8 Key Categories of ONC’s EHR Certification Requirements for the USA

The list of healthcare organizations fined for failing to comply with EHR certification requirements is constantly growing. And believe us, it’s not the kind of list you would like to be on.

After Greenway Health’s $57.25 million settlement in 2019 over misrepresenting the certification of its EHR product, other companies that didn’t learn the lesson got fined. In 2020, Konica Minolta Healthcare Americas paid $500,000 to settle allegations that an EHR product it had acquired falsely obtained certification, causing customers to submit false meaningful use attestations.

Therefore, if you implement EMR systems or provide EHR health information technology (HIT), make sure to play by the rules.

Electronic health record solutions must comply with the EHR certification requirements for the USA, and those requirements are strict. The latest health IT edition groups ONC’s certification criteria for EHRs into 8 categories, each with subcategories detailing exactly what an EHR must do to stay compliant.

It is necessary to implement healthcare data segmentation for privacy, record complete patient demographics and audit trails of who accessed them, and follow the other electronic health record certification requirements. Want to know more about the key EHR certification requirements?

This article walks through the main EHR certification criteria and explains how to satisfy them.



What Is EHR Certification and Why Is It Important?

We have already explained what an EHR system is and its main applications. Now it is time to talk about the legal aspects. Since EHR products process highly sensitive personal health information, a dedicated certification is essential.

EHR certification definition and the story behind

EHR certification demonstrates that a specific electronic health record system meets defined security, functionality, and technical requirements. It started as part of a program launched by the Office of the National Coordinator for Health Information Technology (ONC) to encourage proper EHR use in hospitals and practices.

The ONC EHR certification requirements were then tied to payment by the Centers for Medicare and Medicaid Services (CMS). In 2011, CMS launched the Medicare and Medicaid EHR Incentive Programs (renamed the Promoting Interoperability Programs in 2018), which rewarded eligible hospitals, critical access hospitals, and eligible professionals for EHR adoption. They received incentive payments for implementing expensive EHRs under two conditions: the system met the ONC EHR certification requirements, and it was used as intended (“meaningful use”). This considerably boosted adoption, with over 95% of US hospitals now running certified electronic records.


Why are electronic health record certification requirements so crucial

The ONC certification gives software vendors and healthcare organizations a clear roadmap on what EHR software to use. For hospitals supporting Medicare/Medicaid and receiving EHR reimbursement, it is mandatory.

For software vendors, certification is not mandatory. Nevertheless, most software providers strive to meet the certification requirements for EHR. This keeps them competitive and gets their products listed on the Certified Health IT Product List (CHPL). A listing there means the product has been tested against the ONC criteria by an ONC-Authorized Testing Laboratory and certified by an ONC-Authorized Certification Body, which makes it far more likely to be chosen by adopters.

Besides, certifying your EHR software with ONC improves its interoperability, usability, and security. The list of requirements for EHR certification is a common industry baseline that guides healthcare organizations and software vendors. Following it gives reasonable assurance that a certified electronic health records product will interoperate with others, though certification is a baseline, not a guarantee against every defect.

List of Requirements for ONC’s EHR Certification

The current EHR certification requirements for medical practices are defined in the 2015 Edition Health IT Certification Criteria, as updated by the 2020 ONC Cures Act Final Rule (the “2015 Edition Cures Update”). Overall, there are fifty-eight criteria split into eight broad categories.


Find the groups of requirements for certified EHR technology with key criteria to follow below.

#1. Clinical Processes. Must-have EHR modules and features

This category of electronic health record certification requirements specifies what functionality must be available in an EHR. The listed features are necessary to qualify for the certification and label the software as a full-fledged EHR. Here are the most critical components:

  • Computerized provider order entry (CPOE) for medications, laboratory, or diagnostic imaging. You will need to include at least one of these to meet the 2015 Edition Base EHR definition. CPOE enables healthcare providers to enter treatment instructions (such as medication, laboratory, or radiology orders) and deliver them electronically instead of by paper, fax, or phone
  • Drug-drug, drug-allergy interaction checks. This capability is intended to automatically provide real-time information on possible medication interactions or contraindications when the medications are ordered
  • Demographic data, including race and ethnicity, preferred language, date of birth, sex, sexual orientation, gender identity
  • Problem list indicating the current patient’s health problems, chronic conditions, injuries, and other relevant details
  • Medication list with all previous and current patient’s medications
  • Medication allergy list with all known medication allergies for every patient
  • Clinical Decision Support (CDS) capabilities for helping physicians to choose the right treatment based on data. A CDS system can include drug selection, clinical guidelines, patient data reports, diagnostic support, appropriate use criteria, and other features
  • Drug-formulary and preferred drug list indicating what medications are recommended for a specific patient based on their health insurance and the hospital policy
  • Smoking status
  • Family health history
  • Patient-specific education resources such as articles, videos, or images that can help the patient make more informed health decisions
  • Implantable device lists with unique device identifiers to track currently and previously used devices
  • Social, psychological, and behavioral patient data such as stress level, financial resource strain, education, depression, physical activity level, social connection and isolation, alcohol use, etc.

Implementing these capabilities brings your EHR a step closer to ONC compliance and the incentive programs. They make up the core functionality of an EHR, so you would build them into health record management software anyway.

#2. Care Coordination. Rules of patient data transmission

The second category governs how patient data is transmitted between systems. Software vendors and healthcare organizations need to make sure an EHR system produces and consumes documents in the HL7 Consolidated Clinical Document Architecture (C-CDA) standard. For transport it must support the Direct edge protocols (SMTP, POP3, or IMAP4) or IHE XDR.

To certify your EHR software with ONC, you will need to demonstrate that these standards are followed for transitions of care between care teams, reconciliation and incorporation of records received from external sources, electronic prescribing, data export, and exchange of care plans and summaries.
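A receiving system should not incorporate an inbound document just because it arrived: it should first confirm the payload really declares itself a C-CDA document and only then read the patient header. The following is an added example written for this article, not code from the ONC criteria or from any vendor's product. The XML document is constructed for the example; the HL7 namespace, the US Realm Header and Continuity of Care Document template OIDs, and the LOINC code 34133-9 are the real C-CDA identifiers, while the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import date

HL7_NS = "urn:hl7-org:v3"
NS = {"hl7": HL7_NS}
US_REALM_HEADER = "2.16.840.1.113883.10.20.22.1.1"   # C-CDA US Realm Header template
CCD_TEMPLATE = "2.16.840.1.113883.10.20.22.1.2"      # Continuity of Care Document template

# Constructed sample: a minimal CCD header as a partner's EHR might send it.
SAMPLE_CCD = b"""<?xml version="1.0" encoding="UTF-8"?>
<ClinicalDocument xmlns="urn:hl7-org:v3">
  <realmCode code="US"/>
  <templateId root="2.16.840.1.113883.10.20.22.1.1" extension="2015-08-01"/>
  <templateId root="2.16.840.1.113883.10.20.22.1.2" extension="2015-08-01"/>
  <code code="34133-9" codeSystem="2.16.840.1.113883.6.1"
        displayName="Summarization of Episode Note"/>
  <recordTarget>
    <patientRole>
      <id root="2.16.840.1.113883.19.5" extension="MRN-1001"/>
      <patient>
        <name><given>Jane</given><family>Doe</family></name>
        <administrativeGenderCode code="F" codeSystem="2.16.840.1.113883.5.1"/>
        <birthTime value="19800115"/>
      </patient>
    </patientRole>
  </recordTarget>
</ClinicalDocument>
"""


def _cda_date(value):
    """CDA timestamps are YYYYMMDD[HHMMSS...]; keep only the date part."""
    if not value or len(value) < 8 or not value[:8].isdigit():
        return None
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def parse_ccd(xml_bytes: bytes) -> dict:
    """Check that the payload declares itself a C-CDA CCD and extract the
    patient header fields. Raises ValueError for anything else."""
    # The stdlib parser does not fetch external entities, but for documents
    # from untrusted senders use defusedxml (assumed available) so entity
    # expansion is capped as well.
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{HL7_NS}}}ClinicalDocument":
        raise ValueError("not an HL7 CDA ClinicalDocument")

    declared = {t.get("root") for t in root.findall("hl7:templateId", NS)}
    missing = {US_REALM_HEADER, CCD_TEMPLATE} - declared
    if missing:
        raise ValueError(f"document does not declare required templates: {sorted(missing)}")

    patient_role = root.find("hl7:recordTarget/hl7:patientRole", NS)
    if patient_role is None:
        raise ValueError("no recordTarget/patientRole in document")

    def text_of(path):
        node = patient_role.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    ident = patient_role.find("hl7:id", NS)
    gender = patient_role.find("hl7:patient/hl7:administrativeGenderCode", NS)
    birth = patient_role.find("hl7:patient/hl7:birthTime", NS)
    doc_code = root.find("hl7:code", NS)

    return {
        "assigning_authority": ident.get("root") if ident is not None else None,
        "mrn": ident.get("extension") if ident is not None else None,
        "given": text_of("hl7:patient/hl7:name/hl7:given"),
        "family": text_of("hl7:patient/hl7:name/hl7:family"),
        "sex": gender.get("code") if gender is not None else None,
        "birth_date": _cda_date(birth.get("value") if birth is not None else None),
        "document_code": doc_code.get("code") if doc_code is not None else None,
    }


if __name__ == "__main__":
    print(parse_ccd(SAMPLE_CCD))
```

The template check matters because a sender can put any LOINC code in the header; the `templateId` elements are what conformance testing keys on, and a document that omits the CCD template should go to a quarantine queue rather than straight into the patient's chart.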

#3. Clinical quality measurement (CQM). Reporting outcomes of patient care

These certification requirements for EHR help ensure quality of care through accountability. In particular, an EHR must be able to record, export, calculate, and import CQM data in a standardized, CDA-based format: HL7 Quality Reporting Document Architecture (QRDA), Category I for patient-level and Category III for aggregate reports. Clinical quality measures evaluate the effectiveness and safety of healthcare services, patient engagement, care coordination, efficient use of resources, and population health. The system must also be able to filter these data by criteria such as provider, practice site, patient insurance, age, sex, race, and ethnicity, at the patient and aggregate level, for evaluation and research.

#4. Privacy and security. Right data protection practices

As for EHR privacy and security, the security portion of the requirements for certified EHR technology specifies how access to personal health information must be controlled. First, only authenticated users with valid credentials may access patient information, and only for the actions they are authorized to perform; stored authentication credentials must be encrypted, and the Cures update adds multi-factor authentication as a criterion. Apart from this, an EHR must support the following capabilities:

  • Record who accessed or changed patient data, when, and from where, and protect the audit log so users cannot disable it or delete entries
  • Create reports of audit trail events, sorted or filtered by date, user, or patient
  • Allow patients to request corrections and amendments to their health information (a HIPAA right) and record the amendment or its denial against the affected record
  • Support automatic access time-out after a period of inactivity
  • Enable emergency (“break the glass”) access to critical patient data (e.g., treatment history, allergies, medications)
  • Encrypt patient data stored on end-user devices such as laptops, tablets, or smartphones with a FIPS 140-2 validated algorithm, or prevent such data from being stored there at all
  • Ensure data integrity by creating a SHA-2 message digest of exchanged health information and verifying on receipt that it has not been altered
  • Establish a trusted connection for transmission: either encrypt and integrity-protect the message contents or use an encrypted, authenticated transport channel
  • Record the data disclosures made for treatment, payment, or healthcare operations (accounting of disclosures)
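Two of the items above are easy to get wrong in practice: an audit log that a privileged user can quietly edit, and an integrity check that compares digests with a timing-leaky string comparison. The following is an added example written for this article, not code from the ONC criteria or from any vendor's product. It models an append-only, hash-chained audit trail (so editing or deleting an entry is detectable) and a SHA-256 message digest for exchanged documents; the class and function names are illustrative, not an ONC-defined API, and the sample entries are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64   # chain anchor committed to by the first entry


def _entry_hash(entry: dict) -> str:
    """Canonical SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only audit trail: who touched which patient's record, when,
    from where, and what they did. Each entry commits to the previous one,
    so editing or removing any entry breaks verification from that point on."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, patient_id, action, source, when=None) -> str:
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "timestamp": when.isoformat(),
            "user_id": user_id,
            "patient_id": patient_id,
            "action": action,      # e.g. "view", "amend", "disclose", "emergency_access"
            "source": source,      # workstation name or IP the access came from
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev_hash") != prev or _entry_hash(e) != e.get("hash"):
                return False, i
            prev = e["hash"]
        return True, None

    def head(self) -> str:
        """Current chain head; export this to a store the EHR admins cannot rewrite."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def message_digest(payload: bytes) -> str:
    """SHA-256 digest the sender attaches to an exchanged document (SHA-2 family)."""
    return hashlib.sha256(payload).hexdigest()


def verify_digest(payload: bytes, expected_hex: str) -> bool:
    """Receiver-side check; constant-time compare so a mismatch leaks nothing about position."""
    return hmac.compare_digest(message_digest(payload), expected_hex)


if __name__ == "__main__":
    log = AuditLog()
    log.record("dr_smith", "MRN-1001", "view", "ws-icu-03")
    log.record("nurse_j", "MRN-1001", "amend", "10.0.0.9")
    print(log.verify())                              # (True, None)
    log.entries[0]["user_id"] = "someone_else"       # an insider rewrites history
    print(log.verify())                              # (False, 0)
```

The chain only proves tampering after the fact if the head hash regularly leaves the EHR for somewhere its administrators cannot rewrite (a SIEM or write-once store); otherwise an attacker with database access simply rebuilds the chain. Disabling the log must itself be a recorded event, and reports of audit events should be generated from the verified chain, not from a mutable copy.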

#5. Patient engagement. Smooth patient experience

If you wondered how an EHR improves patient care: the system must be easy to use and let patients manage their own health information. In particular, the software must enable patients to view, download, and transmit their health data online to a third party in the HL7 C-CDA format. Health data here means the Common Clinical Data Set plus laboratory test reports, diagnostic image reports, and, for inpatients, admission and discharge dates and locations.

For ONC compliance, patients must also be able to securely exchange messages with clinicians. Besides, an EHR must support patient-generated health data (PGHD) capabilities for shared treatment decision-making.



#6. Public health. Public health reporting

Public health data exchange is one of the key tasks of EHRs. By automatically sharing electronic public health data, healthcare organizations help improve the quality of healthcare services and treatment. The certification criteria cover transmission of electronic public health data to immunization registries, syndromic surveillance systems, cancer registries, public health agencies for electronic case reporting, antimicrobial use and resistance reporting, health care surveys, and reportable laboratory tests and values/results. The CMS Promoting Interoperability programs in turn expect participating providers to be actively engaged with at least two such registries or agencies.

Note that these registries accept different message formats: HL7 v2.5.1 messaging for immunization and syndromic surveillance, and HL7 CDA documents for cancer and case reporting. The coded content relies on standard vocabularies such as SNOMED CT, LOINC, and CVX for vaccines.

#7. Design and performance. Making reporting simple

Clinicians who take part in Centers for Medicare and Medicaid Services (CMS) payment programs have to send a great many reports to CMS. To minimize the risk of human error and simplify the reporting, an EHR must meet specific criteria:

  • Automatically record the numerator for each measure and calculate the measures from that data
  • Meet user-centered (safety-enhanced) design requirements, following a recognized process such as ISO 9241 or NISTIR 7741, and report the results of usability testing
  • Identify the quality management system (QMS) used to develop the certified EHR and confirm it maps to a federally or industry-standard QMS
  • Identify the accessibility-centered design standards applied, if any
  • Generate C-CDA transition-of-care and referral summaries that pass conformance testing, so exchange between organizations works
  • Expose application programming interfaces (APIs) for patient and population services; under the 2020 Cures Act update these must be standardized on HL7 FHIR

#8. Electronic exchange. Following the Direct Project for messaging

The last section of the ONC EHR certification requirements states that EHRs must support the Direct Project, an open government project guided by ONC. It was launched to develop a simple and cost-effective way to transport patient health information over the internet.

Direct is, in effect, secure email: messages are signed and encrypted with S/MIME using X.509 certificates issued under a Public Key Infrastructure (PKI), so only the intended recipient can read them and the sender can be verified, and they are relayed between EHRs and other EMR interfaces through Health Information Service Providers (HISPs). To implement it, software engineers need to cooperate with a HISP and meet the standard transport protocols, messaging formats, and certificate and trust-anchor requirements. Successful EHR data migration is also an integral part of a successful system launch.

Final Thoughts

EHR systems, like any other healthcare technology, are challenging to develop and implement. Health organizations adopting them and the software providers building them need to ensure strong security and regulatory compliance, and there are many nuances to consider. Therefore, if you aren’t sure how to meet the EHR certification requirements, a tech partner may help.

Empeek specializes in custom EHR/EMR development for software providers and healthcare organizations. We always play by the book and launch solutions meeting the EHR certification requirements and other healthcare standards, like HIPAA, HL7, and GDPR.

Want to get a quote for your EHR project? Drop us a line, and we’ll get back shortly.

Written by:
Alex Shpachuk Alex Shpachuk CEO
Alex Shpachuk is the owner and strategic partner of Empeek. His effective leadership and a visionary approach to the future of healthcare turned the company into a dynamic environment attracting the brightest minds with the common vision for product impact and service excellence. With over a decade of experience in software engineering and comprehensive knowledge of designing and deploying tailor-made solutions for healthcare providers, Alex channels his passion for software development and consulting into the written word.
