Skip to main content
Source: Compass Artifact deep review + ONC Certification Gap Matrix + existing compliance infrastructure analysis Owner: Product / Compliance / CL / PM / PF

1. Executive Summary

This plan operationalizes the findings from the May 2026 ONC Certification Strategy & Regulatory Readiness analysis (“Compass Artifact”) into concrete deliverables: new skills, updated rules, new specs, regulatory tracker updates, and AGENTS.md amendments. The recommendation is Alignment-Only now, Modular certification when a trigger fires — but the alignment work itself is substantial.

Key Strategic Decisions


2. Deep Review — Gaps Found in Compass Artifact

2.1 Items Missing from the Compass Artifact

The compass artifact is thorough but omits several areas that Encore’s existing compliance infrastructure already tracks or should add:

2.2 Items in Compass Artifact Not Yet in Encore’s Compliance Infrastructure


3. New Skills to Create

Skills are organized by priority tier. Each skill follows the .cursor/skills/ convention with YAML frontmatter, references directory where needed, and pointers to authoritative docs.

Tier 1 — Alignment-Critical (Create in first 30 days)

3.1 onc-alignment-assessment (.cursor/skills/)

Purpose: Assess any feature or spec against ONC alignment criteria without requiring formal certification. Scope:
  • Map feature data elements to USCDI v3 data classes/elements
  • Check US Core 6.1.0 FHIR profile conformance
  • Validate SMART App Launch v2 OAuth flow design
  • Evaluate information blocking compliance
  • Generate alignment score (0-5) per criterion family
References directory:
  • references/uscdi-v3-data-classes.md — USCDI v3 data class inventory
  • references/onc-criterion-checklist.md — Per-criterion implementation checklist
Trigger phrases: “ONC alignment”, “USCDI mapping”, “certification readiness”, “FHIR conformance check”

3.2 fhir-profile-conformance (.cursor/skills/)

Purpose: Author and validate FHIR R4 resources against US Core 6.1.0 + USCDI v3 profiles. Scope:
  • US Core 6.1.0 profile requirements per resource type
  • USCDI v3 data element mapping
  • CapabilityStatement authoring
  • Inferno test alignment
  • USCDI+ BH profile awareness (future-proofing)
References directory:
  • references/us-core-profiles.md — Profile-by-profile requirements
  • references/fhir-resource-patterns.md — Encore-specific FHIR resource authoring patterns
Trigger phrases: “FHIR profile”, “US Core”, “CapabilityStatement”, “Inferno test”, “USCDI mapping”

3.3 ds4p-privacy-segmentation (.cursor/skills/)

Purpose: Implement Data Segmentation for Privacy (DS4P) for 42 CFR Part 2 SUD data. Scope:
  • DS4P confidentiality codes (V, R, N) on C-CDA and FHIR resources
  • Part 2 consent-to-segmentation pipeline
  • Redisclosure notice generation
  • DS4P send/receive criterion mapping for §170.315(b)(7)/(b)(8)
  • Integration with CL-11 consent management
References directory:
  • references/ds4p-codes.md — Confidentiality code table and mapping rules
  • references/part2-consent-flows.md — Part 2 → DS4P decision tree
Trigger phrases: “DS4P”, “data segmentation”, “privacy segmentation”, “Part 2 FHIR”, “confidentiality codes”

3.4 information-blocking-compliance (.cursor/skills/)

Purpose: Ensure all data-sharing decisions comply with 21st Century Cures Act information blocking provisions. Scope:
  • Exception documentation (8 exceptions + TEFCA Manner + Protecting Care Access)
  • Denial taxonomy and review queue
  • Annual governance packet assembly
  • OIG CMP risk assessment ($1M per violation)
  • Information blocking response workflow
References directory:
  • references/exception-matrix.md — Exception-by-exception documentation template
  • references/denial-taxonomy.md — Standardized denial categories and review workflow
Trigger phrases: “information blocking”, “Cures Act”, “data sharing denial”, “EHI export”, “exception documentation”

Tier 2 — Pre-Certification Readiness (Create in 30-90 days)

3.5 dsi-transparency-disclosure (.cursor/skills/)

Purpose: Generate §170.315(b)(11) DSI source attribute disclosures for AI features. Scope:
  • Source attribute documentation per HTI-1 requirements
  • Predictive DSI vs. evidence-based DSI classification
  • Algorithm transparency requirements
  • User-facing disclosure content generation
  • Integration with PM-64 (AI coding) and CL-08 (CDS)
Trigger phrases: “DSI transparency”, “AI disclosure”, “b(11)”, “algorithm transparency”, “predictive DSI”

3.6 epcs-audit-preparation (.cursor/skills/)

Purpose: Prepare for DEA EPCS third-party audit (21 CFR 1311). Scope:
  • Identity proofing documentation (NIST SP 800-63-3)
  • Two-factor authentication evidence
  • Prescription signing workflow design
  • Audit trail requirements for controlled substances
  • Drummond/DEA audit checklist
  • ARCOS reporting integration points
Trigger phrases: “EPCS”, “DEA audit”, “controlled substance”, “e-prescribing controlled”, “buprenorphine”, “21 CFR 1311”

3.7 contexture-hie-integration (.cursor/skills/)

Purpose: Guide integration with Contexture (Health Current) HIE for AHCCCS DAP/TI 2.0. Scope:
  • ADT notification send/receive (HL7 v2.5.1)
  • CCD exchange (C-CDA R2.1)
  • Contexture participation agreement requirements
  • DAP milestone evidence generation
  • TEFCA connectivity path (Contexture → eHealth Exchange QHIN → national)
Trigger phrases: “Contexture”, “Health Current”, “HIE integration”, “ADT notification”, “DAP attestation”, “TI 2.0”

3.8 hitrust-assessment-preparation (.cursor/skills/)

Purpose: Prepare for HITRUST e1 (Essentials) validated assessment. Scope:
  • HITRUST CSF control mapping to existing Encore controls
  • Evidence collection checklist
  • Gap analysis between SOC 2 Type II and HITRUST e1
  • Authorized external assessor engagement guide
  • Escalation path to i1
Trigger phrases: “HITRUST”, “e1 assessment”, “i1 assessment”, “security certification”, “HITRUST CSF”

Tier 3 — Certification-Phase Skills (Create when trigger fires)

3.9 onc-criterion-mapper (.agents/skills/)

Purpose: Generate per-criterion compliance evidence packages. Scope:
  • Criterion text → Encore feature → test case → screenshot/log evidence mapping
  • Relied-upon software documentation
  • CHPL listing metadata generation
  • Mandatory disclosure URL content

3.10 inferno-test-author (.agents/skills/)

Purpose: Write Inferno test plans and expected response fixtures. Scope:
  • (g)(10), (g)(7), (g)(9) test plan authoring
  • CapabilityStatement validation fixtures
  • SMART App Launch v2 test flow documentation
  • CI harness integration for Inferno tests

3.11 rwt-plan-author (.agents/skills/)

Purpose: Generate Real World Testing plans and results reports. Scope:
  • RWT plan template per ONC requirements
  • Metrics collection framework
  • Results report generation
  • Enforcement discretion tracking (HTI-5 pending)

3.12 drummond-engagement-orchestrator (.agents/skills/)

Purpose: Pre-populate Drummond ATL test scripts and ACB documentation. Scope:
  • Drummond Advisory Services engagement guide
  • ATL test script pre-population
  • ACB vendor form completion
  • CHPL listing preparation
  • Compliance Learning Series planning


4. Regulatory Rules Updates

4.1 Update .cursor/rules/regulatory-compliance.md

Changes needed: Add the following branches to the decision tree:
Add new footer section:

4.2 Update .cursor/skills/module-regulatory-compliance/

Changes to SKILL.md:
  • Add ONC alignment, FHIR/USCDI, DS4P, EPCS, HITRUST, and EKRA to the decision tree
  • Add new common mistakes table entries for ONC-specific errors
  • Update tags to include [regulatory, compliance, HIPAA, ONC, FHIR, USCDI, EPCS, DS4P, HITRUST]
Changes to references/per-core-compliance.md:
  • Add “ONC / Interoperability Compliance” section under CL
  • Add “EPCS / DEA Audit” section under CL
  • Add “ONC Patient Access API” section under PM
  • Add “HITRUST Assessment” section under IT/PF
  • Add “EKRA / Anti-Kickback” section under GR/PF
  • Add “SAMHSA Reporting” section under GR

5. New Specs Required

5.1 Specs to Create (ordered by priority)

5.2 Existing Specs Requiring Updates


6. AGENTS.md Updates

6.1 Root AGENTS.md

Add to “What AI Must NEVER Do”:
Add to “Other Patterns (Pointers)”:
Add to “Landmines (Non-Discoverable)“:

6.2 Core-Specific AGENTS.md Updates

src/cores/cl/AGENTS.md:
  • Add DS4P requirements for SUD data in FHIR/C-CDA
  • Add EPCS audit trail requirements
  • Add USCDI v3 / US Core 6.1.0 conformance requirement for all FHIR resources
  • Add DSI transparency requirement for AI clinical features
src/cores/pm/AGENTS.md:
  • Add information blocking exception documentation requirement
  • Add ONC API governance (PM-72) reference
  • Add HTI-4 NCPDP SCRIPT 2023011 deadline awareness
  • Add CMS-0057-F Da Vinci timeline independence from HTI-2 withdrawal

7. Regulatory Tracker Updates

7.1 Add to REGULATORY_COMPLIANCE_TRACKER.md

7.2 Update ONC_CERTIFICATION_ROADMAP.md

  • Increase version to 2.0.0
  • Replace generic phased timeline with the compass artifact’s 30/90/180/365-day roadmap
  • Add DEA EPCS, Contexture, HITRUST, and EKRA as parallel tracks
  • Add competitive landscape section (10 of 11 BH competitors are ONC-certified)
  • Add trigger-based escalation framework
  • Cross-reference gap matrix and implementation plan

7.3 Update ONC_CERTIFICATION_GAP_MATRIX.md

  • Add DEA EPCS row
  • Add EKRA risk assessment row
  • Add Contexture/DAP evidence requirements
  • Update alignment score from 3.0 to 2.5 per compass artifact analysis
  • Add USCDI+ BH as future-state alignment target

8. Content Licensing Tracker

Add to compliance infrastructure (new section in AUTHORITATIVE_REFERENCES.md): Action: Obtain NLM UMLS license within 30 days (prerequisite for SNOMED CT, RxNorm, LOINC distribution in production).

9. Phased Implementation Timeline

Phase 1: Foundation (Days 0–30)

Phase 2: Interoperability Core (Days 31–90)

Phase 3: Expanded Coverage (Days 91–180)

Phase 4: Certification Readiness (Months 6–12, only if trigger fires)


10. Validation Checklist

Before considering this plan complete, verify:
  • All 12 new skills have SKILL.md with correct YAML frontmatter
  • All new specs follow specs/_templates/SPEC_TEMPLATE.md structure
  • SPEC_STATUS_REGISTRY.md updated with new spec IDs
  • regulatory-compliance.md rule updated with new decision tree branches
  • module-regulatory-compliance skill and references updated
  • Root AGENTS.md updated with new patterns/landmines/prohibitions
  • Core AGENTS.md files (CL, PM) updated
  • REGULATORY_COMPLIANCE_TRACKER.md has new rows
  • ONC_CERTIFICATION_ROADMAP.md version bumped and expanded
  • ONC_CERTIFICATION_GAP_MATRIX.md updated with new findings
  • AUTHORITATIVE_REFERENCES.md has content licensing section
  • All cross-references between documents are valid

11. Cross-References