45 CFR 170.523 - Principles of proper conduct for ONC-ACBs.
An ONC-ACB shall:
(a) Maintain its accreditation, or if a new ONC-AA is approved by the National Coordinator, obtain accreditation from the new ONC-AA within 12 months or a reasonable period specified by the National Coordinator and maintain such accreditation;
(b) Attend all mandatory ONC training and program update sessions;
(c) Maintain a training program that includes documented procedures and training requirements to ensure its personnel are competent to certify HIT;
(d) Report to ONC within 15 days any changes that materially affect its:
(1) Legal, commercial, organizational, or ownership status;
(2) Organization and management including key certification personnel;
(3) Policies or procedures;
(5) Personnel, facilities, working environment or other resources;
(6) ONC authorized representative (point of contact); or
(7) Other such matters that may otherwise materially affect its ability to certify HIT.
(e) Allow ONC, or its authorized agent(s), to periodically observe on site (unannounced or scheduled), during normal business hours, any certifications performed to demonstrate compliance with the requirements of the ONC HIT Certification Program;
(f) Provide ONC, no less frequently than weekly, a current list of Complete EHRs and/or EHR Modules that have been certified, which includes, at a minimum:
(1) The Complete EHR or EHR Module developer name (if applicable);
(2) The date certified;
(3) The product version;
(4) The unique certification number or other specific product identification;
(5) The clinical quality measures to which a Complete EHR or EHR Module has been certified;
(6) Where applicable, any additional software a Complete EHR or EHR Module relied upon to demonstrate its compliance with a certification criterion or criteria adopted by the Secretary; and
(7) Where applicable, the certification criterion or criteria to which each EHR Module has been certified.
(8) A hyperlink to the test results used to certify the Complete EHRs and/or EHR Modules that can be accessed by the public.
(g) Retain all records related to the certification of Complete EHRs and/or EHR Module(s) for a minimum of 5 years;
(h) Only certify HIT, including Complete EHRs and/or EHR Module(s), that has been tested, using test tools and test procedures approved by the National Coordinator, by a/an:
(1) NVLAP-accredited testing laboratory; or
(2) ONC-ATCB when:
(i) Certifying previously certified EHR Module(s) if the certification criterion or criteria to which the EHR Module(s) was previously certified have not been revised and no new certification criteria are applicable to the EHR Module(s); or
(ii) Performing gap certification.
(i) Submit an annual surveillance plan to the National Coordinator and annually report to the National Coordinator its surveillance results; and
(j) Promptly refund any and all fees received for:
(1) Requests for certification that are withdrawn while its operations are suspended by the National Coordinator;
(2) Certifications that will not be completed as a result of its conduct; and
(3) Previous certifications that it performed if its conduct necessitates the recertification of Complete EHRs and/or EHR Module(s);
(k) Ensure adherence to the following requirements when issuing a certification to a Complete EHR and/or EHR Module(s):
(1) A Complete EHR or EHR Module developer must conspicuously include the following on its Web site and in all marketing materials, communications statements, and other assertions related to the Complete EHR or EHR Module's certification:
(i) “This [Complete EHR or EHR Module] is [specify Edition of EHR certification criteria] compliant and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services”;
(ii) The information an ONC-ACB is required to report to the National Coordinator under paragraph (f) of this section for the specific Complete EHR or EHR Module at issue; and
(iii) Any additional types of costs that an EP, EH, or CAH would pay to implement the Complete EHR's or EHR Module's capabilities in order to attempt to meet meaningful use objectives and measures. EHR technology self-developers are excluded from this requirement.
(2) A certification issued to a pre-coordinated, integrated bundle of EHR Modules shall be treated the same as a certification issued to a Complete EHR for the purposes of paragraph (k)(1) of this section, except that the certification must also indicate each EHR Module that is included in the bundle; and
(3) A certification issued to a Complete EHR or EHR Module based solely on the applicable certification criteria adopted by the Secretary at subpart C of this part must be separate and distinct from any other certification(s) based on other criteria or requirements.
Title 45 published on 2014-10-01
The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR Part 170 after this date.