- (a) When certifying Health IT Module(s), an ONC-ACB must certify in accordance with the applicable certification criteria adopted by the Secretary at subpart C of this part.
- (b) An ONC-ACB must provide the option for an Health IT Module(s) to be certified solely to the applicable certification criteria adopted by the Secretary at subpart C of this part.
- (c) Gap certification. An ONC-ACB may provide the option for and perform gap certification of previously certified Health IT Module(s).
- (d) An ONC-ACB may provide an updated certification to a previously certified Health IT Module(s).
- (e) [Reserved]
(f) When certifying an Health IT Module to the 2014 Edition EHR certification criteria, an ONC-ACB must certify the Health IT Module in accordance with the certification criteria at:
- (1) Section 170.314(g)(1) or (2) if the Health IT Module has capabilities presented for certification that would support a meaningful use objective with a percentage-based measure;
- (2) Section 170.314(g)(3) if the Health IT Module is presented for certification to one or more listed certification criteria in § 170.314(g)(3); and
- (3) Section 170.314(g)(4).
(g) When certifying a Health IT Module to the 2015 Edition health IT certification criteria, an ONC-ACB must certify the Health IT Module in accordance with the certification criteria at:
- (1) Section 170.315(g)(3) if the Health IT Module is presented for certification to one or more listed certification criteria in § 170.315(g)(3);
- (2) Section 170.315(g)(4);
- (3) Section 170.315(g)(5); and
- (4) Section 170.315(g)(6) if the Health IT Module is presented for certification with C-CDA creation capabilities within its scope. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, § 170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each. If the scope of certification sought includes multiple certification criteria that require C-CDA creation, § 170.315(g)(6) need only be tested in association with one of those certification criteria and would not be expected or required to be tested for each so long as all applicable C-CDA document templates have been evaluated as part of § 170.315(g)(6) for the scope of the certification sought.
- (h) Privacy and security certification framework - (1) General rule. When certifying a Health IT Module to the 2015 Edition health IT certification criteria, an ONC-ACB can only issue a certification to a Health IT Module if the privacy and security certification criteria in paragraphs (h)(3)(i) through (viii) of this section have also been met (and are included within the scope of the certification).
(2) In order to be issued a certification, a Health IT Module would only need to be tested once to each applicable privacy and security criterion in paragraphs (h)(3)(i) through (viii) of this section so long as the health IT developer attests that such privacy and security capabilities apply to the full scope of capabilities included in the requested certification, except for the following:
- (i) A Health IT Module presented for certification to § 170.315(e)(1) must be separately tested to § 170.315(d)(9); and
- (ii) A Health IT Module presented for certification to § 170.315(e)(2) must be separately tested to § 170.315(d)(9).
(3) Applicability.
- (i) Section 170.315(a) is also certified to the certification criteria specified in § 170.315(d)(1) through (7);
- (ii) Section 170.315(b) is also certified to the certification criteria specified in § 170.315(d)(1) through (3) and (d)(5) through (8);
- (iii) Section 170.315(c) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), and (5);
- (iv) Section 170.315(e)(1) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), (5), (7), and (9);
- (v) Section 170.315(e)(2) and (3) is also certified to the certification criteria specified in § 170.315(d)(1) through (3), (5), and (9);
- (vi) Section 170.315(f) is also certified to the certification criteria specified in § 170.315(d)(1) through (3) and (7);
- (vii) Section 170.315(g)(7), (8) and (9) is also certified to the certification criteria specified in § 170.315(d)(1) and (9); and (d)(2) or (10);
- (viii) Section 170.315(h) is also certified to the certification criteria specified in § 170.315(d)(1) through (3); and
(4) Methods to demonstrate compliance with each privacy and security criterion. One of the following methods must be used to meet each applicable privacy and security criterion listed in paragraph (h)(3) of this section:
- (i) Directly, by demonstrating a technical capability to satisfy the applicable certification criterion or certification criteria; or
- (ii) Demonstrate, through system documentation sufficiently detailed to enable integration, that the Health IT Module has implemented service interfaces for each applicable privacy and security certification criterion that enable the Health IT Module to access external services necessary to meet the privacy and security certification criterion.
- (i) [Reserved]
- (j) Direct Project transport method. An ONC-ACB can only issue a certification to a Health IT Module for § 170.315(h)(1) if the Health IT Module's certification also includes § 170.315(b)(1).
(k) Inherited certified status. An ONC-ACB must accept requests for a newer version of a previously certified Health IT Module(s) to inherit the certified status of the previously certified Health IT Module(s) without requiring the newer version to be recertified.
- (1) Before granting certified status to a newer version of a previously certified Health IT Module(s), an ONC-ACB must review an attestation submitted by the developer(s) of the Health IT Module(s) to determine whether any change in the newer version has adversely affected the Health IT Module(s)' capabilities for which certification criteria have been adopted.
- (2) An ONC-ACB may grant certified status to a newer version of a previously certified Health IT Module(s) if it determines that the capabilities for which certification criteria have been adopted have not been adversely affected.
[76 FR 1325, Dec. 7, 2011, as amended at 77 FR 54291, Sept. 4, 2012; 79 FR 54480, Sept. 11, 2014; 80 FR 62757, Oct. 16, 2015]