The Office of the National Coordinator for Health Information Technology Health IT Playbook

Section 2

Certified Health IT

In this section

Learn:

How can certified health IT help my practice?

Certified health IT can help your practice by:

  • Making electronic prescribing available, which is safer, cheaper, and more convenient for clinicians and patients
  • Supporting electronic transitions of care, closing referral loops, and giving clinicians straightforward and secure access to their patients’ records from outside organizations
  • Making the process for patients to get their personal health information less time-consuming and tedious for all parties while maintaining confidentiality
  • Automating the process of sending data to immunization registries
  • Facilitating reporting of electronic clinical quality measures to the Centers for Medicare & Medicaid Services (CMS)

Certified EHR

The Office of the National Coordinator for Health Information Technology (ONC) oversees the Health IT Certification Program for health IT modules — including electronic health records (EHR). The certification program sets several nationwide standards including:

  • Health IT standards
  • Implementation specifications
  • Certification criteria

Certified health IT plays a vital role in establishing a nationwide, connected, and interoperable health information infrastructure. Health IT modules certified under the ONC Health IT Certification Program are listed on ONC’s Certified Health IT Product List (CHPL).

How certified health IT benefits your practice

Certain health care payment programs — including the Promoting Interoperability Programs for hospitals and the Merit-based Incentive Payment System (MIPS) under the Quality Payment Program for eligible clinicians (formerly the EHR Incentive or Meaningful Use programs) — require the use of certified health IT. CMS calls the minimum set of required certification functionalities that program participants must use to meet the requirements of these incentive programs Certified EHR Technology (CEHRT).

Using certified health IT — including standards-based application programming interfaces (APIs), electronic exchange of clinical care documents, and other standards-based transactions such as e-prescribing — improves care coordination. Certification provides a baseline assurance that a health IT module will perform clinical care and data exchange functions in accordance with interoperability standards and user-centered design. The benefits of standard data capture and interoperable exchange of information include enhanced patient safety, usability, privacy, and security.

Standards incorporated into the ONC Health IT Certification Program include vocabulary code sets, like SNOMED-CT®, that ensure consistent clinical terminology between systems. Standards for structuring clinical content include the Consolidated Clinical Document Architecture (C-CDA), which is discussed in section 1 of this playbook. The C-CDA allows different EHR systems to send and receive a patient’s clinical care summary while retaining the same meaning across systems. Other standards for exchanging patients’ health information include the Fast Healthcare Interoperability Resources (FHIR®) standard, which enables the APIs.

To date, ONC has issued 3 editions of health IT certification criteria:

  • 2011 Edition (retired)
  • 2014 Edition (retired)
  • 2015 Edition

The 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule) made several changes to the existing 2015 Edition Health IT Certification Criteria and adopted new program requirements from the 21st Century Cures Act. Specifically, the ONC Cures Act Final Rule:

  • Introduced a small number of new certification criteria
  • Revised several existing certification criteria
  • Removed several certification criteria

While all of the existing and newly added criteria are part of the 2015 Edition, ONC refers to them collectively as the 2015 Edition Cures Update on the CHPL and in program resources. This helps to distinguish changes to the ONC Health IT Certification Program adopted by the Final Rule.

Each edition builds on the previous version by adopting newer standards and more advanced health IT functions. The goal: continually move toward nationwide interoperability, improved clinical care, and better health information exchange.

Many programs and organizations encourage or require the use of health IT certified under the ONC Health IT Certification Program — in addition to the Promoting Interoperability Programs. Check out this list of programs that reference the certification program.

Certification Program Overview

Public Health IT Certification Program Overview

Overview
Describes ONC’s certification program; includes key players, operations, and structure

Who it’s for
Clinicians, health IT implementers

When it’s used
To learn the basics of ONC’s health IT certification program

Download Certification Program Overview [PDF – 351 KB]

How do ONC and CMS work together to help your practice?

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law as part of the American Recovery and Reinvestment Act (ARRA). The HITECH Act established ONC as the principal federal entity charged with coordinating nationwide efforts to implement and use the most advanced health information technology and electronic exchange of health information.

The HITECH Act also established the EHR Incentive programs, or Meaningful Use programs (now known as the Promoting Interoperability Programs). In the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), Congress made meaningful use of CEHRT (now known as Promoting Interoperability) part of MIPS for eligible clinicians.

Administered by CMS, the incentive programs encourage eligible professionals, hospitals, and critical access hospitals to adopt, implement, and use CEHRT.

How to establish eligibility

To participate in the CMS incentive programs, clinicians must demonstrate their “meaningful use” of CEHRT. That means meeting certain requirements — such as proving that you record patient information using CEHRT, have completed a security risk assessment, and have not knowingly and willfully limited or restricted the compatibility or interoperability of your CEHRT.

ONC and CMS established these requirements so that clinicians can electronically send and receive patient care information in a consistent, usable manner. Other programs that call for using CEHRT include MIPS and Advanced Alternative Payment Models (APMs).

The 2015 Edition Final Rule and subsequent ONC Cures Act Final Rule updated the ONC Health IT Certification Program to support clinicians in a wide range of health care settings across the care continuum in their efforts to increase care coordination, engage with patients, and improve outcomes.

Improving clinician access to certified technology will help make patient data consistently available to the right people at the right time and place.

What certified health IT will I need to participate in certain CMS programs?

To learn about what certified health IT you will need in order to participate in certain CMS programs, please visit the CMS website.

Health IT certification criteria

In 2020, ONC adopted the 2015 Edition Cures Update — a more recent collection of certification criteria that modifies the 2015 Edition. Read more about the 2015 Edition Cures Update Health IT Certification Criteria.

A certification criterion defines the specific function that the health IT, including the functionalities within an electronic health record (EHR), will perform. Sometimes certification criteria require that a functionality be performed using a specific standard. For example, the 2015 Edition “transitions of care” certification criterion certifies that a health IT module creates summary of care records that adhere to the Consolidated Clinical Document Architecture (C-CDA) standard, as well as send and receive transition of care and referral summaries.

The 2015 Edition Cures Update builds on the health IT functionalities found in the 2015 Edition by upgrading standards and adding new functionalities that foster innovation and open new market opportunities. It also gives clinicians and patients more choices for electronic health information (EHI) access and exchange.

Learn more about the 2015 Edition Cures Update

The following will help you learn more about the 2015 Edition Cures Update.

2015 Edition Cures Update Base Electronic Health Record (EHR) Definition

The 2015 Edition Cures Update certification criteria facilitate greater interoperability for several clinical health information purposes and enable health information exchange through new and revised certification criteria, standards, and implementation specifications. Certified health IT that satisfies the base EHR definition has been developed to have, at a minimum, a key set of capabilities. View the 2015 Edition Cures Update Base EHR Definition.

2015 Edition Cures Update Certification Criteria

You can check out the new, revised, time-limited, and removed certification criteria under the 2015 Edition Cures Update in these health IT certification categories: clinical, care coordination, clinical quality measures, privacy and security, patient engagement, public health, design and performance, transport methods, and other protocols. View the 2015 Edition Cures Update Certification Criteria.

United States Core Data for Interoperability (USCDI)

The United States Core Data for Interoperability (USCDI) is a standardized set of health data classes and constituent data elements for nationwide interoperable health information exchange. Find more information on the USCDI page. Future versions of USCDI will include new data elements and data classes that advance interoperability and health IT standards with the intent to minimize the burden of use for all users. Download the USCDI fact sheet [PDF – 337 KB].

What are the Conditions and Maintenance of Certification?

The ONC Cures Act Final Rule finalized the Conditions and Maintenance of Certification, which are initial and ongoing requirements that health IT developers and their certified health IT modules must meet under the ONC Health IT Certification Program. Learn more about the Conditions and Maintenance of Certification.

You may be particularly interested in learning about the requirements related to:

  • Information blocking
  • Communications
  • Real world testing

Information Blocking

This requirement prohibits any health IT developer participating in the program from taking any action that constitutes information blocking as defined by the law. To learn more about information blocking, see section 2.4 of this playbook.

Communications

This requirement bars any health IT developer from prohibiting or restricting communications about certified health IT modules related to:

  • The usability, interoperability, and security of the developer’s health IT
  • Users’ experiences when using the health IT
  • The manner in which a user of the health IT has used the technology
  • The developer’s business practices related to exchanging EHI

To comply with the accompanying Maintenance of Certification, health IT developers who currently prohibit or restrict these practices must notify their customers annually that they won’t enforce any communication or contract/agreement provision that violates the Communication Condition of Certification. The health IT developer must continue to notify all customers annually until the developer removes or voids any contractual provisions that violate the Condition of Certification.

Real World Testing

This requirement means that health IT developers with particular certified health IT modules must successfully test the real world use of their technology for interoperability in the types of settings where the technology would be marketed. To meet the requirement, health IT developers must annually make Real World Testing plans and testing results publicly available.

What is the ONC certified health IT product list?

The Certified Health IT Product List, or CHPL (pronounced “chapel”), is the authoritative and comprehensive list of health IT modules that are certified through the ONC Health IT Certification Program. All products listed on CHPL have been tested by an ONC-Authorized Testing Laboratory (ONC-ATL) and certified by an ONC-Authorized Certification Body (ONC-ACB) to meet criteria adopted by the Secretary of the U.S. Department of Health and Human Services (HHS).

CHPL is designed to give users a streamlined interface experience along with comprehensive search functionality and the capability to compare health IT products by certification criteria.

What can CHPL do for you?

Health IT modules appear on CHPL after they’ve been tested and certified under the ONC Health IT Certification Program. Clinicians attesting that they’re using Certified EHR technology (CEHRT) for programs such as Promoting Interoperability and the Quality Payment Program administered by CMS can use CHPL to create a unique CMS EHR Certification ID to identify their certified health IT modules. During attestation, eligible clinicians and hospitals share their CMS EHR Certification ID with CMS. CHPL generates this identifier once the clinician or hospital selects all the certified health IT modules that satisfy the base EHR definition.

CHPL also supports data accessibility of health IT certifications — in both human- and machine-readable formats. Examples include:

  • Publicly available surveillance data results of certified products to ensure they continue performing as expected in real-world care settings
  • Detailed information about any completed usability testing of a health IT module

The downloadable CHPL user guide below provides information on how to:

  • Understand the data available on CHPL
  • Create a CMS EHR Certification ID
  • Search for and compare certified health IT products
  • Identify and understand certified products listed in CHPL that do not comply with certification requirements and regulations
  • Register for a CHPL API key

Download the CHPL User Guide [PDF – 971 KB].

Understand the capabilities of certified health IT

A lack of reliable information about the additional costs and fees of competing health IT products makes it hard for health IT buyers to understand and estimate the various costs and potential implementation issues. That’s why ONC requires health IT developers to include mandatory disclosures that will help buyers and users better understand the additional costs or fees of health IT products.

Developers must display their disclosures prominently on their websites and in their marketing materials. In addition, you can find links to these disclosures on ONC’s Certified Health IT Product List.

Mandatory health IT developer disclosure statements

Under ONC’s enhanced transparency requirements, health IT developers must fully disclose all known material information concerning additional types of costs and fees that users may be required to pay when implementing or using developers’ technology.

Developers must describe this information — in detailed, plain language — on their websites and in their marketing materials. This lets clinicians and users identify and understand the specific types of costs and fees that may apply.

Surveillance transparency in certified health IT

Surveillance and oversight activities have a significant role in the ONC Health IT Certification Program, as they are critical to providing assurance that certified health IT modules function as intended in a production environment and don’t present safety and/or public health risks. CHPL lets clinicians view the surveillance activities by ONC-ACBs, the results of surveillance, and corrective action plans for health IT found to have non-conformities. Surveillance data results offer clinicians a way to ensure that their certified health IT modules are meeting certification requirements and performing as expected.

This transparency helps potential health IT buyers assess how products perform in real-world settings. It also alerts existing customers to potential issues — and the plans to resolve them.

When certified health IT products don’t perform as expected in real-world care settings

An accredited certification body must be authorized by ONC to begin issuing health IT certifications for products that meet ONC Health IT Certification Program requirements. Once authorized, an accredited certification body is referred to as an ONC-ACB.

When an ONC-ACB determines that a health IT product doesn’t comply with its certification requirements, it deems that health IT product non-conforming. Working with its ONC-ACB, the product developer must:

  1. Create an appropriate corrective-action plan
  2. Fix the identified non-conformity or deficiency
  3. Bring the product back into compliance

Nonconformities are updated on CHPL every week. In implementing their corrective action plans, developers often resolve many non-conformities or deficiencies quickly, and CHPL will reflect that updated information. This includes the date and a description of how the developer resolved the problem.

If the developer can’t resolve the issue in accordance with the corrective action plan, an ONC-ACB will follow its procedures to suspend or withdraw the product’s certification. Learn more about the corrective action process.

In certain situations where a health IT module has a potential or known non-conformity that could present a serious risk to public health or safety — or could pose special challenges for ONC-ACBs’ surveillance — ONC can choose to directly review the product’s conformity to program requirements. This process is called direct review.

ONC’s direct review complements ONC-ACB surveillance and is aimed at promoting health IT developer accountability for the performance, reliability, and safety of health IT. ONC can also initiate direct review if it has a reasonable belief that a health IT developer hasn’t complied with a Conditions and Maintenance of Certification requirement.

Surveillance, direct review, and the corrective-action process play a significant role in the ONC Health IT Certification Program. They provide vital transparency and accountability about certified health IT products, their capabilities, and the certification process itself.

We encourage clinicians to use this information to evaluate and compare products and to monitor issues affecting their certified health IT.

How APIs can help your practice

If you’ve ever booked a flight, reserved a hotel room, or purchased a concert ticket online, you’ve used an application programming interface (API). APIs have rapidly become integral to our personal and business worlds.

At their most basic level, APIs let one software application talk to another. When, for example, you go to an airline’s website to search for available flights, you’re using an API that IT developers built to let your web browser access the airline’s database and ticketing system.

Without that API-enabled website, you’d have to talk to a customer service rep every time you wanted to book a flight. APIs make booking travel more convenient and efficient.

You can use the following resources to learn more about how APIs can help your practice:

When API meets EHR

Just as APIs have dramatically changed travel planning, API-enabled EHRs can revolutionize the health care system to decrease burden. Health IT developers can use APIs to build apps and other innovative software products, benefiting both patients and clinicians.

These apps have the potential to integrate information from multiple EHRs and precisely target clinicians’ needs — well beyond what’s currently available. Clinicians will have new and powerful apps that help them take care of their patients even more effectively.

Health care payment innovations — including Alternative Payment Models — will depend on exchanging, aggregating, and analyzing health information. APIs will help clinicians exchange health information with other clinicians efficiently and integrate information from multiple sources in a scalable way. Analytic and other tools that use APIs will also play an important role in clinicians’ ability to succeed in innovative health care payment models.

Recognizing the growing importance of APIs, the 2015 Edition Health IT Certification Criteria introduced several API-based certification criteria. These criteria are now helping clinicians access and exchange the health information in EHRs more easily.

ONC recently finalized a new rule to build on the 2015 Edition API requirements. This new rule supports seamless and secure access to, and exchange and use of, electronic health information (EHI), as required by the 21st Century Cures Act. The finalized regulation calls on the health care industry to adopt standardized APIs, which would help individuals securely and easily access structured EHI using smartphone applications.

To learn more about the Final Rule and its API requirements, check out the following resources:

Help us stop information blocking

Help the U.S. Department of Health and Human Services identify and stop instances of information blocking. Report complaints via our online Information Blocking Portal.

What is information blocking?

Regulations implementing section 4004 of the 21st Century Cures Act (Cures Act) define information blocking by a health care provider, as well as by a developer of certified health IT, a health information network, or a health information exchange. In general, information blocking is a practice that is not required by law and is likely to interfere with the access, exchange, or use of electronic health information (EHI). Certain categories of reasonable and necessary practices specified by the Secretary of Health and Human Services (HHS) are regulatory exceptions that are not considered information blocking.

What is Information Blocking? Text description below.

What are examples of practices that could constitute information blocking?

Section 4004 of the Cures Act describes certain practices that could constitute information blocking:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health IT
  • Implementation of health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI
  • Implementation of health IT in ways that are likely to:
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or transitioning between health IT systems
    • Lead to fraud, waste, or abuse — or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT

To see more examples of practices that could constitute information blocking, read the ONC Cures Act Final Rule.

What are the information blocking exceptions?

Section 4004 of the Cures Act authorizes the Secretary of HHS to identify reasonable and necessary activities that do not constitute information blocking.

In the Final Rule, HHS identified 8 categories of reasonable and necessary activities (PDF – 580 KB) that do not constitute information blocking, provided certain conditions are met. These are known as “exceptions.” The exceptions support seamless and secure access, exchange, and use of EHI and offer actors (PDF – 249 KB) — health care providers, health IT developers of certified health IT, health information networks, and health information exchanges — certainty that practices that meet the conditions of an exception will not be considered information blocking.

A practice that does not meet the conditions of an exception would not automatically constitute information blocking. Such practices would not have guaranteed protection from civil monetary penalties or appropriate disincentives and would be evaluated on a case-by-case basis to determine whether information blocking had occurred.

Deciding if information blocking occurred in a particular case would be based on whether:

  • The individual or entity engaging in the practice was an “actor”
  • The claim involved EHI, as defined in 45 CFR 171.102
  • The actor met the requisite knowledge standard
  • The practice rose to the level of an interference under 45 CFR 171
  • The practice was required by law
  • The actor’s practice met the conditions of an exception under 45 CFR 171

The exceptions are divided into 2 classes:

  • Exceptions that involve not fulfilling requests to access, exchange, or use EHI
  • Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

Information Blocking Exceptions. Text description below.

Exceptions that involve not fulfilling requests to access, exchange, or use EHI

Preventing Harm Exception: It is not information blocking when an actor engages in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. The Preventing Harm Exception’s conditions are stated in 45 CFR 171.201.

Privacy Exception: It is not information blocking when an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.

Security Exception: It is not information blocking when an actor interferes with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

Infeasibility Exception: It is not information blocking when an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

Health IT Performance Exception: It is not information blocking when an actor implements a practice that is likely to interfere with the access, exchange, or use of EHI in order to maintain or improve health IT performance, provided certain conditions are met.

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

Content and Manner Exception: It is not information blocking when an actor limits the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

Costs Exception: It is not information blocking when an actor charges fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

Licensing Exception: It is not information blocking when an actor licenses interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

What are the potential penalties or disincentives for information blocking?

Section 4004 of the Cures Act authorizes enforcement against actors who are found to have committed information blocking.

  • Health IT developers of certified health IT and health information networks or health information exchanges that the Inspector General determines after an investigation to have committed information blocking shall be subject to a civil monetary penalty for all such violations. The penalty, determined by the Secretary of HHS, may not exceed $1 million per violation. Such determination shall take into account factors such as the nature and extent of the information blocking and harm resulting from such information blocking. This includes, where applicable, the number of patients affected, the number of providers affected, and the number of days the information blocking persisted.
  • Health care providers determined by the Inspector General to have committed information blocking shall be referred to the appropriate agency. These providers shall be subject to appropriate disincentives using authorities under applicable federal law, as the Secretary of HHS sets forth through notice and comment rulemaking.

Complaints

If you believe that you or your patients have been subject to information blocking by another actor — whether another health care provider, a health IT developer of certified health IT, or a health information network or exchange — you can report it through the online Information Blocking Portal.

As specified by the Cures Act, information blocking claims and information that ONC receives in connection with a claim or suggestion of information blocking are generally protected from disclosure under the Freedom of Information Act.

We will review your complaint under ONC’s available authorities. Depending on the nature of your claim, we may contact you for additional information or, to the extent necessary and permitted by law, share the information you provided with other appropriate government agencies, such as the HHS Office of Inspector General.

For more information on information blocking and the ONC Cures Act Final Rule, check out these resources:

How to address health IT complaints and issues

If you have complaints about certified health IT products that may not be performing as they are certified to or that you believe may pose a danger to public health or safety, ONC recommends taking the following steps:

Step 1 — Contact the Developer

We recommend that you first work with your health IT developer to resolve any issues of potential noncompliance with certification requirements, including the Conditions and Maintenance of Certification.

Many issues can be resolved at this step.

Resources

Use these resources to help you look up certified health IT modules and understand certification requirements:

Step 2 — Contact the ONC-ACB

If the issue isn’t resolved at Step 1, we recommend that you contact the ONC-Authorized Certification Body (ONC-ACB). You can find the ONC-ACB for a certified health IT module by searching the CHPL.

The ONC-ACB will:

  • Check to see if the reported issue is applicable to 1 or more certified capabilities
  • Work with you and the developer to get more information — and may perform surveillance to determine if non-conformities exist
  • Report findings on the CHPL if non-conformities are found and require the developer to implement a corrective action plan
  • Report to ONC any information concerning potential non-conformities to the Conditions and Maintenance of Certification
ONC-ACB contact emails:

Step 3 — Contact ONC

If neither Step 1 nor Step 2 resolves the issue, you may provide feedback to ONC via the Health IT Feedback and Inquiry Portal.

ONC will check to see if the Health IT module in question is certified. If it is, we will refer the matter to the appropriate ONC-ACB.

Feedback

To provide feedback to ONC through the Health IT Feedback and Inquiry Portal, choose the ONC Health IT Certification category. Consider including the product name and version or the certification’s CHPL ID.

Section 2 Recap

Take steps towards improving your practice with certified health IT.

  • Learn about certification criteria
  • Review certified health IT products
  • Use APIs to ease information exchange
  • Understand information blocking
  • Report EHR issues

Content last updated on: March 12, 2021