Enforcement Delays Signal Deeper Fragility in Federal Health IT Oversight

The Office of the National Coordinator for Health IT (ONC), in coordination with the Assistant Secretary for Technology Policy (ASTP), announced temporary enforcement discretion for certain compliance and attestation deadlines within the ONC Health IT Certification Program. While positioned as a procedural adjustment due to a lapse in federal appropriations, the decision reveals a deeper structural concern: the fragility of public-sector infrastructure that underpins regulatory accountability in health IT.

This latest delay, which extends compliance leeway for health IT developers until early 2026, directly affects enforcement of certification criteria under the HTI-1 final rule, including provisions on algorithm transparency, interoperability, and information sharing. It also delays mandatory attestations related to ongoing certification status, a cornerstone of ONC’s oversight strategy post-Cures Act.

For hospitals, developers, and third-party vendors navigating tight upgrade cycles and evolving compliance risks, this development offers short-term breathing room. But it also underscores a long-standing vulnerability: the federal enforcement backbone for health IT policy is only as strong as the continuity of its digital infrastructure.

Regulatory Grace Periods Are Becoming a Pattern

According to the announcement, ONC will exercise enforcement discretion in two primary areas:

1. Certification criteria compliance dates – Health IT developers now have until February 28, 2026 to complete module updates for criteria outlined in HTI-1, covering key interoperability and transparency measures.
2. Condition and maintenance of certification attestations – Developers will be permitted to submit missed attestations for the April–September 2025 period through December 31, 2025, with regular cadence resuming in April 2026.

While the rationale, a shutdown-induced website outage that blocked access to submission portals, is both legitimate and pragmatic, it raises policy-level concerns. As regulatory frameworks lean more heavily on continuous attestation and modular certification to maintain market integrity, lapses in federal accessibility threaten to undercut program credibility.

This is not the first time ONC has had to issue grace periods or adjust timelines due to resource constraints. In 2020, COVID-19 prompted a broad suspension of enforcement deadlines. In 2023, implementation delays around the Trusted Exchange Framework and Common Agreement (TEFCA) required recalibration of expectations around interoperability compliance. The pattern is familiar—and telling.

Certification Oversight Relies on Infrastructure Resilience

The Cures Act redefined ONC’s role from a programmatic certifier to an ongoing regulator. Health IT developers are now required to meet not only initial criteria but also attest to the condition and maintenance of certification at regular intervals. These attestations function as live compliance checkpoints, enabling ONC to monitor adherence across rapidly evolving software products.

But the November enforcement discretion reveals a structural dependency: these obligations hinge on a single point of federal infrastructure, the ASTP/ONC website and its associated portals. When that infrastructure falters, the entire compliance system halts.

This fragility introduces downstream risks for health systems, which rely on certified modules to meet their own regulatory obligations. For example, providers participating in programs like the Promoting Interoperability Program or CMS quality initiatives are required to use ONC-certified health IT. If developer compliance is disrupted, provider compliance becomes harder to verify.

The broader issue is strategic. As federal agencies continue to embed AI governance, data transparency, and real-time interoperability into certification standards, the platforms supporting enforcement must be treated as critical public infrastructure, not administrative afterthoughts.

Implications for Developers and ONC-Authorized Bodies

For health IT developers, the enforcement pause offers short-term flexibility, particularly for those struggling to meet HTI-1’s expanded requirements around AI-enabled tools and algorithmic risk visibility. But the delay also extends a shadow of uncertainty. Without attestation, module status becomes ambiguous. This creates procurement hesitation among provider organizations and complicates contracting with payer and government stakeholders.

For ONC-Authorized Certification Bodies (ONC-ACBs), the enforcement delay compresses already tight verification timelines. With year-end attestations now due just days before 2026, and regular submissions resuming in April, certification bodies face a potential backlog during Q1 that could delay market entry for new or updated technologies.

These entities also shoulder liability for ensuring that late submissions are validated and recorded correctly, without clear precedent for how retroactive attestations will be reviewed, published, or challenged.

HTI-1 Compliance Deadlines Are More Than Technicalities

At a strategic level, the compliance dates tied to HTI-1 are more than regulatory markers. They are policy triggers for high-priority reforms, including:

• Algorithm transparency: Developers must disclose risk mitigation strategies and enable users to understand how predictive tools influence clinical decisions.
• Information sharing: The rule builds on the 21st Century Cures Act’s focus on data liquidity, expanding expectations around access and patient-directed data use.
• Interoperability standards: Modules must comply with updated U.S. Core Data for Interoperability (USCDI) standards, critical for TEFCA alignment and public health readiness.

Delays in enforcement, even if justified, push back implementation timelines for these broader initiatives. They also risk widening the compliance gap between large developers with internal legal and engineering capacity and smaller firms that depend on steady guidance to stay aligned.

A Warning for 2026 and a Test of ONC’s Institutional Maturity

The next attestation window opens in April 2026, and it will cover a period that includes this current lapse. Health IT developers, certification bodies, and provider organizations should be preparing now for a compressed regulatory calendar and potential ambiguities in certification status.

ONC, for its part, must reconcile its policy ambitions with infrastructure realities. If regulatory enforcement is to keep pace with digital transformation, the agency must invest not only in rulemaking and stakeholder engagement but also in platform resilience, disaster recovery planning, and multichannel redundancy for critical functions.

Otherwise, even well-designed policies risk eroding trust when delivery systems falter.