ONC Clarifies Ongoing Surveillance of Certified EHRs

The Office of the National Coordinator for HIT is clarifying that ONC-ACBs, which are the designated firms that certify electronic health records products as meeting meaningful use criteria, are authorized to conduct ongoing surveillance of certified systems, and protected information may be accessible.


The Office of the National Coordinator for HIT is clarifying that ONC-ACBs, which are the designated firms that certify electronic health records products as meeting meaningful use criteria, are authorized to conduct ongoing surveillance of certified systems, and protected information may be accessible.

This surveillance can include capabilities related to safety, as part of ONC-ACBs’ health oversight activity permitted under HIPAA, according to ONC. Here is a recent frequently asked question on the subject:

#45 Question [12-13-045-1] Is a health care provider permitted by the HIPAA Privacy Rule to allow an ONC-ACB to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB, when protected health information (PHI) may be accessible to the ONC-ACB during the surveillance?

Answer: Yes. Under the Office of the National Coordinator (ONC) HIT Certification Program rules at 45 CFR 170 Subpart E, ONC-ACBs are authorized to perform EHR technology certification on behalf of ONC. An ONC-ACB is also required as a condition of its accreditation and ONC-authorization to perform surveillance on the EHR technology it certifies to ensure the EHR technology continues to perform in an acceptable manner in the field. In this capacity, ONC-ACBs meet the definition of a “health oversight agency” in the HIPAA Privacy Rule, and a health care provider is permitted to disclose PHI (without patient authorization and without a business associate agreement) to an ONC-ACB during the limited time and as necessary for the ONC-ACB to perform the required on-site surveillance of the certified EHR technology. 45 CFR 164.501, 164.512(d)(1)(iii).