45 CFR 170.550 - EHR Module certification.

Beta! The text on the eCFR tab represents the unofficial eCFR text at ecfr.gov.
§ 170.550 Health IT Module certification.

(a) When certifying Health IT Module(s), an ONC-ACB must certify in accordance with the applicable certification criteria adopted by the Secretary at subpart C of this part.

(b) An ONC-ACB must provide the option for an Health IT Module(s) to be certified solely to the applicable certification criteria adopted by the Secretary at subpart C of this part.

(c) Gap certification. An ONC-ACB may provide the option for and perform gap certification of previously certified Health IT Module(s).

(d) An ONC-ACB may provide an updated certification to a previously certified Health IT Module(s).

(e) [Reserved]

(f) When certifying an Health IT Module to the 2014 Edition EHR certification criteria, an ONC-ACB must certify the Health IT Module in accordance with the certification criteria at:

(1) Section 170.314(g)(1) or (2) if the Health IT Module has capabilities presented for certification that would support a meaningful use objective with a percentage-based measure;

(2) Section 170.314(g)(3) if the Health IT Module is presented for certification to one or more listed certification criteria in § 170.314(g)(3); and

(3) Section 170.314(g)(4).

(g) When certifying a Health IT Module to the 2015 Edition health IT certification criteria, an ONC-ACB must certify the Health IT Module in accordance with the certification criteria at:

(1) Section 170.315(g)(3) if the Health IT Module is presented for certification to one or more listed certification criteria in § 170.315(g)(3);

(2) Section 170.315(g)(4);

(3) Section 170.315(g)(5); and

(4) Section 170.315(g)(6) if the Health IT Module is presented for certification with C-CDA creation capabilities within its scope. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, § 170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, § 170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each so long as all applicable C-CDA document templates have been evaluated as part of § 170.315(g)(6) for the scope of the certification sought.

(h) Privacy and security certification framework -

(1) General rule. When certifying a Health IT Module to the 2015 Edition health IT certification criteria, an ONC-ACB can only issue a certification to a Health IT Module if the privacy and security certification criteria in paragraphs (h)(3)(i) through (viii) of this section have also been met (and are included within the scope of the certification).

(2) In order to be issued a certification, a Health IT Module would only need to be tested once to each applicable privacy and security criterion in paragraphs (h)(3)(i) through (viii) of this section so long as the health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification, except for the following:

(i) A Health IT Module presented for certification to § 170.315(e)(1) must be separately tested to § 170.315(d)(9); and

(ii) A Health IT Module presented for certification to § 170.315(e)(2) must be separately tested to § 170.315(d)(9).

(3) Applicability.

(i) Section 170.315(a) is also certified to the certification criteria specified in § 170.315(d)(1) through (7);

(ii) Section 170.315(b) is also certified to the certification criteria specified in § 170.315(d)(1) through (3) and (d)(5) through (8);

(iii) Section 170.315(c) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), and (5);

(iv) Section 170.315(e)(1) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), (5), (7), and (9);

(v) Section 170.315(e)(2) and (3) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), (5), and (9);

(vi) Section 170.315(f) is also certified to the certification criteria specified in § 170.315(d)(1) through (3) and (7);

(vii) Section 170.315(g)(7), (8) and (9) is also certified to the certification criteria specified in § 170.315(d)(1) and (9); and (d)(2) or (10);

(viii) Section 170.315(h) is also certified to the certification criteria specified in § 170.315(d)(1) through (3); and

(4) Methods to demonstrate compliance with each privacy and security criterion. One of the following methods must be used to meet each applicable privacy and security criterion listed in paragraph (h)(3) of this section:

(i) Directly, by demonstrating a technical capability to satisfy the applicable certification criterion or certification criteria; or

(ii) Demonstrate, through system documentation sufficiently detailed to enable integration, that the Health IT Module has implemented service interfaces for each applicable privacy and security certification criterion that enable the Health IT Module to access external services necessary to meet the privacy and security certification criterion.

(i) [Reserved]

(j) Direct Project transport method. An ONC-ACB can only issue a certification to a Health IT Module for § 170.315(h)(1) if the Health IT Module's certification also includes § 170.315(b)(1).

(k) Inherited certified status. An ONC-ACB must accept requests for a newer version of a previously certified Health IT Module(s) to inherit the certified status of the previously certified Health IT Module(s) without requiring the newer version to be recertified.

(1) Before granting certified status to a newer version of a previously certified Health IT Module(s), an ONC-ACB must review an attestation submitted by the developer(s) of the Health IT Module(s) to determine whether any change in the newer version has adversely affected the Health IT Module(s)' capabilities for which certification criteria have been adopted.

(2) An ONC-ACB may grant certified status to a newer version of a previously certified Health IT Module(s) if it determines that the capabilities for which certification criteria have been adopted have not been adversely affected.

[76 FR 1325, Dec. 7, 2011, as amended at 77 FR 54291, Sept. 4, 2012; 79 FR 54480, Sept. 11, 2014; 80 FR 62757, Oct. 16, 2015]

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


United States Code
U.S. Code: Title 5 - GOVERNMENT ORGANIZATION AND EMPLOYEES
U.S. Code: Title 42 - THE PUBLIC HEALTH AND WELFARE

Title 45 published on 2015-10-01

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR Part 170 after this date.

  • 2015-10-16; vol. 80 # 200 - Friday, October 16, 2015
    1. 80 FR 62602 - 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications
      GPO FDSys XML | Text
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Final rule.
      These regulations are effective January 14, 2016, except for § 170.523(m) and (n), which are effective on April 1, 2016. The incorporation by reference of certain publications listed in the rule is approved by the Director of the Federal Register as of January 14, 2016.
      45 CFR Part 170