OC-Go: Additional Costs and ONC Certification Disclosures
VirtuallyBetter Health, LLC · 1 Boars Head Ln Ste B6, Charlottesville, VA 22903 · vbhealth.net
ONC Disclaimer
Certification Information
| Developer (Company) Name | VirtuallyBetter Health, LLC |
| Product Name | OC-Go |
| Version | 4 |
| Certification Number | 15.05.05.3266.VBHT.01.00.0.260609 |
| Certification Date | June 9, 2026 |
| Criteria Certified |
§170.315(b)(10) Electronic Health Information Export §170.315(d)(12) Encrypt Authentication Credentials §170.315(d)(13) Multi-factor Authentication §170.315(g)(4) Quality Management System §170.315(g)(5) Accessibility-Centered Design |
| Clinical Quality Measures (CQMs) | None — CQMs are not included in the scope of this certification. |
| Relied Upon Software | None |
Electronic Health Information Export — Format Documentation
OC-Go supports electronic health information (EHI) export for both individual patients and the full patient population in accordance with §170.315(b)(10). The export is available to authorized administrator users (editor role) at any time without developer assistance, via the Research Tools section of the OC-Go clinician portal.
Single-patient exports and full population exports are produced in comma-separated values (CSV) format. The export includes all structured patient health data: assignments, text responses, SUDs scale readings, multiple-choice responses, journal entries, and file references for media captures. Binary media files (videos, images) are not included in the export file; their storage references are included as URL strings in the media_reference column.
The following table documents the structure and content of every column in the export file:
| patient_id | Internal numeric identifier for the patient |
| patient_name | Patient display name |
| patient_email | Patient email address |
| clinician_name | Name of the clinician who created the assignment |
| assignment_id | Internal numeric identifier for the assignment |
| activity_name | Name of the assigned activity (therapy exercise or psychoeducational module) |
| due_date | Assignment due date (YYYY-MM-DD) |
| assignment_status | One of: not attempted, attempted but not completed, completed |
| assignment_created_at | ISO 8601 timestamp when the assignment was created |
| step_title | Title of the individual step within the activity |
| step_type | Integer code for the step type (see step type reference below) |
| step_type_label | Human-readable step type name |
| is_journal | yes if the step is flagged as a journal entry; no otherwise |
| response_text | Patient's text response, SUDs numeric score, or MCQ selection(s). Populated for step types 3 (Text Response), 6 (SUDs Scale), and 7 (Multiple Choice). Empty for all other step types. |
| media_reference | URL reference to the patient-uploaded video or image file. Populated for step types 4 (Video Capture) and 5 (Image Capture). Empty for all other step types. |
| response_date | ISO 8601 timestamp of the patient's response submission |
Step type reference: 0 = Text/Instructions (display only), 1 = Video (display only), 2 = Image Display (display only), 3 = Text Response, 4 = Video Capture, 5 = Image Capture, 6 = SUDs Scale, 7 = Multiple Choice, 9 = Audio (display only). Display-only steps produce no patient response and appear in the export only when the assignment has at least one response step.
VirtuallyBetter Health maintains this export format documentation and updates it whenever the export format changes. The export format is versioned with each certified release of OC-Go.
Multi-Factor Authentication — Supported Use Cases
OC-Go supports multi-factor authentication (MFA) for all users in accordance with §170.315(d)(13), using industry-recognized standards for multi-element identity verification.
| Clinician Portal | Mandatory two-factor authentication for all clinician accounts. After entering a valid email address and password (first factor: something you know), the system sends a time-limited 6-digit one-time passcode to the clinician's registered email address. The clinician must enter this code to complete sign-in (second factor: something you have — access to the registered email account). Sessions remain active for 30 days after successful MFA. All clinician accounts are required to use MFA; it cannot be bypassed or disabled. |
| Patient Mobile Application | The patient-facing mobile application (iOS and Android) does not expose or store protected health information (PHI). Patient authentication combines device-level authentication (first factor: device PIN, Face ID, or Touch ID — something you know or something you are, enforced by the iOS/Android platform) with application-level password authentication (second factor: something you know). This leverages the native multi-factor security model of the underlying mobile platform. |
Additional Costs
Last updated: June 2026
