The Office of the National Coordinator for Health Information Technology (“ONC”) has operationalized regulatory requirements to improve transparency in health information technology (“health IT”). The regulations, which were finalized in October 2015, clarified in December 2016, and effective as of January 14, 2016, apply to all health IT products and services certified to the 2014 Edition as well as the newly issued 2015 Edition standards, which include the certification criteria for Meaningful Use.

The goal of the requirements, according to the ONC, is to make developers more accountable for the cost, benefits, and limitations of their health IT. The ONC regulations include disclosure, certification, and oversight provisions to increase accountability among health IT developers.

To improve access to the information, ONC has launched a website to efficiently aggregate the health IT product information. By going to, prospective customers can assess the full range of health IT products in a centralized, transparent marketplace. With access to this information through the ONC’s Certification Program, customers will be able to better assess a partnership with a health IT developer on the front-end, including an assessment of possible implementation challenges and the resulting costs.

Disclosure Statements

Developers must publish disclosure statements on their websites and in marketing materials that, using plain language, allows prospective customers to identify and understand the product or service. The disclosure statements must include all known, material product restrictions including technical and contractual restrictions that a prospective customer may face when implementing or using the technology offering.


Developers may also submit an attestation that they will be transparent in their business practices and regarding the costs and performance of the certified health IT products and services. The transparency attestation includes an affirmative duty to disclose relevant technology information to any requestor, any person who requests or receives a quotation for the health IT product or service, and to all customers prior to entering into any agreement to provide any certified health IT product or service. The attestation also binds developers to transparency during the ongoing customer relationship, such as when the developer offers an add-on or updates a product or service.

Whether a developer submits an attestation will be public information, and according to, “[n]early all developers who pledged to make electronic health records work better for patients and providers . . .” submitted a transparency attestation.


ONC-Authorized Certification Bodies (“ONC-ACB”) are conducting surveillance over certified health IT products and services to ensure compliance with these new disclosure and transparency requirements. The surveillance will take place on a randomized schedule and in response to specific complaints and will include field testing outside of a controlled setting, such as in a clinician’s office. ONC-ACBs will submit reports of noncompliance to be published on the Certified Health IT Product List (CHPL), and non-compliant developers risk losing their health IT certifications.

To avoid losing the health IT certification, a developer of a non-compliant product or service must submit a corrective action plan to cure the identified non-conformity and bring the product back into compliance. Under 45 C.F.R. 150.556(d)(3), a corrective action plan requires:

  • A description of the non-conformities and deficiencies;
  • To what extent the problem affects the developer’s other customers and users;
  • Means to address any deficiencies for all potentially affected customers and users;
  • Means to alert customers about any deficiencies and the deficiencies’ resolution; and
  • A timeframe to complete the corrective action plan.

Because corrective action plans are published on the CHPL, the ONC warns that “[v]isitors to the CHPL should exercise care and consider relevant factors as they evaluate the certified health IT products that have (or have not) been placed under corrective action.” In particular, the ONC suggests that visitors understand that non-conformities are not necessarily fatal defects in the health IT product or service and that many non-conformities are in fact resolved quickly.

As noted in an April 2016 Congressional Report on the Feasibility of Mechanisms to Assist Providers in Comparing and Selecting Certified EHR Technology Products, the Federal Health IT Strategic Plan, and the Shared Nationwide Interoperability Roadmap, the federal government is taking steps to encourage health IT products and services while protecting consumers and providers by ensuring accessibility and transparency. The ONC’s regulatory efforts requiring disclosures, encouraging attestations, and conducting compliance surveillance are part of that ongoing effort.

Originally, this post was an alert sent to the American Health Lawyers Association’s (AHLA) Health and Information Technology Practice Group Members. It appears here with permission. For more information, visit AHLA’s website.