170.450—EHR module testing and certification.
(a)
When testing and certifying EHR Modules, an ONC-ATCB must test and certify in accordance with the applicable certification criterion or certification criteria adopted by the Secretary at subpart C of this part.
(b)
An ONC-ATCB must provide the option for an EHR Module or a bundle of EHR Modules to be tested and certified solely to the applicable certification criteria adopted by the Secretary at subpart C of this part.
(c) Privacy and security testing and certification.
EHR Modules shall be tested and certified to all privacy and security certification criteria adopted by the Secretary unless the EHR Module(s) is/are presented for testing and certification in one of the following manners:
(1)
The EHR Module(s) is/are presented for testing and certification as a pre-coordinated, integrated bundle of EHR Modules, which would otherwise meet the definition of and constitute a Complete EHR (as defined in 45 CFR 170.102 ), and one or more of the constituent EHR Modules is/are demonstrably responsible for providing all of the privacy and security capabilities for the entire bundle of EHR Module(s); or
(2)
An EHR Module is presented for testing and certification, and the presenter can demonstrate and provide documentation to the ONC-ATCB that a privacy and security certification criterion is inapplicable or that it would be technically infeasible for the EHR Module to be tested and certified in accordance with such certification criterion.
(d) Inherited certified status.
An ONC-ATCB must accept requests for a newer version of a previously certified EHR Module or bundle of EHR Modules to inherit the previously certified EHR Module's or bundle of EHR Modules certified status without requiring the newer version to be retested and recertified.
(1)
Before granting certified status to a newer version of a previously certified EHR Module or bundle of EHR Modules, an ONC-ATCB must review an attestation submitted by the developer of the EHR Module or presenter of the bundle of EHR Modules to determine whether the newer version has adversely affected any previously certified capabilities.
(2)
An ONC-ATCB may grant certified status to a newer version of a previously certified EHR Module or bundle of EHR Modules if it determines that previously certified capabilities have not been adversely affected.