While talking to some of our customers who we had helped achieve the ONC 2015 certification, we realized there is a sense of relief that the deadlines for ONC 2015 Cures Act Final Rule have been extended.

The compliance requirements for the April 5, 2021 deadline seems deceptively straightforward enough to make one complacent. All you need to do is to provide just a few assurances that you will not indulge in Information Blocking or that your product is in compliance with the certification criteria, and that’s it.

Well, if this is your assessment as well, then we suggest you read on.

Demystifying assurance

Under the code of federal regulation (CFR) title 45 subpart D, certain requirements have been set forth for healthcare IT vendors participating in the ONC Health IT Certification Program.

We have tried to demystify only those aspects of ‘Assurance’ covered under subpart 170.402 that have implications for the April 5, 2021 deadline.

There are two reasons to provide these assurances:

a). Condition of Certification (CoC)

b). Maintenance of Certification (MoC)

CoC requires assurance from the IT vendor that:

a) They will not take any action that constitutes information blocking

b) Their product conforms to the full scope of the certification criteria

c)They would allow users to access or use certified capabilities

d) If the product stores electronic health information, then the product must certify to certification criteria 315 (b) (10), which pertains to Electronic Health Information export

Under MoC, the product vendor is required to maintain all records necessary to demonstrate compliance for 10 years from the date of certification. (Other conditions under MoC pertain to EHI export, for which the deadline is extended).


As we look at these requirements, we see two kinds of implications. The first is in direct relation to information blocking. The product vendor will be liable for a penalty of up to $ 1,000,000 if found guilty of Information blocking.

The second implication is, not meeting the conditions of CoC. If we carefully consider point (c) under CoC, it requires the certified features to be made available to the users. This means that it is not good enough for your product to be just certified by the certification body. The features have to work in the real world.

We have come across several scenarios where the certified vendor products had to be re-worked, as many criteria that were certified, were never meant to be used in the real world. Here lies the significance of the April 5 deadline – you now have time to fix any criteria that might be broken or you are taking the risk of giving false assurance and thereby becoming liable for the implications.


The key takeaway is that although the compliance requirement of the April 5 deadline looks simple; it may not be so. Even if the certified features of your product are not currently in use in the real world, it is best to get them tested and ready for use, before giving the assurance.

To understand the attestation requirements and to get more details on the update, please visit https://www.healthit.gov/condition-ccg/assurances

To get help with compliance with the Cures Act requirements, please write to itservices@healthasyst.com

Click here to read all the blogs in the Compliance series.

Cartoon vector created by vectorjuice – www.freepik.com


  • Bhupesh Nadkarni brings with him over 20 years of rich experience in IT services industry with expertise in Healthcare and Manufacturing domains.

Close Menu