The readiness case

What readiness is worth, sourced.

Strong interoperability readiness wins deals, clears diligence, and protects patients. ONC information-blocking policy, HHS OCR settlements, CMS surveillance, and certification status are all public record, so here is what readiness is measured against, what is verifiably at stake, and what it means for an EHR vendor, payer, provider, or digital health startup, in the regulator's own words.

This page cites only ONC, HHS OCR, and CMS public notices. We do not name companies in our own voice. The regulator does that work. We point you to the public record.

Last reviewed: 2026-05-16. We re-audit this page monthly against ONC, CMS, and HHS OCR public records, with quarterly state Attorney General passes. If a citation has gone stale, tell us.

We monitor this so you don’t have to. ONC, CMS, HHS OCR, state Attorneys General, WA MHMDA, CCPA/CPRA, BIPA, and emerging health-data privacy laws are tracked and updated as the rules change. This page reflects the current public record.

Where readiness is measured

The four public records that reflect your readiness

If you own a certified Health IT product, a CMS-regulated API, or a HIPAA-covered system, your readiness shows up on one of four regulator-maintained records. Buyers, board members, and Series B investors all check these, so it pays to know where you stand before they look.

Authoritative public records

What's at stake, sourced

What each category is worth getting right

These are public, sourced ranges. They do not predict your specific exposure. They tell you the shape of the risk so your board, your CTO, and your audit committee can plan accordingly.

HIPAA settlement

OCR Resolution Agreement or Civil Money Penalty

$25,000 to $16,000,000+

Per HHS OCR's published settlements and CMPs since 2008. Anthem's 2018 settlement reached $16M. Smaller covered entities have settled in the low six figures with multi-year corrective action plans. The number varies widely; the public record is what buyers and boards see.

Source: HHS OCR Resolution Agreements

ONC information blocking

HTI-1 disincentive for clinicians, hospitals, MIPS-eligible groups

Loss of meaningful EHR-user status

Under the HTI-1 disincentive rule (effective July 31, 2024), clinicians and hospitals found to have committed information blocking lose meaningful-user status under Medicare Promoting Interoperability and MIPS, which affects fee schedule and payment adjustments. CMS publishes identified actors.

Source: CMS Information Blocking Disincentives

ONC certification

Surveillance finding or certification withdrawal

Reputational + customer contractual exposure

ONC-ACBs (Drummond, ICSA Labs, SLI Compliance) publish surveillance results. A non-conformity becomes a corrective action plan with a deadline. Failure to remediate ends in certification withdrawal, which voids customer contracts conditioned on certified status.

Source: ONC Certification Surveillance

CMS interoperability

CMS-9115-F and CMS-0057-F API non-compliance

Conditions of participation exposure

For payers (MA organizations, Medicaid managed care, QHPs on the FFEs), Patient Access and Prior Authorization API requirements are tied to conditions of participation. Compliance dates begin January 1, 2026 for prior-auth metrics reporting and ramp through 2027.

Source: CMS-0057-F

Procurement / diligence

Failed Series B technical diligence or health-system pilot DQ

One round delay = 6 to 12 months of runway

Not regulator-published, but the most common failure mode we see. Health system procurement and investor technical diligence both ask the same question: can your FHIR endpoint pass a real audit? Walking in with a clean readiness report is often what keeps a round or a deal on track.

Source: practitioner observation across digital health Series A and B work. No regulator citation.

State privacy

WA MHMDA, CA CPRA, and emerging state health privacy laws

State AG enforcement, private right of action (WA)

Washington's My Health My Data Act (effective March 31, 2024) includes a private right of action. California, Nevada, Connecticut, and others have added health-data-specific provisions. State AG and class action exposure is in addition to federal HIPAA.

Source: see our US state privacy laws hub and MHMDA engineering protocols.

What ends up on the public record

Every HHS OCR settlement and every ONC enforcement action is published with the regulator's stated allegations. Journalists, competitors, and Series B leads all read these lists. The financial penalty is rarely the largest cost. The published narrative is.

The return no one prices

What getting ahead of it protects

The human upside

When you find conformance gaps on your own schedule, your CTO keeps the weekend. Your engineering team keeps the sprint. Your audit committee gets evidence instead of apologies. Your CEO spends Monday selling instead of calling the board. Your Series B data room opens with a clean readiness report already in it.

That momentum does not show up on a regulator's website either. It shows up in shipped features, retained senior engineers, and a technical organization that looks as strong in diligence as it does in the demo. This is the work we have spent careers on. The defect-prevention discipline that produced $13M in risk avoidance at Providence, while maintaining a track record of zero critical defects introduced into production over the last 15 years of the founder's career, was built specifically to keep teams ahead of the surveillance call.

That is what TAP is.

Know exactly where your endpoint stands, on your schedule.

TAP is the pen-test before the certification audit. Citation-level findings against the same federal and state framework public enforcement runs on. Fixed-fee, scoped to your endpoints, with a remediation backlog your engineering team can ship.