ONC Certified Health IT

ONC Regulations for Certified Health IT

Recent changes to ONC’s Certified Health IT Program, brought about by the 21st Century Cures Act, include a prohibition on so-called “information blocking”. These regulations, which took effect on April 5, 2021, place several additional requirements on Health IT vendors, and cover new participants not previously covered under the ONC’s Program.

At their core, the regulations are designed to promote interoperability through the use of standards-based APIs, including FHIR, by limiting information blocking for requests from third parties – with certain limited and allowed exceptions – across the healthcare system. The law applies to a broader set of “actors” than past ONC regulations: it covers nearly every provider and health IT vendor, as well as most health information networks (HINs), including groups that may not use the term HIN but meet the definition.

Interpreting these new regulations, which are already in effect, while also complying with them at scale – and in a secure and compliant manner – can be a large undertaking, particularly for new actors.

Our unique team has the sub-specializations necessary to interpret and implement these complex regulations. Our team is trusted year after year by health IT vendors, providers, health information networks, and multiple government agencies to plan and assess compliance with government programs quickly and effectively. We specialize in helping companies use regulated technologies to achieve their business and compliance objectives by assisting in planning, architecting, designing, securing and scaling policies and technologies for healthcare interoperability.

Recent Changes

New Cures Act requirements include:

  • NCPDP Script 2017071
  • EHI export (bulk export, standardized API for population services)
  • New Privacy & Security Transparency Attestations for Certification Criteria:
    • Encrypt Authentication Credentials
    • Multi-factor Authentication Conditions for Certification and Maintenance

What We Cover

  • 21st Century Cures Act Requirements; USCDI
  • Information Blocking Rule and Exceptions
  • Direct Messaging; FHIR APIs
  • On-Going 2015 Edition Criteria:
    • ePrescribing
    • Lab Results Interfaces
    • Security and Audit Log requirements
    • Others

USCDI includes the following new required data classes and data elements:

  • Provenance
  • Clinical Notes
  • Pediatric Vital Signs

CMS Regulations – Interoperability & Patient Access Rule

The recent Interoperability & Patient Access Rule (CMS-9115-F) from CMS includes several new requirements derived from the Cures Act which align closely with the ONC’s Rule. These include:

  • Patient Access Application Programming Interface (API): Payers are required to make claims, encounter, cost, and a sub-set of clinical information available via standards-based APIs (HL7 FHIR) through third-party applications of the patient’s choice.
  • Provider Directory API: Payers must make standardized information about provider networks available through a published provider directory API.
  • Payer-to-Payer Data Exchange: Payers are required upon a patient’s request to send their interoperable clinical data in a specific format (USCDI Version 1) to other payers.
  • Public Reporting and Information Blocking: CMS will publicly report eligible clinicians (EC), hospitals (EH), and critical access hospitals (CAH) that may be information blocking based on how they attested to certain Promoting Interoperability Program prevention of information blocking requirements.
  • Admission, Discharge and Transfer Event Notifications: Hospitals must, as a condition of participation, send real-time event notifications about admission, discharge, and transfers to other providers.