Insights Condition and Maintenance of Certification Enforcement Discretion

Dated: April 29, 2025

On January 31, 2025, President Donald J. Trump signed Executive Order (EO) 14192, “Unleashing Prosperity Through Deregulation.” Section 1 of EO 14192 states that it is the policy of the Administration to significantly reduce the private expenditures required to comply with federal regulations to secure America's economic prosperity and national security and the highest possible quality of life for each citizen. Consistent with Section 6 of the EO, the Director of the United States Office of Management and Budget (OMB) issued a memorandum, dated March 26, 2025. The memorandum provides implementation guidance for Section 3 of EO 14192. In providing guidance on how to assess deregulatory actions and cost savings, the memorandum addresses the matter of sunk costs. In general, sunk costs are those costs incurred by regulated entities for complying with regulatory requirements that, for purposes of deregulatory actions, cannot be recovered and counted as cost savings accruing from any deregulatory action.

In consideration of potential future deregulatory actions under the Assistant Secretary for Technology Policy (ASTP) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively, “ASTP/ONC”) authorities and consistent with EO 14192, ASTP/ONC has identified certain regulatory requirements for which the exercise of enforcement discretion may prevent or mitigate the accrual of sunk costs by regulated entities.

The HTI-1 final rule (89 FR 1192) established the “Insights” Condition and Maintenance of Certification requirements (45 CFR 170.407). The Insights Condition and Maintenance of Certification requirements include seven measures that health IT developers under the ONC Health IT Certification Program must annually report on consistent with specified regulatory compliance timelines. The first required reporting begins in July 2027 and gradually increases to full reporting on all measures by July 2029. However, to meet these reporting requirements, health IT developers must begin annually collecting the data specified in each measure in the preceding year, starting in 2026. Further, health IT developers must begin to develop, and implement in client settings, the necessary technology to support the collection and reporting of the measure data and responses. Therefore, while ASTP/ONC considers potential deregulatory actions for the Insights Condition and Maintenance of Certification requirements and to prevent and mitigate potential sunk costs necessary to ultimately report on the measures consistent with the current regulatory timelines, ASTP/ONC is exercising the following enforcement discretion:

  1. ASTP/ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with 45 CFR 170.407(b) except for reporting requirements related to the “use of FHIR in apps through certified health IT” measure (45 CFR 170.407(a)(3)(iv)). Stated another way, ASTP/ONC only expects that health IT developers will report on the “use of FHIR in apps through certified health IT” measure (§ 170.407(a)(3)(iv)(A) and (B) beginning in July of 2027 and (a)(3)(iv)(C) beginning in July 2028).
  2. ASTP/ONC will not conclude that an ONC-ACB has failed to adhere to 45 CFR 170.523(u), find a violation of 45 CFR 170.560(a), or take any enforcement action under 45 CFR 170.565 against an ONC-ACB if an ONC-ACB confirms that the only measure under 45 CFR 170.407(b) for which a health IT developer submits responses for is the “use of FHIR in apps through certified health IT” measure (45 CFR 170.407(a)(3)(iv)).

This enforcement discretion will be in effect beginning on July 1, 2027, and will remain in effect until the Department of Health and Human Services completes a deregulatory action to remove or revise 45 CFR 170.407 and 170.523(u).