ONC 2015 Cures Act Certification Just Got More Complex
The ONC Cures Act certification framework is the federal health IT compliance program that requires certified developers to support standardized APIs, patient access to electronic health information, and information-blocking controls under the 21st Century Cures Act. In practical terms, if you are asking about "ONC 2015 Cures Act certification," the answer is that the original 2015 Edition certification base has been extended and updated by later ONC rules, especially the Cures Act Final Rule and HTI-1, so organizations should now evaluate current ONC certification criteria rather than rely on 2015 alone.
What the certification means
ONC certification is not a single badge for all time; it is a set of regulatory criteria that health IT developers must meet for specific product functions such as electronic prescribing, patient access, API support, and interoperability. ONC's certification program is explicitly tied to the Cures Act Final Rule, which requires standardized application programming interfaces and broad patient access to electronic health information at no cost.
The practical effect is that a certified product must do more than store data. It must also make that data exchangeable, portable, and available to patients and downstream apps in a secure, standards-based way, while developers remain subject to Conditions of Certification and Maintenance of Certification obligations.
How the rules evolved
2015 Edition certification was the original baseline for many EHR compliance programs, but it is now outdated as a stand-alone reference for Cures Act readiness. ONC's current certification framework has been updated through later final rules, including the Cures Act Final Rule and HTI-1, which modernized the program, added new interoperability expectations, and changed how certain criteria are maintained over time.
The Cures Act Final Rule also formalized information-blocking policy, patient access rights, and API-based interoperability. ONC states that the rule "calls on the healthcare industry to adopt standardized application programming interfaces (APIs)" and that it gives patients access to their electronic health information securely and easily.
HTI-1 further updated the certification program, including new and revised standards and the move away from older year-themed editions toward incremental updates.
What is required now
Modern ONC certification readiness usually centers on four operational areas: patient access, API functionality, information blocking compliance, and certified product maintenance. ONC also notes there are nine exceptions to the definition of information blocking, which matters for compliance programs that must distinguish valid withholding from prohibited interference.
- Support standardized APIs for access and exchange of electronic health information.
- Provide patient access to all electronic health information, structured and unstructured, at no cost.
- Meet Conditions and Maintenance of Certification obligations for certified developers.
- Document and manage any permissible information-blocking exceptions.
For vendors, the important point is that certification is now tightly linked to ongoing obligations. ONC's program materials say it can require correction of non-conformities and may suspend or terminate certifications when necessary.
Current compliance snapshot
Certification status should be assessed against today's rule set, not just legacy 2015 criteria. The biggest mistake organizations make is treating "2015 Edition certified" as equivalent to "Cures Act ready," when the latter also implies API publication, information-sharing controls, and current maintenance obligations.
| Area | Legacy 2015 focus | Current ONC expectation | Why it matters |
|---|---|---|---|
| Patient access | Basic viewing and download functions | Electronic access to all EHI at no cost | Supports patient rights and app-based access |
| APIs | Limited or optional interoperability support | Standardized APIs for secure exchange | Enables third-party app connectivity |
| Information blocking | Not central to older certification logic | Explicit prohibitions and exceptions | Creates compliance risk if mishandled |
| Ongoing oversight | One-time certification mindset | Maintenance, surveillance, and possible corrective action | Keeps products aligned with current rules |
Practical readiness steps
Health IT teams should begin with an inventory of certified modules, API endpoints, and product claims. ONC's certification materials make clear that certified API developers must publish service base URLs in a machine-readable format at no charge, which means endpoint visibility is part of operational compliance, not just technical architecture.
- Map each certified module to current ONC criteria and identify any 2015-era gaps.
- Verify that patient-facing APIs and endpoint listings are publicly available and machine-readable.
- Review information-blocking workflows, including exception handling and documentation.
- Confirm that compliance, product, and legal teams share a single maintenance calendar.
- Test surveillance and remediation processes so non-conformities can be fixed quickly.
Organizations that wait until an audit or customer security review often discover that their certification paperwork is current but their operational behavior is not. The result is a gap between nominal certification and real-world interoperability readiness.
Timeline context
Federal timing matters because ONC's certification program has been evolving in stages, not through one single cutoff date. The Cures Act Final Rule was published in 2020, and ONC's current program pages show continuing updates through 2026, including newer HTI rules and oversight guidance.
That means "certified under 2015" can still be meaningful in a historical sense, but it is no longer enough to answer whether a product is aligned with current Cures Act requirements. A modern review should check the latest ONC criteria, Conditions of Certification, and maintenance obligations rather than relying on an old edition label.
Common mistakes
Compliance teams often underestimate the difference between certified capability and certified operation. A product may technically support an API, for example, but still fail if endpoint information is not published correctly or if workflows create unlawful barriers to access.
Another common mistake is assuming that once a certificate is issued, the work is done. ONC's oversight framework includes surveillance, correction of non-conformities, and possible suspension or termination, so certification should be treated as a living compliance commitment.
"The ONC Certification Health IT Program helps enforce the Cures Act Final Rule by establishing Conditions and Maintenance of Certification requirements for developers of health IT."
What buyers should ask
Purchasers evaluating vendors should ask for evidence, not just claims. The most useful questions are whether the vendor is certified to the current ONC criteria, how it publishes API endpoint data, how it handles information-blocking exceptions, and what happens when surveillance identifies a defect.
- Which current ONC criteria does the product meet?
- Which functions are still tied to older 2015 Edition claims?
- How are FHIR endpoints published and maintained?
- What is the remediation process for non-conformities?
FAQ
Bottom line for 2026
Cures Act readiness now means current ONC certification plus operational proof that the product supports patient access, secure APIs, and compliant information sharing. For any organization still using "ONC 2015" as the main benchmark, the safe approach is to re-map the product to current ONC certification and maintenance rules before relying on it for procurement, compliance, or audit defense.
Helpful tips and tricks for Onc 2015 Cures Act Certification Just Got More Complex
What does ONC 2015 Cures Act certification mean?
It usually refers to health IT that was certified under an older ONC certification baseline but is now being evaluated in light of the Cures Act Final Rule and later ONC updates. In practice, it means checking whether the product satisfies current interoperability, patient access, API, and information-blocking requirements.
Is 2015 certification enough today?
No. A 2015 certification may still be part of a product's history, but current compliance depends on the latest ONC rules, including updated certification criteria, Conditions of Certification, and maintenance requirements.
What is the biggest Cures Act requirement?
The biggest practical requirement is that patients can access their electronic health information and that certified products support secure, standards-based exchange through APIs while avoiding information blocking.
Do vendors need to publish API endpoints?
Yes, certified API developers must publish service base URLs in a machine-readable format at no charge, which makes endpoint transparency part of certification operations.
Can ONC take action after certification?
Yes. ONC's oversight framework allows correction of non-conformities and, when necessary, suspension or termination of certifications.