(a) Certification scope. When certifying Health IT Module(s), an ONC-ACB must certify in accordance with the applicable certification criteria adopted by the Secretary at subpart C of this part.

(b) Health IT product scope options. An ONC-ACB must provide the option for an Health IT Module(s) to be certified solely to the applicable certification criteria adopted by the Secretary at subpart C of this part.

(c) Gap certification. An ONC-ACB may provide the option for and perform gap certification of previously certified Health IT Module(s).

(d) Upgrades and enhancements. An ONC-ACB may provide an updated certification to a previously certified Health IT Module(s).

(e) Standards updates. ONC-ACBs must provide an option for certification of Health IT Modules consistent with §171.405(b)(7) or (8) to any one or more of the criteria referenced in §170.405(a) based on newer versions of standards included in the criteria which have been approved by the National Coordinator for use in certification.

(f) [Reserved]

(g) Health IT module dependent criteria. When certifying a Health IT Module to the 2015 Edition health IT certification criteria, an ONC-ACB must certify the Health IT Module in accordance with the certification criteria at:

(1) Section 170.315(g)(3) if the Health IT Module is presented for certification to one or more listed certification criteria in §170.315(g)(3);

(2) Section 170.315(g)(4);

(3) Section 170.315(g)(5); and

(4) Section 170.315(g)(6) if the Health IT Module is presented for certification with C-CDA creation capabilities within its scope. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, §170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, §170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each so long as all applicable C-CDA document templates have been evaluated as part of §170.315(g)(6) for the scope of the certification sought.

(5) Section 170.315(b)(10) when a health IT developer presents a Health IT Module for certification that can store electronic health information at the time of certification by the product, of which the Health IT Module is a part.

(h) Privacy and security certification framework

(1) General rule. When certifying a Health IT Module to the 2015 Edition health IT certification criteria, an ONC-ACB can only issue a certification to a Health IT Module if the privacy and security certification criteria in paragraphs (h)(3)(i) through (ix) of this section have also been met (and are included within the scope of the certification).

(2) Testing. In order to be issued a certification, a Health IT Module would only need to be tested once to each applicable privacy and security criterion in paragraphs (h)(3)(i) through (ix) of this section so long as the health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification, except for the following:

(i) A Health IT Module presented for certification to §170.315(e)(1) must be separately tested to §170.315(d)(9); and

(ii) A Health IT Module presented for certification to §170.315(e)(2) must be separately tested to §170.315(d)(9).

(3) Applicability.

(i) Section 170.315(a)(1) through (3), (5), (12), (14), and (15) are also certified to the certification criteria specified in §170.315(d)(1) through (7), (d)(12), and (13).

(ii) Section 170.315(a)(4), (9), (10), and (13) are also certified to the certification criteria specified in §170.315(d)(1) through (3), and (d)(5) through (7), (d)(12), and (13).

(iii) Section 170.315(b)(1) through (3) and (6) through (9) are also certified to the certification criteria specified in §170.315(d)(1) through (3) and (d)(5) through (8), (12), and (13);

(iv) Section 170.315(c) is also certified to the certification criteria specified in §170.315(d)(1), (d)(2)(i)(A), (B), (d)(2)(ii) through (v), (d)(3), (5), (12), and (13);

(v) Section 170.315(e)(1) is also certified to the certification criteria specified in §170.315(d)(1) through (3), (5), (7), (9), (12), and (13);

(vi) Section 170.315(e)(2) and (3) is also certified to the certification criteria specified in §170.315(d)(1), (d)(2)(i)(A) and (B), (d)(2)(ii) through (v), (d)(3), (5), (9), (12), and (13);

(vii) Section 170.315(f) is also certified to the certification criteria specified in §170.315(d)(1) through (3), (7), (12), and (13);

(viii) Section 170.315(g)(7) through (10) is also certified to the certification criteria specified in §170.315(d)(1), (9), (12), and (13); and (d)(2)(i)(A) and (B), (d)(2)(ii) through (v), or (d)(10);

(ix) Section 170.315(h) is also certified to the certification criteria specified in §170.315(d)(1), (d)(2)(i)(A) and (B), (d)(2)(ii) through (v), (d)(3), (12), and (13); and

(i) [Reserved]

(j) Direct Project transport method. An ONC-ACB can only issue a certification to a Health IT Module for §170.315(h)(1) if the Health IT Module's certification also includes §170.315(b)(1).

(k) Inherited certified status. An ONC-ACB must accept requests for a newer version of a previously certified Health IT Module(s) to inherit the certified status of the previously certified Health IT Module(s) without requiring the newer version to be recertified.

(1) Before granting certified status to a newer version of a previously certified Health IT Module(s), an ONC-ACB must review an attestation submitted by the developer(s) of the Health IT Module(s) to determine whether any change in the newer version has adversely affected the Health IT Module(s)' capabilities for which certification criteria have been adopted.

(2) An ONC-ACB may grant certified status to a newer version of a previously certified Health IT Module(s) if it determines that the capabilities for which certification criteria have been adopted have not been adversely affected.

(l) Conditions of certification attestations. Ensure that the health IT developer of the Health IT Module has met its responsibilities under subpart D of this part.

(m) Time-limited certification and certification status for certain 2015 Edition certification criteria. An ONC-ACB may only issue a certification to a Health IT Module and permit continued certified status for:

(1) Section 170.315(a)(10) and (13) and §170.315(e)(2) for the period before January 1, 2022.

(2) Section 170.315(b)(6) for the period before December 31, 2023.

(3) Section 170.315(g)(8) for the period before December 31, 2022.

[76 FR 1325, Dec. 7, 2011, as amended at 77 FR 54291, Sept. 4, 2012; 79 FR 54480, Sept. 11, 2014; 80 FR 62757, Oct. 16, 2015; 85 FR 25952, May 1, 2020; 85 FR 70085, Nov. 4, 2020]


Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.