Conditions & Maintenance of Certification

The 21st Century Cures Act (Section 4002) requires the Secretary of Health and Human Services (HHS) to establish Conditions and Maintenance of Certification requirements for the ONC Health IT Certification Program. ONC has finalized the Conditions and Maintenance of Certification requirements to express initial requirements and ongoing requirements for health IT developers and their certified Health IT Module(s). There are seven Conditions of Certification with accompanying Maintenance of Certification Requirements. We have not yet established an EHR Reporting Program for the seventh Conditions and Maintenance of Certification requirement; the EHR reporting criteria submission. Once we establish such program, we will undertake rulemaking to propose and implement the associated Condition and Maintenance of Certification requirements for health IT developers.

The Conditions and Maintenance of Certification requirements, except for the Information Blocking and Assurances Conditions and Maintenance of Certification requirements, apply only to actions and behaviors of health IT developers related to their certified health IT as well as to the certified health IT itself. The Information Blocking and Assurances Conditions and Maintenance of Certification require that a health IT developer is responsible to ensure that all of its health IT and related actions and behaviors do not constitute information blocking or inhibit the appropriate access, exchange, and use of electronic health information (EHI).

The Conditions and Maintenance of Certification requirements are defined in Subpart D of the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule).

Regulation

Condition of Certification (CoC)

Maintenance of Certification (MoC)

Certification Companion Guide (CCG)

 

CCG Last Updated

Information Blocking

A health IT developer may not take any actions that constitutes “information blocking” as defined in Section 3022(a) of the Public Health Service Act (PHSA) and § 171.103.

There are no accompanying MoC requirements beyond compliance with the Condition.

Guide

06-15-2020

Assurances

A health IT developer must:

  1. Provide assurances that it will not take any action that constitutes information blocking, or any other action that may inhibit the appropriate exchange, access, and use of electronic health information,

  2. Ensure full compliance and unrestricted implementation of certification criteria capabilities,

  3. Not take any action to interfere with a user’s ability to access or use certified capabilities, and

  4. Certify a health IT product which electronically stores EHI to the §170.315(b)(10) criteria.

A health IT developer must:

  1. For a period of 10 years beginning from the date of certification, retain all records and information necessary that demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program, and

  2. Certify to the criterion in § 170.315(b)(10) within 36 months of May 1, 2020, if a health IT product electronically stores EHI.

Guide

06-15-2020

Communications

A health IT developer may not prohibit or restrict communication regarding the following subjects for certified Health IT Modules:

  1. The usability of its health IT,

  2. The interoperability of its health IT,

  3. The security of the health IT,

  4. Relevant information regarding users’ experiences when using its health IT,

  5. The business practices of developers of health IT related to exchanging EHI, and

  6. The manner in which a user of the health IT has used such technology.

A health IT developer must:

  1. Notify all customers within six months of the effective date that of the ONC Cures Act Final Rule that any communication or contract, or agreement provision that violates the Communication Condition of Certification will not be enforced by the health IT developer, and

  2. Notify all customers annually up to and until the health IT developer amends the contract or agreement to remove or void any contractual provisions that violate the Condition of Certification.

Guide

06-15-2020

Application Programming Interfaces (APIs)

A health IT developer of a Health IT Module certified to any certification criteria adopted in § 170.315(g)(7) through (g)(10) must:

  1. Publish APIs and allow health information from such technology to be accessed, exchanged, and used without special effort,

  2. Publish complete business and technical documentation, via a publicly accessible hyperlink,

  3. Publish all terms and conditions for its certified API technology

    1. Material Information

    2. API Fees,

  4. Keep for inspection detailed records of any fees charged with respect to the certified API technology, and

  5. Abide by openness and pro-competitive conditions.

A health IT developer of a Health IT Module that meets the requirements outlined in the Condition of Certification must comply with the following requirements:

  1. Authenticity verification and registration for production use,

  2. Service Base Uniform Resource Locator (URL) publication,

  3. Rollout of (g)(10)-Certified APIs, and

  4. Transparency of Existing API Documentation.

Guide

06-15-2020

Real World Testing

A health IT developer with Health IT Module(s) certified to § 170.315(b), (c)(1) through (3), (e)(1), (f), (g)(7) through (10), and (h) must: successfully test the real world use of the technology for interoperability in the type of setting in which such technology would be marketed.

A health IT developer that meets the requirements outlined in the Condition of Certification must:

  1. Submit its real world testing plan to its ONC-Authorized Certification Bodies (ONC-ACB) by a date that enables the ONC-ACB to publish the plan on the Certified Health IT Products List (CHPL) no later than December 15 of each calendar year,

  2. Report its real world testing results to its ONC-ACB by a date that enables the ONC-ACB to publish the results on the CHPL no later than March 15 of each calendar year,

  3. Update its certified health IT to be compliant to § 170.315(b)(1), (e)(1), (g)(6), (f)(5), and/or (g)(9) by the ONC Cures Act Final Rule's effective date and provide customers of previously certified health IT with certified health IT that meets § 170.315(b)(1), (e)(1), (g)(6), (f)(5), and/or (g)(9) no later than May 2, 2022,

  4. Update its certified health IT to be compliant to § 170.315(b)(1), (b)(2), (b)(9), (e)(1), (g)(6), and/or (g)(9) and provide customers of previously certified health IT with certified health IT that meets § 170.315(b)(1), (b)(2), (b)(9), (e)(1), (g)(6), and/or (g)(9) no later than May 2, 2022,

  5. Update its certified health IT to be compliant to § 170.315(b)(3) and provide customers of previously certified health IT with certified health IT that meets § 170.315(b)(3) no later than May 2, 2022, and

  6. Update its certified health IT to be compliant to § 170.315(b)(7) and/or § 170.315(b)(8) and provide customers of previously certified health IT with certified health IT that meets § 170.315(b)(7) and/or § 170.315(b)(8) no later than May 2, 2022.

Guide

06-15-2020

Attestation

A health IT developer must attest, as applicable, to compliance with the Conditions and Maintenance of Certification related to:

(1) Information Blocking,

(2) Assurances,

(3) Communications,

(4) API, and

(5) Real World Testing.

A health IT developer must submit their attestations every six months.

Guide

06-15-2020

 

Content last reviewed on June 25, 2020
Was this page helpful?