> ## Documentation Index > Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt > Use this file to discover all available pages before exploring further. # ONC Regulatory Readiness & Alignment Implementation Plan > Version: 1.0.0 Last Updated: 2026-05-15 Source: Compass Artifact deep review + ONC Certification Gap Matrix + existing compliance infrastructure analysis Owner… **Version:** 1.0.0 **Last Updated:** 2026-05-15 **Source:** Compass Artifact deep review + ONC Certification Gap Matrix + existing compliance infrastructure analysis **Owner:** Product / Compliance / CL / PM / PF *** ## 1. Executive Summary This plan operationalizes the findings from the May 2026 ONC Certification Strategy & Regulatory Readiness analysis ("Compass Artifact") into concrete deliverables: new skills, updated rules, new specs, regulatory tracker updates, and AGENTS.md amendments. The recommendation is **Alignment-Only now, Modular certification when a trigger fires** — but the alignment work itself is substantial. ### Key Strategic Decisions | Decision | Recommendation | Trigger to Escalate | | ----------------- | ------------------------------------------- | ---------------------------------------------------------------------- | | ONC Certification | Alignment-Only (no formal filing) | Named enterprise prospect with "CEHRT required" in mandatory RFP terms | | Contexture/HIE | Sign Participation Agreement within 30 days | Already justified — DAP 8.0% uplift | | DEA EPCS | Begin partner evaluation immediately | First MAT-prescribing customer signed | | HITRUST | e1 assessment within 12 months | Kipu competitive parity | | EKRA/NorthSight | P0 legal review immediately | Shared-founder structure is textbook risk | *** ## 2. Deep Review — Gaps Found in Compass Artifact ### 2.1 Items Missing from the Compass Artifact The compass artifact is thorough but omits several areas that Encore's existing compliance infrastructure already tracks or should add: | # | Gap | Severity | Rationale | | -- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | 1 | **OTP/Part 8 compliance (42 CFR Part 8)** — mentioned in passing under EPCS but no dedicated analysis of OTP licensing, SAMHSA certification, and medication-unit dosing rules | Medium | Encore serves MAT/OTP programs; Part 8 governs OTP operations including daily dosing, take-home schedules, and drug testing. Existing tracker already tracks this. | | 2 | **Arizona PDMP (CSPMP) integration** — the regulatory-compliance rule lists this but the compass artifact omits PDMP query requirements entirely | High | A.R.S. § 36-2608 requires PDMP query before prescribing opioids. MAT prescribers using Encore must have PDMP integration or documented workaround. | | 3 | **Psychotherapy notes segregation (45 CFR 164.501)** — existing decision tree includes this but compass artifact does not address ONC criterion mapping for psychotherapy note handling | Low | BH-specific HIPAA carve-out; existing compliance tracking covers this. | | 4 | **HIPAA Breach Notification (HITECH Act)** — compass artifact discusses information blocking penalties but omits breach notification obligations under HITECH, which the IT compliance tracker already covers | Low | Already tracked in `IT_SECURITY_COMPLIANCE_TRACKING.md`. | | 5 | **CMS-0057-F Prior Authorization API** — compass artifact mentions HTI-2 withdrawal of `(g)(30)-(g)(33)` but does not explicitly cover the **separate** CMS-0057-F rule (finalized Jan 2024) requiring payer prior auth APIs by Jan 1, 2027 — existing spec PM-52 covers this | Medium | PM-52 already tracks Da Vinci CRD/DTR/PAS for this rule. | | 6 | **HEDIS/Quality Measures** — compass artifact §7 mentions CARF/Joint Commission as N/A for Encore (correct) but does not address BH HEDIS measures (FUH, FUM, AMM, SSD) that payer contracts frequently require. CL-51 spec and GR tracker already cover this. | Low | Already in compliance tracker and CL-51 spec. | | 7 | **Collections compliance (TCPA/FDCPA/PCI)** — compass artifact omits patient collections compliance, which the regulatory tracker already covers | Low | Already tracked in `REGULATORY_COMPLIANCE_TRACKER.md`. | | 8 | **No Surprises Act/Good Faith Estimate** — omitted from compass artifact; PM tracker covers this | Low | Already tracked; PM specs address GFE. | | 9 | **Surescripts certification pathway** — compass artifact mentions e-prescribing partners but does not detail Surescripts' staged certification process (application → validation → production) which is separate from both ONC and DEA EPCS | Medium | Critical path dependency for any e-prescribing feature. | | 10 | **State Medicaid Promoting Interoperability successors** — compass artifact correctly notes AZ PI ended Oct 2021 but does not survey other states (e.g., CO, NY, TX) that still have active HIT incentive programs, relevant for multi-state expansion via PF-96 | Low | Deferred until multi-state expansion is in scope. | ### 2.2 Items in Compass Artifact Not Yet in Encore's Compliance Infrastructure | # | New Finding | Current Coverage | Action Required | | -- | ----------------------------------------------------------------------------------------------- | ---------------------------------------- | --------------------------------------------- | | 1 | **DEA EPCS certification (21 CFR 1311)** — required for MAT prescribing | Not tracked | Add to regulatory tracker + create new spec | | 2 | **EKRA (18 U.S.C. § 220)** — NorthSight relationship risk | Not tracked | Add to regulatory tracker + legal memo | | 3 | **Section 1557 ACA nondiscrimination** — language access/TTY for patient portal | Partially covered under WCAG/Section 504 | Expand coverage | | 4 | **ADA Title III digital accessibility (WCAG 2.1 AA)** — DOJ April 2024 final rule | Tracked under PF-93 + Section 504 | Update timeline | | 5 | **SAMHSA SUPTRS/MHBG/TEDS reporting** — block-grant reporting hooks | Not tracked | Add to GR compliance tracker | | 6 | **USCDI+ Behavioral Health profiles** — SAMHSA/ONC \$20M initiative | Not tracked | Add to CL-16 roadmap | | 7 | **HITRUST e1 → i1 pathway** — competitive parity with Kipu | Not tracked | Add to IT compliance tracker | | 8 | **DS4P (Data Segmentation for Privacy) — §170.315(b)(7)/(b)(8)** — critical for Part 2 SUD data | Gap matrix shows "None" for b(7)/b(8) | Create new spec | | 9 | **DEA Special Registration for Telemedicine** — MAT-via-telehealth | Not tracked | Add to regulatory tracker | | 10 | **Contexture/Health Current Participation Agreement** — DAP/TI 2.0 gate | Not tracked as deliverable | Add to roadmap | | 11 | **HTI-4 NCPDP SCRIPT 2023011** — Jan 1, 2028 deadline | Mentioned in gap matrix | Ensure CL-06 enhancement tracks this | | 12 | **Information blocking penalty enforcement** — \$1M per violation | Tracked in regulatory tracker | Ensure PM-55 info-blocking workflows complete | *** ## 3. New Skills to Create Skills are organized by priority tier. Each skill follows the `.cursor/skills/` convention with YAML frontmatter, references directory where needed, and pointers to authoritative docs. ### Tier 1 — Alignment-Critical (Create in first 30 days) #### 3.1 `onc-alignment-assessment` (`.cursor/skills/`) **Purpose:** Assess any feature or spec against ONC alignment criteria without requiring formal certification. **Scope:** * Map feature data elements to USCDI v3 data classes/elements * Check US Core 6.1.0 FHIR profile conformance * Validate SMART App Launch v2 OAuth flow design * Evaluate information blocking compliance * Generate alignment score (0-5) per criterion family **References directory:** * `references/uscdi-v3-data-classes.md` — USCDI v3 data class inventory * `references/onc-criterion-checklist.md` — Per-criterion implementation checklist **Trigger phrases:** "ONC alignment", "USCDI mapping", "certification readiness", "FHIR conformance check" *** #### 3.2 `fhir-profile-conformance` (`.cursor/skills/`) **Purpose:** Author and validate FHIR R4 resources against US Core 6.1.0 + USCDI v3 profiles. **Scope:** * US Core 6.1.0 profile requirements per resource type * USCDI v3 data element mapping * CapabilityStatement authoring * Inferno test alignment * USCDI+ BH profile awareness (future-proofing) **References directory:** * `references/us-core-profiles.md` — Profile-by-profile requirements * `references/fhir-resource-patterns.md` — Encore-specific FHIR resource authoring patterns **Trigger phrases:** "FHIR profile", "US Core", "CapabilityStatement", "Inferno test", "USCDI mapping" *** #### 3.3 `ds4p-privacy-segmentation` (`.cursor/skills/`) **Purpose:** Implement Data Segmentation for Privacy (DS4P) for 42 CFR Part 2 SUD data. **Scope:** * DS4P confidentiality codes (V, R, N) on C-CDA and FHIR resources * Part 2 consent-to-segmentation pipeline * Redisclosure notice generation * DS4P send/receive criterion mapping for §170.315(b)(7)/(b)(8) * Integration with CL-11 consent management **References directory:** * `references/ds4p-codes.md` — Confidentiality code table and mapping rules * `references/part2-consent-flows.md` — Part 2 → DS4P decision tree **Trigger phrases:** "DS4P", "data segmentation", "privacy segmentation", "Part 2 FHIR", "confidentiality codes" *** #### 3.4 `information-blocking-compliance` (`.cursor/skills/`) **Purpose:** Ensure all data-sharing decisions comply with 21st Century Cures Act information blocking provisions. **Scope:** * Exception documentation (8 exceptions + TEFCA Manner + Protecting Care Access) * Denial taxonomy and review queue * Annual governance packet assembly * OIG CMP risk assessment (\$1M per violation) * Information blocking response workflow **References directory:** * `references/exception-matrix.md` — Exception-by-exception documentation template * `references/denial-taxonomy.md` — Standardized denial categories and review workflow **Trigger phrases:** "information blocking", "Cures Act", "data sharing denial", "EHI export", "exception documentation" *** ### Tier 2 — Pre-Certification Readiness (Create in 30-90 days) #### 3.5 `dsi-transparency-disclosure` (`.cursor/skills/`) **Purpose:** Generate §170.315(b)(11) DSI source attribute disclosures for AI features. **Scope:** * Source attribute documentation per HTI-1 requirements * Predictive DSI vs. evidence-based DSI classification * Algorithm transparency requirements * User-facing disclosure content generation * Integration with PM-64 (AI coding) and CL-08 (CDS) **Trigger phrases:** "DSI transparency", "AI disclosure", "b(11)", "algorithm transparency", "predictive DSI" *** #### 3.6 `epcs-audit-preparation` (`.cursor/skills/`) **Purpose:** Prepare for DEA EPCS third-party audit (21 CFR 1311). **Scope:** * Identity proofing documentation (NIST SP 800-63-3) * Two-factor authentication evidence * Prescription signing workflow design * Audit trail requirements for controlled substances * Drummond/DEA audit checklist * ARCOS reporting integration points **Trigger phrases:** "EPCS", "DEA audit", "controlled substance", "e-prescribing controlled", "buprenorphine", "21 CFR 1311" *** #### 3.7 `contexture-hie-integration` (`.cursor/skills/`) **Purpose:** Guide integration with Contexture (Health Current) HIE for AHCCCS DAP/TI 2.0. **Scope:** * ADT notification send/receive (HL7 v2.5.1) * CCD exchange (C-CDA R2.1) * Contexture participation agreement requirements * DAP milestone evidence generation * TEFCA connectivity path (Contexture → eHealth Exchange QHIN → national) **Trigger phrases:** "Contexture", "Health Current", "HIE integration", "ADT notification", "DAP attestation", "TI 2.0" *** #### 3.8 `hitrust-assessment-preparation` (`.cursor/skills/`) **Purpose:** Prepare for HITRUST e1 (Essentials) validated assessment. **Scope:** * HITRUST CSF control mapping to existing Encore controls * Evidence collection checklist * Gap analysis between SOC 2 Type II and HITRUST e1 * Authorized external assessor engagement guide * Escalation path to i1 **Trigger phrases:** "HITRUST", "e1 assessment", "i1 assessment", "security certification", "HITRUST CSF" *** ### Tier 3 — Certification-Phase Skills (Create when trigger fires) #### 3.9 `onc-criterion-mapper` (`.agents/skills/`) **Purpose:** Generate per-criterion compliance evidence packages. **Scope:** * Criterion text → Encore feature → test case → screenshot/log evidence mapping * Relied-upon software documentation * CHPL listing metadata generation * Mandatory disclosure URL content *** #### 3.10 `inferno-test-author` (`.agents/skills/`) **Purpose:** Write Inferno test plans and expected response fixtures. **Scope:** * (g)(10), (g)(7), (g)(9) test plan authoring * CapabilityStatement validation fixtures * SMART App Launch v2 test flow documentation * CI harness integration for Inferno tests *** #### 3.11 `rwt-plan-author` (`.agents/skills/`) **Purpose:** Generate Real World Testing plans and results reports. **Scope:** * RWT plan template per ONC requirements * Metrics collection framework * Results report generation * Enforcement discretion tracking (HTI-5 pending) *** #### 3.12 `drummond-engagement-orchestrator` (`.agents/skills/`) **Purpose:** Pre-populate Drummond ATL test scripts and ACB documentation. **Scope:** * Drummond Advisory Services engagement guide * ATL test script pre-population * ACB vendor form completion * CHPL listing preparation * Compliance Learning Series planning *** *** ## 4. Regulatory Rules Updates ### 4.1 Update `.cursor/rules/regulatory-compliance.md` **Changes needed:** Add the following branches to the decision tree: ```text theme={null} ├─ CL (Clinical) │ ├─ [EXISTING branches...] │ ├─ Involves e-prescribing of controlled substances? → DEA EPCS (21 CFR 1311), Drummond audit │ ├─ Involves MAT/buprenorphine prescribing? → DEA EPCS + X-waiver removal (CAA 2023 §1262) + DEA Telemedicine Special Registration │ ├─ Involves FHIR data export with SUD data? → DS4P §170.315(b)(7)/(b)(8) confidentiality coding │ ├─ Involves AI clinical recommendations? → HTI-1 DSI transparency §170.315(b)(11) │ └─ Involves Arizona HIE/Contexture? → AHCCCS DAP/TI 2.0 requirements ├─ PM (Practice Management) │ ├─ [EXISTING branches...] │ ├─ Involves patient access API? → ONC HTI-1 §170.315(g)(10), SMART App Launch v2, US Core 6.1.0 │ ├─ Involves AI coding/billing? → HTI-1 DSI transparency §170.315(b)(11), human acceptance required │ └─ Involves e-prescribing standards? → HTI-4 NCPDP SCRIPT 2023011 (deadline Jan 1, 2028) ├─ PF (Platform Foundation) │ ├─ [EXISTING branches...] │ ├─ Involves patient portal language access? → Section 1557 ACA nondiscrimination │ └─ Involves HITRUST assessment? → HITRUST CSF e1/i1 controls ├─ GR (Governance & Risk) │ ├─ [EXISTING branches...] │ └─ Involves SAMHSA reporting? → SUPTRS, TEDS, MHBG block grant data ``` Add new footer section: ```text theme={null} **ONC/Interoperability-specific:** - `docs/compliance/ONC_CERTIFICATION_GAP_MATRIX.md` — Criterion-level gap analysis - `docs/compliance/ONC_REGULATORY_READINESS_IMPLEMENTATION_PLAN.md` — Skills, specs, and roadmap **Beyond-ONC compliance:** - EKRA (18 U.S.C. § 220) — Kickback risk for recovery treatment referrals - HITRUST e1/i1 — Security assessment pathway - DEA EPCS (21 CFR 1311) — Controlled substance e-prescribing audit ``` ### 4.2 Update `.cursor/skills/module-regulatory-compliance/` **Changes to SKILL.md:** * Add ONC alignment, FHIR/USCDI, DS4P, EPCS, HITRUST, and EKRA to the decision tree * Add new common mistakes table entries for ONC-specific errors * Update tags to include `[regulatory, compliance, HIPAA, ONC, FHIR, USCDI, EPCS, DS4P, HITRUST]` **Changes to `references/per-core-compliance.md`:** * Add "ONC / Interoperability Compliance" section under CL * Add "EPCS / DEA Audit" section under CL * Add "ONC Patient Access API" section under PM * Add "HITRUST Assessment" section under IT/PF * Add "EKRA / Anti-Kickback" section under GR/PF * Add "SAMHSA Reporting" section under GR *** ## 5. New Specs Required ### 5.1 Specs to Create (ordered by priority) | Priority | Spec ID | Title | Core | Rationale | | -------- | ----------- | ------------------------------------------------------ | ---- | ------------------------------------------------------------------------------- | | **P0** | PF-107 | EKRA Compliance and Related-Party Transaction Controls | PF | Shared-founder NorthSight relationship; higher enforcement probability than ONC | | **P1** | CL-63 | DS4P Data Segmentation for Privacy (Send/Receive) | CL | §170.315(b)(7)/(b)(8); critical for Part 2 SUD data in FHIR/C-CDA exchange | | **P1** | CL-64 | DEA EPCS Integration and Audit Readiness | CL | 21 CFR 1311; required for MAT prescribing market | | **P1** | PF-108 | Contexture HIE Integration (ADT/CCD Exchange) | PF | AHCCCS DAP 8.0% uplift; TI 2.0 eligibility; highest-ROI Arizona move | | **P2** | PF-109 | HITRUST e1 Security Assessment Readiness | PF | Competitive parity with Kipu; hospital/payer procurement signal | | **P2** | CL-65 | DSI Transparency Disclosure Framework | CL | §170.315(b)(11) HTI-1; required if AI clinical features ship | | **P2** | PM-72 | ONC API Conditions of Certification Governance | PM | Terms, fees, transparency, maintenance for FHIR APIs | | **P2** | CL-16-EN-03 | USCDI+ Behavioral Health Profile Mapping | CL | SAMHSA/ONC \$20M initiative; proactive alignment | | **P3** | GR-26 | SAMHSA SUPTRS/TEDS/MHBG Reporting Integration | GR | Block-grant reporting for SOR sub-grantees | | **P3** | CL-66 | Immunization Registry Reporting (ASIIS/VXU) | CL | §170.315(f)(1); required for MAT/OTP clinics administering vaccines | | **P3** | CL-67 | Electronic Case Reporting (eCR) | CL | §170.315(f)(5); HIV/HCV reportable conditions for MAT/SUD programs | | **P3** | PM-73 | Surescripts Certification Pathway | PM | Production e-prescribing requirement; staged onboarding | ### 5.2 Existing Specs Requiring Updates | Spec | Update Needed | | --------------- | ------------------------------------------------------------------------------------------------------------------------------ | | **CL-16** | Add USCDI v3 mapping checklist; reference USCDI+ BH; add Inferno CI harness requirement; add DS4P cross-reference to CL-63 | | **CL-16-EN-02** | Update US Core from "planned" to alignment target with specific 6.1.0 profile list | | **PM-55** | Add information blocking denial taxonomy; add §170.315(g)(10) SMART v2 requirements; cross-reference new PM-72 governance spec | | **CL-06** | Add HTI-4 NCPDP SCRIPT 2023011 transition timeline; cross-reference CL-64 EPCS | | **CL-48** | Add C-CDA R4.1 companion guide update; cross-reference DS4P send via CL-63 | | **PM-52** | Note HTI-2 withdrawal of `(g)(30)-(g)(33)` but CMS-0057-F independence; track HTI-5 | | **PF-93** | Add DOJ April 2024 Title II WCAG 2.1 AA rule; add Section 1557 language access | | **PF-44** | Add EHI export criterion b(10) evidence requirements | | **CL-11** | Cross-reference DS4P spec CL-63; add redisclosure notice in FHIR context | *** ## 6. AGENTS.md Updates ### 6.1 Root AGENTS.md Add to "What AI Must NEVER Do": ```text theme={null} - Ship FHIR resources that do not conform to US Core 6.1.0 profiles when CL-16/PM-55 features are in scope. - Omit DS4P confidentiality codes on any FHIR resource or C-CDA document containing 42 CFR Part 2 SUD data. - Implement controlled substance e-prescribing without DEA EPCS audit trail (21 CFR 1311). - Bypass information blocking exception documentation when denying data access requests. ``` Add to "Other Patterns (Pointers)": ```text theme={null} - **ONC Alignment (Alignment-Only):** Build to USCDI v3 + US Core 6.1.0 + SMART v2 + DS4P without formal certification. Gap matrix: `docs/compliance/ONC_CERTIFICATION_GAP_MATRIX.md`. Implementation plan: `docs/compliance/ONC_REGULATORY_READINESS_IMPLEMENTATION_PLAN.md`. - **Contexture/HIE (Arizona):** ADT and CCD exchange via Contexture for AHCCCS DAP/TI 2.0. See PF-108. - **DEA EPCS:** Required for MAT prescribing. Third-party audit via Drummond. See CL-64. - **DS4P (Part 2 + FHIR):** Confidentiality coding on all SUD data in FHIR/C-CDA. See CL-63. - **HITRUST e1:** Security assessment for hospital/payer procurement. See PF-109. - **EKRA:** Anti-kickback for recovery treatment referrals. P0 legal priority. See PF-107. ``` Add to "Landmines (Non-Discoverable)": ```text theme={null} - [2026-05] USCDI v3 is the baseline as of Jan 1, 2026 (with ASTP/ONC enforcement discretion through Feb 28, 2026). All new FHIR work must target v3, not v1. - [2026-05] HTI-2 non-finalized provisions (g(30)-(g)(33), CDS Hooks, Subscriptions) were withdrawn Dec 29, 2025. Do not implement withdrawn criteria. - [2026-05] OIG information blocking penalties ($1M per violation) are live since Sept 2023. Joint HHS-OIG/ASTP enforcement alert issued Sept 4, 2025. - [2026-05] DEA Telemedicine Special Registration rule remains in flux; MAT-via-telehealth must use feature flags. ``` ### 6.2 Core-Specific AGENTS.md Updates **`src/cores/cl/AGENTS.md`:** * Add DS4P requirements for SUD data in FHIR/C-CDA * Add EPCS audit trail requirements * Add USCDI v3 / US Core 6.1.0 conformance requirement for all FHIR resources * Add DSI transparency requirement for AI clinical features **`src/cores/pm/AGENTS.md`:** * Add information blocking exception documentation requirement * Add ONC API governance (PM-72) reference * Add HTI-4 NCPDP SCRIPT 2023011 deadline awareness * Add CMS-0057-F Da Vinci timeline independence from HTI-2 withdrawal *** ## 7. Regulatory Tracker Updates ### 7.1 Add to `REGULATORY_COMPLIANCE_TRACKER.md` | Regulation | Requirement | Deadline | Owning Spec | Status | | ----------------------------- | ------------------------------------------------------------- | ------------------------------- | ------------ | ----------------- | | DEA EPCS (21 CFR 1311) | Third-party audit for controlled substance e-prescribing | Before MAT prescribing launch | CL-64 | Not Started | | EKRA (18 U.S.C. § 220) | Anti-kickback compliance for NorthSight relationship | Immediate (P0) | PF-107 | Not Started | | HITRUST e1 | Security assessment validated by authorized external assessor | 12 months | PF-109 | Not Started | | Section 1557 ACA | Language access, TTY, nondiscrimination in patient portal | Ongoing | PF-93 update | Partially Covered | | ADA Title III / DOJ Rule | WCAG 2.1 AA for patient-facing web properties | HHS May 2026 deadline | PF-93 | In Progress | | SAMHSA SUPTRS/TEDS | Treatment episode reporting for block-grant compliance | Per grant cycle | GR-26 | Not Started | | USCDI+ BH | FHIR BH profiles mapping | Proactive alignment | CL-16-EN-03 | Not Started | | DS4P b(7)/b(8) | Privacy segmentation for SUD data in FHIR/C-CDA | Before production FHIR exchange | CL-63 | Not Started | | HTI-4 NCPDP SCRIPT 2023011 | E-prescribing standard upgrade | Jan 1, 2028 | CL-06 update | Not Started | | DEA Telemedicine Registration | MAT-via-telehealth prescribing rules | Pending final rule (2026?) | CL-64 | Monitoring | | Contexture Participation | HIE connectivity for AHCCCS DAP/TI 2.0 | 30 days (business) | PF-108 | Not Started | | OIG Info Blocking CMP | \$1M per violation for HIT developers | Live since Sept 2023 | PM-55 | In Progress | ### 7.2 Update `ONC_CERTIFICATION_ROADMAP.md` * Increase version to 2.0.0 * Replace generic phased timeline with the compass artifact's 30/90/180/365-day roadmap * Add DEA EPCS, Contexture, HITRUST, and EKRA as parallel tracks * Add competitive landscape section (10 of 11 BH competitors are ONC-certified) * Add trigger-based escalation framework * Cross-reference gap matrix and implementation plan ### 7.3 Update `ONC_CERTIFICATION_GAP_MATRIX.md` * Add DEA EPCS row * Add EKRA risk assessment row * Add Contexture/DAP evidence requirements * Update alignment score from 3.0 to 2.5 per compass artifact analysis * Add USCDI+ BH as future-state alignment target *** ## 8. Content Licensing Tracker Add to compliance infrastructure (new section in `AUTHORITATIVE_REFERENCES.md`): | Content | License | Cost | Status | | --------------------- | ---------------------- | ------------------------------- | ---------------- | | LOINC | Regenstrief Institute | Free | Not yet obtained | | SNOMED CT US Edition | NLM UMLS Metathesaurus | Free (US) | Not yet obtained | | RxNorm | NLM | Free | Not yet obtained | | ICD-10-CM | CMS | Free | Not yet obtained | | CPT | AMA | $500–$3,500/yr for distribution | Not yet licensed | | CVX/MVX vaccine codes | CDC | Free | Not yet obtained | | NCPDP SCRIPT | NCPDP | Membership required | Not yet licensed | **Action:** Obtain NLM UMLS license within 30 days (prerequisite for SNOMED CT, RxNorm, LOINC distribution in production). *** ## 9. Phased Implementation Timeline ### Phase 1: Foundation (Days 0–30) | # | Deliverable | Type | Owner | | -- | ---------------------------------------------- | -------- | ---------- | | 1 | Create PF-107 (EKRA) spec | Spec | Legal/PF | | 2 | Create PF-108 (Contexture) spec | Spec | PF | | 3 | Update `regulatory-compliance.md` rule | Rule | Platform | | 4 | Update `module-regulatory-compliance` skill | Skill | Platform | | 5 | Update AGENTS.md (root + CL + PM) | Docs | Platform | | 6 | Update `REGULATORY_COMPLIANCE_TRACKER.md` | Docs | Compliance | | 7 | Update `ONC_CERTIFICATION_ROADMAP.md` to v2.0 | Docs | Compliance | | 8 | Create `onc-alignment-assessment` skill | Skill | Platform | | 9 | Create `information-blocking-compliance` skill | Skill | Platform | | 10 | Obtain NLM UMLS license | Business | Product | ### Phase 2: Interoperability Core (Days 31–90) | # | Deliverable | Type | Owner | | -- | ---------------------------------------------------- | ------------ | -------- | | 11 | Create CL-63 (DS4P) spec | Spec | CL | | 12 | Create CL-64 (DEA EPCS) spec | Spec | CL | | 13 | Create `fhir-profile-conformance` skill | Skill | Platform | | 14 | Create `ds4p-privacy-segmentation` skill | Skill | Platform | | 15 | Create `dsi-transparency-disclosure` skill | Skill | Platform | | 16 | Create `epcs-audit-preparation` skill | Skill | Platform | | 17 | Create `contexture-hie-integration` skill | Skill | Platform | | 18 | Update CL-16, CL-16-EN-02, PM-55, CL-06, CL-48 specs | Spec updates | CL/PM | | 19 | Create PF-109 (HITRUST e1) spec | Spec | PF/IT | | 20 | Create PM-72 (ONC API Governance) spec | Spec | PM | ### Phase 3: Expanded Coverage (Days 91–180) | # | Deliverable | Type | Owner | | -- | -------------------------------------------------- | --------- | -------- | | 21 | Create CL-65 (DSI Transparency) spec | Spec | CL | | 22 | Create CL-16-EN-03 (USCDI+ BH) spec | Spec | CL | | 23 | Create GR-26 (SAMHSA Reporting) spec | Spec | GR | | 24 | Create `hitrust-assessment-preparation` skill | Skill | Platform | | 25 | Update `per-core-compliance.md` references | Skill ref | Platform | | 26 | Create CL-66 (Immunization ASIIS) spec if in-scope | Spec | CL | | 27 | Create CL-67 (eCR) spec if in-scope | Spec | CL | | 28 | Create PM-73 (Surescripts) spec | Spec | PM | ### Phase 4: Certification Readiness (Months 6–12, only if trigger fires) | # | Deliverable | Type | Owner | | -- | ----------------------------------------------- | ----------- | -------- | | 29 | Create `onc-criterion-mapper` skill | Skill | Platform | | 30 | Create `inferno-test-author` skill | Skill | Platform | | 31 | Create `rwt-plan-author` skill | Skill | Platform | | 32 | Create `drummond-engagement-orchestrator` skill | Skill | Platform | | 33 | Build Inferno CI harness | Engineering | CL/PM | | 34 | Formal Drummond Advisory engagement | Business | Product | *** ## 10. Validation Checklist Before considering this plan complete, verify: * [ ] All 12 new skills have SKILL.md with correct YAML frontmatter * [ ] All new specs follow `specs/_templates/SPEC_TEMPLATE.md` structure * [ ] `SPEC_STATUS_REGISTRY.md` updated with new spec IDs * [ ] `regulatory-compliance.md` rule updated with new decision tree branches * [ ] `module-regulatory-compliance` skill and references updated * [ ] Root AGENTS.md updated with new patterns/landmines/prohibitions * [ ] Core AGENTS.md files (CL, PM) updated * [ ] `REGULATORY_COMPLIANCE_TRACKER.md` has new rows * [ ] `ONC_CERTIFICATION_ROADMAP.md` version bumped and expanded * [ ] `ONC_CERTIFICATION_GAP_MATRIX.md` updated with new findings * [ ] `AUTHORITATIVE_REFERENCES.md` has content licensing section * [ ] All cross-references between documents are valid *** ## 11. Cross-References * [Compass Artifact (source analysis)](../../compass_artifact_wf-5ec62b38-cba7-4116-a35e-5f9b1bc60d47_text_markdown.md) * [ONC Certification Gap Matrix](./ONC_CERTIFICATION_GAP_MATRIX.md) * ONC Certification Roadmap * [Regulatory Compliance Tracker](./REGULATORY_COMPLIANCE_TRACKER.md) * [Authoritative References](./AUTHORITATIVE_REFERENCES.md) * [PHI Classification](./PHI_CLASSIFICATION.md) * [Constitution](../../constitution.md) §4 (Security), §5 (Database) * [AGENTS.md](../../AGENTS.md) §Architecture Rules, §What AI Must NEVER Do