§ 170.407 Insights

Updated on 04-29-2025
Revision History
Version # Description of Change Version Date
1.0

Initial Publication

08-13-2024
1.1

Updated to provide additional clarity on the Insights Condition and Maintenance of Certification requirements.

01-17-2025
Regulation Text
Regulation Text

§ 170.407 Insights Condition and Maintenance of Certification —

(a) Condition of Certification.

  1. Measure responses.  A health IT developer must submit (to the independent entity designated by the Secretary) for each reporting period pursuant to paragraph (b) of this section:
    1. Responses for the measures specified in this section, which must include:
      1. Data aggregated at the product level (across versions);
      2. Documentation related to the data sources and methodology used to generate measures; and
      3. Percentage of total customers (e.g., hospital sites, individual clinician users) represented in provided data; or
    2. A response (attestation) that it does not:
      1. Meet the minimum reporting qualifications requirement in paragraph (a)(2) of this section; or
      2. Have health IT certified to the certification criteria specified in each measure in paragraphs (a)(3)(i) through (vii) of this section; or
      3. Have any users using the certified health IT specified in each measure in paragraphs (a)(3)(i) through (vii) of this section during the reporting period.
  2. Minimum reporting qualifications requirement.  At least 50 hospital sites or 500 individual clinician users across the developer's certified health IT.
  3. Measures.
    1. Individuals’ access to electronic health information through certified health IT.  If a health IT developer has a Health IT Module certified to § 170.315(e)(1) or (g)(10) or both, then the health IT developer must submit responses for the number of unique individuals who access electronic health information (EHI) overall and by different methods of access through certified health IT.
    2. Consolidated clinical document architecture (C-CDA) problems, medications, and allergies reconciliation and incorporation through certified health IT. If a health IT developer has a Health IT Module certified to § 170.315(b)(2), then the health IT developer must submit responses for:
      1. Encounters;
      2. Unique patients with an encounter;
      3. C-CDA documents obtained (unique and overall); and
      4. C-CDA documents reconciled and incorporated both through manual and automated processes.
    3. Applications supported through certified health IT. If a health IT developer has a Health IT Module certified to § 170.315(g)(10), then the health IT developer must submit responses on how their certified health IT is supporting the application ecosystem, by providing the following information for applications that are connected to their certified health IT including:
      1. Application Name(s);
      2. Application Developer Name(s);
      3. Intended Purpose(s) of Application;
      4. Intended Application User(s); and
      5. Application Status.
    4. Use of FHIR in apps through certified health IT. If a health IT developer has a Health IT Module certified to § 170.315(g)(10), then the health IT developer must submit responses on the number of requests made to distinct certified health IT deployments that returned FHIR resources, number of distinct certified health IT deployments active at any time, the number of distinct deployments active at any time that returned FHIR resources in response to API calls from apps connected to certified health IT, including stratifying responses by the following:
      1. User type;
      2. FHIR resource; and
      3. US Core Implementation Guide version.
    5. Use of FHIR bulk data access through certified health IT. If a health IT developer has a Health IT Module certified to § 170.315(g)(10), then the health IT developer must submit responses for the total number of FHIR bulk data access requests completed through the certified health IT, and the number of distinct deployments of the certified health IT active at any time overall, and by whether at least one bulk data download request was completed.
    6. Immunization administrations electronically submitted to immunization information systems through certified health IT. If a health IT developer has a Health IT Module certified to § 170.315(f)(1), then the health IT developer must submit responses for the use of certified health IT to electronically send immunizations administered to immunization information systems (IIS), including stratifying responses based on the following subgroups:
      1. IIS; and
      2. Age group.
    7. Immunization history and forecasts through certified health IT. If a health IT developer has a Health IT Module certified to § 170.315(f)(1), then the health IT developer must submit responses for the use of certified health IT to query immunization history and forecast information from immunization information systems (IIS), including stratifying responses based on the following subgroup:
      1. IIS.
      2. [Reserved]

(b) Maintenance of Certification requirement.

  1. A health IT developer must provide responses to the Insights Condition of Certification specified in paragraph (a) of this section annually for any Health IT Module that has or has had an active certification at any time under the ONC Health IT Certification Program during the prior six months:
    1.  A health IT developer must provide responses for measures specified in:
      1. Paragraphs (a)(3)(i), (iii), (iv)(A) and (B), and (vi) of this section beginning July 2027;
      2. Paragraphs (a)(3)(ii)(A) through (C), (iv)(C), (v), (vi)(A) and (B), and (vii) of this section beginning July 2028; and
      3. Paragraph (a)(3)(ii)(D), (vii)(A) of this section beginning July 2029.
    2. [Reserved].
  2. [Reserved].
Standard(s) Referenced
Standards Referenced

None. 

Certification Companion Guide: Insights

This Certification Companion Guide (CCG) is an informative document designed to assist Certified Health IT Developers meet the Condition(s) and Maintenance of Certification requirements. The CCG is not a substitute for the requirements outlined in regulation and related ONC final rules. It extracts key portions of ONC final rules’ preambles and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the ONC Regulations page for links to all final rules or consult other regulatory references as noted. The CCG is for public use and should not be sold or redistributed.

Attestation Requirements

No attestation is required for the Insights Condition and Maintenance of Certification alongside other Conditions and Maintenance of Certification requirements in 45 CFR § 170.406. For additional details related to the attestation requirements, please refer to the Attestations Condition and Maintenance of Certification CCG.

Certification Requirements

Applicability: Applies to all health IT developers of certified health IT.

Condition Explanations and Clarifications
  • Certified Health IT developers are required to report responses for a measure and related metrics if the developer meets each of the following criteria:
    1. Has at least 50 hospital sites or 500 individual clinician users across their certified health IT;
    2. Has any Health IT Module certified to the certification criteria specified in each measure; and
    3. Has any users using the certified health IT associated with the measure.
  • Developers who do not meet the qualifications above will submit a response (attestation) to indicate that they do not meet the minimum reporting qualifications for a measure.

  • Certified Health IT developers shall make the required and optional documentation available via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps.

There are no additional clarifications. 


The measure specification sheets provide granular definitions and other information needed to operationalize the metrics to ensure they are implemented in a consistent manner across health IT developers. For more detail please see the latest version of the measure specification sheets on the Insights Condition Resources.

  • For the Individuals’ access to electronic health information through certified health IT measure under § 170.407(a)(3)(i), individuals’ access to EHI via technology certified to the “standardized API for patient population services” certification criterion under § 170.315(g)(10) is counted when an individual had at least one FHIR resource returned during the reporting period.
  • For the Consolidated clinical document architecture (C-CDA) problems, medications, and allergies reconciliation and incorporation through certified health IT measure under § 170.407(a)(3)(ii), the metric that counts the number of unique patients with an associated C-CDA document is modified to count the number of unique patients with an encounter and associated C-CDA document instead. Pre-processes for reconciliation and incorporation defines automated processes to include any automated process that uses methods beyond capabilities required as a part of certification to § 170.315(b)(2) to reduce the effort required to perform manual (by a clinician or their delete) or fully automated reconciliation and incorporation of information in the Health IT Module.
  • For the Use of FHIR in apps through certified health IT measure under § 170.407(a)(3)(iv), types of users the endpoint serves are categorized as either patient-facing (endpoints that serve patients accessing their electronic health information (EHI) via certified API technology) or non-patient-facing (endpoints that serve other types of users to access EHI via certified API technology or both patient-facing and non-patient-facing.
  • For the Immunization administrations electronically submitted to immunization information systems through certified health IT measure under § 170.407(a)(3)(vi), there is a metric that separately counts the number of immunizations administered electronically that are submitted to IISs and returned with an acknowledgement that has an error of severity level E.  The metric is reported overall, and by IIS and age category.
  • For the Immunization history and forecasts through certified health IT measure under § 170.407(a)(3)(vii), there is a metric that separately reports on the number of query responses received from IISs with acknowledgement with the error of severity level E.  The metric is reported overall and by IIS.


There are no additional clarifications.