1. Executive Summary
This plan operationalizes the findings from the May 2026 ONC Certification Strategy & Regulatory Readiness analysis (“Compass Artifact”) into concrete deliverables: new skills, updated rules, new specs, regulatory tracker updates, and AGENTS.md amendments. The recommendation is Alignment-Only now, Modular certification when a trigger fires — but the alignment work itself is substantial.Key Strategic Decisions
2. Deep Review — Gaps Found in Compass Artifact
2.1 Items Missing from the Compass Artifact
The compass artifact is thorough but omits several areas that Encore’s existing compliance infrastructure already tracks or should add:2.2 Items in Compass Artifact Not Yet in Encore’s Compliance Infrastructure
3. New Skills to Create
Skills are organized by priority tier. Each skill follows the.cursor/skills/ convention with YAML frontmatter, references directory where needed, and pointers to authoritative docs.
Tier 1 — Alignment-Critical (Create in first 30 days)
3.1 onc-alignment-assessment (.cursor/skills/)
Purpose: Assess any feature or spec against ONC alignment criteria without requiring formal certification.
Scope:
- Map feature data elements to USCDI v3 data classes/elements
- Check US Core 6.1.0 FHIR profile conformance
- Validate SMART App Launch v2 OAuth flow design
- Evaluate information blocking compliance
- Generate alignment score (0-5) per criterion family
references/uscdi-v3-data-classes.md— USCDI v3 data class inventoryreferences/onc-criterion-checklist.md— Per-criterion implementation checklist
3.2 fhir-profile-conformance (.cursor/skills/)
Purpose: Author and validate FHIR R4 resources against US Core 6.1.0 + USCDI v3 profiles.
Scope:
- US Core 6.1.0 profile requirements per resource type
- USCDI v3 data element mapping
- CapabilityStatement authoring
- Inferno test alignment
- USCDI+ BH profile awareness (future-proofing)
references/us-core-profiles.md— Profile-by-profile requirementsreferences/fhir-resource-patterns.md— Encore-specific FHIR resource authoring patterns
3.3 ds4p-privacy-segmentation (.cursor/skills/)
Purpose: Implement Data Segmentation for Privacy (DS4P) for 42 CFR Part 2 SUD data.
Scope:
- DS4P confidentiality codes (V, R, N) on C-CDA and FHIR resources
- Part 2 consent-to-segmentation pipeline
- Redisclosure notice generation
- DS4P send/receive criterion mapping for §170.315(b)(7)/(b)(8)
- Integration with CL-11 consent management
references/ds4p-codes.md— Confidentiality code table and mapping rulesreferences/part2-consent-flows.md— Part 2 → DS4P decision tree
3.4 information-blocking-compliance (.cursor/skills/)
Purpose: Ensure all data-sharing decisions comply with 21st Century Cures Act information blocking provisions.
Scope:
- Exception documentation (8 exceptions + TEFCA Manner + Protecting Care Access)
- Denial taxonomy and review queue
- Annual governance packet assembly
- OIG CMP risk assessment ($1M per violation)
- Information blocking response workflow
references/exception-matrix.md— Exception-by-exception documentation templatereferences/denial-taxonomy.md— Standardized denial categories and review workflow
Tier 2 — Pre-Certification Readiness (Create in 30-90 days)
3.5 dsi-transparency-disclosure (.cursor/skills/)
Purpose: Generate §170.315(b)(11) DSI source attribute disclosures for AI features.
Scope:
- Source attribute documentation per HTI-1 requirements
- Predictive DSI vs. evidence-based DSI classification
- Algorithm transparency requirements
- User-facing disclosure content generation
- Integration with PM-64 (AI coding) and CL-08 (CDS)
3.6 epcs-audit-preparation (.cursor/skills/)
Purpose: Prepare for DEA EPCS third-party audit (21 CFR 1311).
Scope:
- Identity proofing documentation (NIST SP 800-63-3)
- Two-factor authentication evidence
- Prescription signing workflow design
- Audit trail requirements for controlled substances
- Drummond/DEA audit checklist
- ARCOS reporting integration points
3.7 contexture-hie-integration (.cursor/skills/)
Purpose: Guide integration with Contexture (Health Current) HIE for AHCCCS DAP/TI 2.0.
Scope:
- ADT notification send/receive (HL7 v2.5.1)
- CCD exchange (C-CDA R2.1)
- Contexture participation agreement requirements
- DAP milestone evidence generation
- TEFCA connectivity path (Contexture → eHealth Exchange QHIN → national)
3.8 hitrust-assessment-preparation (.cursor/skills/)
Purpose: Prepare for HITRUST e1 (Essentials) validated assessment.
Scope:
- HITRUST CSF control mapping to existing Encore controls
- Evidence collection checklist
- Gap analysis between SOC 2 Type II and HITRUST e1
- Authorized external assessor engagement guide
- Escalation path to i1
Tier 3 — Certification-Phase Skills (Create when trigger fires)
3.9 onc-criterion-mapper (.agents/skills/)
Purpose: Generate per-criterion compliance evidence packages.
Scope:
- Criterion text → Encore feature → test case → screenshot/log evidence mapping
- Relied-upon software documentation
- CHPL listing metadata generation
- Mandatory disclosure URL content
3.10 inferno-test-author (.agents/skills/)
Purpose: Write Inferno test plans and expected response fixtures.
Scope:
- (g)(10), (g)(7), (g)(9) test plan authoring
- CapabilityStatement validation fixtures
- SMART App Launch v2 test flow documentation
- CI harness integration for Inferno tests
3.11 rwt-plan-author (.agents/skills/)
Purpose: Generate Real World Testing plans and results reports.
Scope:
- RWT plan template per ONC requirements
- Metrics collection framework
- Results report generation
- Enforcement discretion tracking (HTI-5 pending)
3.12 drummond-engagement-orchestrator (.agents/skills/)
Purpose: Pre-populate Drummond ATL test scripts and ACB documentation.
Scope:
- Drummond Advisory Services engagement guide
- ATL test script pre-population
- ACB vendor form completion
- CHPL listing preparation
- Compliance Learning Series planning
4. Regulatory Rules Updates
4.1 Update .cursor/rules/regulatory-compliance.md
Changes needed:
Add the following branches to the decision tree:
4.2 Update .cursor/skills/module-regulatory-compliance/
Changes to SKILL.md:
- Add ONC alignment, FHIR/USCDI, DS4P, EPCS, HITRUST, and EKRA to the decision tree
- Add new common mistakes table entries for ONC-specific errors
- Update tags to include
[regulatory, compliance, HIPAA, ONC, FHIR, USCDI, EPCS, DS4P, HITRUST]
references/per-core-compliance.md:
- Add “ONC / Interoperability Compliance” section under CL
- Add “EPCS / DEA Audit” section under CL
- Add “ONC Patient Access API” section under PM
- Add “HITRUST Assessment” section under IT/PF
- Add “EKRA / Anti-Kickback” section under GR/PF
- Add “SAMHSA Reporting” section under GR
5. New Specs Required
5.1 Specs to Create (ordered by priority)
5.2 Existing Specs Requiring Updates
6. AGENTS.md Updates
6.1 Root AGENTS.md
Add to “What AI Must NEVER Do”:6.2 Core-Specific AGENTS.md Updates
src/cores/cl/AGENTS.md:
- Add DS4P requirements for SUD data in FHIR/C-CDA
- Add EPCS audit trail requirements
- Add USCDI v3 / US Core 6.1.0 conformance requirement for all FHIR resources
- Add DSI transparency requirement for AI clinical features
src/cores/pm/AGENTS.md:
- Add information blocking exception documentation requirement
- Add ONC API governance (PM-72) reference
- Add HTI-4 NCPDP SCRIPT 2023011 deadline awareness
- Add CMS-0057-F Da Vinci timeline independence from HTI-2 withdrawal
7. Regulatory Tracker Updates
7.1 Add to REGULATORY_COMPLIANCE_TRACKER.md
7.2 Update ONC_CERTIFICATION_ROADMAP.md
- Increase version to 2.0.0
- Replace generic phased timeline with the compass artifact’s 30/90/180/365-day roadmap
- Add DEA EPCS, Contexture, HITRUST, and EKRA as parallel tracks
- Add competitive landscape section (10 of 11 BH competitors are ONC-certified)
- Add trigger-based escalation framework
- Cross-reference gap matrix and implementation plan
7.3 Update ONC_CERTIFICATION_GAP_MATRIX.md
- Add DEA EPCS row
- Add EKRA risk assessment row
- Add Contexture/DAP evidence requirements
- Update alignment score from 3.0 to 2.5 per compass artifact analysis
- Add USCDI+ BH as future-state alignment target
8. Content Licensing Tracker
Add to compliance infrastructure (new section inAUTHORITATIVE_REFERENCES.md):
Action: Obtain NLM UMLS license within 30 days (prerequisite for SNOMED CT, RxNorm, LOINC distribution in production).
9. Phased Implementation Timeline
Phase 1: Foundation (Days 0–30)
Phase 2: Interoperability Core (Days 31–90)
Phase 3: Expanded Coverage (Days 91–180)
Phase 4: Certification Readiness (Months 6–12, only if trigger fires)
10. Validation Checklist
Before considering this plan complete, verify:- All 12 new skills have SKILL.md with correct YAML frontmatter
- All new specs follow
specs/_templates/SPEC_TEMPLATE.mdstructure -
SPEC_STATUS_REGISTRY.mdupdated with new spec IDs -
regulatory-compliance.mdrule updated with new decision tree branches -
module-regulatory-complianceskill and references updated - Root AGENTS.md updated with new patterns/landmines/prohibitions
- Core AGENTS.md files (CL, PM) updated
-
REGULATORY_COMPLIANCE_TRACKER.mdhas new rows -
ONC_CERTIFICATION_ROADMAP.mdversion bumped and expanded -
ONC_CERTIFICATION_GAP_MATRIX.mdupdated with new findings -
AUTHORITATIVE_REFERENCES.mdhas content licensing section - All cross-references between documents are valid
11. Cross-References
- Compass Artifact (source analysis)
- ONC Certification Gap Matrix
- ONC Certification Roadmap
- Regulatory Compliance Tracker
- Authoritative References
- PHI Classification
- Constitution §4 (Security), §5 (Database)
- AGENTS.md §Architecture Rules, §What AI Must NEVER Do