

ONC Certification & Compliance Checklist

A buyer-and-administrator checklist for confirming an EHR meets ONC certification requirements and supports the programs that depend on it — Promoting Interoperability, MIPS, and the Cures Act API and information-blocking rules. Certified Electronic Health Record Technology (CEHRT) isn't a one-time stamp; it ties to specific certification criteria, real-world testing, and attestation. Use this to verify a product's certification, plan eCQM reporting, and avoid information-blocking exposure.

  • Certification verification
  • Key certification criteria to confirm
  • Program-readiness questions
  • Compliance maintenance cycle


What it is

The ONC Certification and Compliance Checklist is a buyer-and-administrator guide for confirming that an EHR meets ONC certification requirements and supports the programs that depend on it — Promoting Interoperability, MIPS, and the Cures Act API and information-blocking rules. Its key reframe is that Certified Electronic Health Record Technology (CEHRT) isn't a one-time stamp: it ties to specific certification criteria, real-world testing, and attestation. The checklist helps you verify a product's certification, plan your eCQM reporting, and avoid information-blocking exposure.

The document is structured around certification verification, the key certification criteria to confirm, program-readiness questions, and a compliance-maintenance cycle. Verification starts concretely: confirm the product is listed on the ONC Certified Health IT Product List (CHPL) with its CHPL ID, verify it's certified to the current ONC criteria (the ONC Cures Act Update / §170.315) you actually need, check that the certified version matches what you'll deploy rather than an older listed build, and confirm the standardized FHIR API certification (§170.315(g)(10)) for patient and app access.

Beyond the certification stamp, the checklist drives at program readiness — the reason certification matters in the first place. It asks whether the certified version supports every eCQM you plan to report for MIPS or Promoting Interoperability, whether the EHR can produce a Security Risk Analysis trail and support HIPAA safeguards, whether the vendor enables rather than restricts standardized API and EHI access, and how certification updates are delivered and on whose schedule. The compliance-maintenance cycle reflects the reality that certification is ongoing, with real-world testing and update obligations that continue long after purchase.

What it's used for

Practices and administrators use this checklist to verify certification before purchase and to maintain program readiness after deployment. Because certification is a precondition for major incentive and reporting programs, getting it wrong has direct financial and regulatory consequences.

  • Verifying the product is listed on the ONC Certified Health IT Product List (CHPL) with its CHPL ID, rather than trusting a vendor's certification claim.
  • Confirming the EHR is certified to the current ONC criteria (Cures Act Update / §170.315) you actually need, not an outdated criteria set.
  • Checking that the certified version matches the build you'll deploy, since a listed certification on an older version doesn't cover what you run.
  • Confirming the standardized FHIR API certification (§170.315(g)(10)) so patient and third-party app access meets the Cures Act requirements.
  • Planning eCQM reporting for MIPS and Promoting Interoperability by confirming the certified version supports every measure you intend to report.
  • Confirming the EHR produces a Security Risk Analysis trail and supports HIPAA safeguards, tying certification to your broader compliance obligations.
  • Establishing a compliance-maintenance cycle so certification updates, real-world testing, and attestation obligations are tracked over time rather than assumed handled.

Who uses it

ONC certification matters to the people responsible for buying the EHR, attesting to incentive programs, and staying clear of regulatory exposure, and the checklist coordinates their verification.

  • Practice administrators and EHR buyers: They verify certification on the CHPL before purchase and confirm the certified version matches what they'll deploy, protecting program eligibility from day one.
  • Compliance and privacy officers: They tie certification to the Security Risk Analysis, HIPAA safeguards, and information-blocking obligations, ensuring the EHR keeps the organization compliant.
  • Quality and reporting managers: They confirm the certified version supports every eCQM the practice plans to report for MIPS and Promoting Interoperability and plan the reporting accordingly.
  • IT and integration leads: They verify the standardized FHIR API certification and confirm the vendor enables rather than restricts API and EHI access.
  • Provider leadership and attesting clinicians: They depend on certified technology to attest successfully to incentive programs and avoid penalties tied to missing or outdated certification.

Context & good to know

ONC certification exists because federal incentive and reporting programs need a way to guarantee that an EHR can actually do what those programs require — exchange data, report quality measures, and provide standardized API access. Certified Electronic Health Record Technology (CEHRT) is the prerequisite for participating in MIPS and Promoting Interoperability, which is why verification belongs at the front of any EHR purchase. The most common and costly mistake is assuming a vendor's 'ONC certified' claim covers your situation, when in fact certification ties to specific criteria, specific versions, and specific real-world testing that you have to confirm match your needs.

The version-matching trap is subtle and expensive. A product can be listed on the CHPL with a valid certification while the build a practice actually deploys is an older or different version that doesn't carry that certification — meaning the organization could attest against technology that isn't actually certified for what it's running. The checklist's insistence on confirming the certified version matches the deployed build, and on locating the precise CHPL ID, exists to close this gap. The standardized FHIR API certification (§170.315(g)(10)) is singled out because it underpins the Cures Act's patient and app-access requirements and the information-blocking rules.

Certification is also not static, which is why the compliance-maintenance cycle is part of the checklist rather than an afterthought. The ONC program includes real-world testing and ongoing obligations, certification criteria evolve with updates like the Cures Act Update, and vendors deliver certification updates on their own schedules — meaning a practice that verified everything at purchase can drift out of readiness if it doesn't track updates and re-confirm eCQM support over time. Whether the certified product is Epic, eClinicalWorks, or Azalea Health, the practical posture is the same: verify rigorously on the CHPL up front, tie certification to your eCQM and HIPAA obligations, confirm the vendor enables rather than restricts EHI access, and maintain the verification on a recurring cycle.


Built on verified data, not vendor spin

Every Spotsaas resource draws on the Spotsaas Score — a blend of verified review ratings, review volume, and feature depth across 74 EHR software tools. Refreshed regularly; data as of June 2026.

FAQ

Questions, answered

What is ONC certification and why does it matter?

ONC certification confirms that an EHR meets specific federal criteria for capabilities like data exchange, quality reporting, and standardized API access. It matters because Certified Electronic Health Record Technology (CEHRT) is a prerequisite for participating in programs like MIPS and Promoting Interoperability — without it, a practice can't attest successfully or qualify for incentives.

What is the CHPL and how do I use it?

The CHPL is the ONC Certified Health IT Product List, the official public registry of certified products. You use it to confirm a product is genuinely certified, find its CHPL ID, and verify it's certified to the specific criteria (§170.315) you need. Checking the CHPL directly is more reliable than trusting a vendor's certification claim.

Why does the deployed version of the EHR matter for certification?

Because a product can be listed on the CHPL while the build you actually deploy is an older or different version that doesn't carry that certification. If you attest against technology that isn't certified for the version you're running, you risk program ineligibility. The checklist makes you confirm the certified version matches your deployment to close this gap.

What is the §170.315(g)(10) FHIR API certification?

It's the ONC certification criterion for a standardized FHIR API that supports patient and third-party app access to electronic health information. It underpins the Cures Act's patient-access requirements and the information-blocking rules, so confirming this certification is essential if you need to provide compliant API access to patients and apps.

What is an eCQM and how does certification relate to reporting?

An eCQM is an electronic clinical quality measure used in programs like MIPS and Promoting Interoperability. The certified version of your EHR must support every eCQM you plan to report, since reporting relies on certified measure logic. The checklist has you confirm eCQM support during certification verification so your reporting plans are actually achievable.

Is ONC certification a one-time event?

No. Certification ties to ongoing obligations including real-world testing and attestation, criteria evolve through updates like the Cures Act Update, and vendors deliver certification updates on their own schedules. A practice that verified everything at purchase can drift out of readiness, which is why the checklist includes a compliance-maintenance cycle to track updates over time.

How does ONC certification relate to information blocking?

The Cures Act information-blocking rules require organizations not to unreasonably restrict access, exchange, or use of electronic health information, and the standardized FHIR API certification supports compliant access. The checklist asks whether the vendor enables rather than restricts API and EHI access, tying certification to staying clear of information-blocking exposure.

Does ONC certification cover HIPAA compliance?

Not directly — they're distinct. Certification confirms capabilities for federal programs, while HIPAA governs the privacy and security of PHI. They overlap where certification expects the EHR to support a Security Risk Analysis trail and HIPAA safeguards, but a certified EHR still requires correct configuration, a signed BAA, and your own risk analysis to be HIPAA compliant.

What programs require CEHRT?

Primarily MIPS (the Merit-based Incentive Payment System) and Promoting Interoperability. Successful participation and attestation in these programs depend on using Certified Electronic Health Record Technology, which is why verifying certification before purchase protects your eligibility for these incentive and reporting programs.

What should I ask a vendor about certification updates?

Ask how certification updates are delivered and on whose schedule, since criteria evolve and you need updates that keep you compliant without disrupting operations. Also confirm the vendor enables standardized API and EHI access rather than restricting it, and that the certified version you'll run is the one listed on the CHPL with its CHPL ID.
