Cost of non-compliance

What failure actually costs, sourced.

ONC information-blocking disincentives, HHS OCR settlements, CMS interoperability surveillance findings, and certification withdrawals are all public record. Here is where they live, what ranges they span, and what they actually mean for an EHR vendor, payer, provider, or digital health startup.

This page cites only ONC, HHS OCR, and CMS public notices. We do not name companies in our own voice. The regulator does that work. We point you to the public record.

We monitor this so you don’t have to. ONC, CMS, HHS OCR, state Attorneys General, WA MHMDA, CCPA/CPRA, BIPA, and emerging health-data privacy laws are tracked and updated as the rules change. This page reflects the current public record.

Where this lives

The four public enforcement surfaces

If you are responsible for a certified Health IT product, a CMS-regulated API, or a HIPAA-covered system, your failure modes show up on one of four regulator-maintained lists. Buyers, journalists, board members, and Series B investors all check these.

Authoritative public records

Cost ranges

What each category actually costs

These are public, sourced ranges. They do not predict your specific exposure. They tell you the shape of the risk so your board, your CTO, and your audit committee can plan accordingly.

HIPAA settlement

OCR Resolution Agreement or Civil Money Penalty

$25,000 to $16,000,000+

Per HHS OCR's published settlements and CMPs since 2008. Anthem's 2018 settlement reached $16M. Smaller covered entities have settled in the low six figures with multi-year corrective action plans. The number is variable; the publicity is automatic.

Source: HHS OCR Resolution Agreements

ONC information blocking

HTI-1 disincentive for clinicians, hospitals, MIPS-eligible groups

Loss of meaningful EHR-user status

Under the HTI-1 disincentive rule (effective July 31, 2024), clinicians and hospitals found to have committed information blocking lose meaningful-user status under Medicare Promoting Interoperability and MIPS, which affects fee schedule and payment adjustments. CMS publishes identified actors.

Source: CMS Information Blocking Disincentives

ONC certification

Surveillance finding or certification withdrawal

Reputational + customer contractual exposure

ONC-ACBs (Drummond, ICSA Labs, SLI Compliance) publish surveillance results. A non-conformity becomes a corrective action plan with a deadline. Failure to remediate ends in certification withdrawal, which voids customer contracts conditioned on certified status.

Source: ONC Certification Surveillance

CMS interoperability

CMS-9115-F and CMS-0057-F API non-compliance

Conditions of participation exposure

For payers (MA organizations, Medicaid managed care, QHPs on the FFEs), Patient Access and Prior Authorization API requirements are tied to conditions of participation. Compliance dates begin January 1, 2026 for prior-auth metrics reporting and ramp through 2027.

Source: CMS-0057-F

Procurement / diligence

Failed Series B technical diligence or health-system pilot DQ

One round delay = 6 to 12 months of runway

Not regulator-published, but the most common failure mode we see. Health system procurement and investor technical diligence both ask the same question: can your FHIR endpoint pass a real audit? A failed pilot or a flagged data room kills the round or kills the deal.

Source: practitioner observation across digital health Series A and B engagements. No regulator citation.

State privacy

WA MHMDA, CA CPRA, and emerging state health privacy laws

State AG enforcement, private right of action (WA)

Washington's My Health My Data Act (effective March 31, 2024) includes a private right of action. California, Nevada, Connecticut, and others have added health-data-specific provisions. State AG and class action exposure is in addition to federal HIPAA.

Source: see our US state privacy laws hub and MHMDA engineering protocols.

What ends up on the public record

Every HHS OCR settlement and every ONC enforcement action is published with the regulator's stated allegations. Journalists, competitors, and Series B leads all read these lists. The financial penalty is rarely the largest cost. The published narrative is.

The cost no one prices

What surveillance does to a team

The human cost

A surveillance finding lands on a Friday. Your CTO loses the weekend. Your engineering team loses the sprint. Your audit committee loses confidence. Your CEO spends Monday calling the board instead of selling. Your Series B lead asks for the corrective action plan and the timeline starts.

None of this shows up on a regulator's website. It shows up in burnout, in attrition, in lost momentum, and in the cost of replacing a CTO who was supposed to be focused on the product roadmap. We have lived this. The defect-prevention work that produced $13M in risk avoidance at Providence and zero critical defects in production over fifteen years was built specifically to prevent the Friday surveillance call.

That is what TAP is.

Find what they would find, while there is still time to fix it.

TAP is the pen-test before the certification audit. Citation-level findings against the same federal and state frameworks that public enforcement runs on. Fixed-fee, scoped to your endpoints, with a remediation backlog your engineering team can ship.