ONC Certification

ONC Certification Details

This Health IT Module is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.

Developer Organization Name
Kipu Health

Date Certified
Jan 20, 2026

Product Name and Version
Kipu Health V15

Certification ID
15.04.04.3254.Kipu.01.00.0.260120

View Certification (PDF)

Certification and Criteria

  • 170.315 (b)(10): Electronic Health Information Export (Cures Update)
  • 170.315 (d)(1): Authentication, Access Control, Authorization
  • 170.315 (d)(5): Automatic Access Time-out
  • 170.315 (d)(7): End-User Device Encryption
  • 170.315 (d)(9): Trusted Connection
  • 170.315 (d)(11): Disclosure Recording Compliance
  • 170.315 (d)(12): Encrypt Authentication Credentials
  • 170.315 (d)(13): Multi-Factor Authentication
  • 170.315 (g)(4): Quality Management System
  • 170.315 (g)(5): Accessibility-Centered Design

Costs and Fees

At present, utilizing ONC incurs no extra charges or fees apart from the continuous monthly and annual expenses specified in the contractual obligations. Unless listed below, the usage of certified functionality is included:

Additional Fees:

For population export there is a fee per Medical Record Number to be assessed only if the full export is requested.

EHI Export

The patient export feature supports both single patient and population level exports. Single patient exports can be generated directly within the application. You can access this export from the client’s chart by selecting the Export to JSON button located in the top right corner of the chart. Population level exports require submitting a request to Kipu. All exported data is provided in JSON format.

EHI Export Documentation (PDF)

MFA

Kipu allows Super Admins to enforce two key login-security controls: automatic password expiration and two-factor authentication. Passwords can be configured to expire after a set number of days (to comply with HIPAA or internal policy) and users can be notified in advance of the expiration. For MFA, when enabled, users will be required, especially when logging in from a new device or browser, to request and enter a six-digit code sent via SMS or email (as configured in their profile). Admins can also set how often the two-factor check must be repeated.

Real World Testing Plan

Under the ONC Health IT Certification Program (Certification Program), health IT developers are required to conduct Real World Testing of their certified health IT (45 CFR 170.405). The Office of the National Coordinator for Health Information Technology (ONC) issues Real World Testing resources to clarify health IT developers’ responsibilities for conducting Real World Testing, to identify topics and specific elements of Real World Testing that ONC considers a priority, and to assist health IT developers in developing their Real World Testing plans.