
§ 170.500 - Basis and scope.

This subpart implements section 3001(c)(5) of the Public Health Service Act and sets forth the rules and procedures related to the ONC Health IT Certification Program for health information technology (health IT) administered by the National Coordinator for Health Information Technology.

[76 FR 1325, Dec. 7, 2011, as amended at 77 FR 54291, Sept. 4, 2012]

§ 170.501 - Applicability.

(a) This subpart establishes the processes that applicants for ONC-ACB status must follow to be granted ONC-ACB status by the National Coordinator; the processes the National Coordinator will follow when assessing applicants and granting ONC-ACB status; the requirements that ONC-ACBs must follow to maintain ONC-ACB status; and the requirements of ONC-ACBs for certifying Health IT Module(s), and other types of health IT in accordance with the applicable certification criteria adopted by the Secretary in subpart C of this part.

(b) This subpart establishes the processes that applicants for ONC-ATL status must follow to be granted ONC-ATL status by the National Coordinator; the processes the National Coordinator will follow when assessing applicants and granting ONC-ATL status; the requirements that ONC-ATLs must follow to maintain ONC-ATL status; and the requirements of ONC-ATLs for testing Health IT Modules in accordance with the applicable certification criteria adopted by the Secretary in subpart C of this part.

(c) [Reserved]

(d) This subpart establishes the processes the National Coordinator will follow when exercising direct review of certified health IT and related requirements for ONC-ACBs, ONC-ATLs, and developers of health IT certified under the ONC Health IT Certification Program.

[81 FR 72464, Oct. 19, 2016, as amended at 85 FR 25950, May 1, 2020]

§ 170.502 - Definitions.

For the purposes of this subpart:

Applicant means a single organization or a consortium of organizations that seeks to become an ONC-ACB or ONC-ATL by submitting an application to the National Coordinator for such status.

Deployment site means the physical location where a Health IT Module(s) or other type of health IT resides or is being or has been implemented.

Development site means the physical location where a Health IT Module(s) or other type of health IT was developed.

Gap certification means the certification of a previously certified Health IT Module(s) to:

(1) All applicable new and/or revised certification criteria adopted by the Secretary at subpart C of this part based on test results issued by a NVLAP-accredited testing laboratory under the ONC Health IT Certification Program or an ONC-ATL; and

(2) All other applicable certification criteria adopted by the Secretary at subpart C of this part based on the test results used to previously certify the Complete EHR or Health IT Module(s) under the ONC Health IT Certification Program.

ONC-Authorized Certification Body or ONC-ACB means an organization or a consortium of organizations that has applied to and been authorized by the National Coordinator pursuant to this subpart to perform the certification of Health IT Module(s), and/or other types of health IT under the ONC Health IT Certification Program.

ONC-Authorized Testing Lab or ONC-ATL means an organization or a consortium of organizations that has applied to and been authorized by the National Coordinator pursuant to this subpart to perform the testing of Health IT Modules to certification criteria adopted by the Secretary at subpart C of this part.

Providing or provide an updated certification means the action taken by an ONC-ACB to ensure that the developer of a previously certified Health IT Module(s) shall update the information required by § 170.523(k)(1)(i), after the ONC-ACB has verified that the certification criterion or criteria to which the Health IT Module(s) was previously certified have not been revised and that no new certification criteria are applicable to the Health IT Module(s).

Remote certification means the use of methods, including the use of web-based tools or secured electronic transmissions, that do not require an ONC-ACB to be physically present at the development or deployment site to conduct certification.

[76 FR 1325, Dec. 7, 2011, as amended at 77 FR 54291, Sept. 4, 2012; 81 FR 72464, Oct. 19, 2016; 85 FR 25950, May 1, 2020]

§§ 170.503-170.504 - [Reserved]

§ 170.505 - Correspondence.

(a) Correspondence and communication with ONC or the National Coordinator shall be conducted by email, unless otherwise necessary or specified.

(1) Consideration for providing notice beyond email, such as by regular, express, or certified mail, will be based on, but not limited to, whether: The party requests use of correspondence beyond email; the party has responded via email to our communications; we have sufficient information from the party to ensure appropriate delivery of any other method of notice; and the matter involves an alleged violation within ONC's purview under § 170.580 that indicates a serious violation under the ONC Health IT Certification Program with potential consequences of suspension, certification termination, or a certification ban.

(2) The official date of receipt of any email between ONC or the National Coordinator and an applicant for ONC-ACB status, an applicant for ONC-ATL status, an ONC-ACB, an ONC-ATL, health IT developer, or a party to any proceeding under this subpart is the date on which the email was sent.

(b) In circumstances where it is necessary for an applicant for ONC-ACB status, an applicant for ONC-ATL status, an ONC-ACB, an ONC-ATL, health IT developer, or a party to any proceeding under this subpart to correspond or communicate with ONC or the National Coordinator by regular, express, or certified mail, the official date of receipt for all parties will be the date of the delivery confirmation to the address on record.

[85 FR 25950, May 1, 2020]

§ 170.510 - Authorization scope for ONC-ACB status.

Applicants for ONC-ACB status may seek authorization from the National Coordinator to perform the following types of certification:

(a) Health IT Module certification; and/or

(b) Certification of other types of health IT for which the Secretary has adopted certification criteria under subpart C of this part.

[76 FR 1325, Dec. 7, 2011, as amended at 81 FR 72464, Oct. 19, 2016; 85 FR 25950, May 1, 2020]

§ 170.511 - Authorization scope for ONC-ATL status.

Applicants may seek authorization from the National Coordinator to perform the testing of Complete EHRs or Health IT Modules to a portion of a certification criterion, one certification criterion, or many or all certification criteria adopted by the Secretary under subpart C of this part.

[81 FR 72464, Oct. 19, 2016]

§ 170.520 - Application.

(a) ONC-ACB application. Applicants must include the following information in an application for ONC-ACB status and submit it to the National Coordinator for the application to be considered complete.

(1) The type of authorization sought pursuant to § 170.510. For authorization to perform Health IT Module certification, applicants must indicate the specific type(s) of Health IT Module(s) they seek authorization to certify. If qualified, applicants will only be granted authorization to certify the type(s) of Health IT Module(s) for which they seek authorization.

(2) General identifying information, including:

(i) Name, address, city, state, zip code, and Web site of applicant; and

(ii) Designation of an authorized representative, including name, title, phone number, and email address of the person who will serve as the applicant's point of contact.

(3) Documentation that confirms that the applicant has been accredited to ISO/IEC 17065 (for availability, see § 170.599), with an appropriate scope, by any accreditation body that is a signatory to the Multilateral Recognition Arrangement (MLA) with the International Accreditation Forum (IAF).

(4) An agreement, properly executed by the applicant's authorized representative, that it will adhere to the Principles of Proper Conduct for ONC-ACBs.

(b) ONC-ATL application. Applicants must include the following information in an application for ONC-ATL status and submit it to the National Coordinator for the application to be considered complete.

(1) The authorization scope sought pursuant to § 170.511.

(2) General identifying information, including:

(i) Name, address, city, state, zip code, and Web site of applicant; and

(ii) Designation of an authorized representative, including name, title, phone number, and email address of the person who will serve as the applicant's point of contact.

(3) Documentation that confirms that the applicant has been accredited by NVLAP to the ONC Health IT Certification Program, including to ISO/IEC 17025 (incorporated by reference, see § 170.599).

(4) An agreement, properly executed by the applicant's authorized representative, that it will adhere to the Principles of Proper Conduct for ONC-ATLs.

[81 FR 72464, Oct. 19, 2016, as amended at 85 FR 25950, May 1, 2020]

§ 170.523 - Principles of proper conduct for ONC-ACBs.

An ONC-ACB shall:

(a) Accreditation. Maintain its accreditation in good standing to ISO/IEC 17065 (incorporated by reference in § 170.599).

(b) Mandatory training. Attend all mandatory ONC training and program update sessions;

(c) Training program. Maintain a training program that includes documented procedures and training requirements to ensure its personnel are competent to certify health IT;

(d) Reporting. Report to ONC within 15 days any changes that materially affect its:

(1) Legal, commercial, organizational, or ownership status;

(2) Organization and management including key certification personnel;

(3) Policies or procedures;

(4) Location;

(5) Personnel, facilities, working environment or other resources;

(6) ONC authorized representative (point of contact); or

(7) Other such matters that may otherwise materially affect its ability to certify health IT.

(e) Onsite observation. Allow ONC, or its authorized agent(s), to periodically observe on site (unannounced or scheduled), during normal business hours, any certifications performed to demonstrate compliance with the requirements of the ONC Health IT Certification Program;

(f) Certified product listing. Provide ONC, no less frequently than weekly, a current list of Health IT Modules, and/or EHR Modules that have been certified that includes, at a minimum:

(1) For the ONC Certification Criteria for Health IT:

(i) The Health IT Module developer name; product name; product version; developer Web site, physical address, email, phone number, and contact name;

(ii) The ONC-ACB Web site, physical address, email, phone number, and contact name, contact function/title;

(iii) The ATL Web site, physical address, email, phone number, and contact name, contact function/title;

(iv) Location and means by which the testing was conducted (e.g., remotely with health IT developer at its headquarters location);

(v) The date(s) the Health IT Module was tested;

(vi) The date the Health IT Module was certified;

(vii) The unique certification number or other specific product identification;

(viii) The certification criterion or criteria to which the Health IT Module has been certified, including the test procedure and test data versions used, test tool version used, and whether any test data was altered (i.e., a yes/no) and for what purpose;

(ix) The way in which each privacy and security criterion was addressed for the purposes of certification;

(x) The standard or mapping used to meet the quality management system certification criterion;

(xi) The standard(s) or lack thereof used to meet the accessibility-centered design certification criterion;

(xii) Where applicable, the hyperlink to access an application programming interface (API)'s documentation and terms of use;

(xiii) Where applicable, which certification criteria were gap certified;

(xiv) Where applicable, if a certification issued was a result of an inherited certified status request;

(xv) Where applicable, the clinical quality measures to which the Health IT Module has been certified;

(xvi) Where applicable, any additional software a Health IT Module relied upon to demonstrate its compliance with a certification criterion or criteria adopted by the Secretary;

(xvii) Where applicable, the standard(s) used to meet a certification criterion where more than one is permitted;

(xviii) Where applicable, any optional capabilities within a certification criterion to which the Health IT Module was tested and certified;

(xix) Where applicable, and for each applicable certification criterion, all of the information required to be submitted by Health IT Module developers to meet the safety-enhanced design certification criterion. Each user-centered design element required to be reported must be at a granular level (e.g., task success/failure);

(xx) A hyperlink to the disclosures required by § 170.523(k)(1) for the Health IT Module;

(xxi) Where applicable, summary information of the intervention risk management practices listed in § 170.315(b)(11)(vi) is submitted by the health IT developer via publicly accessible hyperlink that allows any person to access the summary information directly without any preconditions or additional steps.

(xxii) When applicable, for each instance in which a Health IT Module failed to conform to its certification and for which corrective action was instituted under § 170.556 (provided no provider or practice site is identified):

(A) The specific certification requirements to which the technology failed to conform, as determined by the ONC-ACB;

(B) A summary of the deficiency or deficiencies identified by the ONC-ACB as the basis for its determination of non-conformity;

(C) When available, the health IT developer's explanation of the deficiency or deficiencies;

(D) The dates surveillance was initiated and completed;

(E) The results of randomized surveillance, including pass rate for each criterion in instances where the Health IT Module is evaluated at more than one location;

(F) The number of sites that were used in randomized surveillance;

(G) The date of the ONC-ACB's determination of non-conformity;

(H) The date on which the ONC-ACB approved a corrective action plan;

(I) The date corrective action began (effective date of approved corrective action plan);

(J) The date by which corrective action must be completed (as specified by the approved corrective action plan);

(K) The date corrective action was completed; and

(L) A description of the resolution of the non-conformity or non-conformities.

(2) [Reserved]

(g) Records retention. (1) Retain all records related to the certification of Health IT Modules to the ONC Certification Criteria for Health IT beginning with the codification of those certification criteria in the Code of Federal Regulations through a minimum of 3 years after the end of calendar year that included the effective date of the removal of those certification criteria from the Code of Federal Regulations; and

(2) Make the records available to HHS upon request during the retention period described in paragraph (g)(1) of this section;

(h) Certification decision. Only certify Health IT Modules that have been:

(1) Tested, using test tools and test procedures approved by the National Coordinator, by an:

(i) ONC-ATL;

(ii) ONC-ATL, National Voluntary Laboratory Accreditation Program-accredited testing laboratory under the ONC Health IT Certification Program, and/or an ONC-ATCB for the purposes of performing gap certification; or

(2) Evaluated by it for compliance with a conformance method approved by the National Coordinator.

(i) Surveillance. Conduct surveillance of certified health IT in accordance with its accreditation, § 170.556, and the following requirements:

(1) Submit an annual surveillance plan to the National Coordinator.

(2) Report, at a minimum, on a quarterly basis to the National Coordinator the results of its surveillance, including surveillance results that identify:

(i) The names of health IT developers;

(ii) Names of products and versions;

(iii) Certification criteria and ONC Health IT Certification Program requirements surveilled;

(iv) The type of surveillance (i.e., reactive or randomized);

(v) The dates surveillance was initiated and completed; and

(vi) As applicable, the number of sites that were used in randomized surveillance.

(3) Annually submit a summative report of surveillance results to the National Coordinator.

(j) Refunds. Promptly refund any and all fees received for:

(1) Requests for certification that are withdrawn while its operations are suspended by the National Coordinator;

(2) Certifications that will not be completed as a result of its conduct; and

(3) Previous certifications that it performed if its conduct necessitates the recertification of Complete EHRs and/or Health IT Module(s);

(k) Disclosures. Ensure adherence to the following requirements when issuing any certification and during surveillance of Health IT Modules the ONC-ACB has certified.

(1) Mandatory Disclosures. A health IT developer must conspicuously include the following on its website and in all marketing materials, communications statements, and other assertions related to the Health IT Module's certification:

(i) The disclaimer “This Health IT Module is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.”

(ii) For a Health IT Module certified to the ONC Certification Criteria for Health IT, the information specified by paragraphs (f)(1)(i), (vi) through (viii), (xv), and (xvi) of this section as applicable for the specific Health IT Module.

(iii) In plain language, a detailed description of all known material information concerning additional types of costs or fees that a user may be required to pay to implement or use the Health IT Module's capabilities, whether to meet provisions of HHS programs requiring the use of certified health IT or to achieve any other use within the scope of the health IT's certification. The additional types of costs or fees required to be disclosed include but are not limited to costs or fees (whether fixed, recurring, transaction-based, or otherwise) imposed by a health IT developer (or any third party from whom the developer purchases, licenses, or obtains any technology, products, or services in connection with its certified health IT) to purchase, license, implement, maintain, upgrade, use, or otherwise enable and support the use of capabilities to which health IT is certified; or in connection with any data generated in the course of using any capability to which health IT is certified.

(iv) The types of information required to be disclosed under paragraph (k)(iii) of this section include but are not limited to:

(A) Additional types of costs or fees (whether fixed, recurring, transaction-based, or otherwise) imposed by a health IT developer (or any third-party from whom the developer purchases, licenses, or obtains any technology, products, or services in connection with its certified health IT) to purchase, license, implement, maintain, upgrade, use, or otherwise enable and support the use of capabilities to which health IT is certified; or in connection with any data generated in the course of using any capability to which health IT is certified.

(B)-(C) [Reserved]

(v) Health IT self-developers are excluded from the requirements of paragraph (k)(1)(iii) of this section.

(2)-(3) [Reserved]

(4) A certification issued to a Health IT Module based solely on the applicable certification criteria adopted by the ONC Health IT Certification Program must be separate and distinct from any other certification(s) based on other criteria or requirements.

(l) Certification and Design Mark. Display the ONC Certified health IT Certification and Design Mark on all certifications issued under the ONC Health IT Certification Program in a manner that complies with the Criteria and Terms of Use for the ONC Certified health IT Certification and Design Mark, and ensure that use of the mark by health IT developers whose products are certified under the ONC Health IT Certification Program is compliant with the Criteria and Terms of Use for the ONC Certified health IT Certification and Design Mark.

(m) Adaptations and updates. On a quarterly basis each calendar year, obtain a record of:

(1) All adaptations of certified Health IT Modules;

(2) All updates made to certified Health IT Modules affecting the capabilities in certification criteria to which the “safety-enhanced design” criteria apply;

(3) All use cases for § 170.315(d)(13);

(4) All updates made to certified Health IT Modules in compliance with § 170.405(b)(3); and

(5) All updates to certified Health IT Modules and all certifications of Health IT Modules issued including voluntary use of newer standards versions per § 170.405(b)(8) or (9). Record of these updates may be obtained by aggregation of ONC-ACB documentation of certification activity.

(n) Complaints reporting. Submit a list of complaints received to the National Coordinator on a quarterly basis each calendar year that includes the number of complaints received, the nature/substance of each complaint, and the type of complainant for each complaint.

(o) Scope reduction. Be prohibited from reducing the scope of a Health IT Module's certification when it is under surveillance or under a corrective action plan.

(p) Real world testing. (1) Review and confirm that applicable health IT developers submit real world testing plans in accordance with § 170.405(b)(1).

(2) Review and confirm that applicable health IT developers submit real world testing results in accordance with § 170.405(b)(2).

(3) Submit real world testing plans by December 15 of each calendar year and results by March 15 of each calendar year to ONC for public availability.

(q) Attestations. Review and submit health IT developer Conditions and Maintenance of Certification requirements attestations made in accordance with § 170.406 to ONC for public availability.

(r) Test results from ONC-ATLs. Accept test results from any ONC-ATL that is:

(1) In good standing under the ONC Health IT Certification Program, and

(2) Compliant with its ISO/IEC 17025 accreditation requirements as required by § 170.524(a).

(s) Information for direct review. Report to ONC, no later than a week after becoming aware of, any information that could inform whether ONC should exercise direct review under § 170.580(a).

(t) Health IT Module voluntary standards and implementation specifications updates notices. Ensure health IT developers opting to take advantage of the flexibility for voluntary updates of standards and implementation specifications in certified Health IT Modules per § 170.405(b)(8) provide timely advance written notice to the ONC-ACB and all affected customers.

(1) Maintain a record of the date of issuance and the content of developers' § 170.405(b)(8) notices; and

(2) Timely post content or make publicly accessible via the CHPL each § 170.405(b)(8) notice received, publicly on the CHPL attributed to the certified Health IT Module(s) to which it applies.

(u) Insights. Confirm that developers of certified health IT submit responses for Insights Conditions and Maintenance of Certification requirements in accordance with § 170.407.

[76 FR 1325, Dec. 7, 2011, as amended at 76 FR 72642, Nov. 25, 2011; 77 FR 54291, Sept. 4, 2012; 79 FR 54479, Sept. 11, 2014; 80 FR 62755, Oct. 16, 2015; 80 FR 76872, Dec. 11, 2015; 81 FR 72465, Oct. 19, 2016; 85 FR 25950, May 1, 2020; 85 FR 70084, Nov. 4, 2020; 89 FR 1435, Jan. 9, 2024]

§ 170.524 - Principles of proper conduct for ONC-ATLs.

An ONC-ATL shall:

(a) Accreditation. Maintain its NVLAP accreditation for the ONC Health IT Certification Program, including accreditation to ISO/IEC 17025 (incorporated by reference, see § 170.599);

(b) Mandatory training. Attend all mandatory ONC training and program update sessions;

(c) Training program. Maintain a training program that includes documented procedures and training requirements to ensure its personnel are competent to test health IT;

(d) Reporting. Report to ONC within 15 days any changes that materially affect its:

(1) Legal, commercial, organizational, or ownership status;

(2) Organization and management including key testing personnel;

(3) Policies or procedures;

(4) Location;

(5) Personnel, facilities, working environment or other resources;

(6) ONC authorized representative (point of contact); or

(7) Other such matters that may otherwise materially affect its ability to test health IT.

(e) Onsite observation. Allow ONC, or its authorized agent(s), to periodically observe on site (unannounced or scheduled), during normal business hours, any testing performed pursuant to the ONC Health IT Certification Program;

(f) Records retention. (1) Retain all records related to the testing of Health IT Modules to the ONC Certification Criteria for Health IT beginning with the codification of those certification criteria in the Code of Federal Regulations through a minimum of three years after the end of calendar year that included the effective date of the removal of those certification criteria from the Code of Federal Regulations; and

(2) Make the records available to HHS upon request during the retention period described in paragraph (f)(1) of this section;

(g) Approved testing methods. Only test health IT using test tools and test procedures approved by the National Coordinator; and

(h) Refunds. Promptly refund any and all fees received for:

(1) Requests for testing that are withdrawn while its operations are suspended by the National Coordinator;

(2) Testing that will not be completed as a result of its conduct; and

(3) Previous testing that it performed if its conduct necessitates the retesting of Health IT Modules.

[81 FR 72465, Oct. 19, 2016, as amended at 85 FR 25951, May 1, 2020; 89 FR 1435, Jan. 9, 2024]

§ 170.525 - Application submission.

(a) An applicant for ONC-ACB or ONC-ATL status must submit its application either electronically via email (or Web site submission if available), or by regular or express mail.

(b) An application for ONC-ACB or ONC-ATL status may be submitted to the National Coordinator at any time.

[81 FR 72465, Oct. 19, 2016]

§ 170.530 - Review of application.

(a) Method of review and review timeframe. (1) Applications will be reviewed in the order they are received.

(2) The National Coordinator is permitted up to 30 days from receipt to review an application that is submitted for the first time.

(b) Application deficiencies. (1) If the National Coordinator identifies an area in an application that requires the applicant to clarify a statement or correct an error or omission, the National Coordinator may contact the applicant to make such clarification or correction without issuing a deficiency notice. If the National Coordinator has not received the requested information after five days, the National Coordinator may issue a deficiency notice to the applicant.

(2) If the National Coordinator determines that deficiencies in the application exist, the National Coordinator will issue a deficiency notice to the applicant and return the application. The deficiency notice will identify the areas of the application that require additional information or correction.

(c) Revised application. (1) An applicant is permitted to submit a revised application in response to a deficiency notice. An applicant may request from the National Coordinator an extension for good cause of the 15-day period provided in paragraph (c)(2) of this section to submit a revised application.

(2) In order for an applicant to continue to be considered for ONC-ACB or ONC-ATL status, the applicant's revised application must address the specified deficiencies and be received by the National Coordinator within 15 days of the applicant's receipt of the deficiency notice, unless the National Coordinator grants an applicant's request for an extension of the 15-day period based on a finding of good cause. If a good cause extension is granted, then the revised application must be received by the end of the extension period.

(3) The National Coordinator is permitted up to 15 days to review a revised application once it has been received and may request clarification of statements and the correction of errors or omissions in a revised application during this time period.

(4) If the National Coordinator determines that a revised application still contains deficiencies, the applicant will be issued a denial notice indicating that the applicant cannot reapply for ONC-ACB or ONC-ATL status for a period of six months from the date of the denial notice. An applicant may request reconsideration of this decision in accordance with § 170.535.

(d) Satisfactory application. (1) An application will be deemed satisfactory if it meets all the application requirements, as determined by the National Coordinator.

(2) The National Coordinator will notify the applicant's authorized representative of its satisfactory application and its successful achievement of ONC-ACB or ONC-ATL status.

(3) Once notified by the National Coordinator of its successful achievement of ONC-ACB or ONC-ATL status, the applicant may represent itself as an ONC-ACB or ONC-ATL (as applicable) and begin certifying or testing (as applicable) health information technology consistent with its authorization.

[76 FR 1325, Dec. 7, 2011, as amended at 81 FR 72465, Oct. 19, 2016]

§ 170.535 - ONC-ACB and ONC-ATL application reconsideration.

(a) Basis for reconsideration request. An applicant may request that the National Coordinator reconsider a denial notice only if the applicant can demonstrate that clear, factual errors were made in the review of its application and that the errors' correction could lead to the applicant obtaining ONC-ACB or ONC-ATL status.

(b) Submission requirement. An applicant is required to submit, within 15 days of receipt of a denial notice, a written statement to the National Coordinator contesting the decision to deny its application and explaining with sufficient documentation what factual error(s) it believes can account for the denial. If the National Coordinator does not receive the applicant's reconsideration request within the specified timeframe, its reconsideration request may be rejected.

(c) Reconsideration request review. If the National Coordinator receives a timely reconsideration request, the National Coordinator is permitted up to 15 days from the date of receipt to review the information submitted by the applicant and issue a decision.

(d) Decision. (1) If the National Coordinator determines that clear, factual errors were made during the review of the application and that correction of the errors would remove all identified deficiencies, the applicant's authorized representative will be notified of the National Coordinator's determination and the applicant's successful achievement of ONC-ACB or ONC-ATL status.

(2) If, after reviewing an applicant's reconsideration request, the National Coordinator determines that the applicant did not identify factual errors or that the correction of the factual errors would not remove all identified deficiencies in the application, the National Coordinator may reject the applicant's reconsideration request.

(3) Final decision. A reconsideration decision issued by the National Coordinator is final and not subject to further review.

[76 FR 1325, Dec. 7, 2011, as amended at 81 FR 72466, Oct. 19, 2016]

§ 170.540 - ONC-ACB and ONC-ATL status.

(a) Acknowledgement and publication. The National Coordinator will acknowledge and make publicly available the names of ONC-ACBs and ONC-ATLs, including the date each was authorized and the type(s) of certification or scope of testing, respectively, each has been authorized to perform.

(b) Representation. Each ONC-ACB or ONC-ATL must prominently and unambiguously identify the scope of its authorization on its Web site and in all marketing and communications statements (written and oral) pertaining to its activities under the ONC Health IT Certification Program.

(c) Renewal. An ONC-ACB or ONC-ATL is required to renew its status every three years. An ONC-ACB or ONC-ATL is required to submit a renewal request, containing any updates to the information requested in § 170.520, to the National Coordinator 60 days prior to the expiration of its status.

(d) Expiration. An ONC-ACB's or ONC-ATL's status will expire three years from the date it was granted by the National Coordinator unless it is renewed in accordance with paragraph (c) of this section.

[81 FR 72466, Oct. 19, 2016]

§ 170.545 - [Reserved]

§ 170.550 - Health IT Module certification.

(a) Certification scope. When certifying Health IT Module(s), an ONC-ACB must certify in accordance with the applicable certification criteria adopted by the Secretary at subpart C of this part.

(b) Health IT product scope options. An ONC-ACB must provide the option for a Health IT Module(s) to be certified solely to the applicable certification criteria adopted by the Secretary at subpart C of this part.

(c) Gap certification. An ONC-ACB may provide the option for and perform gap certification of previously certified Health IT Module(s).

(d) Upgrades and enhancements. An ONC-ACB may provide an updated certification to a previously certified Health IT Module(s).

(e) Standards updates. ONC-ACBs must provide an option for certification of Health IT Modules consistent with § 171.405(b)(7) or (8) to any one or more of the criteria referenced in § 170.405(a) based on newer versions of standards included in the criteria which have been approved by the National Coordinator for use in certification.

(f) [Reserved]

(g) Health IT Module dependent criteria. When certifying a Health IT Module to the ONC Certification Criteria for Health IT, an ONC-ACB must certify the Health IT Module in accordance with the certification criteria at:

(1) Section 170.315(g)(3) if the Health IT Module is presented for certification to one or more listed certification criteria in § 170.315(g)(3);

(2) Section 170.315(g)(4);

(3) Section 170.315(g)(5); and

(4) Section 170.315(g)(6) if the Health IT Module is presented for certification with C-CDA creation capabilities within its scope. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, § 170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, § 170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each so long as all applicable C-CDA document templates have been evaluated as part of § 170.315(g)(6) for the scope of the certification sought.

(5) Section 170.315(b)(10) when a health IT developer presents a Health IT Module for certification that can store electronic health information at the time of certification by the product, of which the Health IT Module is a part.

(h) Privacy and security certification framework—(1) General rule. When certifying a Health IT Module to the ONC Certification Criteria for Health IT, an ONC-ACB can only issue a certification to a Health IT Module if the privacy and security certification criteria in paragraphs (h)(3)(i) through (ix) of this section have also been met (and are included within the scope of the certification).

(2) Testing. In order to be issued a certification, a Health IT Module would only need to be tested once to each applicable privacy and security criterion in paragraphs (h)(3)(i) through (ix) of this section so long as the health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification, except for the following:

(i) A Health IT Module presented for certification to § 170.315(e)(1) must be separately tested to § 170.315(d)(9); and

(ii) A Health IT Module presented for certification to § 170.315(e)(2) must be separately tested to § 170.315(d)(9).

(3) Applicability. (i) Section 170.315(a)(1) through (3), (5), (12), (14), and (15) are also certified to the certification criteria specified in § 170.315(d)(1) through (7), (d)(12), and (13).

(ii) Section 170.315(a)(4), (9), (10), and (13) are also certified to the certification criteria specified in § 170.315(d)(1) through (3), and (d)(5) through (7), (d)(12), and (13).

(iii) Section 170.315(b)(1) through (3) and (6) through (9) are also certified to the certification criteria specified in § 170.315(d)(1) through (3) and (d)(5) through (8), (12), and (13);

(iv) Section 170.315(c) is also certified to the certification criteria specified in § 170.315(d)(1), (d)(2)(i)(A), (B), (d)(2)(ii) through (v), (d)(3), (5), (12), and (13);

(v) Section 170.315(e)(1) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), (5), (7), (9), (12), and (13);

(vi) Section 170.315(e)(2) and (3) is also certified to the certification criteria specified in § 170.315(d)(1), (d)(2)(i)(A) and (B), (d)(2)(ii) through (v), (d)(3), (5), (9), (12), and (13);

(vii) Section 170.315(f) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), (7), (12), and (13);

(viii) Section 170.315(g)(7) through (10) is also certified to the certification criteria specified in § 170.315(d)(1), (9), (12), and (13); and (d)(2)(i)(A) and (B), (d)(2)(ii) through (v), or (d)(10);

(ix) Section 170.315(h) is also certified to the certification criteria specified in § 170.315(d)(1), (d)(2)(i)(A) and (B), (d)(2)(ii) through (v), (d)(3), (12), and (13); and

(i) [Reserved]

(j) Direct Project transport method. An ONC-ACB can only issue a certification to a Health IT Module for § 170.315(h)(1) if the Health IT Module's certification also includes § 170.315(b)(1).

(k) Inherited certified status. An ONC-ACB must accept requests for a newer version of a previously certified Health IT Module(s) to inherit the certified status of the previously certified Health IT Module(s) without requiring the newer version to be recertified.

(1) Before granting certified status to a newer version of a previously certified Health IT Module(s), an ONC-ACB must review an attestation submitted by the developer(s) of the Health IT Module(s) to determine whether any change in the newer version has adversely affected the Health IT Module(s)' capabilities for which certification criteria have been adopted.

(2) An ONC-ACB may grant certified status to a newer version of a previously certified Health IT Module(s) if it determines that the capabilities for which certification criteria have been adopted have not been adversely affected.

(l) Conditions of certification attestations. Ensure that the health IT developer of the Health IT Module has met its responsibilities under subpart D of this part.

(m) Time-limited certification and certification status for certain ONC Certification Criteria for Health IT. An ONC-ACB may only issue a certification to a Health IT Module and permit continued certified status for:

(1) Section 170.315(a)(10) and (13) and § 170.315(e)(2) for the period before January 1, 2022.

(2) Section 170.315(b)(6) for the period before December 31, 2023.

(3) Section 170.315(g)(8) for the period before December 31, 2022.

[76 FR 1325, Dec. 7, 2011, as amended at 77 FR 54291, Sept. 4, 2012; 79 FR 54480, Sept. 11, 2014; 80 FR 62757, Oct. 16, 2015; 85 FR 25952, May 1, 2020; 85 FR 70085, Nov. 4, 2020; 89 FR 1435, Jan. 9, 2024; 89 FR 8549, Feb. 8, 2024]

§ 170.553 - [Reserved]

§ 170.555 - Certification to newer versions of certain standards.

(a) ONC-ACBs may certify Health IT Module(s) to a newer version of certain identified minimum standards specified at subpart B of this part, unless the Secretary prohibits the use of a newer version for certification.

(b) Applicability of a newer version of a minimum standard. (1) ONC-ACBs are not required to certify Health IT Module(s) according to newer versions of standards adopted and named in subpart B of this part, unless:

(i) The National Coordinator approves a newer version for use in certification and a health IT developer voluntarily elects to seek certification of its health IT in accordance with § 170.405(b)(9) or update its certified health IT to the newer version in accordance with § 170.405(b)(8); or

(ii) The new version is incorporated by reference in § 170.299.

(2) A certified Complete EHR or certified Health IT Module may be upgraded to comply with newer versions of standards identified as minimum standards in subpart B of this part without adversely affecting its certification status, unless the Secretary prohibits the use of a newer version for certification.

[77 FR 54291, Sept. 4, 2012, as amended at 85 FR 25952, May 1, 2020]

§ 170.556 - In-the-field surveillance and maintenance of certification for Health IT.

(a) In-the-field surveillance. Consistent with its accreditation under § 170.523(a) to ISO/IEC 17065 and the requirements of this subpart, an ONC-ACB must initiate surveillance “in the field” as necessary to assess whether a certified Health IT Module continues to conform to the requirements in subparts A, B, C and E of this part once the certified Health IT Module has been implemented and is in use in a production environment.

(1) Production environment. An ONC-ACB's assessment of a certified capability in the field must be based on the use of the capability in a production environment, which means a live environment in which the capability has been implemented and is in use.

(2) Production data. An ONC-ACB's assessment of a certified capability in the field must be based on the use of the capability with production data unless the use of test data is specifically approved by the National Coordinator.

(b) Reactive surveillance. An ONC-ACB must initiate surveillance (including, as necessary, in-the-field surveillance required by paragraph (a) of this section) whenever it becomes aware of facts or circumstances that would cause a reasonable person to question a certified Health IT Module's continued conformity to the requirements of its certification.

(1) Review of required disclosures. When an ONC-ACB performs reactive surveillance under this paragraph, it must verify that the requirements of § 170.523(k)(1) have been followed as applicable to the issued certification.

(2) [Reserved]

(c) Randomized surveillance. During each calendar year surveillance period, an ONC-ACB may conduct in-the-field surveillance for certain randomly selected Health IT Modules to which it has issued a certification.

(1) Scope. When an ONC-ACB selects a certified Health IT Module for randomized surveillance under this paragraph, its evaluation of the certified Health IT Module must include all certification criteria prioritized by the National Coordinator that are part of the scope of the certification issued to the Health IT Module.

(2) [Reserved]

(3) Selection method. An ONC-ACB must randomly select (subject to appropriate weighting and sampling considerations) certified Health IT Modules for surveillance under this paragraph.

(4) Number and types of locations for in-the-field surveillance. For each certified Health IT Module selected for randomized surveillance under this paragraph, an ONC-ACB must:

(i) Evaluate the certified Health IT Module's capabilities at one or more locations where the certified Health IT Module is implemented and in use in the field.

(ii) Ensure that the locations are selected at random (subject to appropriate weighting and sampling considerations) from among all locations where the certified Health IT Module is implemented and in use in the field.

(d) Corrective action plan and procedures. (1) When an ONC-ACB determines, through surveillance under this section or otherwise, that a Health IT Module does not conform to the requirements of its certification, the ONC-ACB must notify the developer of its findings and require the developer to submit a proposed corrective action plan for the applicable certification criterion, certification criteria, or certification requirement.

(2) The ONC-ACB shall provide direction to the developer as to the required elements of the corrective action plan.

(3) The ONC-ACB shall verify the required elements of the corrective action plan, consistent with its accreditation and any elements specified by the National Coordinator. At a minimum, any corrective action plan submitted by a developer to an ONC-ACB must include:

(i) A description of the identified non-conformities or deficiencies;

(ii) An assessment of how widespread or isolated the identified non-conformities or deficiencies may be across all of the developer's customers and users of the certified Health IT Module;

(iii) How the developer will address the identified non-conformities or deficiencies, both at the locations under which surveillance occurred and for all other potentially affected customers and users;

(iv) How the developer will ensure that all affected and potentially affected customers and users are alerted to the identified non-conformities or deficiencies, including a detailed description of how the developer will assess the scope and impact of the problem, including identifying all potentially affected customers; how the developer will promptly ensure that all potentially affected customers are notified of the problem and plan for resolution; how and when the developer will resolve issues for individual affected customers; and how the developer will ensure that all issues are in fact resolved.

(v) The timeframe under which corrective action will be completed.

(vi) An attestation by the developer that it has completed all elements of the approved corrective action plan.

(4) When the ONC-ACB receives a proposed corrective action plan (or a revised proposed corrective action plan), the ONC-ACB shall either approve the corrective action plan or, if the plan does not adequately address the elements described by paragraph (d)(3) of this section and other elements required by the ONC-ACB, instruct the developer to submit a revised proposed corrective action plan.

(5) Suspension. Consistent with its accreditation to ISO/IEC 17065 and procedures for suspending a certification, an ONC-ACB shall initiate suspension procedures for a Health IT Module:

(i) 30 days after notifying the developer of a non-conformity pursuant to paragraph (d)(1) of this section, if the developer has not submitted a proposed corrective action plan;

(ii) 90 days after notifying the developer of a non-conformity pursuant to paragraph (d)(1) of this section, if the ONC-ACB cannot approve a corrective action plan because the developer has not submitted a revised proposed corrective action plan in accordance with paragraph (d)(4) of this section; and

(iii) Immediately, if the developer has not completed the corrective actions specified by an approved corrective action plan within the time specified therein.

(6) Withdrawal. If a certified Health IT Module's certification has been suspended, an ONC-ACB is permitted to initiate certification withdrawal procedures for the Health IT Module (consistent with its accreditation to ISO/IEC 17065 and procedures for withdrawing a certification) when the health IT developer has not completed the actions necessary to reinstate the suspended certification.

(e) Reporting of surveillance results requirements—(1) Rolling submission of in-the-field surveillance results. The results of in-the-field surveillance under this section must be submitted to the National Coordinator, at a minimum, on a quarterly basis in accordance with § 170.523(i)(2).

(2) Confidentiality of locations evaluated. The contents of an ONC-ACB's surveillance results submitted to the National Coordinator must not include any information that would identify any user or location that participated in or was subject to surveillance.

(3) Reporting of corrective action plans. When a corrective action plan is initiated for a Health IT Module, an ONC-ACB must report the Health IT Module and associated product and corrective action information to the National Coordinator in accordance with § 170.523(f)(1)(xxii) or (f)(2)(xi), as applicable.

(f) Relationship to other surveillance requirements. Nothing in this section shall be construed to limit or constrain an ONC-ACB's duty or ability to perform surveillance, including in-the-field surveillance, or to suspend or terminate the certification, of any certified Health IT Module as required or permitted by this subpart and the ONC-ACB's accreditation to ISO/IEC 17065.

[80 FR 62758, Oct. 16, 2015, as amended at 80 FR 76872, Dec. 11, 2015; 81 FR 72466, Oct. 19, 2016; 85 FR 25952, May 1, 2020]

§ 170.557 - Authorized testing and certification methods.

(a) ONC-ATL applicability. An ONC-ATL must provide remote testing for both development and deployment sites.

(b) ONC-ACB applicability. An ONC-ACB must provide remote certification for both development and deployment sites.

[81 FR 72466, Oct. 19, 2016]

§ 170.560 - Good standing as an ONC-ACB or ONC-ATL.

(a) ONC-ACB good standing. An ONC-ACB must maintain good standing by:

(1) Adhering to the Principles of Proper Conduct for ONC-ACBs;

(2) Refraining from engaging in other types of inappropriate behavior, including an ONC-ACB misrepresenting the scope of its authorization, as well as an ONC-ACB certifying Health IT Module(s) for which it does not have authorization; and

(3) Following all other applicable federal and state laws.

(b) ONC-ATL good standing. An ONC-ATL must maintain good standing by:

(1) Adhering to the Principles of Proper Conduct for ONC-ATLs;

(2) Refraining from engaging in other types of inappropriate behavior, including an ONC-ATL misrepresenting the scope of its authorization, as well as an ONC-ATL testing health IT for which it does not have authorization; and

(3) Following all other applicable federal and state laws.

[81 FR 72466, Oct. 19, 2016; 85 FR 25953, May 1, 2020]

§ 170.565 - Revocation of ONC-ACB or ONC-ATL status.

(a) Type-1 violations. The National Coordinator may revoke an ONC-ATL or ONC-ACB's status for committing a Type-1 violation. Type-1 violations include violations of law or ONC Health IT Certification Program policies that threaten or significantly undermine the integrity of the ONC Health IT Certification Program. These violations include, but are not limited to: False, fraudulent, or abusive activities that affect the ONC Health IT Certification Program, a program administered by HHS or any program administered by the federal government.

(b) Type-2 violations. The National Coordinator may revoke an ONC-ATL or ONC-ACB's status for failing to timely or adequately correct a Type-2 violation. Type-2 violations constitute noncompliance with § 170.560.

(1) Noncompliance notification. If the National Coordinator obtains reliable evidence that an ONC-ATL or ONC-ACB may no longer be in compliance with § 170.560, the National Coordinator will issue a noncompliance notification with reasons for the notification to the ONC-ATL or ONC-ACB requesting that the ONC-ATL or ONC-ACB respond to the alleged violation and correct the violation, if applicable.

(2) Opportunity to become compliant. After receipt of a noncompliance notification, an ONC-ATL or ONC-ACB is permitted up to 30 days to submit a written response and accompanying documentation that demonstrates that no violation occurred or that the alleged violation has been corrected.

(i) If the ONC-ATL or ONC-ACB submits a response, the National Coordinator is permitted up to 30 days from the time the response is received to evaluate the response and reach a decision. The National Coordinator may, if necessary, request additional information from the ONC-ATL or ONC-ACB during this time period.

(ii) If the National Coordinator determines that no violation occurred or that the violation has been sufficiently corrected, the National Coordinator will issue a memo to the ONC-ATL or ONC-ACB confirming this determination.

(iii) If the National Coordinator determines that the ONC-ATL or ONC-ACB failed to demonstrate that no violation occurred or to correct the area(s) of non-compliance identified under paragraph (b)(1) of this section within 30 days of receipt of the noncompliance notification, then the National Coordinator may propose to revoke the ONC-ATL or ONC-ACB's status.

(c) Proposed revocation. (1) The National Coordinator may propose to revoke an ONC-ATL or ONC-ACB's status if the National Coordinator has reliable evidence that the ONC-ATL or ONC-ACB has committed a Type-1 violation; or

(2) The National Coordinator may propose to revoke an ONC-ATL or ONC-ACB's status if, after the ONC-ATL or ONC-ACB has been notified of a Type-2 violation, the ONC-ATL or ONC-ACB fails to:

(i) Rebut the finding of a violation with sufficient evidence showing that the violation did not occur or that the violation has been corrected; or

(ii) Submit to the National Coordinator a written response to the noncompliance notification within the specified timeframe under paragraph (b)(2) of this section.

(d) Suspension of an ONC-ATL or ONC-ACB's operations. (1) The National Coordinator may suspend the operations of an ONC-ATL or ONC-ACB under the ONC Health IT Certification Program based on reliable evidence indicating that:

(i) Applicable to both ONC-ACBs and ONC-ATLs. The ONC-ATL or ONC-ACB committed a Type-1 or Type-2 violation;

(ii) Applicable to ONC-ACBs. The continued certification of Health IT Modules by the ONC-ACB could have an adverse impact on the health or safety of patients.

(iii) Applicable to ONC-ATLs. The continued testing of Health IT Modules by the ONC-ATL could have an adverse impact on the health or safety of patients.

(2) If the National Coordinator determines that the conditions of paragraph (d)(1) of this section have been met, an ONC-ATL or ONC-ACB will be issued a notice of proposed suspension.

(3) Upon receipt of a notice of proposed suspension, an ONC-ATL or ONC-ACB will be permitted up to 3 days to submit a written response to the National Coordinator explaining why its operations should not be suspended.

(4) The National Coordinator is permitted up to 5 days from receipt of an ONC-ATL or ONC-ACB's written response to a notice of proposed suspension to review the response and make a determination.

(5) The National Coordinator may make one of the following determinations in response to the ONC-ATL or ONC-ACB's written response or if the ONC-ATL or ONC-ACB fails to submit a written response within the timeframe specified in paragraph (d)(3) of this section:

(i) Rescind the proposed suspension; or

(ii) Suspend the ONC-ATL or ONC-ACB's operations until it has adequately corrected a Type-2 violation; or

(iii) Propose revocation in accordance with paragraph (c) of this section and suspend the ONC-ATL or ONC-ACB's operations for the duration of the revocation process.

(6) A suspension will become effective upon an ONC-ATL or ONC-ACB's receipt of a notice of suspension.

(e) Opportunity to respond to a proposed revocation notice. (1) An ONC-ATL or ONC-ACB may respond to a proposed revocation notice, but must do so within 10 days of receiving the proposed revocation notice and include appropriate documentation explaining in writing why its status should not be revoked.

(2) Upon receipt of an ONC-ATL or ONC-ACB's response to a proposed revocation notice, the National Coordinator is permitted up to 30 days to review the information submitted by the ONC-ACB or ONC-ATL and reach a decision.

(f) Good standing determination. If the National Coordinator determines that an ONC-ATL or ONC-ACB's status should not be revoked, the National Coordinator will notify the ONC-ATL or ONC-ACB's authorized representative in writing of this determination.

(g) Revocation. (1) The National Coordinator may revoke an ONC-ATL or ONC-ACB's status if:

(i) A determination is made that revocation is appropriate after considering the information provided by the ONC-ATL or ONC-ACB in response to the proposed revocation notice; or

(ii) The ONC-ATL or ONC-ACB does not respond to a proposed revocation notice within the specified timeframe in paragraph (e)(1) of this section.

(2) A decision to revoke an ONC-ATL or ONC-ACB's status is final and not subject to further review unless the National Coordinator chooses to reconsider the revocation.

(h) Extent and duration of revocation—(1) Effectuation. The revocation of an ONC-ATL or ONC-ACB is effective as soon as the ONC-ATL or ONC-ACB receives the revocation notice.

(2) ONC-ACB provisions. (i) A certification body that has had its ONC-ACB status revoked is prohibited from accepting new requests for certification and must cease its current certification operations under the ONC Health IT Certification Program.

(ii) A certification body that has had its ONC-ACB status revoked for a Type-1 violation is not permitted to reapply for ONC-ACB status under the ONC Health IT Certification Program for a period of 1 year.

(iii) The failure of a certification body that has had its ONC-ACB status revoked to promptly refund any and all fees for certifications of Health IT Module(s) not completed will be considered a violation of the Principles of Proper Conduct for ONC-ACBs and will be taken into account by the National Coordinator if the certification body reapplies for ONC-ACB status under the ONC Health IT Certification Program.

(3) ONC-ATL provisions. (i) A testing lab that has had its ONC-ATL status revoked is prohibited from accepting new requests for testing and must cease its current testing operations under the ONC Health IT Certification Program.

(ii) A testing lab that has had its ONC-ATL status revoked for a Type-1 violation is not permitted to reapply for ONC-ATL status under the ONC Health IT Certification Program for a period of 1 year.

(iii) The failure of a testing lab that has had its ONC-ATL status revoked to promptly refund any and all fees for testing of health IT not completed will be considered a violation of the Principles of Proper Conduct for ONC-ATLs and will be taken into account by the National Coordinator if the testing lab reapplies for ONC-ATL status under the ONC Health IT Certification Program.

[81 FR 72466, Oct. 19, 2016, as amended at 85 FR 25953, May 1, 2020]

§ 170.570 - Effect of revocation on the certifications issued to Complete EHRs and EHR Module(s).

(a) The certified status of Health IT Module(s) certified by an ONC-ACB or tested by an ONC-ATL that had its status revoked will remain intact unless a Type-1 violation was committed by the ONC-ACB and/or ONC-ATL that calls into question the legitimacy of the certifications issued.

(b) If the National Coordinator determines that a Type-1 violation was committed by an ONC-ACB and/or ONC-ATL that called into question the legitimacy of certifications issued to health IT, then the National Coordinator would:

(1) Review the facts surrounding the revocation of the ONC-ACB's or ONC-ATL's status; and

(2) Publish a notice on ONC's Web site if the National Coordinator believes that the Health IT Module(s) certifications were based on unreliable testing and/or certification.

(c) If the National Coordinator determines that Health IT Module(s) certifications were based on unreliable testing and/or certification, the certification status of affected Health IT Module(s) would only remain intact for 120 days after the National Coordinator publishes the notice.

(1) The certification status of affected Health IT Module(s) can only be maintained after the 120-day timeframe by being re-tested by an ONC-ATL in good standing, as necessary, and re-certified by an ONC-ACB in good standing.

(2) The National Coordinator may extend the time that the certification status of affected Health IT Module(s) remains intact as necessary for the proper retesting and recertification of the affected health IT.

[81 FR 72467, Oct. 19, 2016, as amended at 85 FR 25953, May 1, 2020]

§ 170.575 - [Reserved]

§ 170.580 - ONC review of certified health IT.

(a) Direct review—(1) Purpose. ONC may directly review certified health IT or a health IT developer's actions or practices to determine whether either conforms to the requirements of the ONC Health IT Certification Program.

(2) Circumstances that may trigger review—(i) Certified health IT causing or contributing to unsafe conditions. ONC may initiate direct review under this section if it has a reasonable belief that certified health IT may not conform to the requirements of the Program because the certified health IT may be causing or contributing to conditions that present a serious risk to public health or safety, taking into consideration—

(A) The potential nature, severity, and extent of the suspected conditions;

(B) The need for an immediate or coordinated governmental response; and

(C) If applicable, information that calls into question the validity of the health IT's certification or maintenance thereof under the Program.

(ii) Impediments to ONC-ACB oversight of certified health IT. ONC may initiate direct review under this section if it has a reasonable belief that certified health IT may not conform to requirements of the Program and the suspected non-conformity presents issues that—

(A) May require access to confidential or other information that is not available to an ONC-ACB;

(B) May require concurrent or overlapping review by two or more ONC-ACBs; or

(C) May exceed an ONC-ACB's resources or expertise.

(iii) Noncompliance with a Condition and Maintenance of Certification requirement. ONC may initiate direct review under this section if it has a reasonable belief that a health IT developer has not complied with a Condition or Maintenance of Certification requirement under subpart D of this part.

(3) Relationship to ONC-ACBs and ONC-ATLs. (i) ONC's review of certified health IT or a health IT developer's actions or practices is independent of, and may be in addition to, any surveillance of certified health IT conducted by an ONC-ACB.

(ii) ONC may assert exclusive review of certified health IT as to any matters under review by ONC and any similar matters under surveillance by an ONC-ACB.

(iii) ONC's determination on matters under its review is controlling and supersedes any determination by an ONC-ACB on the same matters.

(iv) An ONC-ACB and ONC-ATL shall provide ONC with any available information that ONC deems relevant to its review of certified health IT or a health IT developer's actions or practices.

(v) ONC may end all or any part of its review of certified health IT or a health IT developer's actions or practices under this section at any time and refer the applicable part of the review to the relevant ONC-ACB(s) if ONC determines that doing so would serve the effective administration or oversight of the ONC Health IT Certification Program.

(4) Coordination with the Office of Inspector General. (i) ONC may coordinate its review of a claim of information blocking with the Office of Inspector General or defer to the Office of Inspector General to lead a review of a claim of information blocking.

(ii) ONC may rely on Office of Inspector General findings to form the basis of a direct review action.

(b) Notice—(1) Notice of potential non-conformity—(i) Circumstances that may trigger notice of potential non-conformity. At any time during its review of certified health IT or a health IT developer's actions or practices under paragraph (a) of this section, ONC may send a notice of potential non-conformity if it has a reasonable belief that certified health IT or a health IT developer's actions or practices may not conform to the requirements of the ONC Health IT Certification Program.

(ii) Health IT developer response. (A) The health IT developer must respond to the notice of potential non-conformity by:

(1) Cooperating with ONC and/or a third party acting on behalf of ONC;

(2) Providing ONC and/or a third party acting on behalf of ONC access, including in accordance with paragraph (b)(3) of this section, to the certified health IT under review;

(3) Providing ONC with a written explanation and all supporting documentation addressing the potential non-conformity within 30 days, or within the adjusted timeframe set in accordance with paragraph (b)(1)(ii)(B) of this section.

(B) ONC may adjust the 30-day timeframe specified in paragraph (b)(1)(ii)(A)(3) of this section to be shorter or longer based on factors including, but not limited to:

(1) The type of certified health IT and certification in question;

(2) The type of potential non-conformity to be corrected;

(3) The time required to correct the potential non-conformity; and

(4) Issues of public health or safety.

(iii) ONC determination. After receiving the health IT developer's written explanation and supporting documentation as required by paragraph (b)(1)(ii)(A)(3) of this section, ONC shall do one of the following:

(A) Issue a written determination ending its review.

(B) Request additional information and continue its review in accordance with a new timeframe ONC establishes under paragraphs (b)(1)(ii)(A)(3) and (b)(1)(ii)(B) of this section.

(C) Substantiate a non-conformity and issue a notice of non-conformity.

(D) Issue a notice of proposed termination if the health IT is under review in accordance with paragraph (a)(2)(i) or (ii) of this section.

(2) Notice of non-conformity—(i) Circumstances that may trigger notice of non-conformity. At any time during its review of certified health IT or a health IT developer's actions or practices under paragraph (a) of this section, ONC may send a notice of non-conformity to the health IT developer if it determines that certified health IT or a health IT developer's actions or practices do not conform to the requirements of the ONC Health IT Certification Program.

(ii) Health IT developer response. (A) The health IT developer must respond to the notice of non-conformity by:

(1) Cooperating with ONC and/or a third party acting on behalf of ONC;

(2) Providing ONC and/or a third party acting on behalf of ONC access, including in accordance with paragraph (b)(3) of this section, to the certified health IT under review;

(3) Providing ONC with a written explanation and all supporting documentation addressing the non-conformity within 30 days, or within the adjusted timeframe set in accordance with paragraph (b)(1)(ii)(B) of this section; and

(4) Providing a proposed corrective action plan consistent with paragraph (c) of this section.

(B) ONC may adjust the 30-day timeframe specified in paragraph (b)(2)(ii)(A)(3) of this section to be shorter or longer based on factors including, but not limited to:

(1) The type of certified health IT and certification in question;

(2) The type of non-conformity to be corrected;

(3) The time required to correct the non-conformity; and

(4) Issues of public health or safety.

(iii) ONC determination. After receiving the health IT developer's response provided in accordance with paragraph (b)(2)(ii) of this section, ONC shall either issue a written determination ending its review or continue with its review under the provisions of this section.

(3) Records access. In response to a notice of potential non-conformity or notice of non-conformity, a health IT developer shall make available to ONC and for sharing within HHS, with other federal departments, agencies, and offices, and with appropriate entities including, but not limited to, third-parties acting on behalf of ONC:

(i) All records related to the development, testing, certification, implementation, maintenance and use of its certified health IT;

(ii) Any complaint records related to the certified health IT;

(iii) All records related to the Condition(s) and Maintenance of Certification requirements, including marketing and distribution records, communications, and contracts; and

(iv) Any other relevant information.

(c) Corrective action plan and procedures—(1) Applicability. If ONC determines that certified health IT or a health IT developer's action or practice does not conform to requirements of the ONC Health IT Certification Program, ONC shall notify the health IT developer of its determination and require the health IT developer to submit a proposed corrective action plan.

(2) ONC shall provide direction to the health IT developer as to the required elements of the corrective action plan, which shall include such required elements as ONC determines necessary to comprehensively and expeditiously resolve the identified non-conformity(ies). The corrective action plan shall, in all cases, at a minimum include the following required elements:

(i) An assessment and description of the nature, severity, and extent of the non-conformity;

(ii) Identification of all potentially affected customers;

(iii) A detailed description of how the health IT developer will promptly ensure that all potentially affected customers are notified of the non-conformity and plan for resolution;

(iv) A detailed description of how and when the health IT developer will resolve the identified non-conformity and all issues, both at the locations where the non-conformity was identified and for all affected customers;

(v) A detailed description of how the health IT developer will ensure that the identified non-conformity and all issues are resolved;

(vi) A detailed description of the supporting documentation that will be provided to demonstrate that the identified non-conformity and all issues are resolved; and

(vii) The timeframe under which all elements of the corrective action plan will be completed.

(viii) An explanation of, and agreement to execute, the steps that will prevent the non-conformity from re-occurring.

(3) When ONC receives a proposed corrective action plan (or a revised proposed corrective action plan), it shall either approve the proposed corrective action plan or, if the plan does not adequately address all required elements, instruct the health IT developer to submit a revised proposed corrective action plan within a specified period of time.

(4) The health IT developer is responsible for ensuring that a proposed corrective action plan submitted in accordance with paragraph (b)(2)(ii)(A)(4) of this section or a revised corrective action plan submitted in accordance with paragraph (c)(3) of this section adequately addresses all required elements as determined by ONC no later than 90 days after the health IT developer's receipt of a notice of non-conformity.

(5) Health IT developers may request extensions for the submittal and/or completion of corrective action plans. In order to make these requests, health IT developers must submit a written statement to ONC that explains and justifies the extension request. ONC will evaluate each request individually and will make decisions on a case-by-case basis.

(6) Upon fulfilling all of its obligations under the corrective action plan, the health IT developer must submit an attestation to ONC, which serves as a binding official statement by the health IT developer that it has fulfilled all of its obligations under the corrective action plan.

(7) ONC may reinstitute a corrective action plan if it later determines that a health IT developer has not fulfilled all of its obligations under the corrective action plan as attested in accordance with paragraph (c)(6) of this section.

(d) Suspension. (1) ONC may suspend the certification of a Health IT Module at any time if ONC has a reasonable belief that the certified health IT may present a serious risk to public health or safety.

(2) When ONC decides to suspend a certification, ONC will notify the health IT developer of its determination through a notice of suspension.

(i) The notice of suspension will include, but may not be limited to:

(A) An explanation for the suspension;

(B) Information supporting the determination;

(C) The consequences of suspension for the health IT developer and the Health IT Module under the ONC Health IT Certification Program; and

(D) Instructions for appealing the suspension.

(ii) A suspension of a certification will become effective upon the date specified in the notice of suspension.

(3) The health IT developer must notify all potentially affected customers of the identified non-conformity(ies) and suspension of certification in a timely manner.

(4) When a certification is suspended, the health IT developer must cease and desist from any marketing, licensing, and sale of the suspended Health IT Module as “certified” under the ONC Health IT Certification Program from that point forward until such time as ONC cancels the suspension in accordance with paragraph (d)(6) of this section.

(5) The certification of any health IT produced by a health IT developer that has the certification of one of its Health IT Modules suspended under the Program is prohibited, unless ONC cancels a suspension in accordance with paragraph (d)(6) of this section.

(6) ONC may cancel a suspension at any time if ONC no longer has a reasonable belief that the certified health IT presents a serious risk to public health or safety.

(e) Proposed termination—(1) Applicability. Excluding situations of noncompliance with a Condition or Maintenance of Certification requirement under subpart D of this part, ONC may propose to terminate a certification issued to a Health IT Module if:

(i) The health IT developer fails to timely respond to any communication from ONC, including, but not limited to:

(A) Fact-finding;

(B) A notice of potential non-conformity within the timeframe established in accordance with paragraph (b)(1)(ii)(A)(3) of this section;

(C) A notice of non-conformity within the timeframe established in accordance with paragraph (b)(2)(ii)(A)(3) of this section; or

(D) A notice of suspension.

(ii) The information or access provided by the health IT developer in response to any ONC communication, including, but not limited to: Fact-finding, a notice of potential non-conformity, or a notice of non-conformity is insufficient or incomplete;

(iii) The health IT developer fails to cooperate with ONC and/or a third party acting on behalf of ONC;

(iv) The health IT developer fails to timely submit in writing a proposed corrective action plan;

(v) The health IT developer fails to timely submit a corrective action plan that adequately addresses the elements required by ONC as described in paragraph (c) of this section;

(vi) The health IT developer does not fulfill its obligations under the corrective action plan developed in accordance with paragraph (c) of this section; or

(vii) ONC concludes that a certified health IT's non-conformity(ies) cannot be cured.

(2) When ONC decides to propose to terminate a certification, ONC will notify the health IT developer of the proposed termination through a notice of proposed termination.

(i) The notice of proposed termination will include, but may not be limited to:

(A) An explanation for the proposed termination;

(B) Information supporting the proposed termination; and

(C) Instructions for responding to the proposed termination.

(3) The health IT developer may respond to a notice of proposed termination, but must do so within 10 days of receiving the notice of proposed termination and must include appropriate documentation explaining in writing why its certification should not be terminated.

(4) Upon receipt of the health IT developer's written response to a notice of proposed termination, ONC has up to 30 days to review the information submitted by the health IT developer and make a determination. ONC may extend this timeframe if the complexity of the case requires additional time for ONC review. ONC will, as applicable:

(i) Notify the health IT developer in writing that it has ceased all or part of its review of the health IT developer's certified health IT.

(ii) Notify the health IT developer in writing of its intent to continue all or part of its review of the certified health IT under the provisions of this section.

(iii) Proceed to terminate the certification of the health IT under review consistent with paragraph (f) of this section.

(f) Termination—(1) Applicability. The National Coordinator may terminate a certification if:

(i) A determination is made that termination is appropriate after considering the information provided by the health IT developer in response to the proposed termination notice;

(ii) The health IT developer does not respond in writing to a proposed termination notice within the timeframe specified in paragraph (e)(3) of this section; or

(iii) A determination is made that the health IT developer is noncompliant with a Condition or Maintenance of Certification requirement under subpart D of this part or for the following circumstances when ONC exercises direct review under paragraph (a)(2)(iii) of this section:

(A) The health IT developer fails to timely respond to any communication from ONC, including, but not limited to:

(1) Fact-finding;

(2) A notice of potential non-conformity within the timeframe established in accordance with paragraph (b)(1)(ii)(A)(3) of this section; or

(3) A notice of non-conformity within the timeframe established in accordance with paragraph (b)(2)(ii)(A)(3) of this section.

(B) The information or access provided by the health IT developer in response to any ONC communication, including, but not limited to: Fact-finding, a notice of potential non-conformity, or a notice of non-conformity is insufficient or incomplete;

(C) The health IT developer fails to cooperate with ONC and/or a third party acting on behalf of ONC;

(D) The health IT developer fails to timely submit in writing a proposed corrective action plan;

(E) The health IT developer fails to timely submit a corrective action plan that adequately addresses the elements required by ONC as described in paragraph (c) of this section;

(F) The health IT developer does not fulfill its obligations under the corrective action plan developed in accordance with paragraph (c) of this section; or

(G) ONC concludes that the non-conformity(ies) cannot be cured.

(2) When ONC decides to terminate a certification, ONC will notify the health IT developer of its determination through a notice of termination.

(i) The notice of termination will include, but may not be limited to:

(A) An explanation for the termination;

(B) Information supporting the determination;

(C) The consequences of termination for the health IT developer and the Health IT Module under the ONC Health IT Certification Program; and

(D) Instructions for appealing the termination.

(ii) A termination of a certification will become effective after the following applicable occurrence:

(A) The expiration of the 10-day period for filing a statement of intent to appeal in paragraph (g)(3)(i) of this section if the health IT developer does not file a statement of intent to appeal.

(B) The expiration of the 30-day period for filing an appeal in paragraph (g)(3)(ii) of this section if the health IT developer files a statement of intent to appeal, but does not file a timely appeal.

(C) A final determination to terminate the certification per paragraph (g)(7) of this section if a health IT developer files an appeal.

(3) The health IT developer must notify all potentially affected customers of the identified non-conformity(ies) and termination of certification in a timely manner.

(4) ONC may rescind a termination determination before the termination becomes effective if ONC determines that termination is no longer appropriate.

(g) Appeal—(1) Basis for appeal. A health IT developer may appeal an ONC determination to suspend or terminate a certification issued to a Health IT Module and/or an ONC determination to issue a certification ban under § 170.581(a)(2) if the health IT developer asserts:

(i) ONC incorrectly applied ONC Health IT Certification Program requirements for a:

(A) Suspension;

(B) Termination; or

(C) Certification ban under § 170.581(a)(2).

(ii) ONC's determination was not sufficiently supported by the information provided by ONC with its determination.

(2) Method and place for filing an appeal. A statement of intent to appeal followed by a request for appeal must be submitted to ONC in writing by an authorized representative of the health IT developer subject to the determination being appealed. The statement of intent to appeal and request for appeal must be filed in accordance with the requirements specified in the notice of:

(i) Termination;

(ii) Suspension; or

(iii) Certification ban under § 170.581(a)(2).

(3) Time for filing a request for appeal. (i) A statement of intent to appeal must be filed within 10 days of a health IT developer's receipt of the notice of:

(A) Suspension;

(B) Termination; or

(C) Certification ban under § 170.581(a)(2).

(ii) An appeal, including all supporting documentation, must be filed within 30 days of the filing of the intent to appeal.

(4) Effect of appeal. (i) A request for appeal stays the termination of a certification issued to a Health IT Module, but the Health IT Module is prohibited from being marketed, licensed, or sold as “certified” during the stay.

(ii) A request for appeal does not stay the suspension of a Health IT Module.

(iii) A request for appeal stays a certification ban issued under § 170.581(a)(2).

(5) Appointment of a hearing officer. The National Coordinator will assign the case to a hearing officer to adjudicate the appeal on his or her behalf.

(i) The hearing officer may not review an appeal in which he or she participated in the initial suspension, termination, or certification ban determination or has a conflict of interest in the pending matter.

(ii) The hearing officer must be trained in a nationally recognized ethics code that articulates nationally recognized standards of conduct for hearing officers/officials.

(6) Adjudication. (i) The hearing officer may make a determination based on:

(A) The written record, which includes the:

(1) ONC determination and supporting information;

(2) Information provided by the health IT developer with the appeal filed in accordance with paragraphs (g)(1) through (3) of this section; and

(3) Information ONC provides in accordance with paragraph (g)(6)(v) of this section; or

(B) All the information provided in accordance with paragraph (g)(6)(i)(A) of this section and any additional information from a hearing conducted in person, via telephone, or otherwise.

(ii) The hearing officer will have the discretion to conduct a hearing if he/she:

(A) Requires clarification by either party regarding the written record under paragraph (g)(6)(i)(A) of this section;

(B) Requires either party to answer questions regarding the written record under paragraph (g)(6)(i)(A) of this section; or

(C) Otherwise determines a hearing is necessary.

(iii) The hearing officer will neither receive witness testimony nor accept any new information beyond what was provided in accordance with paragraph (g)(6)(i) of this section.

(iv) The default process will be a determination in accordance with paragraph (g)(6)(i)(A) of this section.

(v) ONC will have an opportunity to provide the hearing officer with a written statement and supporting documentation on its behalf that clarifies, as necessary, its determination to suspend or terminate the certification or issue a certification ban.

(7) Determination by the hearing officer. (i) The hearing officer will issue a written determination to the health IT developer within 30 days of receipt of the appeal or within a timeframe agreed to by the health IT developer and ONC and approved by the hearing officer, unless ONC cancels the suspension or rescinds the termination determination.

(ii) The National Coordinator's determination on appeal, as issued by the hearing officer, is final and not subject to further review.

[81 FR 72468, Oct. 19, 2016, as amended at 85 FR 25953, May 1, 2020]

§ 170.581 - Certification ban.

(a) Circumstances that may trigger a certification ban. The certification of any of a health IT developer's health IT is prohibited when:

(1) The certification of one or more of the health IT developer's Health IT Modules is:

(i) Terminated by ONC under the ONC Health IT Certification Program;

(ii) Withdrawn from the ONC Health IT Certification Program by an ONC-ACB because the health IT developer requested it to be withdrawn (for reasons other than to comply with Program requirements) when the health IT developer's health IT was the subject of a potential non-conformity or non-conformity as determined by ONC;

(iii) Withdrawn by an ONC-ACB because of a non-conformity with any of the certification criteria adopted by the Secretary under subpart C of this part;

(iv) Withdrawn by an ONC-ACB because the health IT developer requested it to be withdrawn (for reasons other than to comply with Program requirements) when the health IT developer's health IT was the subject of surveillance for a certification criterion or criteria adopted by the Secretary under subpart C of this part, including notice of pending surveillance; or

(2) ONC determines a certification ban is appropriate per its review under § 170.580(a)(2)(iii).

(b) Notice of certification ban. When ONC decides to issue a certification ban to a health IT developer, ONC will notify the health IT developer of the certification ban through a notice of certification ban. The notice of certification ban will include, but may not be limited to:

(1) An explanation of the certification ban;

(2) Information supporting the certification ban;

(3) Instructions for appealing the certification ban if banned in accordance with paragraph (a)(2) of this section; and

(4) Instructions for requesting reinstatement into the ONC Health IT Certification Program, which would lift the certification ban.

(c) Effective date of certification ban. (1) A certification ban will be effective immediately if banned under paragraph (a)(1) of this section.

(2) For certification bans issued under paragraph (a)(2) of this section, the ban will be effective immediately after the following applicable occurrence:

(i) The expiration of the 10-day period for filing a statement of intent to appeal in § 170.580(g)(3)(i) if the health IT developer does not file a statement of intent to appeal.

(ii) The expiration of the 30-day period for filing an appeal in § 170.580(g)(3)(ii) if the health IT developer files a statement of intent to appeal, but does not file a timely appeal.

(iii) A final determination to issue a certification ban per § 170.580(g)(7) if a health IT developer files an appeal timely.

(d) Reinstatement. The certification of a health IT developer's health IT subject to the prohibition in paragraph (a) of this section may commence once the following conditions are met.

(1) A health IT developer must request ONC's permission in writing to participate in the ONC Health IT Certification Program.

(2) The request must demonstrate that the customers affected by the certificate termination, certificate withdrawal, or noncompliance with a Condition or Maintenance of Certification requirement have been provided appropriate remediation.

(3) For noncompliance with a Condition or Maintenance of Certification requirement, the noncompliance must be resolved.

(4) ONC is satisfied with the health IT developer's demonstration under paragraph (d)(2) of this section that all affected customers have been provided with appropriate remediation and grants reinstatement into the ONC Health IT Certification Program.

[85 FR 25954, May 1, 2020]

§ 170.599 - Incorporation by reference.

(a) Certain material is incorporated by reference into this subpart with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that specified in this section, the Department of Health and Human Services must publish a document in the Federal Register and the material must be available to the public. All approved material is available for inspection at U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, 330 C Street SW., Washington, DC 20201, call ahead to arrange for inspection at 202-690-7151, and is available from the source listed below. It is also available for inspection at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030 or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html.

(b) International Organization for Standardization, Case postale 56, CH·1211, Geneve 20, Switzerland, telephone +41-22-749-01-11, http://www.iso.org.

(1) ISO/IEC GUIDE 65:1996—General Requirements for Bodies Operating Product Certification Systems (First Edition), 1996, “ISO/IEC Guide 65,” IBR approved for § 170.503.

(2) ISO/IEC 17011:2004 Conformity Assessment—General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies (Corrected Version), February 15, 2005, “ISO/IEC 17011,” IBR approved for § 170.503.

(3) ISO/IEC 17025:2005(E)—General requirements for the competence of testing and calibration laboratories (Second Edition), 2005-05-15, “ISO/IEC 17025,” IBR approved for §§ 170.520(b) and 170.524(a).

(4) ISO/IEC 17025:2017(E)—General requirements for the competence of testing and calibration laboratories (Third Edition), 2017-11, “ISO/IEC 17025,” IBR approved for §§ 170.520(b) and 170.524(a).

(5) ISO/IEC 17065:2012(E)—Conformity assessment—Requirements for bodies certifying products, processes and services (First Edition), 2012, “ISO/IEC 17065,” IBR approved for §§ 170.503 and 170.523(a).

[81 FR 72471, Oct. 19, 2016, as amended at 85 FR 25955, May 1, 2020]