Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program

What Is ONC Health IT Certification and Why It Matters

ONC Health IT Certification refers to the Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program, a U.S. federal program that certifies electronic health record (EHR) systems and other health IT products.

ONC certification is designed to ensure that health IT products meet national standards for:

  • Security

  • Privacy

  • Interoperability

  • Data exchange

  • Auditability

While ONC certification applies primarily to software products, it has significant implications for the organizations that implement, configure, and rely on those systems.

In practice, ONC certification sets a baseline expectation for how health data should be protected and managed in modern healthcare environments.

Who ONC Certification Applies To

ONC certification is most relevant for:

Health IT Vendors

  • EHR and EMR vendors

  • Patient engagement platforms

  • Health information exchange (HIE) solutions

  • Clinical data and interoperability platforms

  • Health data analytics and reporting tools

Healthcare Organizations Using Certified Technology

  • Clinics and physician practices

  • Hospitals and health systems

  • Behavioral health and specialty providers

  • Organizations participating in federal healthcare programs

  • Entities subject to HIPAA and HITECH

Even if you are not the software vendor, how you configure and operate ONC-certified systems directly impacts compliance, security, and audit readiness.

What Information Is In Scope for ONC Certification

ONC-certified systems handle electronic protected health information (ePHI) and related healthcare data, including:

  • Patient medical records

  • Clinical notes and diagnoses

  • Prescriptions and medication data

  • Lab results and imaging data

  • Patient demographics and identifiers

  • Care coordination and interoperability data

Because these systems store and transmit sensitive health data, security and privacy controls are central to ONC certification requirements.

How ONC Certification Relates to HIPAA and HITECH

ONC certification does not replace HIPAA or HITECH.

Instead:

  • HIPAA defines privacy and security requirements for PHI

  • HITECH strengthens enforcement and breach accountability

  • ONC certification ensures the technology itself supports those requirements

Using ONC-certified software does not automatically make an organization HIPAA-compliant—but it does ensure the platform includes features such as:

  • Audit logging

  • Access controls

  • Secure authentication

  • Encryption capabilities

  • Interoperability safeguards

Organizations remain responsible for proper configuration, access management, and operational security.

What ONC Certification Requires From an IT & Security Perspective

Although ONC certification focuses on software products, it establishes clear expectations that affect IT operations.

Key areas include:


Access Controls & Identity Management

  • Unique user identification

  • Role-based access controls

  • Authentication mechanisms

  • Secure administrative access


Audit Logging & Monitoring

  • System activity logging

  • User access tracking

  • Ability to generate audit reports

  • Support for incident investigation


Data Protection & Encryption

  • Secure data storage

  • Protection of data in transit

  • Safeguards for interoperability and data exchange

  • Support for secure APIs


Interoperability & Secure Data Exchange

  • Standards-based data sharing

  • Secure interfaces between systems

  • Controls to prevent unauthorized access during data exchange


Configuration & Operational Responsibility

ONC certification assumes:

  • Systems are configured securely

  • Access is reviewed regularly

  • Security features are enabled and monitored

  • Staff are trained on proper use

Certification does not protect you if these steps are skipped.

Why ONC Certification Matters for SMBs

For small and mid-sized healthcare organizations, ONC certification often:

  • Enables participation in federal programs

  • Supports payer and partner requirements

  • Reduces friction during audits and assessments

  • Improves security and operational consistency

However, many SMBs mistakenly assume that using certified software equals compliance. In reality, most enforcement issues arise from:

  • Poor access management

  • Disabled security features

  • Inadequate logging or monitoring

  • Weak vendor oversight

  • Lack of documented processes

The Reality of ONC Certification

Here’s the key point most organizations miss:

ONC certification ensures the tool is capable of supporting compliance—not that your organization is compliant.

Security, privacy, and compliance depend on:

  • How systems are configured

  • Who has access

  • How data is monitored

  • How incidents are handled

  • How vendors are managed

That responsibility always stays with the organization.

How We Help With ONC Certification and Healthcare Compliance

Our cyber risk and compliance assessments help organizations:

  • Evaluate ONC-certified system configurations

  • Identify gaps between technology capabilities and actual use

  • Align EHR security with HIPAA and HITECH

  • Improve audit readiness and incident response

  • Reduce operational and regulatory risk

We focus on how systems actually work in real healthcare environments, not theoretical certifications.

How SMBs Can Prepare for ONC-Related Compliance Expectations

Here is a practical, high-impact roadmap.

Step 1: Confirm Which Systems Are ONC-Certified

Document:

  • EHR and health IT platforms in use

  • Certification status and scope

  • Security features available within each system

Step 2: Review System Configuration and Access Controls

Ensure:

  • Role-based access is enforced

  • MFA is enabled where possible

  • Administrative access is limited

  • User access is reviewed regularly

Step 3: Validate Logging, Monitoring, and Audit Readiness

Confirm:

  • Audit logs are enabled

  • Logs are retained appropriately

  • Monitoring processes exist

  • Incidents can be investigated effectively

Step 4: Assess Data Exchange and Interoperability Security

Review:

  • Interfaces with external systems

  • API access controls

  • Data-sharing agreements

  • Vendor responsibilities

Step 5: Align ONC Technology With HIPAA and HITECH Requirements

ONC-certified systems should support:

  • HIPAA Security Rule safeguards

  • HITECH breach response expectations

  • Risk assessments and documentation

Technology enables compliance—but operations complete it.


Take Control of Your Healthcare Technology Risk

ONC certification is an important foundation—but it’s only one piece of the puzzle.

Understand where your technology helps, where it falls short, and what to fix to protect patient data and your organization.

Talk to an Executive Advisor Today