B1. How is a Health IT Module certified?
Developers and Vendors wishing to certify a Health IT Module(s) first contacts an ONC -Authorized Testing Laboratory (ONC-ATL) to have their product tested. Once their product is determined to satisfy all applicable certification criteria adopted by the Secretary, the Developer or Vendor then contacts an ONC-Authorized Certification Body (ONC-ACB) to have their product certified.
B2. What is the role of the ONC-Approved Accreditor (ONC-AA), and how is the ONC-AA chosen?
The ONC-AA accredits certification bodies for the ONC Health IT Certification Program, and oversees the ONC-Authorized Certification Bodies (ONC-ACBs).
The National Coordinator may approve only one ONC-AA at a time. The ONC-AA’s status will expire not later than 3 years from the date its status was approved by the National Coordinator. The National Coordinator will accept requests for ONC-AA status at least 180 days before the current ONC-AA's status is set to expire.
The National Coordinator will publish a notice in the Federal Register to announce the period during which organizations may submit requests for ONC-AA status. An organization must submit a timely request in writing to the National Coordinator which includes the information required at §170.503 and §170.504 of the Establishment of the Permanent Certification Program Final Rule [PDF - 534 KB].
In June 2011, ANSI was selected as the first ONC-AA; effective June 2017, ANSI started their third 3-year term as the ONC- Approved Accreditor.
B3. What is the role of ONC-Authorized Certification Bodies (ONC-ACBs) in the ONC Health IT Certification Program and how do organizations apply to become an ONC-ACB?
ONC-ACBs certify Health IT Modules have been successfully tested by an ONC – Authorized Testing Laboratory (ONC-ATL) against the certification criteria adopted by the Secretary. ONC-ACBs submit certified Health IT Modules for posting on the Certified Health IT Product List (CHPL).
An organization seeking to apply to become an ONC-ACB must submit an application to the ONC-Approved Accreditor (ONC-AA) to seek accreditation. Contact information for the ONC-AA can be found here
Once the organization is accredited, they must apply to ONC to become an ONC-ACB. An application for ONC-ACB status may be submitted to the National Coordinator at any time.
The application process is highlighted in the Establishment of the Permanent Certification Program for Health Information Technology [PDF - 534 KB] in sections 170.525, 170.530, and 170.535.
Additional instructions can be found here.
B4. What rules do ONC-ACBs have to follow, and where can I find a list of ONC-Authorized Certification Bodies (ONC-ACBs)?
The Principles of Proper Conduct for ONC-ACBs are detailed in 170.523 of the Establishment of the Permanent Certification Program for Health Information Technology [PDF - 534 KB]. A list of the ONC-ACBs is available here.
An ONC-ACB must provide remote certification for both development and deployment sites.
B5. How long does an ONC-ACB’s status last, and how do ONC-ACBs renew their status?
An ONC-ACB's status will expire three years from the date it was granted by the National Coordinator. To renew its status, an ONC–ACB is required to submit a renewal request which contains any updates to the information requested in the initial application to the National Coordinator 60 days prior to the expiration of its status.
B6. How can I submit a Health IT related complaint?
Before submitting a complaint related to problems with certified health IT products, start by contacting the product's developer or vendor. If the developer/vendor is unable to resolve the issue and you think the issue relates to the product’s certified capabilities, then contact the appropriate ONC-Authorized Certification Bodies (ONC-ACBs) which should be able to work with you and the developer to resolve most issues. If you have contacted the vendor or developer as well as the ONC-ACB and still have outstanding issues, please submit your complaint via the Health IT Feedback Form.
Additional information regarding the Health IT Complaint Process can be found
B7. What does the ONC Certified HIT Certification and Design Mark represent?
The ONC Certified HIT Mark Certification and Design (Mark) is available to represent products that have been certified by an ONC-ACB under the ONC Health IT Certification Program and meet the 2014 Edition or 2015 Edition Standards and Certification Criteria. This means that a product was tested in accordance with the ONC-Approved Test Method, and certified in accordance with the standards and certification criteria adopted by the Secretary and all other requirements of the ONC Health IT Certification Program.
ONC-ACBs may grant the use of the Mark (on behalf of ONC) to developers or vendors who have certified HIT under the ONC HIT Certification Program.
For more information, please see the Criteria and Terms of Use for the ONC Certified HIT Certification and Design Mark [PDF - 201 KB].
B8. What is gap certification?
Gap certification is the certification of a previously certified Complete EHR or EHR Module(s) to:
- All applicable new and/or revised certification criteria adopted by the Secretary based on the test results of an ONC-Authorized Testing Laboratory (ONC-ATL); and
- All other applicable certification criteria adopted by the Secretary based on the test results used to previously certify the Complete EHR or EHR Module(s).
B9. What happens to Health IT Modules when new standards and certification criteria are released?
ONC-Authorized Certification Bodies (ONC-ACBs) may certify Complete EHRs and/or Health IT Module(s) to a newer version of certain identified minimum standards specified below if the Secretary has accepted a newer version of an adopted minimum standard.
Applicability of an accepted newer version of an adopted minimum standard:
- ONC-ACBs are not required to certify Health IT Module(s) according to newer versions of an adopted minimum standard accepted by the Secretary until the incorporation by reference provision of the adopted version is updated in the Federal Register with a newer version.
- Certified EHR Technology may be upgraded to comply with newer versions of an adopted minimum standard accepted by the Secretary without adversely affecting the certification status of the Certified EHR Technology.
B10. What is inherited certification status?
An ONC-Authorized Certification Body (ONC-ACB) must accept requests for a newer version of a previously certified Complete EHR or EHR Module(s) to inherit the certified status of the previously certified Complete EHR or EHR Module(s) without requiring the newer version to be recertified.
B11. How does inherited certification status work?
Before granting certified status to a newer version of a previously certified Complete EHR or EHR Module(s), an ONC-Authorized Certification Body (ONC-ACB) must review an attestation submitted by the developer of the Complete EHR or EHR Module(s) to determine whether any change in the newer version has adversely affected the Complete EHR's or EHR Module(s)' capabilities for which certification criteria have been adopted.
An ONC-ACB may grant certified status to a newer version of a previously certified Complete EHR or EHR Module(s) if it determines that the capabilities for which certification criteria have been adopted have not been adversely affected.
B12. How does inherited certification status work for EHR Module(s)?
An ONC-Authorized Certification Body (ONC-ACB) must accept requests for a newer version of a previously certified EHR Module(s) to inherit the certified status of the previously certified EHR Module(s) without requiring the newer version to be recertified.
- Before granting certified status to a newer version of a previously certified EHR Module(s), an ONC-ACB must review an attestation submitted by the developer(s) of the EHR Module(s) to determine whether any change in the newer version has adversely affected the EHR Module(s)' capabilities for which certification criteria have been adopted.
- An ONC-ACB may grant certified status to a newer version of a previously certified EHR Module(s) if it determines that the capabilities for which certification criteria have been adopted have not been adversely affected.
B13. How does privacy and security certification work for Health Module certification?
EHR Module(s) shall be certified to all privacy and security certification criteria adopted by the Secretary, unless the EHR Module(s) is presented for certification in one of the following manners:
- The EHR Modules are presented for certification as a pre-coordinated, integrated bundle of EHR Modules, which would otherwise meet the definition of and constitute a Complete EHR, and one or more of the constituent EHR Modules is demonstrably responsible for providing all of the privacy and security capabilities for the entire bundle of EHR Modules; or
- An EHR Module is presented for certification, and the presenter can demonstrate and provide documentation to the ONC-Authorized Certification Body (ONC-ACB) that a privacy and security certification criterion is inapplicable or that it would be technically infeasible for the EHR Module to be certified in accordance with such certification criterion.