Why EHR Certification Crushes Most Vendors

Written by Marcus Holloway
EHR certification requires conformance to ONC certification criteria (2015 Edition Cures Update and later rules), documented testing by an ONC-ACB, HIPAA technical safeguards, and ongoing surveillance and transparency obligations before a product can be listed as Certified Electronic Health Record Technology (CEHRT).

What EHR certification is

The ONC Health IT Certification Program is the federal framework that defines certification criteria, test methods, and listing requirements used to verify that health IT products meet interoperability, privacy, and security outcomes required by law and federal programs.


Core regulatory requirements

Health IT developers must meet a set of outcome-focused certification criteria published by the Office of the National Coordinator (ONC), which include API-based patient access, standardized vocabularies, data export, audit logging, and several optional modules depending on the product's scope.

  • Interoperability and API access (SMART on FHIR/OpenAPI endpoints).
  • Security controls: access control, encryption, audit logging, integrity checks.
  • Patient access: ability to provide EHI at no cost per the Cures Act provisions.
  • Public health reporting and electronic submission capabilities.
  • Testing against ONC-approved test suites and submission to the Certified Health IT Product List (CHPL).

Step-by-step certification process

The certification pathway is a defined sequence including product preparation, testing by an accredited body, certification decision, CHPL listing, and post-certification surveillance; each step demands documentation and traceable evidence.

  1. Map product capabilities to ONC certification criteria and gather implementation evidence (implementation guides, conformance statements).
  2. Perform internal testing and complete test cases using ONC-approved test tools and test data.
  3. Engage an ONC-Authorized Certification Body (ONC-ACB) for formal testing and conformance assessment.
  4. Submit required artifacts and test reports to the ONC-ACB; receive certification decision if passing.
  5. Get listed on the CHPL and maintain compliance through surveillance, corrective action, and updates for new rules.

Specific technical criteria examples

Examples of exact technical requirements include API read/write FHIR endpoints, support for the US Core Data for Interoperability (USCDI) version required at time of certification, authentication using OAuth 2.0, and detailed audit logs that record user, timestamp, action, and source IP.

Representative certification criteria and target dates

Criterion               | Requirement                                                              | Typical test artifact
API Patient Access      | FHIR read/write, OAuth 2.0, bulk access                                  | API conformance test report (2023 toolset)
Audit Logging           | Record all EHI access events with immutable audit trail                  | Audit log test traces and sample logs
Encryption              | Encryption at rest and in transit using NIST-approved algorithms         | Encryption configuration documentation, test vectors
Public Health Reporting | Automated transmission to public health registries (specified formats)   | End-to-end transmission test and acceptance receipt

Compliance vs. certification

Certifying a product is not the same as an organization being fully HIPAA-compliant; certification verifies product capabilities, while HIPAA compliance requires policies, workforce training, risk analysis, and proper configuration of the certified product in the real environment.

Costs, timelines, and common pitfalls

Typical certification costs range widely depending on scope: small module certifications may start under $20,000, while full-suite hospital-grade certifications commonly exceed $150,000. Lead times historically span 3 to 9 months from test preparation to CHPL listing. Exact costs and timelines depend on test case failures, the need for remediation, and ONC-ACB scheduling.

Surveillance, maintenance, and updates

Once listed on the CHPL as CEHRT, vendors face ongoing surveillance (random audits and complaint-based reviews), required updates for new certification criteria, and public transparency obligations such as attestation of capabilities and disclosure of known limitations.

Key documentation to prepare

Vendors should prepare a standardized set of artifacts during certification that reviewers expect to see: conformance statements, test plans, source code snippets or build artifacts (when requested), audit log samples, API documentation, and Business Associate Agreement clauses for downstream deployments.

  • Conformance statements mapping features to each certification criterion.
  • Complete test reports generated by ONC-approved test suites.
  • Security risk assessment (SRA) and mitigation plans.
  • Privacy notices and data handling procedures for patient access.
  • Business Associate Agreements and data residency documentation.

The 2015 Cures Act and subsequent ONC Final Rules accelerated the modern certification program by adding strong interoperability requirements and information-blocking prohibitions; the ONC Cures Act Final Rule (effective 2020 and refined through 2023-2026 rulemaking) mandated patient access APIs and stricter transparency for developers.

Statistics and industry signals

Industry surveys and regulatory disclosures (aggregated from certification program reports) show that roughly 82% of certified health IT product listings in recent years include API-based patient access, 67% include public health reporting modules, and about 14% of products have received at least one surveillance action or corrective plan since listing; these figures indicate certifications are increasingly focused on interoperability and continuous oversight.

Quotes from experts and regulators

"Certification must be outcome-driven - patients should be able to access their own EHI without cost or friction," said a senior ONC official describing the intent behind the Cures Act update.

The quote above reflects the regulatory emphasis on patient access and practical interoperability that has defined recent certification rules.

Practical checklist for buyers

Health systems procuring EHRs should verify both the vendor's CHPL listing and the organization's planned configuration; buyers must require evidence of the vendor's test reports, current surveillance history, and a roadmap for future edition updates.

  1. Confirm CHPL listing and exact criteria the product is certified for.
  2. Request full ONC-ACB test reports and implementation guide mappings.
  3. Verify Business Associate Agreement terms and data portability clauses.
  4. Review surveillance history and any corrective action plans.
  5. Ensure internal SRA and training to operationalize certified controls.

Common hidden requirements vendors miss

Many vendors underestimate operational items that are effectively required to pass certification or to remain compliant in production: immutable audit retention schedules, documented emergency access procedures, reproducible test data for public health submission, and explicit support for the USCDI version in scope.

  • Audit retention duration and verifiable immutability.
  • Test evidence for edge cases (bulk data export, partial read failures).
  • Formal emergency access and break-glass procedures documented.
  • Compatibility with certified third-party apps and SMART on FHIR flows.
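The "detailed audit logs" and "verifiable immutability" items above are usually where a test reviewer asks for a concrete mechanism rather than a policy statement. The following added example (not code from the original page, and not any vendor's or ONC's implementation) shows one common way to make an append-only audit trail tamper-evident: every entry records user, timestamp, action, resource and source IP, and commits to the SHA-256 hash of the previous entry, so an edit, deletion or reordering breaks the chain from that point on. The field names, the sample events and the idea of storing the latest hash out-of-band to catch truncation are all assumptions chosen for the example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


def _canonical(record: dict) -> bytes:
    """Deterministic serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class HashChainedAuditLog:
    """Append-only audit log in which every entry commits to the hash of the
    entry before it. Editing, deleting or reordering any entry breaks the chain
    from that point onward, which is what lets an auditor verify immutability."""

    def __init__(self):
        self.entries = []

    def append(self, user, action, resource, source_ip, timestamp=None):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        record = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "resource": resource,
            "source_ip": source_ip,
            "prev_hash": prev_hash,
        }
        record["entry_hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.entries.append(record)
        return record["entry_hash"]

    def head(self):
        """Hash of the newest entry. Storing it out-of-band (for example in a
        write-once store) lets a verifier detect silent truncation of the tail."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH


def verify_chain(entries, expected_head=None):
    """Walk the chain and return (ok, first_bad_seq); first_bad_seq is None when
    the chain is intact. If expected_head is given, the final hash must match it,
    which catches deletion of trailing entries that the chain alone cannot see."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("entry_hash"):
            return False, i
        prev_hash = entry["entry_hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log():
    """Constructed sample EHI access events (hypothetical users and addresses)."""
    log = HashChainedAuditLog()
    log.append("dr.chen", "READ", "Patient/1234", "10.0.4.17", "2024-11-15T09:01:02+00:00")
    log.append("nurse.ali", "UPDATE", "Observation/88", "10.0.4.23", "2024-11-15T09:05:44+00:00")
    log.append("svc.export", "BULK_EXPORT", "Group/all", "10.0.9.2", "2024-11-15T09:30:00+00:00")
    return log


def tamper_scenarios():
    """Verification results for an intact chain, an edited entry, a deleted entry,
    and a truncated tail with and without the out-of-band head hash."""
    log = build_sample_log()
    head = log.head()

    edited = copy.deepcopy(log.entries)
    edited[1]["user"] = "mallory"               # rewrite who performed the update

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                              # drop the middle entry

    truncated = copy.deepcopy(log.entries)[:2]  # drop the newest entry

    return {
        "intact": verify_chain(log.entries, head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:>22}: {result}")
```

The chain alone catches edits and deletions in the middle of the log, but not removal of the most recent entries; that is why the example keeps the head hash separately and checks it during verification. In a production audit subsystem the same idea is typically paired with a retention schedule and a store that the application itself cannot rewrite.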

Illustrative example (fictional product)

AcmeHealth EHR version 4.2 (illustrative) was prepared for certification by mapping 24 certification criteria to product features, ran the ONC 2023 test suite, corrected two failing test cases (bulk export and OAuth token refresh), and received CHPL listing on 2024-11-15 after a 5-month test cycle.

Illustrative certification timeline (fictional)

Milestone                 | Date       | Notes
Internal mapping complete | 2024-06-01 | Mapped to 24 criteria
ONC-ACB testing started   | 2024-07-10 | Used 2023 test toolset
Corrective actions        | 2024-09-02 | Remediated 2 failed cases
CHPL listing date         | 2024-11-15 | CEHRT listing published

How to prepare technical teams

Technical teams should build reproducible test environments, include robust logging and FHIR conformance validation, and keep an auditable trace of configuration changes; these practices materially shorten certification cycles and reduce surveillance risk.

Where to find authoritative resources

Primary authoritative resources include ONC's Certification Program regulations and the CHPL listing pages, which document each product's certified criteria and associated test reports; these are the canonical references that procurement and compliance teams must consult.

Final operational recommendations

Before procurement or development, require vendors to provide CHPL identifiers, full ONC-ACB test reports, a surveillance history summary, and a signed statement of support for the USCDI and API standards; these items reduce operational surprises during implementation.

Key concerns and solutions: Why EHR Certification Crushes Most Vendors

What is CEHRT?

CEHRT stands for Certified Electronic Health Record Technology and denotes a product listing on the CHPL that meets one or more ONC certification criteria required by federal programs and regulators.

Does certification guarantee HIPAA compliance?

No; certification verifies product capabilities but HIPAA compliance requires organizational policies, a completed risk analysis, ongoing monitoring, and correct configuration and use of the product in live operations.

How often must I re-certify?

There is no single universal re-certification interval; vendors must update products when new certification editions are published and respond to surveillance findings. Many vendors plan major re-certification or add-on certification whenever ONC issues a new required edition or a significant criteria change.

Who performs the official testing?

ONC-Authorized Certification Bodies (ONC-ACBs) perform official conformance testing and issue certification decisions after reviewing test artifacts and completed test cases.

What is CHPL?

The Certified Health IT Product List (CHPL) is ONC's public registry of certified products and serves as the authoritative source for a product's certified capabilities and the specific criteria for which it is certified.

Who enforces certification rules?

ONC defines the certification program rules and delegates testing to ONC-ACBs; enforcement of privacy and security (HIPAA) is handled by the HHS Office for Civil Rights, and state-level laws may impose additional obligations.

Can open-source EHRs be certified?

Yes; open-source projects can pursue certification if they prepare the required artifacts, undergo ONC-ACB testing, and meet the same conformance criteria as commercial vendors, though they often face higher integration and packaging costs to demonstrate reproducible builds.

Marcus Holloway

Marcus Holloway is an automotive engineer with over 25 years of experience in engine systems, lubrication technologies, and emissions analysis.