two compliance options to distinguish between Certified Health IT Developers that meet the condition of § 170.402(a)(4) requiring certification to the § 170.315(b)(10) Electronic Health Information (EHI) Export criterion and must also meet the maintenance requirements of § 170.402(b)(2) to provide the new functionality to their customers, and those Certified Health IT Developers who do not need to certify to the EHI Export criterion.
    • If the condition of § 170.402(a)(4) and the maintenance requirements of § 170.402(b)(2) are applicable, a Certified Health IT Developer can attest to compliance even if they have not yet certified to the § 170.315(b)(10) EHI Export criterion because the permissible certification and deadline for compliance has not yet expired.

Clarifications:

  • Actions that would violate the Condition of Certification include failing to fully deploy or enable certified capabilities; imposing limitations (including restrictions) on the use of certified capabilities once deployed; or requiring subsequent developer assistance to enable the use of certified capabilities, contrary to the intended uses and outcomes of those capabilities (see 85 FR 25719).

Clarifications:

  • The Condition of Certification would also be violated if a developer refused to provide documentation, support, or other assistance reasonably necessary to enable the use of certified capabilities for their intended purposes (see 85 FR 25719).
  • Any action that would be likely to substantially impair the ability of one or more users (or prospective users) to implement or use certified capabilities for any purpose within the scope of applicable certification criteria would be prohibited by this Condition of Certification (see 85 FR 25719). Such actions may include imposing limitations or additional types of costs, especially if these were not disclosed when a customer purchased or licensed the certified health IT (see 85 FR 25719).

Clarifications:

  • Health IT developers of Certified Health IT Module(s) or products that electronically store EHI must provide all of their customers of certified health IT with health IT certified to the functionality included in § 170.315(b)(10) within 36 months of the final rule's publication date.
  • EHI means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include (1) psychotherapy notes as defined in 45 CFR 164.501; or (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Associated CCG: § 170.315(b)(10) EHI Export


Clarifications:

  • There are no additional clarifications. 

Clarifications:

  • Where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for three years from the date of removal for those certification criteria and related ONC Health IT Certification Program (Certification Program) provisions unless that timeframe would exceed the overall 10-year retention period.
  • A health IT developer that does not have any certified products within the Certification Program would no longer have any obligation to retain records and information for the purposes of the Certification Program. However, note that it may be in the Certified Health IT Developer’s best interest to retain its records and information.

Clarifications:

  • There are no additional clarifications.

Associated CCG: § 170.315(b)(10) EHI Export


Clarifications:

  • There are no additional clarifications.

Clarifications:

  • § 170.102 defines provide as “the action or actions taken by a developer of certified Health IT Modules to make the certified health IT available to its customers.”
  • A customer, for this purpose, is any individual or entity that has an agreement to purchase or license the developer’s certified health IT. [see 89 FR 1309]

Clarifications:

  • Timeframes for updates are outlined throughout part 170 and may be found within criteria requirements under part 170.315 or under standards referenced in part 170 subpart B. Expiration and deadline references may also be found in other sections of part 170 as they relate to the requirements.
  • Rather than relying on independent timeliness requirements for previously certified health IT, the maintenance requirements now cross-reference timeframes specified in 45 CFR part 170, while still maintaining the proposed minimum 12-month timeframe for new customers. [see 89 FR 1198]
  • The provisions for new customers mean the health IT developer has the ability to plan both the certification to revised certification criteria and the execution of contracts and agreements with new customers to ensure that it can meet the above timeline for new customers. [see 89 FR 1310]

Clarifications:

  • There are no additional clarifications.

Associated CCG: § 170.315(b)(11) Decision support interventions