45 CFR 170.523 - Principles of proper conduct for ONC-ACBs.

§ 170.523 Principles of proper conduct for ONC-ACBs.

An ONC-ACB shall:

(a) Maintain its accreditation, or if a new ONC-AA is approved by the National Coordinator, obtain accreditation from the new ONC-AA within 12 months or a reasonable period specified by the National Coordinator and maintain such accreditation;

(b) Attend all mandatory ONC training and program update sessions;

(c) Maintain a training program that includes documented procedures and training requirements to ensure its personnel are competent to certify health IT;

(d) Report to ONC within 15 days any changes that materially affect its:

(1) Legal, commercial, organizational, or ownership status;

(2) Organization and management including key certification personnel;

(3) Policies or procedures;

(4) Location;

(5) Personnel, facilities, working environment or other resources;

(6) ONC authorized representative (point of contact); or

(7) Other such matters that may otherwise materially affect its ability to certify health IT.

(e) Allow ONC, or its authorized agent(s), to periodically observe on site (unannounced or scheduled), during normal business hours, any certifications performed to demonstrate compliance with the requirements of the ONC Health IT Certification Program;

(f) Provide ONC, no less frequently than weekly, a current list of Health IT Modules, Complete EHRs, and/or EHR Modules that have been certified that includes, at a minimum:

(1) For the 2015 Edition health IT certification criteria and subsequent editions of health IT certification criteria:

(i) The Health IT Module developer name; product name; product version; developer Web site, physical address, email, phone number, and contact name;

(ii) The ONC-ACB Web site, physical address, email, phone number, and contact name, contact function/title;

(iii) The ATL Web site, physical address, email, phone number, and contact name, contact function/title;

(iv) Location and means by which the testing was conducted (e.g., remotely with health IT developer at its headquarters location);

(v) The date(s) the Health IT Module was tested;

(vi) The date the Health IT Module was certified;

(vii) The unique certification number or other specific product identification;

(viii) The certification criterion or criteria to which the Health IT Module has been certified, including the test procedure and test data versions used, test tool version used, and whether any test data was altered (i.e., a yes/no) and for what purpose;

(ix) The way in which each privacy and security criterion was addressed for the purposes of certification;

(x) The standard or mapping used to meet the quality management system certification criterion;

(xi) The standard(s) or lack thereof used to meet the accessibility-centered design certification criterion;

(xii) Where applicable, the hyperlink to access an application programming interface (API)'s documentation and terms of use;

(xiii) Where applicable, which certification criteria were gap certified;

(xiv) Where applicable, if a certification issued was a result of an inherited certified status request;

(xv) Where applicable, the clinical quality measures to which the Health IT Module has been certified;

(xvi) Where applicable, any additional software a Health IT Module relied upon to demonstrate its compliance with a certification criterion or criteria adopted by the Secretary;

(xvii) Where applicable, the standard(s) used to meet a certification criterion where more than one is permitted;

(xviii) Where applicable, any optional capabilities within a certification criterion to which the Health IT Module was tested and certified;

(xix) Where applicable, and for each applicable certification criterion, all of the information required to be submitted by Health IT Module developers to meet the safety-enhanced design certification criterion. Each user-centered design element required to be reported must be at a granular level (e.g., task success/failure));

(xx) A hyperlink to the disclosures required by § 170.523(k)(1) for the Health IT Module;

(xxi) The attestation required by § 170.523(k)(2);

(xxii) When applicable, for each instance in which a Health IT Module failed to conform to its certification and for which corrective action was instituted under § 170.556 (provided no provider or practice site is identified):

(A) The specific certification requirements to which the technology failed to conform, as determined by the ONC-ACB;

(B) A summary of the deficiency or deficiencies identified by the ONC-ACB as the basis for its determination of non-conformity;

(C) When available, the health IT developer's explanation of the deficiency or deficiencies;

(D) The dates surveillance was initiated and completed;

(E) The results of randomized surveillance, including pass rate for each criterion in instances where the Health IT Module is evaluated at more than one location;

(F) The number of sites that were used in randomized surveillance;

(G) The date of the ONC-ACB's determination of non-conformity;

(H) The date on which the ONC-ACB approved a corrective action plan;

(I) The date corrective action began (effective date of approved corrective action plan);

(J) The date by which corrective action must be completed (as specified by the approved corrective action plan);

(K) The date corrective action was completed; and

(L) A description of the resolution of the non-conformity or non-conformities.

(2) For the 2014 Edition EHR certification criteria:

(i) The Complete EHR or EHR Module developer name (if applicable);

(ii) The date certified;

(iii) The product version;

(iv) The unique certification number or other specific product identification;

(v) The clinical quality measures to which a Complete EHR or EHR Module has been certified;

(vi) Where applicable, any additional software a Complete EHR or EHR Module relied upon to demonstrate its compliance with a certification criterion or criteria adopted by the Secretary;

(vii) Where applicable, the certification criterion or criteria to which each EHR Module has been certified; and

(viii) A hyperlink to the test results used to certify the Complete EHRs and/or EHR Modules that can be accessed by the public.

(ix) A hyperlink to the disclosures required by § 170.523(k)(1) for the Complete EHRs and/or EHR Modules; and

(x) The attestation required by § 170.523(k)(2); and

(xi) When applicable, for each instance in which a Complete EHR or EHR Module failed to conform to its certification and for which corrective action was instituted under § 170.556 (provided no provider or practice site is identified):

(A) The specific certification requirements to which the technology failed to conform, as determined by the ONC-ACB;

(B) A summary of the deficiency or deficiencies identified by the ONC-ACB as the basis for its determination of non-conformity;

(C) When available, the health IT developer's explanation of the deficiency or deficiencies;

(D) The dates surveillance was initiated and completed;

(E) The results of randomized surveillance, including pass rate for each criterion in instances where the Complete EHR or EHR Module is evaluated at more than one location;

(F) The number of sites that were used in randomized surveillance;

(G) The date of the ONC-ACB's determination of non-conformity;

(H) The date on which the ONC-ACB approved a corrective action plan;

(I) The date corrective action began (effective date of approved corrective action plan);

(J) The date by which corrective action must be completed (as specified by the approved corrective action plan);

(K) The date corrective action was completed; and

(L) A description of the resolution of the non-conformity or non-conformities.

(g) Records retention.

(1) Retain all records related to the certification of Complete EHRs and Health IT Modules to an edition of certification criteria for a minimum of 3 years from the effective date that removes the applicable edition from the Code of Federal Regulations; and

(2) Make the records available to HHS upon request during the retention period described in paragraph (g)(1) of this section;

(h) Only certify health IT, including Complete EHRs and/or Health IT Module(s), that has been tested, using test tools and test procedures approved by the National Coordinator, by a/an:

(1) NVLAP-accredited testing laboratory; or

(2) ONC-ATCB when:

(i) Certifying previously certified Health IT Module(s) if the certification criterion or criteria to which the Health IT Module(s) was previously certified have not been revised and no new certification criteria are applicable to the Health IT Module(s); or

(ii) Performing gap certification.

(i) Surveillance plan. Submit an annual surveillance plan to the National Coordinator and, in accordance with its surveillance plan, its accreditation, and § 170.556:

(1) Conduct surveillance of certified Complete EHRs and Health IT Modules; and

(2) Report, at a minimum, on a quarterly basis to the National Coordinator the results of its surveillance.

(j) Promptly refund any and all fees received for:

(1) Requests for certification that are withdrawn while its operations are suspended by the National Coordinator;

(2) Certifications that will not be completed as a result of its conduct; and

(3) Previous certifications that it performed if its conduct necessitates the recertification of Complete EHRs and/or Health IT Module(s);

(k) Ensure adherence to the following requirements when issuing any certification and during surveillance of Complete EHRs and Health IT Modules the ONC-ACB has certified.

(1) Mandatory disclosures. A Health IT developer must conspicuously include the following on its Web site and in all marketing materials, communications statements, and other assertions related to the Complete EHR or Health IT Module's certification:

(i) The disclaimer “This [Complete EHR or Health IT Module] is [specify Edition of EHR certification criteria] compliant and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.”

(ii) The following information an ONC-ACB is required to report to the National Coordinator:

(A) For a Health IT Module certified to 2015 Edition health IT certification criteria, the information specified by paragraphs (f)(1)(i), (vi), (vii), (viii), (xv), and (xvi) of this section as applicable for the specific Health IT Module.

(B) For a Complete EHR or EHR Module certified to 2014 Edition health IT certification criteria, the information specified by paragraphs (f)(2)(i) through (vii) of this section as applicable for the specific Complete EHR or EHR Module.

(iii) In plain language, a detailed description of all known material information concerning:

(A) Additional types of costs that a user may be required to pay to implement or use the Complete EHR or Health IT Module's capabilities, whether to meet meaningful use objectives and measures or to achieve any other use within the scope of the health IT's certification.

(B) Limitations that a user may encounter in the course of implementing and using the Complete EHR or Health IT Module's capabilities, whether to meet meaningful use objectives and measures or to achieve any other use within the scope of the health IT's certification.

(iv) The types of information required to be disclosed under paragraph (k)(iii) of this section include but are not limited to:

(A) Additional types of costs or fees (whether fixed, recurring, transaction-based, or otherwise) imposed by a health IT developer (or any third-party from whom the developer purchases, licenses, or obtains any technology, products, or services in connection with its certified health IT) to purchase, license, implement, maintain, upgrade, use, or otherwise enable and support the use of capabilities to which health IT is certified; or in connection with any data generated in the course of using any capability to which health IT is certified.

(B) Limitations, whether by contract or otherwise, on the use of any capability to which technology is certified for any purpose within the scope of the technology's certification; or in connection with any data generated in the course of using any capability to which health IT is certified.

(C) Limitations, including but not limited to technical or practical limitations of technology or its capabilities, that could prevent or impair the successful implementation, configuration, customization, maintenance, support, or use of any capabilities to which technology is certified; or that could prevent or limit the use, exchange, or portability of any data generated in the course of using any capability to which technology is certified.

(v) Health IT self-developers are excluded from the requirements of paragraph (k)(1)(iii) of this section.

(2) Transparency attestation. As a condition of a Complete EHR or Health IT Module's certification to any certification criterion, a health IT developer must make one of the following attestations:

(i) An attestation that it will voluntarily and timely provide, in plain writing and in a manner calculated to inform, any part (including all of) the information required to be disclosed under paragraph (k)(1) of this section,

(A) to all customers, prior to providing or entering into any agreement to provide any certified health IT or related product or service (including subsequent updates, add-ons, or additional products or services during the course of an on-going agreement);

(B) to any person who requests or receives a quotation, estimate, description of services, or other assertion or information from the developer in connection with any certified health IT or any capabilities thereof; and

(C) to any person, upon request.

(ii) An attestation by the developer that it has been asked to make the voluntary transparency attestation described by paragraph (k)(2)(i) of this section and has elected not to make such attestation.

(3) A certification issued to a pre-coordinated, integrated bundle of Health IT Modules shall be treated the same as a certification issued to a Complete EHR for the purposes of paragraph (k)(1) of this section, except that the certification must also indicate each Health IT Module that is included in the bundle; and

(4) A certification issued to a Complete EHR or Health IT Module based solely on the applicable certification criteria adopted by the Secretary at subpart C of this part must be separate and distinct from any other certification(s) based on other criteria or requirements.

(l) Display the ONC Certified health IT Certification and Design Mark on all certifications issued under the ONC Health IT Certification Program in a manner that complies with the Criteria and Terms of Use for the ONC Certified health IT Certification and Design Mark, and ensure that use of the mark by health IT developers whose products are certified under the ONC Health IT Certification Program is compliant with the Criteria and Terms of Use for the ONC Certified health IT Certification and Design Mark.

(m) Adaptations and updates. On a quarterly basis each calendar year, obtain a record of:

(1) All adaptations of certified Complete EHRs and certified Health IT Modules; and

(2) All updates made to certified Complete EHRs and certified Health IT Modules affecting the capabilities in certification criteria to which the “safety-enhanced design” criteria apply.

(n) Complaints reporting. Submit a list of complaints received to the National Coordinator on a quarterly basis each calendar year that includes the number of complaints received, the nature/substance of each complaint, and the type of complainant for each complaint.

[76 FR 1325, Dec. 7, 2011, as amended at 76 FR 72642, Nov. 25, 2011; 77 FR 54291, Sept. 4, 2012; 79 FR 54479, Sept. 11, 2014; 80 FR 62755, Oct. 16, 2015; 80 FR 76872, Dec. 11, 2015]

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


United States Code
U.S. Code: Title 5 - GOVERNMENT ORGANIZATION AND EMPLOYEES
U.S. Code: Title 42 - THE PUBLIC HEALTH AND WELFARE

Title 45 published on 2015-10-01

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR Part 170 after this date.

  • 2015-10-16; vol. 80 # 200 - Friday, October 16, 2015
    1. 80 FR 62602 - 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Final rule.
      These regulations are effective January 14, 2016, except for § 170.523(m) and (n), which are effective on April 1, 2016. The incorporation by reference of certain publications listed in the rule is approved by the Director of the Federal Register as of January 14, 2016.
      45 CFR Part 170