#08 Question [09-10-008-2]
If an EHR Module addresses multiple certification criteria (thus providing multiple capabilities), does it need to be tested and certified to the applicable privacy and security certification criteria as a whole or for each capability?
An EHR Module could provide a single capability required by one certification criterion or it could provide all capabilities but one required by the certification criteria for a Complete EHR. In other words, for example, we would call HIT tested and certified to one certification criterion an "EHR Module" and HIT tested and certified to nine certification criteria an "EHR Module," where ten certification criteria are required for a Complete EHR.
We now provide two different answers to this question based on the Edition of EHR certification criteria in question.
2011 Edition EHR Certification Criteria Answer:
If an EHR Module addresses multiple certification criteria the EHR Module as a whole would be tested and certified to all privacy and security certification criteria unless the EHR Module is presented for testing and certification, and the presenter can demonstrate and provide documentation to the ONC–ATCB or ONC-ACB that a privacy and security certification criterion is inapplicable or that it would be technically infeasible for the EHR Module to be tested and certified in accordance with such certification criterion (see 45 CFR 170.450(c)(2) and 170.550(e)(2)).
2014 Edition EHR Certification Criteria Answer:
Pursuant to the changes made to the ONC HIT Certification Program rules at 45 CFR 170.550(e), ONC-ACBs are not required to assess the privacy and security criteria adopted at 45 CFR 170.314(d) when EHR technology is presented for certification to the 2014 Edition EHR certification criteria as an EHR Module. Under the ONC HIT Certification Program rules for EHR Module certification, an EHR technology developer has the choice whether to seek certification of its EHR Module to any of the privacy and security criteria adopted at 45 CFR 170.314(d).