Skip to content

Health IT Feedback and Inquiry Portal: API Conditions and Maintenance of Certification at § 170.404

This section contains anonymized feedback and inquiries, related to the API Conditions and Maintenance of certification requirements at § 170.404, that ONC has handled through the ONC Health IT Feedback Portal. The inquiries are organized by date under headers that mirror the organization of paragraphs in the Code of Federal Regulations at 45 CFR § 170.404.

Attention

The date headers provide important context as some information may have changed since the time of an inquiry and response.

Applies to Entire Criterion

2023 Inquiries

Stakeholder Inquiry: We have been contacted by a developer asking for our FHIR documentation and access to our API. This developer does not currently have any business partnership or share any mutual customers with us. Are we obligated to work with them to provide documentation and access to our FHIR API? Can we ask them to engage with us on their FHIR development only when both companies have mutual customers?

ASTP Response: Certified API Developers (i.e., health IT developers with Health IT Modules certified to any of the § 170.315(g)(7) through (10) certification criteria) must conform to the API Condition and Maintenance of Certification requirements. Such requirements include:

  • publishing complete business and technical documentation via a publicly accessible hyperlink that allows any person to directly access the information without any preconditions or additional steps
  • granting certain rights, as detailed in 45 CFR 170.404(a)(4)(ii)(A), to API Users, including access and use of certified API technology in a production environment
  • for § 170.315(g)(10)-certified Health IT Modules, registering and enabling all applications for production use within five business days of completing verification of an API User’s authenticity

More information about the API Condition and Maintenance of Certification requirements is available in the § 170.404 Application Programming Interfaces Certification Companion Guide.

Paragraph (a)(1): API Condition Of Certification General Requirements

2024 Inquiries

Stakeholder Inquiry: Can you provide details on the practical meaning of “without special effort?”

ASTP Response: As described in the condition of certification requirement at 45 CFR 170.404(a)(1), a Certified API Developer must publish APIs and allow electronic health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs. API access without special effort requires the APIs and the health care ecosystem in which they are deployed to be standardized, transparent, and pro-competitive (85 FR 25739). The § 170.315(g)(10) criterion as well as the API condition and maintenance of certification requirements facilitate Health IT Modules to enable API access without special effort by requiring the attributes of standardization, transparency, and pro-competitiveness.

Paragraph (a)(3)(i): API Fees - General Conditions

2024 Inquiries

Stakeholder Inquiry: For applications that fall outside the SMART App Launch and FHIR Bulk Data Access IG scopes, such as third-party data aggregators accessing data without direct app interaction by a patient or provider, is there an obligation to support such integrations? If not, can fees for such integrations be levied at the discretion of the Certified API Developer without the constraints defined under the API Conditions of Certification (§ 170.404)?

ASTP Response: Health IT Modules certified to the § 170.315(g)(10) criterion must support the single patient API capabilities and multiple patient API capabilities specified in the requirements in the § 170.315(g)(10) criterion. Additionally, the API Conditions and Maintenance of Certification requirements at § 170.404 describe behavioral requirements for Certified API Developers regarding support and maintenance of health IT certified to certain API criteria, including the § 170.315(g)(10) criterion. Certified API Developers must without exception conform to the API Conditions and Maintenance of Certification requirements, including the fees conditions specified in § 170.404(a)(3).

Paragraph (a)(3)(iv): API Fees - Permitted Fee (Value-Added Services)

2024 Inquiries

Stakeholder Inquiry: We are inquiring about requirements and expectations for offering value-added services for certified API technology as defined in the API Condition and Maintenance of Certification requirements (170.404).

Can we offer value-added services to only app developers that meet particular criteria that we define?

ASTP Response: The API Condition of certification requirements at § 170.404(a)(3)(iv) permit Certified API Developers to charge fees to an API User for value-added services related to certified API technology, so long as such services are not necessary to efficiently and effectively develop and deploy production-ready software that interacts with certified API technology. For fees for value-added services, the Certified API Developer must comply with the requirements at § 170.404(a)(3)(i)(B), including that such fees are based on objective and verifiable criteria that are uniformly applied to all similarly situated API Information Sources and API Users.

Additional information and related examples are available in the ONC Cures Act Final Rule (85 FR 25760).

2021 Inquiries

Stakeholder Inquiry: If an EHR developer’s API includes both certified and non-certified capabilities, does the entire API fall within the requirements of § 170.404?

  • Can an API be certified if it also contains non-certified capabilities so long as it also meets the certification criteria?
  • Can the EHR developer charge for value-added services through an “app store” for the non-certified portion of such APIs?

ASTP Response: The fees conditions at 45 CFR 170.404(a)(3) all relate to fees administered by Certified API Developers for certified API technology. According to 45 CFR 170.404(c), certified API technology “means the capabilities of Health IT Modules that are certified to any of the API-focused certification criteria adopted in § 170.315(g)(7) through (10).” The certification criteria in the ONC Health IT Certification Program include the minimum technical requirements Health IT Modules must support; health IT developers are not prohibited from exceeding the certification requirements included in the API-focused certification criteria at 45 CFR 170.315(g)(7) through (10).

According to 45 CFR 170.404(a)(3)(iv), “A Certified API Developer is permitted to charge fees to an API User for value-added services related to certified API technology, so long as such services are not necessary to efficiently and effectively develop and deploy production-ready software that interacts with certified API technology.” Additionally, we clarified in the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule) that “To the degree that a health IT developer administers an “app store” and offers value-added services associated with certified API technology, the Condition of Certification covers its practices related to certified API technology only. Conversely, this Condition of Certification would not apply to any practices that do not involve certified API technology. However, health IT developers would need to be mindful of any applicable information blocking rules that may apply to their app store practices given applicable facts and circumstances” (85 FR 25760).

If a Certified Health IT Developer does not abide by applicable Conditions and Maintenance of Certification requirements, the nonconformities can be addressed through the Certified Health IT Complaint Process.

While we read and responded to this question as being specifically about the fees conditions at 45 CFR 170.404, for fees administered by Certified API Developers for certified API technology, we note in closing that health IT developers need to remain mindful that practices that do not violate 45 CFR 170.404 could still implicate the information blocking definition (45 CFR 171,103). For example, a practice that does not involve certified API technology would not be directly addressed by 45 CFR 170.404 but could implicate the information blocking regulations. To be certain their fees or other business practices will not be considered information blocking as defined in 45 CFR 171.103, the developer can choose to conform their practices to the conditions of relevant information blocking exception(s) such as the Fees Exception (45 CFR 171.302) and Licensing Exception (45 CFR 171.303).

We are not able to provide individualized advice on whether a specific fact pattern would or would not satisfy an exception or constitute information blocking.

Anyone who believes they may have experienced or observed information blocking by any health care provider, health IT developer of Certified Health IT, or health information network or health information exchange is encouraged to share their concerns with us through the Information Blocking Portal on ONC’s website, HealthIT.gov.

Paragraph (a)(4): API Openness And Pro-Competitive Conditions

2024 Inquiries

Stakeholder Inquiry: In situations where a third-party developer using 'Clinician Access for EHR Launch' requests API access, but no mutual clients are found between them and the practice (API Information Sources) during the vendor verification process: Is there an obligation to accommodate the registration request under the g.10 certification, or is it permissible to deny such requests based on the absence of mutual clients?

ASTP Response: As specified in the API Conditions of Certification at § 170.404(a)(4), a Certified API Developer must grant an API Information Source the independent ability to permit an API User to interact with the certified API technology deployed by the API Information Source. This requirement supports API Information Sources having the sole authority and autonomy to permit API Users to interact with the API technology deployed by the API Information Source in a non-discriminatory manner.

In general, ONC does not prescribe the registration paradigm that Certified API Developers create for themselves and their customers. Apps supporting the "Clinician Access for EHR Launch" capability set are tightly integrated with the Health IT Modules deployed by API Information Sources. Accordingly, registration for these apps could more often fall to the API Information Source.

Additional background information and guidance for the API Conditions of Certification requirement at § 170.404(a)(4) and application registration for apps focusing on the "Clinician Access for EHR Launch" capability set is available in the ONC Cures Act Final Rule (85 FR 25762) and API Conditions and Maintenance of Certification Certification Companion Guide.

Paragraph (b)(2): Service base URL publiciation

2024 Inquiries

Stakeholder Inquiry: My question is regarding the Service Base URL requirements from HTI-1 due by 12/31/24. We currently have multiple certified health IT modules. Data is sent to our (g)(10) certified API from both of these modules. One of our products is being withdrawn from the CHPL at the end of 2024, but we do have some clients who may still be using that product into 2025.

Are we required to publish service base URLs and Organization details for ALL customers, including customers whose data is coming from a non-certified Health IT module, or does this requirement only apply to customers with certified health IT?

ASTP Response: The API Maintenance of Certification requirement at 45 CFR 170.404(b)(2) requires that for all Health IT Modules certified to § 170.315(g)(10), a Certified API Developer must publish, at no charge, the service base URLs and related organization details that can be used by patients to access their electronic health information, by December 31, 2024. This includes all customers regardless of whether the Health IT Modules certified to § 170.315(g)(10) are centrally managed by the Certified API Developer or locally deployed by an API Information Source.

The scope of this requirement includes the Certified API Developer and its customers of Health IT Modules certified to § 170.315(g)(10). The scope of this requirement does not include a Certified API Developer's customer if the Health IT Modules provided to that customer are not certified to § 170.315(g)(10). For the situation described in this inquiry, if a Certified API Developer withdrawals their certification of a Health IT Module certified to § 170.315(g)(10) then the Certified API Developer is not required to publish service base URLs according to § 170.404(b)(2) for that Health IT Module.


Stakeholder Inquiry: Can ASTP clarify how the requirements at 45 CFR 170.404(b)(2) apply for parent/child Organization relationships using Orgnaization.partOf? In the User Access Brands spec, you can have the endpoint on the parent Organziation, and omit it for the child Organization. The endpoint for the child org can be determined by following the .partOf reference to the Parent.

ASTP Response: Thank you for your inquiry. As finalized in the HTI-1 Final Rule at § 170.404(b)(2), Certified API Developers must publish the service base URLs and related organization details that can be used by patients to access their electronic health information for all Health IT Modules certified to § 170.315(g)(10). By December 31, 2024, publication of these service base URLs and organization details must conform to the format detailed in the paragraphs under § 170.404(b)(2), including publication of service base URLs and organization details in a FHIR® format and collected into a Bundle FHIR resource. For the time period between when the HTI-1 Final Rule is effective (March 11, 2024) and December 31, 2024, Certified API Developers may fulfill their obligations at §170.404(b)(2) by publicly publishing a link to the service base URLs for all their customers in a machine-readable format at no charge (89 FR 1287).

We encourage Certified API Developers to consider options beyond the minimum requirements when possible, and to publish organization details in a way that best supports API Users (e.g., third party application developers) in presenting details that patients can easily recognize and connect to.

To clarify how the service base URL requirements at §170.404(b)(2) apply when Certified API Developers choose to represent parent/child organization relationships, we provide the following § 170.404 clarification that we'll also publish in the § 170.404 Certification Companion Guide (CCG):

Certified API Developers can utilize the "Organization.partOf" data element in the FHIR "Organization" resource to represent parent/child organization relationships that make up organization hierarchies. A child organization may use the same service base URL (i.e., FHIR endpoint) as its parent organization. For the purposes of Certification Program service base URL publication requirements, it is not required that a child "Organization" resource include an "Organization.endpoint" element if its parent "Organization" resource, referenced through the "Organization.partOf" element, already contains the applicable endpoint information in its own "Organization.endpoint" element.


Stakeholder Inquiry: Regarding the updated service base URL publication requirements adopted with HTI-1, we are seeking further clarification on the granularity that is expected for publishing “facility or organization level identifiers” as referred to in the final rule preamble (https://www.federalregister.gov/d/2023-28857/p-1183).

We understand through the above referenced clarification that there is not a need or expectation to publish endpoints at an individual provider level, but are still a bit unclear on the level of granularity expected for a “facility or organization” level. For example, this could theoretically be interpreted as either an integrated delivery network (IDN) organizational level which would likely consist of many different individual hospitals and other facilities, or as an individual physical facility (e.g., hospital or clinic) level.

Is there a more specific definition for this that ONC can provide to guide developers, or is this determination left up to the developer provided that all endpoints serviced by the developer that are used for patient access purposes are published?

ASTP Response: The Maintenance of Certification requirements for service base URL publication at 45 CFR 170.404(b)(2) require that, at a minimum, the service base URLs and related organization details are published at the Certified API Developer customer level.

If, for example, a Certified API Developer licenses their § 170.315(g)(10)-certified Health IT Module to an integrated delivery network (IDN) that deploys that module across many different individual facilities, it would be minimally expected that the IDN's name, location and a related facility identifier be published alongside the patient access service base URLs(s) for this customer to meet the publication requirements at § 170.404(b)(2).

Similarly if, for example, a Certified API Developer licenses their § 170.315(g)(10)-certified Health IT Module to an individual provider who deploys that module across their practice, it would be minimally expected that the provider's practice name, location and a related facility identifier for that practice be published alongside the patient access service base URLs(s) for this customer to meet the publication requirements at § 170.404(b)(2).

More information on the § 170.404(b)(2) requirements can be found in the Application Programming Interfaces Certification Companion Guide and the API Resource Guide.

We encourage Certified API Developers to consider options beyond the minimum requirements when possible, and to publish organization details at a level of granularity that best supports API Users (e.g., third party application developers) in presenting details that patients can easily recognize and connect to. As an example in the case of a large IDN with many different individual hospitals and facilities that a patient might visit, Certified API Developers can consider leveraging additional Organization resource features in the FHIR® specification like the Organization.partOf element in the FHIR Organization resource to represent the different IDN sub-organizations to provide more granular information.

Finally, we also encourage Certified API Developers to considering following related FHIR community work in the endpoint discovery space, such as the recently published User-access Brands and Endpoints FHIR specification which provides guidance for ensuring "a consistent and recognizable user experience when connecting users to health records across various platforms and services."


Stakeholder Inquiry: Regarding your Service Base URL Publication requirements:

  • What are the options for a provider practice level identifier?
  • The ONC references a facility identifier. Typically, each hospital has its own CMS Certification Number (CCN). The ONC mentions a health system ID number. What is that number?

ASTP Response: ONC does not specify a particular facility, provider, or health system identifier that is required to meet our updated Service Base URL publication requirements at 45 CFR 170.404(b)(2) finalized in the HTI-1 rule. Certified API Developers have flexibility to choose any facility level identifier for each of the organizations (i.e., API Information Sources) deploying their 170.315(g)(10)-certified Health IT Modules.

To your first question, if you choose to meet a facility level identifier requirement by publishing a collection of individual provider identifiers for a particular API Information Source, a widely used provider level identifier is the National Provider Identifier (NPI). To support interoperability, we encourage Certified API Developers choosing to publish individual provider identifiers to use the most relevant and widely usable individual identifiers such as NPIs. Another example of a provider level identifier would be a provider's state license number.

To your second question, our mention of "health system ID" number is meant to be a generic reference. A CMS Certification Number (CCN) counts as a health system or API Information Source facility identifier to meet our requirement at 170.404(b)(2)(ii)(B). Another example of a health system or API Information Source facility identifier would be an organization level NPI.

As we indicated in HTI-1 at 89 FR 1288, "[f]acility level identifiers, for the purposes of certification to our Endpoint publication requirements, include identifiers such as: a National Provider Identifier (NPI), Clinical Laboratory Improvement Amendments (CLIA) number, CMS Certification Number (CCN), or other health system ID. Support for one of these identifier types is sufficient, meaning Certified API Developers are not required to publish individual NPIs as a floor for certification. Different identifiers may be used depending on the customers a Certified API Developer has." ONC does not specifically define "other health system ID" but instead provides flexibility to developers as to which identifier is used.

2023 Inquiries

Stakeholder Inquiry: I have questions about the regulatory text in the ONC Cures Act Final Rule found here: https://www.federalregister.gov/d/2020-07419/p-1405.

Should this list be published on CHPL? We see the "place" for the information on CHPL, but we are seeing that many EHRs have very little to no information published and most don't have their customer list. Is this a violation of the requirements? Are there any exceptions to publishing this information?

ASTP Response: Thank you for your inquiry. In order to interact with a FHIR RESTful API, an app needs to know the “FHIR Service Base URL,” which is often referred to colloquially as a “FHIR server's endpoint.” The public availability and easy accessibility of this information is a central necessity to assuring the use of FHIR-based APIs without special effort for patient access apps. As per the API Maintenance of Certification requirement at 45 CFR 170.404(b)(2), a Certified API Developer must publish the service base URLs for all Health IT Modules certified to § 170.315(g)(10) that can be used by patients to access their electronic health information (EHI). The Certified API Developer must publicly publish the service base URLs for all of its customers regardless of whether the Health IT Modules certified to § 170.315(g)(10) are centrally managed by the Certified API Developer or locally deployed by an API Information Source, and in a machine-readable format at no charge.

For a Health IT Module certified to § 170.315(g)(10), a hyperlink to the list of service base URLs is published with the product information on the ONC Certified Health IT Product List (CHPL). The hyperlink to the list of service base URLs can be found in the "Service Base URL List" attribute under a CHPL product's details regarding the § 170.315(g)(10) criterion.

For more information about the API Maintenance of Certification requirements, please see the API Conditions & Maintenance of Certification Certification Companion Guide.

To be open and transparent to the public, developers must provide a hyperlink to the list of service base URLs to be published with the product on the ONC Certified Health IT Product List (CHPL). Certified API Developers are encouraged to use a standardized format when publishing the service base URLs for all of its customers. ONC recommends Certified API Developers leverage the HL7 FHIR 4.0.1 “Endpoint” resource, or profiles of this resource such as the Validated Healthcare Directory Implementation Guide STU1 “vhdir-endpoint” profile, to represent service base URLs that can be used by patients to access their health information. ONC also encourages developers to provide as much information about the service base URLs as available, including the API Information Source’s organization details, such as name, location, and provider identifiers (e.g., NPI, CCN, or health system ID). These steps will help industry coalesce around standards that enable application developers to more easily and consistently provide patients access to their electronic health information.

There are no exceptions to the requirement that Certified API Developers must publish service base URLs for all Health IT Modules certified to § 170.315(g)(10) that can be used by patients to access their EHI.

2022 Inquiries

Stakeholder Inquiry: If an EHR vendor chooses to obtain and integrate a 3rd party solution that is certified to 170.315(g)(10), who is responsible for publish the service base URLs?

ASTP Response: The API Maintenance of Certification requirement at § 170.404(b)(2) requires a Certified API Developer to publish the service base URLs for all Health IT Modules certified to § 170.315(g)(10) that can be used by patients to access their electronic health information. This includes publishing the service base URLs for all of its customers regardless of whether the Health IT Modules certified to § 170.315(g)(10) are centrally managed by the Certified API Developer or locally deployed by an API Information Source.

ONC provides discussion regarding Certified API Developer publication of service base URLs in the ONC Cures Act Final Rule (85 FR 25765): "We believe that Certified API Developers will have adequate relationships with API Information Sources in the process of providing Health IT Modules certified to § 170.315(g)(10) and will be able to collect and publish all service base URLs that support patient access on behalf of their customers. Furthermore, we note that API Information Sources would be obligated to share such service base URLs with Certified API Developers to avoid violating the Technical Interference Information Blocking provisions ..."

The ONC Cures Act Final Rule at 85 FR 25813 provides an example which discusses API Information Sources providing Certified API Developers service base URLs in the context of Information Blocking.

Paragraph (b)(3): Rollout of (g)(10)-Certified APIs

2022 Inquiries

Stakeholder Inquiry: According to the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Cures Act Final Rule) timeline, ONC Cures Update Certification Criteria must be made available by 12/31/2022. Can you clarify what "made available" means?

ASTP Response: The API Maintenance of Certification requirement at 45 CFR 170.404(b)(3) requires that a Certified API Developer with certified API technology previously certified to the certification criterion in § 170.315(g)(8) must deploy to all of their API Information Sources (e.g., customers) API technology certified to the criterion in § 170.315(g)(10) no later than December 31, 2022.

The Maintenance of Certification requirement also includes the deadline of December 31, 2022 for Certified Health IT Developers to upgrade and certify API technology to § 170.315(g)(10) and to deploy to production.

Additional context and background discussion of this Maintenance of Certification requirement is also available in the ONC Cures Act Proposed Rule (84 FR 7495), Final Rule (85 FR 25765), and Interim Final Rule (85 FR 70072), as well as the § 170.404 Application Programming Interfaces Certification Companion Guide.

We encourage all Certified Health IT Developers to work with their ONC-ACBs and customers to develop a certification and roll-out strategy to meet ONC Health IT Certification Program requirements by the required regulatory deadlines.


Stakeholder Inquiry: If an EHR system that is currently certified to (g)(7)-(g)(9) is unable to get certified to (g)(10) by January 1, 2023, what is the outcome with respect to their certification?

  • If they then certify to (g)(10) at some point in CY 2023 how is their CHPL entry effected?
  • If they are not certified to (g)(10) by April 2023, for bi-annual ONC attestations, how do they answer the attestation of APIs now that they are not certified on (g)(10)?
  • Finally, to comply with the ONC attestations, if an EHR is certified to (g)(10), must this (g)(10) functionality be deployed into ALL customer production sites by December 31, 2022 to meet the ONC attestation compliance for API, or is acceptable (i.e., can mark “Yes” on the attestation) to have it certified by December 31, 2022 but with an incomplete installation into production setting for all customers until later in CY 2023?

ASTP Response: The API Maintenance of Certification requirement at 45 CFR 170.404(b)(3) requires that a Certified API Developer with certified API technology previously certified to the certification criterion in § 170.315(g)(8) must deploy to all of their API Information Sources (e.g., customers) API technology certified to the criterion in § 170.315(g)(10) by no later than December 31, 2022.

The Maintenance of Certification requirement also includes the deadline of December 31, 2022 for Certified Health IT Developers to upgrade and certify API technology to § 170.315(g)(10) and to deploy to production.

Additional context and background discussion of the Maintenance of Certification requirement is available in the ONC Cures Act Proposed Rule (84 FR 7495), Final Rule (85 FR 25765), and Interim Final Rule (85 FR 70072), as well as the § 170.404 Application Programming Interfaces Certification Companion Guide.

Certified Health IT Modules must meet Cures Update compliance (i.e., certified to all eligible and applicable Cures Update criteria) in order to receive the “2015 Edition Cures Update” designation on their CHPL listings. All Certified Health IT Modules with an active certification status must meet this designation by the compliance date of December 31, 2022. Please see our Cures Update Fact Sheet, 2015 Edition Cures Update Reference, and 2015 Edition Cures Update Key Dates resources for additional information on the 2015 Edition Cures Update and the compliance deadlines.

Additionally, if a Certified Health IT Developer does not comply with the Conditions and Maintenance of Certification requirements, ONC may initiate the Direct Review process to ensure Certified Health IT Developers remedy the issue and regain compliance with Certification Program requirements in a timely manner. ONC could take the more serious step of terminating the affected certification(s) and/or issuing a certification ban to the Certified Health IT Developer if identified issues are not corrected.

We encourage all Certified Health IT Developers to work with their ONC-ACBs and customers to develop a certification and roll-out strategy to meet all ONC Health IT Certification Program requirements by the required regulatory deadlines.


Stakeholder Inquiry: Can you provide some more information on what the requirement below entails?

A Certified API Developer with certified API technology previously certified to the certification criterion in § 170.315(g)(8) must provide all API Information Sources with such certified API technology deployed with certified API technology certified to the certification criterion in § 170.315(g)(10) by no later than December 31, 2022.

ASTP Response: The API Maintenance of Certification requirement at 45 CFR 170.404(b)(3) requires that "A Certified API Developer with certified API technology previously certified to the certification criterion in § 170.315(g)(8) must provide all API Information Sources with such certified API technology with certified API technology certified to the criterion in § 170.315(g)(10) by no later than December 31, 2022."

If a health IT developer currently has Health IT Modules certified to 45 CFR 170.315(g)(8) under the ONC Health IT Certification Program, it must meet this Maintenance of Certification requirement no later than December 31, 2022, to continue participating in the ONC Health IT Certification Program. Failure to comply with a Condition and Maintenance of Certification requirement could result in a Certified Health IT Module being non-compliant, and ONC could initiate Direct Review (45 CFR 170.580(a)(2)(iii)) and pursue corrective actions to enforce the requirement. ONC’s goal is to work with Certified Health IT Developers to remedy any non-conformities in a timely manner, but failure to conform with requirements of the ONC Health IT Certification Program can ultimately result in terminating the affected Health IT Modules and/or issuing a certification ban to the Certified Health IT Developer. For more information on Direct Review, please visit http://www.healthit.gov/Direct-Review and our Direct Review fact sheet.

We encourage health IT developers to work with their ONC-ACB and customers to develop a certification and roll-out strategy to meet ONC Health IT Certification Program requirements by the required regulatory deadlines.

2021 Inquiries

Stakeholder Inquiry: Do all products have to be HL7® FHIR capable by Dec 31, 2022, or just the certified products?

ASTP Response: The API compliance requirement for certified products is contained in 45 CFR 170.404: API Conditions and Maintenance of Certification requirements. According to 170.404(b)(3):

“A Certified API Developer with certified API technology previously certified to the certification criterion in § 170.315(g)(8) must provide all API Information Sources with such certified API technology deployed with certified API technology certified to the certification criterion in § 170.315(g)(10) by no later than December 31, 2022.”

According to these requirements, if a health IT developer had technology that was previously certified to § 170.315(g)(8), it must be upgraded and certified to the requirements in § 170.315(g)(10) by the compliance deadline of December 31, 2022. Please consider reviewing the Certification Companion Guide for § 170.404 for more information.