ONC (Office of the National Coordinator for Health IT)

regulatory body regulatory compliancehealthcareinteroperabilityfhir

Acronym for: Office of the National Coordinator for Health Information Technology

Source: ONC System: https://www.healthit.gov Code: ONC Reviewed: 05/02/2026 License: CC-BY-4.0

ONC (Office of the National Coordinator for Health IT)

One-sentence definition: ONC — the Office of the National Coordinator for Health Information Technology — is a division of the U.S. Department of Health and Human Services (HHS) that develops national health IT policy, sets health data standards and certification criteria, and oversees programs that advance interoperability and patient access to electronic health information.

Full Definition

ONC is the federal office responsible for coordinating and advancing health IT adoption and interoperability across the US healthcare system. It is not an independent agency — it operates within HHS — but it has statutory authority to set health IT certification standards, establish and maintain the USCDI, administer the information blocking regulations, and coordinate the Trusted Exchange Framework and Common Agreement (TEFCA).

ONC was created by Executive Order 13335 in 2004, codified into statute by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and given expanded authority by the 21st Century Cures Act in 2016. The Cures Act directed ONC to publish rules on information blocking, USCDI, and standardized API requirements — work that culminated in the 2020 ONC Final Rule.

ONC does not directly deliver care, build health IT systems, or run payment programs. Its role is to set the standards, certification criteria, and regulatory framework that other actors — EHR vendors, providers, health information networks — must comply with.

For the regulatory programs ONC administers — the ONC Certification Program, information blocking enforcement, USCDI versions, and the Cures Act rule requirements — see the canonical reference → ONC, Cures Act, and Information Blocking.

Context and Usage

Where This Term Appears

ONC appears throughout health IT compliance and implementation contexts:

  • Certification documentation — EHR products certified under the ONC Health IT Certification Program display an ONC-ATL (Authorized Testing Laboratory) certificate
  • Regulatory references — federal rules on interoperability cite ONC rulemakings: 45 CFR Part 170 (certification criteria) and 45 CFR Part 171 (information blocking)
  • Implementation guides — US Core and other HL7 IGs reference ONC certification requirements to explain which profiles are legally mandated
  • Contract and procurement language — health system and payer agreements specify ONC-certified health IT requirements
  • Industry discussion — “ONC rule,” “ONC certification,” and “ONC’s USCDI” are shorthand in health IT circles for the regulatory framework

Common Usage Examples

In conversation: “Our EHR passed ONC certification for the USCDI v3 data elements — we just need to wire up the SMART on FHIR scope configuration.”

In documentation: “Systems must meet the ONC certification criterion at 45 CFR 170.315(g)(10) to support standardized patient access APIs.”

In technical contexts: An EHR vendor submitting to ONC-ATL testing, a developer checking whether their product requires ONC certification, a provider confirming which version of USCDI their certified EHR supports.

Why ONC Exists

Before HITECH, health IT adoption in the US was fragmented and adoption-driven only by individual organizational decisions. The federal government had no systematic mechanism for ensuring that adopted health IT systems could exchange data, met minimum standards, or supported patient access. HITECH authorized ONC to build the national infrastructure: certification programs, standards, and incentive structures that would make interoperable health IT the baseline rather than the exception.

The Cures Act expanded this further, giving ONC authority to act against specific practices — information blocking — that were undermining the infrastructure HITECH had built. ONC’s role shifted from purely enabling adoption to also preventing obstruction.

ONC Programs and Initiatives

Health IT Certification Program

ONC’s certification program establishes the technical criteria that health IT products must meet to be sold to Meaningful Use, Promoting Interoperability, and MIPS-eligible providers who claim incentive payments or avoid payment penalties. Certification is performed by ONC-Authorized Testing Laboratories (ATLs) and ONC-Authorized Certification Bodies (ACBs).

Certification criteria are defined in 45 CFR Part 170. The current baseline includes criteria for FHIR-based patient access APIs (§ 170.315(g)(10)), clinical decision support, electronic prescribing, patient matching, and many others. Certified products appear on ONC’s Certified Health IT Product List (CHPL).

Trusted Exchange Framework and Common Agreement (TEFCA)

TEFCA is ONC’s framework for creating a nationwide health information network. It establishes common governance, technical requirements, and legal agreements that Qualified Health Information Networks (QHINs) must satisfy to participate. QHINs interconnect, allowing data to flow between health systems that participate through different networks. TEFCA launched operationally in 2023.

Information Blocking Regulations

ONC administers the information blocking regulations at 45 CFR Part 171. For health IT developers, ONC is the enforcement body: it can investigate complaints, pursue civil monetary penalties, and revoke product certification. For healthcare providers and HIEs/HINs, OIG handles enforcement, but ONC coordinates on referrals and policy interpretation.

ONC and FHIR

Certification Criteria

ONC’s 45 CFR 170.315(g)(10) certification criterion requires certified health IT to support a FHIR R4 API for patient access. Specifically, it mandates US Core profile conformance, SMART on FHIR authorization, and specific capability statement publication requirements. This criterion is what makes FHIR and US Core legally mandatory for ONC-certified EHRs in the US — not just best practice.

USCDI Requirements

ONC publishes and maintains the United States Core Data for Interoperability (USCDI) — a standardized set of health data elements required for nationwide interoperability. Each USCDI version is eventually incorporated into ONC certification criteria, establishing a minimum data set that certified EHRs must support. USCDI v1 was incorporated in the 2020 rule; subsequent versions follow through the certification update cycle.

Relationship to Other Terms

  • 21st Century Cures Act — the federal law that gave ONC its current interoperability and information blocking authority
  • USCDI — the data standard ONC develops and maintains
  • Information Blocking — the prohibition ONC regulates for health IT developers
  • CMS — the companion agency whose Interoperability and Patient Access Rule implements FHIR API requirements for payers; ONC and CMS rules are coordinated but separate
  • FHIR — the technical standard ONC mandates through its certification criteria

Common Misconceptions

Misconception 1: ONC Builds Health IT Systems

  • Incorrect belief: ONC develops or operates the health IT systems that providers use — EHRs, health information exchanges, or patient portals.
  • Reality: ONC sets policy, standards, and certification requirements. It does not build health IT systems. Systems that meet ONC criteria are built by commercial vendors and procured by healthcare organizations. ONC’s role is to define what “good enough” looks like, not to supply the software.
  • Why it matters: Organizations looking for help with a specific health IT implementation should look to certified vendors, implementation guides, and HL7 standards bodies — not ONC directly. ONC’s guidance is policy-level; implementation is the vendor’s and integrator’s responsibility.

Misconception 2: ONC Certification Guarantees Interoperability

  • Incorrect belief: If an EHR is ONC-certified, it will exchange data seamlessly with other certified systems.
  • Reality: Certification confirms that a product meets the specified technical criteria tested in a controlled environment. It does not guarantee that any two certified products will exchange data correctly in production. Real-world interoperability depends on configuration, data quality, network connections, and the specific profiles implemented by each party.
  • Why it matters: ONC certification is a floor, not a guarantee. Organizations building FHIR integrations still need end-to-end testing, Inferno validation, and operational configuration work even when both parties run ONC-certified systems.

Why ONC Matters

ONC is the single federal office responsible for making US health data exchange systematic rather than ad hoc. Its certification criteria define the minimum technical capabilities every federally regulated EHR must support. Its USCDI defines the minimum data elements that must travel across those APIs. Its information blocking regulations prevent organizations from using contractual or technical means to undermine what the technical standards enable.

For health IT teams, ONC’s output — certification criteria, USCDI, US Core via HL7 — is the regulatory foundation that determines which standards are mandatory, which data elements must be supported, and which practices are prohibited.

Cross-References

  • 21st Century Cures Act — the legislation that defines ONC’s current authority
  • USCDI — the data standard ONC publishes and maintains
  • Information Blocking — the prohibition ONC enforces for health IT developers
  • CMS — the partner agency for payer-side interoperability requirements

Last reviewed: February 5, 2026 Definition authority: ONC / HHS Content status: Canonical reference