Many health IT vendors breathe a sigh of relief after achieving ONC Health IT Certification. It feels like a major compliance hurdle cleared. But here’s the reality: that certification doesn’t make you HIPAA compliant.
A misunderstanding like this is more than just a technicality. It can have real consequences.
ONC and HIPAA serve different purposes. ONC Certification ensures your technology meets national standards for interoperability, patient access, and performance transparency. HIPAA ensures your organization protects the privacy and security of protected health information (PHI). Mistaking one for the other can lead to gaps in protection, operational risk, and regulatory exposure.
ONC: A Technical Standard
The U.S. Department of Health and Human Services (HHS) Office of the Assistant Secretary for Technology Policy (ASTP) and its Office of the National Coordinator for Health Information Technology (ONC) manage the Health IT Certification Program—a product-focused initiative. It validates that your software can share data with other systems, supports patient access and record export, and enables the reporting of clinical quality measures. It evaluates software capabilities based on specific technical and functional criteria.
However, ONC Certification does not assess how an organization governs access to that data, how it trains its workforce, or whether it is prepared to respond to security incidents. It does not evaluate your policies, vendor relationships, or employee conduct.
HIPAA: An Operational Mandate
HIPAA compliance is broader. It applies to how your organization collects, uses, stores, and discloses PHI. It requires administrative and technical safeguards, business associate agreements, workforce training, and breach response planning.
HIPAA does not assume your systems are secure simply because they are certified. It asks whether your entire organization (people, processes, and technology) functions in a way that protects patient information.
Where They Do—and Do Not—Overlap
ONC and HIPAA do intersect in certain technical areas—but even where they align, the scope and intent are often different. ONC Certification evaluates whether a product includes specific features. HIPAA asks whether those features are implemented, governed, and actively monitored within your organization.
In a comparison of 69 criteria drawn from ONC Certification and HIPAA regulatory requirements:
- 67% (46 criteria) are not covered at all by ONC Certification
- 19% (13 criteria) are only partially addressed, often as optional functionality or general best practices
- 14% (10 criteria) have substantive overlap, where both programs require similar technical safeguards
This means the vast majority of HIPAA compliance obligations—including workforce training, vendor risk management, breach response, and privacy governance—are beyond the scope of ONC’s Certification Program.

The table lists the 69 criteria compared between HIPAA and ONC Health IT Certification.
Vendors may equate ONC Certification with regulatory compliance because certification requires time, technical rigor, and impartial third-party validation. Clients may also assume that “certified” means secure. However, neither is true.
HIPAA compliance involves more than product features. It demands operational safeguards: evaluating threats, drafting policies, signing agreements, and training staff. Even with these elements in place, ONC Certification alone does not mean vendors have met HIPAA’s legal and procedural requirements.
If your organization relies solely on ONC Certification to demonstrate compliance, critical requirements may be left unaddressed. Without a documented risk analysis, your security posture is unproven. If your staff haven’t been trained in privacy practices, errors can lead to unauthorized disclosures. If business associate agreements aren’t in place, vendors may expose your data without accountability.
These aren’t speculative concerns. They are the root causes of many enforcement actions from the HHS Office for Civil Rights (OCR).
Take Action to Close the Gap
ONC Certification is a critical milestone. It validates your technology. But it doesn’t validate your handling of PHI in accordance with HIPAA. You must ensure that your privacy and security practices comply with HIPAA’s regulatory standards.
Start by reviewing your organization’s HIPAA Security and Privacy Rule readiness. Conduct a formal risk assessment. Review all third-party agreements that involve PHI. Ensure your staff understand HIPAA requirements. And assess your ability to detect, investigate, and report potential breaches.
And if you need help, you can start by scheduling a FREE Consultation with a Drummond HIPAA expert.