With the 2025 Assistant Secretary for Technology Policy/Office of the National Health Coordinator (ASTP/ONC) compliance deadlines rapidly approaching, healthcare organizations and health IT developers are racing to implement critical regulatory updates that will shape the future of interoperability, patient data management, and security. These updates include the adoption of USCDI v3, enhanced electronic case reporting (eCR) requirements, updates to be reflected in quarterly attestations, patient requests for restrictions, and expanded FHIR functionality—all of which are essential for maintaining certification and ensuring seamless data exchange.
To help organizations navigate these complex changes, Drummond’s recent webinar, “Conquering ONC Deadlines: Essential Prep for 2025,” brought together compliance experts to address key challenges, clarify regulatory expectations, and outline the steps needed to maintain ASTP/ONC compliance. Many attendees sought guidance on what’s required, how to manage implementation hurdles, and what actions they must take before the final deadlines.
For those who couldn’t attend—or for anyone looking to revisit the discussion—we’ve summarized the most important takeaways, providing clear insights into key regulatory changes and a practical roadmap to help your organization prepare for 2025 certification and beyond.
USCDI v3 & Race/Ethnicity Standards: What’s Required?
A major compliance update for 2025 is the transition to USCDI v3, which introduces changes to demographic data collection, clinical data exchange, and interoperability standards. One frequently asked question was whether organizations must support both the Office of Management and Budget (OMB) Standards for Race and Ethnicity (1997) and the CDC Race and Ethnicity Code Set Version 1.2 (2021).
The answer is yes. Both standards must be implemented to maintain certification. As a result, health IT developers need to ensure their systems can support both sets of race and ethnicity codes. This requirement ensures standardization across federal and public health data collection efforts.
Action Item: Review your USCDI v3 data mappings and confirm your system supports both OMB and CDC Race/Ethnicity Code Sets before the December 2025 deadline.
eCR Reporting: What If My State Isn’t Ready?
A common concern raised was whether organizations must comply with electronic case reporting (eCR) requirements if their state hasn’t fully implemented the necessary reporting infrastructure. The (f)(5) eCR requirement mandates that certified EHR technology be able to electronically generate and transmit case reports for reportable conditions using either HL7 CDA or FHIR-based standards, ensuring standardized public health data exchange. This means that even if a state does not yet require or support automated electronic case reporting, the certified health IT system must still have the technical capability to capture reportable condition trigger codes (RCTC), generate structured case reports, and send them to a system capable of receiving them.
Drummond’s compliance experts clarified that all certified EHRs must meet this requirement, regardless of whether their state currently accepts electronic submissions. Even if a state is not fully ready, a certified system must still be capable of supporting HL7 eCR reporting standards. This ensures that health IT developers remain compliant while enabling seamless adoption as more jurisdictions implement standardized reporting workflows.
Action Item: Ensure your system can capture and transmit reportable condition trigger codes (RCTC) and that it meets the technical specifications for HL7 eCR implementation.
Attestation for (b)(11) Updates: Quarterly or Re-Certification?
A key clarification from the webinar was how organizations should handle attestation for (b)(11) updates on developer-supplied predictive decision support (pDSI). Many attendees asked whether they would need to submit quarterly attestations or even redo SED reports to remain compliant.
Drummond experts confirmed that organizations must submit quarterly attestations to confirm that their decision support interventions (DSIs) remain up to date and continue to meet regulatory requirements. However, redoing SED testing is not necessary unless the health IT developer makes significant modifications to their certified system, such as implementing new predictive decision support models, altering the underlying logic of existing DSIs, or making major software version updates that impact compliance. If changes go beyond standard compliance updates—such as incorporating new features or updates to predictive models—then re-testing may be required to ensure continued certification.
Action Item: Prepare to notify Drummond and evaluate for new SED testing when introducing developer-supplied pDSI.
How Should Organizations Handle Sex Parameter for Clinical Use?
With the ASTP/ONC update to (a)(5) Patient Demographics and Observations, many attendees sought clarification on whether Sex Parameter for Clinical Use (SPCU) is the same as Birth Sex. The short answer is no—these are separate data elements that serve different purposes in clinical documentation and decision-making.
Birth Sex has been a required demographic field since USCDI v1 and is primarily used for administrative and regulatory reporting. It has long been included in CCDA documents and standardized patient records to reflect the sex assigned at birth.
In contrast, Sex Parameter for Clinical Use (SPCU) was introduced in USCDI v3 to provide clinically relevant context for patient care. SPCU is intended to support clinical decision-making processes where sex-linked biological differences may impact care, such as medication dosage adjustments, laboratory reference ranges, and diagnostic interpretation.
Health IT developers must ensure that both Birth Sex and SPCU are stored as distinct data elements and are properly exchanged in FHIR API transactions and CCDA documents. Proper implementation of SPCU is critical to align with evolving clinical workflows and ensure that healthcare providers can make appropriate, patient-centered care decisions based on biological and physiological considerations.
Action Item: Ensure your EHR system stores Sex Parameter for Clinical Use separately from Birth Sex and supports FHIR API and CCDA documentation requirements.
Are There Any Known Extensions or Delays for f(5) eCR Compliance?
Given the current pause on mass communications from The United States Department of Health and Human Services (HHS), some organizations have inquired about potential impacts on the (f)(5) eCR deadlines, particularly regarding CDC partnership engagement and implementation support. Drummond’s compliance team recognizes that the temporary slowdown in federal agency communications has led to some uncertainty. However, at this time, there is no indication that ASTP/ONC intends to delay or extend compliance deadlines for (f)(5) eCR.
Action Item: Proceed with the assumption that f(5) eCR compliance deadlines will remain unchanged and ensure your system is ready by the end of 2025.
What Are the Certification Requirements for Organizations That Have Outsourced (g)(10) Support to a Third Party?
For organizations that rely on a third-party provider for (g)(10) standardized FHIR API support, there was some concern about who is responsible for data collection and compliance reporting. Drummond’s compliance team clarified that if an organization is certified on (g)(10), it is still responsible for meeting ASTP/ONC’s compliance reporting requirements, even if the actual API is managed by a third party. In cases where someone is not certified on (g)(10) and the third-party API product holds its own ASTP/ONC certification, responsibility for compliance reporting will apply to the vendor.
Action Item: Confirm with your third-party FHIR API provider whether they handle compliance reporting, or if your organization needs to submit compliance attestations directly.
Will Organizations Be Required to Retest for USCDI v3 Compliance?
Since USCDI v3 will become the new standard for multiple certification criteria, many organizations asked whether they would need to undergo live testing again to demonstrate compliance. Drummond confirmed that if an organization has already been certified on the applicable criteria, they do not need to undergo additional live testing. Instead, attestation will be required to confirm that the necessary updates have been made to support USCDI v3 data exchange. However, any first-time certifications after January 1, 2026, will be required to undergo live testing with USCDI v3.
Action Item: If your system is already certified, plan to submit a compliance attestation for USCDI v3 rather than re-testing. However, if you are seeking first-time certification after January 1, 2026, prepare for live testing requirements.
Final Takeaways
With ASTP/ONC’s compliance deadline set for the end of 2025, organizations must act now to avoid operational disruptions, last-minute compliance fixes, and increased certification risks. Delaying implementation efforts could leave organizations scrambling to meet requirements, increasing the likelihood of technical issues, regulatory setbacks, and potential lapses in certification status. Finalizing system updates, conducting compliance audits, and submitting required attestations as soon as possible will help mitigate risks and ensure uninterrupted compliance. Waiting too long is not an option—act now and ensure your organization puts itself in the best position to seamlessly achieve 2025 compliance.