Certification Companion Guide:
§ 170.402 Assurances

170.402 Assurances.

1. Condition of Certification requirement.
   1. A health IT developer must provide assurances satisfactory to the Secretary that the health IT developer will not take any action that constitutes information blocking as defined in 42 U.S.C. 300jj-52 and § 171.103 on and after April 5, 2021, unless for legitimate purposes as specified by the Secretary; or any other action that may inhibit the appropriate exchange, access, and use of electronic health information.
   2. A health IT developer must ensure that its health IT certified under the ONC Health IT Certification Program conforms to the full scope of the certification criteria.
   3. A health IT developer must not take any action that could interfere with a user’s ability to access or use certified capabilities for any purpose within the full scope of the technology’s certification.
   4. A health IT developer of a certified Health IT Module that is part of a health IT product which electronically stores EHI must certify to the certification criterion in § 170.315(b)(10).
   5. A health IT developer must not inhibit its customer’s timely access to interoperable health IT certified under the Program.
2. Maintenance of Certification requirements.
   1. A health IT developer must retain all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for:
      1. A period of 10 years beginning from the date a developer’s Health IT Module(s) is first certified under the Program; or
      2. If for a shorter period of time, a period of  years from the effective date that removes all of the certification criteria to which the developer’s health IT is certified from the Code of Federal Regulations.
   2. 1. By December 31, 2023, a health IT developer must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in § 170.315(b)(10).
      2. On and after December 31, 2023, a health IT developer that must comply with the requirements of paragraph (a)(4) of this section must provide all of its customers of certified health IT with the health IT certified to the certification criterion in§ 170.315(b)(10).
   3. 1. Update. A health IT developer must update a Health IT Module, once certified to a certification criterion adopted in § 170.315, to all applicable revised certification criteria, including the most recently adopted capabilities and standards included in the revised certification criterion.
      2. Provide. A health IT developer must provide all Health IT Modules certified to a revised certification criterion, including the most recently adopted capabilities and standards included in the revised certification criterion, to its customers of such certified health IT.
      3. Timeliness. A health IT developer must complete the actions specified in paragraphs (b)(3)(i) and (ii) of this section:
         1. Consistent with the timeframes specified in part 170; or
         2. If the developer obtains new customers of health IT certified to the revised criterion after the effective date of the final rule adopting the revised criterion or criteria, then the health IT developer must provide the health IT certified to the revised criterion to such customers within whichever of the following timeframes that expires last:
            1. The timeframe provided in paragraph (b)(3)(iii)(A) of this section; or
            2. No later than 12 months after the purchasing or licensing relationship has been established between the health IT developer and the new customer for the health IT certified to the revised criterion.   
   4. For developers of Health IT Modules certified to § 170.315(b)(11), starting January 1, 2025, and on an ongoing basis thereafter, review and update as necessary source attribute information in § 170.315(b)(11)(iv)(A) and (B), intervention risk management practices described in § 170.315(b)(11)(vi), and summary information provided through § 170.523(f)(1)(xxi).

None. 

Clarifications:

• For the related Attestations Condition and Maintenance of Certification, the Assurances Condition and Maintenance of Certification requirements described in 45 CFR 170.402 apply to all Certified Health IT Developers. There are two compliance options to distinguish between Certified Health IT Developers that meet the condition of § 170.402(a)(4) requiring certification to the § 170.315(b)(10) Electronic Health Information (EHI) Export criterion and must also meet the maintenance requirements of § 170.402(b)(2) to provide the new functionality to their customers, and those Certified Health IT Developers who do not need to certify to the EHI Export criterion.
  • If the condition of § 170.402(a)(4) and the maintenance requirements of § 170.402(b)(2) are applicable, a Certified Health IT Developer can attest to compliance even if they have not yet certified to the § 170.315(b)(10) EHI Export criterion because the permissible certification and deadline for compliance has not yet expired.

Clarifications:

• Actions that would violate the Condition of Certification include failing to fully deploy or enable certified capabilities; imposing limitations (including restrictions) on the use of certified capabilities once deployed; or requiring subsequent developer assistance to enable the use of certified capabilities, contrary to the intended uses and outcomes of those capabilities. (see 85 FR 25719).

Clarifications:

• The Condition of Certification would also be violated if a developer refused to provide documentation, support, or other assistance reasonably necessary to enable the use of certified capabilities for their intended purposes. (see 85 FR 25719)
• Any action that would be likely to substantially impair the ability of one or more users (or prospective users) to implement or use certified capabilities for any purpose within the scope of applicable certification criteria would be prohibited by this Condition of Certification (see 85 FR 25719). Such actions may include imposing limitations or additional types of costs, especially if these were not disclosed when a customer purchased or licensed the certified health IT (see 85 FR 25719).

Clarifications:

• Health IT developers of Certified Health IT Module(s) or products that electronically store EHI must provide all of their customers of certified health IT with health IT certified to the functionality included in § 170.315(b)(10) within 36 months of the final rule’s publication date.
• EHI means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of record are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include (1) psychotherapy notes as defined in 45 CFR 164.501; or (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Associated CCG: § 170.315(b)(10) EHI Export

Clarifications:

There are no additional clarifications. 

Clarifications:

• Where applicable certification criteria are removed from the Code of Federal Regulations before the 10 years have expired, records must only be kept for three years from the date of removal for those certification criteria and related ONC Health IT Certification Program (Certification Program) provisions unless that timeframe would exceed the overall 10-year retention period.
• A health IT developer that does not have any certified products within the Certification Program would no longer have any obligation to retain records and information for the purposes of the Certification Program. However, note that it may be in the Certified Health IT Developer’s best interest to retain its records and information.

Clarifications:

• There are no additional clarifications.

Associated CCG: § 170.315(b)(10) EHI Export

Clarifications:

• There are no additional clarifications.

Clarifications:

• § 170.102 defines provide as “the action or actions taken by a developer of certified Health IT Modules to make the certified health IT available to its customers.”
• A customer, for this purpose, is any individual or entity that has an agreement to purchase or license the developer’s certified health IT. [see 89 FR 1309]

Clarifications:

• Timeframes for updates are outlined throughout part 170 and may be found within criteria requirements under part 170.315 or under standards referenced in part 170 subpart B. Expiration and deadline references may also be found in other sections of part 170 as it relates to the requirements.
• Rather than relying on independent timeliness requirements for previously certified health IT, the maintenance requirements now cross-reference timeframes specified in 45 CFR part 170, while still maintaining the proposed minimum 12-month timeframe for new customers. [see 89 FR 1198]
• The provisions for new customers means the health IT developer has the ability to plan both the certification to revised certification criteria and the execution of contracts and agreements with new customers to ensure that it can meet the above timeline for new customers. [see 89 FR 1310]

Clarifications:

• There are no additional clarifications.

Associated CCG: § 170.315(b)(11) Decision support interventions