#45 Question [12-13-045-1] Is a health care provider permitted by the HIPAA Privacy Rule to allow an ONC-ACB to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB, when protected health information (PHI) may be accessible to the ONC-ACB during the surveillance?

Guidance for an ONC-ACB to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB, when protected health information (PHI) may be accessible to the ONC-ACB during the surveillance

Final

Issued by: Office of the National Coordinator (ONC) of Health Information Technology

#45 Question [12-13-045-1]

Is a health care provider permitted by the HIPAA Privacy Rule to allow an ONC-ACB to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB, when protected health information (PHI) may be accessible to the ONC-ACB during the surveillance?

Yes. Under the Office of the National Coordinator (ONC) HIT Certification Program rules at 45 CFR 170 Subpart E, ONC-ACBs are authorized to perform EHR technology certification on behalf of ONC. An ONC-ACB is also required as a condition of its accreditation and ONC-authorization to perform surveillance on the EHR technology it certifies to ensure the EHR technology continues to perform in an acceptable manner in the field. In this capacity, ONC-ACBs meet the definition of a “health oversight agency” in the HIPAA Privacy Rule, and a health care provider is permitted to disclose PHI (without patient authorization and without a business associate agreement) to an ONC-ACB during the limited time and as necessary for the ONC-ACB to perform the required on-site surveillance of the certified EHR technology. 45 CFR 164.501, 164.512(d)(1)(iii). 

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.