What ASTP/ONC’s 2025 Enforcement Discretion Means for Health IT Developers

In March 2025, the Assistant Secretary for Technology Policy (ASTP) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively, ASTP/ONC) issued new guidance under the ONC Health IT Certification Program. The update introduces a 12-month period of enforcement discretion, pausing enforcement of specific certification requirements related to gender identity, sexual orientation, and expanded sex data elements.

This change follows Executive Order 14168, titled “Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government,” which was issued on January 20, 2025. The order directs federal agencies to revise or remove policies, materials, and communications that promote gender ideology, and to align federal systems and processes with a binary recognition of biological sex.

A Time-Bound Enforcement Pause, Not a Rule Change

ASTP/ONC’s guidance makes clear that this enforcement discretion is temporary. It will remain in effect for 12 months from the date of the announcement or until a regulatory revision is adopted—whichever comes first. While the discretion modifies how certification is enforced, it does not amend the existing certification criteria themselves.

Under this enforcement discretion, ASTP/ONC is allowing certification of certain Health IT Modules that, under normal circumstances, might not meet all requirements. This applies specifically to modules being certified under criteria that reference USCDI Version 3, including the “patient demographics and observations” criterion (§ 170.315(a)(5)). Even if a module doesn’t fully conform to the usual rules in 45 CFR 170.550, ONC-Authorized Certification Bodies (ONC-ACBs) won’t face enforcement action for certifying it, as long as the module fits within the specific exceptions ASTP/ONC has laid out, such as omitting certain gender-related data elements or using only binary sex codes.

More specifically, ASTP/ONC will not penalize ONC-ACBs for certifying Health IT Modules that:

  • Do not demonstrate the capability to categorize data on individuals based on sexual orientation and/or gender identity;
  • Only demonstrate the capability to categorize data on individuals by sex, limited to the following SNOMED CT® codes:
    • 248152002 | Female (finding)
    • 248153007 | Male (finding);
  • Do not conform with any or all of the following paragraphs of §170.315(a)(5)(i):
    • (D) sexual orientation
    • (E) gender identity
    • (F) sex parameter for clinical use
    • (G) name to use
    • (H) pronouns;
  • Only conform with paragraph (C)—the sex data element—using either:
    • The standard specified in § 170.207(n)(1) (which remains permissible through December 31, 2025), or
    • The SNOMED CT® codes mentioned above, as found in § 170.207(n)(2).

In addition to the certification-specific discretion, ASTP/ONC has also stated that it will not exercise its direct review authority under 45 CFR 170.580 for any actual or potential nonconformity that arises solely from a Health IT Module lacking the above capabilities—or only demonstrating the permitted elements outlined in the discretion.

It is important to emphasize that this policy applies strictly to the certification process. It defines what ONC-ACBs are permitted to certify under current federal guidance. It does not mandate or restrict the inclusion of functionality in Health IT Modules beyond what is necessary for certification. It also does not apply retroactively to already certified products, nor does it impose new design requirements. In fact, both birth sex and sexual orientation and gender identity (SOGI) data elements have existed in the ONC Health IT Certification Program since the 2015 Edition. Health IT products already certified to §170.315(a)(5) are not required to remove these data elements or change their user interfaces because of this guidance.
