• About InfoGard

  The Company

  • Overview
  • What We Do
  • Credentials
  • Independent Third Party
  • Careers
  • Contact Us

  Clients

  • Our Customers
  • Customer Testimonials

  Management Team

  • Company Management
  • Company Advisors
• Sectors We Serve

  Healthcare IT

  • EHR Testing & Certification
  • ONC-ATCB Certification
  • Hospital EHR Certification
  • Hospital Meaningful Use Incentive Payment Security Risk Analysis
  • Electronic Prescriptions for Controlled Substances (EPCS)
  • HIPAA Security & Privacy Assessments
  • SecureEHR
  • Breach Safe Harbor Certification
  • CalHIPSO
  • Penetration Test Services for Healthcare
  • Healthcare Vulnerability Scan Service
  • Medical Device Validation
  • Services for Security Technology Vendors
  • Healthcare Security and Privacy Offerings

  Federally Mandated Security

  • FIPS 140-2
  • Common Criteria Validation
  • Postal Systems
  • FIPS 201 (NPIVP) Card Command Validation

  Financial Services

  • Hardware Security Module
  • PCI Pin Entry Device Security
  • PCI Approved Scanning Vendor Validation
  • MasterCard PTS
  • Australian Payments Clearing Association
• Problems We Solve

  Problems We Solve

  • Healthcare
  • Smart Card/ID
  • Financial Industry
  • Federal Government

  Security Technology

  • Cryptographic Knowledge
  • Comprehensive Network Assessments
  • System Security Assessments
  • Compliance Assessments
  • FIPS 140-2
• Blog, News, & Events
  • Blog
  • Conferences
  • News
• Resources

  Resources by Sectors

  • Federally Mandated Security
  • Financial Services
  • Healthcare IT

  General Resources

  • Network Security Assessment
  • GSA Schedule
  • FAQ About EHR & HHS Safe Harbor Certification
  • Meaningful Use & Certification
  • About Breach Safe Harbor
  • Useful Links

FAQ About EHR & HHS Safe Harbor Certification

Home > Resources > FAQ About EHR & HHS Safe Harbor Certification

What are your qualifications as a certifier?

InfoGard is an Authorized Testing and Certification Body (ATCB) selected for the Electronic Health Records (EHR) certification program by the Office of the National Coordinator for Health Information Technology (ONC), Department of Health and Human Services (HHS).

Why should we select InfoGard Laboratories as our certifier?

InfoGard can perform the necessary evaluations to offer both EHR meaningful use certification and secureEHR certifications at the same time.

Why would we conduct a SecureEHR Gap Analysis on our product?

Recent polls indicate that preventing breaches of PHI security are the number one concern of health IT decision-makers. Systems that comply with the HHS Guidelines for rendering Protected Health Information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals prevent breaches from occurring. Access to PHI which is so protected by an unauthorized individual does not constitute a breach under the HHS regulations. SecureEHR services offered by InfoGard provide strong assurance the PHI was protected in accordance with the guidelines.

What are your basic prices?

InfoGard’s prices are available here. The price for SecureEHR services is very dependent on the product/system design process and documentation. To determine if a product or system qualifies under the HHS Guidelines requires a detailed analysis. See a description of the process here.

What is the company’s lead time between the request for evaluation and certification?

Once we have the required information, InfoGard can complete an EHR Meaningful Use certification within 2 weeks. Similar to pricing, the schedule for SecureEHR services is very dependent on customer design and documentation.

Can you provide a description of the EHR Meaningful Use evaluation process?

A customized test plan is developed for each EHR Vendor using the current NIST testing requirements. InfoGard Project Managers, Security Engineers and Testing Technicians are available to help interpret testing requirements and assist each Vendor to prepare for the testing event. Testing may be conducted either at the customer’s site or remotely in one or two days, depending on the scope of the required certification. When testing is successfully completed, the InfoGard Certification Body reviews the test report and submits the certification to the ONC for posting on the ONC-CHPL website which is updated weekly.

What if my product was not designed to comply with the HHS Guidelines?

InfoGard’s trusted third-party role precludes us from performing design. However, for 18 years we have provided software and hardware products Vendors “design for compliance” assistance. In addition, InfoGard is involved in the development of testing requirements for FIPS 140-3, the next generation cryptographic standard. As a result, we can help Vendors ensure that products are planned so they will not require modification to comply with FIPS 140-3.

What deliverables will be provided at the end of the certification process?

A certification that the evaluated EHR product complies with the requirements established by ONC will be provided both by InfoGard and the ONC. Information about the certifications can found at the HHS Temporary Certification FAQ. Paragraph C8 provides specific information.

How are non-conformances treated during the evaluation?

Non-conformances are either major or minor. If the evaluation reveals only minor non-conformances, the evaluation will continue and the evaluator will decide on certification pending an acceptable corrective action agreed upon over the telephone. Objective evidence of corrective action must be submitted before the evaluations can continue. In the case of a major non-conformance, the Vendor will be notified and the Vendor and InfoGard will mutually decide on the practicality of continuing the evaluation.

What is InfoGard’s policy on client confidentiality?

In accordance with our NVLAP accreditation from NIST and Principles of Proper Conduct for ONC-ATCBs, InfoGard keeps client information confidential in accordance with ISO/IEC Guide 65. In addition, InfoGard and its employees are governed by non-disclosure agreements established with each Vendor.