Enforcement Discretion Notices

Dated: November 24, 2025

On October 1, 2025, through November 12, 2025, the Assistant Secretary for Technology Policy (ASTP) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively, “ASTP/ONC”) experienced a lapse in appropriations. ASTP/ONC has determined that this lapse in appropriations impacted the ability of entities to comply with certain regulatory requirements.

In the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule (89 FR 1192), ASTP/ONC made updates to the ONC Health IT Certification Program (Certification Program), including new and updated standards, implementation specifications, and certification criteria in 45 CFR Part 170, including establishing a new baseline version of the United States Core Data for Interoperability (USCDI). The HTI-1 Final Rule required that for all certification criteria in § 170.315, a health IT developer with a Health IT Module certified to any revised certification criterion, as defined in § 170.102, shall update the Health IT Module and shall provide such update to their customers in accordance with the dates identified for each revised certification criterion and applicable standard (89 FR 1307, 1429). This requirement to “update” and “provide” such updated technology is described in § 170.402(b)(3).

For each of the certification criteria listed below, the HTI-1 Final Rule required updates by January 1, 2026.[1]

• The “patient demographics and observations” criterion in § 170.315(a)(5);
• The “family health history” criterion in § 170.315(a)(12);
• The “social, psychological, and behavioral data” criterion in § 170.315(a)(15);
• The “transitions of care” criterion in § 170.315(b)(1);
• The “clinical information reconciliation and incorporation” criterion in § 170.315(b)(2);
• The “care plan” criterion in § 170.315(b)(9);
• The “decision support interventions” criterion in § 170.315(b)(11);
• The “clinical quality measures (CQM) – filter” criterion in § 170.315(c)(4);
• The “view, download, and transmit to 3rd party” criterion in § 170.315(e)(1);
• The “transmission to immunization registries” criterion in § 170.315(f)(1);
• The “transmission to public health agencies – reportable laboratory tests and values/results” criterion in § 170.315(f)(3);
• The “transmission to cancer registries” criterion in § 170.315(f)(4);
• The “consolidated CDA creation performance” criterion in § 170.315(g)(6);
• The “application access – all data request” criterion in § 170.315(g)(9); and
• The “standardized application programming interface (API) for patient and population services” criterion in § 170.315(g)(10).

Given the lapse in appropriations, health IT developers’ ability to certify their Health IT Modules to these revised criteria was substantially impacted. During the entirety of the lapse in appropriations, the ASTP/ONC website was unavailable, including access to testing tools and other resources. Additionally, ASTP/ONC staff were unavailable to provide operational or program support for ONC-ACBs, ONC-ATLs, and health IT developers. Therefore, ASTP/ONC is exercising the following enforcement discretion:

1. ASTP/ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with the January 1, 2026 compliance date for required updates to Health IT Modules certified to the certification criteria listed above. ASTP/ONC will also not exercise its direct review authority under 45 CFR 170.580 with respect to a developer with Health IT Module(s) certified to the certification criteria listed above and the requirements to “update” and “provide,” per 45 CFR 170.402(b)(3), their health IT certified to those criteria, until March 1, 2026.
2. ASTP/ONC will not, prior to March 1, 2026, initiate an enforcement action under 45 CFR 170.565 against an ONC-ACB based on non-compliance with 45 CFR 170.550 for certifying a Health IT Module that is presented for certification to a certification criterion listed above where the health IT developer has not completed required updates by January 1, 2026.

This enforcement discretion will be in effect beginning January 1, 2026, and will remain in effect until March 1, 2026. Health IT developers with Health IT Modules certified to the criteria listed above will, in effect, have through February 28, 2026, to complete updates required under the HTI-1 Final Rule to those criteria.

ID:EDN2025.06

[1] For additional information on required updates for certification criteria, please see https://www.healthit.gov/topic/certification-ehrs/onc-certification-criteria-health-it-regulatory-update-deadline.

Dated: November 24, 2025

On October 1, 2025, through November 12, 2025, the Assistant Secretary for Technology Policy (ASTP) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively, “ASTP/ONC”) experienced a lapse in appropriations. ASTP/ONC has determined that this lapse in appropriations impacted the ability of entities to comply with certain regulatory requirements.

In the ONC Cures Act Final Rule (85 FR 25642), we finalized the “Attestations” Condition and Maintenance of Certification requirements (45 CFR 170.406). A health IT developer, or its authorized representative that is capable of binding the health IT developer, must provide to the Secretary of Health and Human Services (HHS) an attestation of compliance with the following Conditions and Maintenance of Certification requirements in 45 CFR part 170, subpart D:

• Information blocking (§ 170.401);
• Assurances (§ 170.402), subject to more limited requirements if the health IT developer certified a Health IT Module(s) that is part of a health IT product which can store electronic health information;
• Communications (§170.403);
• Application programming interfaces (APIs) (§ 170.404), if the health IT developer has a Health IT Module(s) certified to certain certification criteria; and such health IT developer must also ensure that health IT allows for health information to be exchanged, accessed, and used, in the manner described in § 170.404; and
• Real world testing (§ 170.405), if the health IT developer has a Health IT Module(s) certified to certain certification criteria.

Under § 170.406(b)(1), a health IT developer, or its authorized representative that is capable of binding the health IT developer, must provide the attestation, as recited above (hereinafter referred to simply as “attestation”), semiannually for any Health IT Modules that have or have had an active certification at any time under the ONC Health IT Certification Program (Certification Program) during the prior six months. Per Certification Program guidance, a health IT developer is required to submit its attestation to an ONC-Authorized Certification Body (ACB) within a designated 30-day window twice a year (every six months). These attestation windows occur during the months of April and October. April attestations cover the months of October–March, while October attestations cover April–September.[1]

Health IT developers’ attestations were due by October 31, 2025. This deadline, however, was impacted by the lapse in appropriations. During the entirety of the lapse in appropriations, the ASTP/ONC website for attestation submissions and related compliance resources was unavailable. Additionally, ASTP/ONC staff were unavailable to provide operational or program support for ONC-ACBs or health IT developers and their authorized representatives. Therefore, ASTP/ONC is exercising the following enforcement discretion:

1. ASTP/ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with 45 CFR 170.406 until January 1, 2026. Specifically, ASTP/ONC will not exercise its direct review authority over a health IT developer’s obligation to submit their semiannual attestation that would have been due by October 31, 2025, until January 1, 2026, for such attestation.
2. ASTP/ONC will not conclude that an ONC-ACB has failed to review and submit health IT developer attestations to ASTP/ONC as required by 45 CFR 170.523(q), failed to ensure that health IT developers meet their attestation responsibilities as required by 45 CFR 170.550(l), or violated the good standing provisions of 45 CFR 170.560(a); or take any enforcement action under 45 CFR 170.565 against an ONC-ACB if an ONC-ACB does not review and submit health IT developers’ attestations originally due to ASTP/ONC by October 31, 2025, until January 1, 2026.

This enforcement discretion will be in effect immediately and will remain in effect until January 1, 2026. The effect of this enforcement discretion gives health IT developers and ONC-ACBs through December 31, 2025, to ensure submission of attestations for the period covering April 2025 through September 2025. The deadline for the April 2026 attestation submission, covering the period from October 2025 through March 2026, will remain the same (April 30, 2026).

For additional information on the attestation requirements, please see the Certification Companion Guide for Attestations and the Attestations Resource Guide.

ID:EDN2025.05

[1] https://www.healthit.gov/condition-ccg/attestations

Dated: July 31, 2025

On January 31, 2025, President Donald J. Trump signed Executive Order (EO) 14192, “Unleashing Prosperity Through Deregulation.” Section 1 of EO 14192 states that it is the policy of the Administration to significantly reduce the private expenditures required to comply with federal regulations to secure America’s economic prosperity and national security and the highest possible quality of life for each citizen.

In consideration of potential future deregulatory actions under the Office of the National Coordinator for Health Information Technology (ONC) authorities and consistent with EO 14192, ONC has identified certain regulatory requirements for which the exercise of enforcement discretion would reduce burden and costs for regulated entities.

In the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule, we finalized an updated certification criterion under the ONC Health IT Certification Program (“Certification Program”) for electronic case reporting (eCR) to public health authorities (“transmission to public health agencies – electronic case reporting;” (45 CFR 170.315(f)(5)). Specifically, in paragraph (f)(5)(ii), we incorporated by cross-reference the use of either the HL7 clinical document architecture (CDA) eICR standard or the Fast Healthcare Interoperability Resources (FHIR) eCR standard for certification to the criterion with a required effective date of January 1, 2026 (89 FR 1226-31).

In relation to these new requirements, ONC is exercising the following enforcement discretion:

For Calendar Year 2025

1. ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from certified health IT not complying with the adopted standards finalized in 45 CFR 170.315(f)(5), so long as the certified health IT remains conformant with either 45 CFR 170.315(f)(5)(i) or the requirements in (f)(5)(ii) as follows:
   1. (ii)(A) Consume and process case reporting trigger codes and identify a reportable patient visit or encounter based on a match with a trigger code value set (e.g., table).
   2. (ii)(B) Create a case report.
   3. (ii)(C) Receive, consume, and process a case report response.
   4. (ii)(D) Transmit a case report electronically to a system capable of receiving a case report.
2. ONC will not take any enforcement action under 45 CFR 170.565 against an ONC-ACB based on non-compliance with 45 CFR 170.550 for certifying a Health IT Module that is presented for certification to the “transmission to public health agencies – electronic case reporting” certification criterion (45 CFR 170.315(f)(5)), where the Health IT Module demonstrates and maintains conformance with paragraph (f)(5)(i) or the requirements of paragraph (f)(5)(ii) as specified in paragraph 1a through d above.

For Calendar Year 2026

1. ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises from certified health IT not conforming to the adopted standards finalized in 45 CFR 170.315(f)(5)(ii), so long as the certified health IT remains conformant with the requirements in (f)(5)(ii) as follows:
   1. (ii)(A) Consume and process case reporting trigger codes and identify a reportable patient visit or encounter based on a match with a trigger code value set (e.g., table).
   2. (ii)(B) Create a case report.
   3. (ii)(C) Receive, consume, and process a case report response.
   4. (ii)(D) Transmit a case report electronically to a system capable of receiving a case report.
2. ONC will not take any enforcement action under 45 CFR 170.565 against an ONC-ACB based on non-compliance with 45 CFR 170.550 for certifying a Health IT Module that is presented for certification to the “transmission to public health agencies – electronic case reporting” certification criterion (45 CFR 170.315(f)(5)), where the Health IT Module demonstrates and maintains conformance with the requirements of paragraph (f)(5)(ii) as specified in paragraph 1a through d above.

The intended practical effect of this enforcement discretion is that a developer with a Health IT Module currently certified to 45 CFR 170.315(f)(5) will remain in compliance with the Certification Program until December 31, 2025, if its Health IT Modules maintain compliance with either the criterion as defined in 45 CFR 170.315(f)(5)(i) or the requirements of 45 CFR 170.315(f)(5)(ii) as outlined above. Developers with a Health IT Module already conformant to 45 CFR 170.315(f)(5)(ii) may continue to be have its Health IT Module certified to the certification criterion without any further action. Additionally, in calendar years 2025 and 2026, health IT developers may pursue certification of their health IT to 45 CFR 170.315(f)(5)(ii) with or without adherence to the referenced standards.

This enforcement discretion will be in effect immediately, and will remain in effect until December 31, 2026, or until the Department of Health and Human Services completes a deregulatory action to revise 45 CFR 170.315(f)(5), whichever comes first.

ID:EDN2025.04

Dated: June 30, 2025

On January 31, 2025, President Donald J. Trump signed Executive Order (EO) 14192, “Unleashing Prosperity Through Deregulation.” Section 1 of EO 14192 states that it is the policy of the Administration to significantly reduce the private expenditures required to comply with federal regulations to secure America’s economic prosperity and national security and the highest possible quality of life for each citizen.

In consideration of potential future deregulatory actions under the Office of the National Coordinator for Health Information Technology (ONC) authorities and consistent with EO 14192, ONC has identified certain regulatory requirements for which the exercise of enforcement discretion would reduce burden and costs for regulated entities.

Section 3001(c)(5)(D)(v) of Title XXX of the Public Health Service Act (PHSA), as amended by the 21st Century Cures Act (Cures Act), requires, as a Condition and Maintenance of Certification under the ONC Health IT Certification Program (Program), that health IT developers successfully test the real world use of their technology for interoperability in the type of setting in which such technology would be marketed. [1]

In the Cures Act final rule (85 FR 25768-25775), we finalized the application of the statutory real world testing requirement to health IT certified to the following certification criteria:

• The “care coordination” criteria in § 170.315(b);
• The “clinical quality measures” criteria in § 170.315(c)(1) through (3);
• The “view, download, and transmit to 3rd party” criterion in § 170.315(e)(1);
• The “public health” criteria in § 170.315(f);
• The “application programming interface” criteria in § 170.315(g)(7) through (10); and
• The “transport methods and other protocols” criteria in § 170.315(h).

For these certification criteria, developers are required to submit annual testing plans and report real world testing results in accordance with § 170.405(b)(1) and (2), respectively. In relation to these requirements, ONC is exercising the following enforcement discretion:

For calendar year (CY) 2025:

1. ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with 45 CFR 170.405(b)(1). This means that a developer with a Health IT Module(s) certified to one or more of the criteria referenced in 45 CFR 170.405(a) is not expected to submit an annual real world testing plan to its ONC-Authorized Certification Body (ONC-ACB) for the 2026 real world testing year.
2. ONC will not conclude that an ONC-ACB has failed to adhere to 45 CFR 170.523(p)(1) and (3), find a violation of 45 CFR 170.560(a), or take any enforcement action under 45 CFR 170.565 against an ONC-ACB for not reviewing CY 2026 real world testing plans and submitting the plans to ONC for public availability.

For calendar year (CY) 2026:

1. ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with 45 CFR 170.405(b)(2), except with respect to Health IT Modules certified to the certification criteria specified in 45 CFR 170.315(g)(7) through (10). This means that ONC only expects a developer with a Health IT Module(s) certified to the (g)(7) through (10) certification criteria, as of August 31, 2024, will submit a CY 2025 real world testing results report to its ONC-ACB by March 2026.
2. ONC will not conclude that an ONC-ACB has failed to adhere to 45 CFR 170.523(p)(2) and (3), find a violation of 45 CFR 170.560(a), or take any enforcement action under 45 CFR 170.565 against an ONC-ACB if an ONC-ACB does not review and confirm that applicable health IT developers submit real world testing results reports, except with respect to Health IT Modules certified to the criteria specified in 45 CFR 170.315(g)(7) through (10).

This enforcement discretion will be in effect immediately, and will remain in effect until December 31, 2026, or until the Department of Health and Human Services completes a deregulatory action to revise 45 CFR 170.405 and 45 CFR 170.523(p), whichever comes first.

ID:EDN2025.03

[1] 21st Century Cures Act, P. L. 114-255, Sec. 4002(a).

Dated: March 21, 2025

On January 20, 2025, President Donald J. Trump signed Executive Order (EO) 14168, “Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government.” Section 2 of EO 14168 establishes that it is the policy of the United States to recognize two sexes, male and female. Section 3 of EO 14168 further states that agencies shall remove all statements, policies, regulations, forms, communications, or other internal and external messages that promote or otherwise inculcate gender ideology, and shall cease issuing such statements, policies, regulations, forms, communications or other messages. The United States Office of Personnel Management (OPM) issued a memorandum, dated January 29, 2025, that provided initial guidance for EO 14168. Section 1(f) of the guidance directs agencies to withdraw any final or pending documents, directives, orders, regulations, materials, forms, communications, statements, and plans that inculcate or promote gender ideology.[1]

Consistent with EO 14168 and OPM guidance, the Office of the National Coordinator for Health Information Technology (ONC) is exercising enforcement discretion and issuing certification guidance for the ONC Health IT Certification Program. Section 170.550 of Title 45 of the Code of Federal Regulations requires an ONC-Authorized Certification Body (ONC-ACB), when certifying Health IT Modules, to certify in accordance with the applicable certification criteria adopted in regulation.

1. Under this enforcement discretion and certification guidance, ONC will not take any enforcement action under 45 CFR 170.565 against an ONC-ACB based on non-compliance with 45 CFR 170.550 for certifying a Health IT Module that is presented for certification to a certification criterion or criteria in 45 CFR 170.315 that cross-references the United States Core Data for Interoperability (USCDI) version 3, where the Health IT Module:
   1. Does not demonstrate the capability to categorize data on individuals based on either or both of the following data elements:
      • sexual orientation; and
      • gender identity; or
   2. Only demonstrates the capability to categorize data on individuals for the sex data element in accordance with the following SNOMED CT® codes:
      • 248152002 |Female (finding)|; and
      • 248153007 |Male (finding)|.
2. Additionally, under this enforcement discretion and certification guidance, ONC will not take any enforcement action under 45 CFR 170.565 against an ONC-ACB based on non-compliance with 45 CFR 170.550 for certifying a Health IT Module that is presented for certification to the “patient demographics and observations” certification criterion (45 CFR 170.315(a)(5)), where the Health IT Module:
   1. Does not demonstrate conformance with any or all of the following data and observations in paragraph (a)(5)(i): sex parameter for clinical use, sexual orientation, gender identity, name to use, and pronouns; or
   2. Does not demonstrate conformance with any or all of the following paragraphs of (a)(5)(i): (D) (“sexual orientation”), (E) (“gender identity”), (F) (“sex parameter for clinical use”), (G) (“name to use”), and (H) (“pronouns”); or
   3. Only demonstrates, for conformance with paragraph (a)(5)(i)(C) (“sex”), that it can record sex in accordance with either the standard specified in § 170.207(n)(1) for the period up to and including December 31, 2025, or the following SNOMED CT® codes found in the standard specified in § 170.207(n)(2):
      • 248152002 |Female (finding)|; and
      • 248153007 |Male (finding)|.

Further, ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a Health IT Module not demonstrating the capabilities specified in (1)(a), (2)(a) or (2)(b) above; or for only demonstrating the limited specified capabilities in (1)(b) or (2)(c) above, for the relevant certification criteria requirements.

This enforcement discretion and certification guidance will remain in effect for twelve (12) months from the date of this notice or until the Department of Health and Human Services completes a regulatory action to revise the applicable regulations in compliance with EO 14168, whichever comes first. 

*ID:EDN2025.01

[1] “Gender ideology” as used here has the same meaning as defined in Section 2 of EO 14168.

Dated: April 29, 2025

On January 31, 2025, President Donald J. Trump signed Executive Order (EO) 14192, “Unleashing Prosperity Through Deregulation.” Section 1 of EO 14192 states that it is the policy of the Administration to significantly reduce the private expenditures required to comply with federal regulations to secure America’s economic prosperity and national security and the highest possible quality of life for each citizen. Consistent with Section 6 of the EO, the Director of the United States Office of Management and Budget (OMB) issued a memorandum, dated March 26, 2025. The memorandum provides implementation guidance for Section 3 of EO 14192. In providing guidance on how to assess deregulatory actions and cost savings, the memorandum addresses the matter of sunk costs. In general, sunk costs are those costs incurred by regulated entities for complying with regulatory requirements that, for purposes of deregulatory actions, cannot be recovered and counted as cost savings accruing from any deregulatory action.

In consideration of potential future deregulatory actions under the Office of the National Coordinator for Health Information Technology (ONC) authorities and consistent with EO 14192, ONC has identified certain regulatory requirements for which the exercise of enforcement discretion may prevent or mitigate the accrual of sunk costs by regulated entities.

The HTI-1 final rule (89 FR 1192) established the “Insights” Condition and Maintenance of Certification requirements (45 CFR 170.407). The Insights Condition and Maintenance of Certification requirements include seven measures that health IT developers under the ONC Health IT Certification Program must annually report on consistent with specified regulatory compliance timelines. The first required reporting begins in July 2027 and gradually increases to full reporting on all measures by July 2029. However, to meet these reporting requirements, health IT developers must begin annually collecting the data specified in each measure in the preceding year, starting in 2026. Further, health IT developers must begin to develop, and implement in client settings, the necessary technology to support the collection and reporting of the measure data and responses. Therefore, while ONC considers potential deregulatory actions for the Insights Condition and Maintenance of Certification requirements and to prevent and mitigate potential sunk costs necessary to ultimately report on the measures consistent with the current regulatory timelines, ONC is exercising the following enforcement discretion:

1. ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with 45 CFR 170.407(b) except for reporting requirements related to the “use of FHIR in apps through certified health IT” measure (45 CFR 170.407(a)(3)(iv)). Stated another way, ONC only expects that health IT developers will report on the “use of FHIR in apps through certified health IT” measure (§ 170.407(a)(3)(iv)(A) and (B) beginning in July of 2027 and (a)(3)(iv)(C) beginning in July 2028).
2. ONC will not conclude that an ONC-ACB has failed to adhere to 45 CFR 170.523(u), find a violation of 45 CFR 170.560(a), or take any enforcement action under 45 CFR 170.565 against an ONC-ACB if an ONC-ACB confirms that the only measure under 45 CFR 170.407(b) for which a health IT developer submits responses for is the “use of FHIR in apps through certified health IT” measure (45 CFR 170.407(a)(3)(iv)).

This enforcement discretion will be in effect beginning on July 1, 2027, and will remain in effect until the Department of Health and Human Services completes a deregulatory action to remove or revise 45 CFR 170.407 and 170.523(u).

ID:EDN2025.02