ONC Interoperability Rule
The 45 CFR Part 170 rule that operationalizes the 21st Century Cures Act — mandating FHIR APIs, app marketplace openness, and standardized health data for certified health IT.
The ONC's 21st Century Cures Act Final Rule (85 FR 25642, published May 1, 2020) created the current regulatory framework at 45 CFR Part 170 for health information technology certification. The rule established the ONC Health IT Certification Program criteria, most critically § 170.315(g)(10) — the Standardized API for Patient and Population Services criterion. This requires certified health IT to implement a FHIR R4-based API supporting both single-patient and multi-patient (Bulk) data access, with SMART on FHIR authorization, and covering all data classes in the United States Core Data for Interoperability (USCDI). The rule also created transparency requirements (§ 170.315(d)(9)) for certified health IT developers to post costs, fees, and API documentation publicly. ONC Certification is administered through Authorized Testing Laboratories (ATLs) and the ONC-ACB accreditation program.
The engineering complexity of ONC certification is significant. § 170.315(g)(10) testing via ONC's Inferno testing tool requires passing over 100 test sequences covering FHIR conformance, SMART launch sequences (both EHR Launch and Standalone Launch), token revocation, refresh token behavior, granular scope support, and Bulk Data export. Inferno tests against real running endpoints, not mock servers. Many teams fail on subtleties: the requirement to support both system-level and user-level SMART scopes, the specific OAuth 2.0 PKCE implementation requirements, the mandatory support for token introspection, and the requirement to return all USCDI data elements populated where they exist in the patient record. USCDI version transitions create engineering debt: certified systems must incorporate new USCDI data classes on ONC timelines, which requires mapping new data elements to FHIR profiles that may not yet have stable US Core implementation guide support.
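Two of the failure points listed above, scope coverage and PKCE, are easy to check mechanically before an Inferno run. The following Python is an added illustration, not code from the page, from ONC, or from the Inferno project. It assumes the SMART App Launch scope grammar (v1 `.read`/`.write` verbs and v2 `.cruds` letters with an optional granular `?param=value` constraint) and the RFC 7636 S256 transform; the advertised-scope list is a constructed sample and the function names are my own.

```python
"""Added illustration (not page, ONC, or Inferno code): a reviewer-side check
of two SMART on FHIR / OAuth 2.0 details that (g)(10) testing exercises.
Scope grammar assumed from SMART App Launch v1/v2; PKCE from RFC 7636."""
import base64
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# context/Resource.permissions[?constraint]; v1 verbs and v2 cruds letters both accepted.
SCOPE_RE = re.compile(
    r"^(?P<context>patient|user|system)/"
    r"(?P<resource>[A-Z][A-Za-z]*|\*)"
    r"\.(?P<perm>read|write|\*|c?r?u?d?s?)"
    r"(?:\?(?P<constraint>.+))?$"
)
V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}


@dataclass(frozen=True)
class SmartScope:
    context: str               # patient | user | system
    resource: str              # FHIR resource type or "*"
    permissions: str           # normalized v2 letters, a subset of "cruds"
    constraint: Optional[str]  # granular constraint such as "category=...|laboratory"


def parse_scope(scope: str) -> SmartScope:
    """Parse one SMART resource scope; raise ValueError for anything else."""
    m = SCOPE_RE.match(scope)
    if not m or not m.group("perm"):
        raise ValueError(f"not a SMART resource scope: {scope!r}")
    perm = V1_TO_V2.get(m.group("perm"), m.group("perm"))
    return SmartScope(m.group("context"), m.group("resource"), perm, m.group("constraint"))


def scope_coverage_gaps(advertised: list[str], resources: list[str]) -> list[str]:
    """List the user- and system-level read scopes a server fails to advertise.

    Non-resource scopes (openid, fhirUser, launch/patient, offline_access) are
    skipped. A wildcard resource counts as coverage; a granular (constrained)
    scope does not, because it covers only part of the resource.
    """
    parsed = [parse_scope(s) for s in advertised if "/" in s and "." in s]
    gaps = []
    for context in ("user", "system"):
        for resource in resources:
            covered = any(
                p.context == context
                and p.resource in (resource, "*")
                and "r" in p.permissions
                and p.constraint is None
                for p in parsed
            )
            if not covered:
                gaps.append(f"{context}/{resource}.rs")
    return gaps


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(verifier: str, challenge: str, method: str) -> bool:
    """Token-endpoint check: only S256 is accepted, the verifier must meet the
    RFC 7636 length and character rules, and the comparison is constant-time."""
    if method != "S256":
        return False
    if not (43 <= len(verifier) <= 128) or not re.fullmatch(r"[A-Za-z0-9\-._~]+", verifier):
        return False
    return secrets.compare_digest(pkce_challenge(verifier), challenge)


if __name__ == "__main__":
    # Constructed sample: a server advertising patient- and user-level scopes
    # for Patient only, a granular Observation scope, and nothing at system level.
    advertised = [
        "openid", "fhirUser", "launch/patient", "offline_access",
        "patient/*.read", "user/Patient.read",
        "user/Observation.rs?category=http://terminology.hl7.org/CodeSystem/observation-category|laboratory",
    ]
    print(scope_coverage_gaps(advertised, ["Patient", "Observation"]))
    # RFC 7636 Appendix B test vector
    v = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print(verify_pkce(v, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", "S256"))
```

Running the sample reports the missing `user/Observation.rs`, `system/Patient.rs` and `system/Observation.rs` scopes, which is exactly the "both system-level and user-level" gap the paragraph warns about; the PKCE check refuses the `plain` method outright rather than downgrading.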
Part 170 interacts with multiple other regulatory frameworks. The Information Blocking rule (45 CFR Part 171) uses Part 170 certification criteria as reference points — an uncertified API is not per se information blocking, but failure to maintain certification creates regulatory exposure. CMS's Interoperability and Prior Authorization Final Rule (CMS-0057-F) references Part 170 FHIR API standards for payer systems, applying overlapping but distinct requirements. The Trusted Exchange Framework and Common Agreement (TEFCA) designates the ONC API standard as one acceptable technical basis for Qualified Health Information Network (QHIN) participation. For international vendors entering the US market, ONC certification is a de facto market access requirement for selling to Medicare/Medicaid-eligible providers, making it a commercial imperative independent of the legal mandate.
We build ONC certification readiness into health IT system architecture from day one — not as a retrofit. Our FHIR server implementations include automated Inferno test suite execution in CI/CD pipelines, providing continuous conformance monitoring rather than one-time certification snapshots. We maintain a USCDI data element coverage matrix that maps every required data class to its source system, transformation logic, and FHIR resource representation, enabling rapid response to USCDI version updates.