Does a certified Complete EHR or certified EHR Module need to be retested and/or recertified every time it is patched or updated?
No. In general, modifications such as security patches, updates to “minimum standards” code sets (e.g., RxNorm, LOINC), CQM updates (i.e., FAQ #42, question 2), and other similar improvements to the version of an EHR technology listed on the Certified HIT Products List (CHPL) may be implemented without any additional action on the EHR technology developer's part so long as the EHR technology developer does not change the EHR technology version listed on the CHPL. Note that EPs, EHs, and CAHs that possess the certified version that includes these modifications would continue to select that version from the CHPL to generate a CMS EHR ID for attestation purposes.
If an EHR technology developer creates a newer version of the EHR technology that is listed on the CHPL and wishes to continue to market this newer version as "certified," it will need to contact its ONC-ACB and, at a minimum, submit an inherited certified status (ICS) request (i.e., attestation) to get this newer version issued a certification (76 FR 1306). This process is meant to expedite the reissuance of a certification to a newer version of an already certified Complete EHR or certified EHR Module. When submitting an ICS request, the EHR technology developer must describe why the newer version does not adversely affect any certified capabilities. Similarly, upon receipt of an ICS request, an ONC-ACB must review the attestation to determine (in its judgment) whether the modifications described could have adversely affected any certified capabilities (and that retesting may be necessary) or whether to issue a certification to the newer version of the previously certified Complete EHR or certified EHR Module.
We encourage EHR technology developers to remain in contact with their ONC-ACB even when they do not necessarily need to seek a new certification under our regulations. An ONC-ACB is responsible for the certifications it issues and is empowered to initiate surveillance actions on any EHR technology it has certified. In our 2014 surveillance guidance, we encouraged ONC-ACBs to initiate surveillance actions if an EHR technology has received five or more inherited certified status requests. That said, an ONC-ACB may initiate surveillance based on other reasons.