ONC Certification: What New EHR Vendors Need to Know in 2026
ONC certification is the gateway to the US healthcare market. Here is what the process actually involves, what it costs, and where new vendors get stuck.
Certification is market access
Without ONC certification, your EHR cannot participate in federal incentive programs. Providers cannot attest to Promoting Interoperability. Health systems will not consider you. Payers may not integrate with you.
Certification is not optional. It is the minimum bar for participation.
The certification landscape in 2026
The ONC Health IT Certification Program is governed by the 21st Century Cures Act and implemented through rules like HTI-1. The current requirements include:
- FHIR R4 API support (US Core profiles)
- SMART App Launch for third-party applications
- Information blocking compliance
- Clinical quality measure reporting capabilities
- Standardized APIs for patient and population services
- Security requirements including encryption, audit logging, and access controls
The certification process is administered by ONC-Authorized Certification Bodies (ONC-ACBs) like Drummond Group and InfoGard.
The real timeline
New vendors consistently underestimate the timeline. Here is what to expect:
Pre-submission: 3-6 months
- Gap analysis against certification criteria
- Test environment setup
- Documentation preparation
- Internal testing and remediation
Testing and review: 3-6 months
- Submission to ONC-ACB
- Functional testing
- Interoperability testing
- Security assessment
- Remediation cycles
Total: 6-12 months minimum
And that is if your product is already built to the spec. If you are retrofitting, add time.
Where vendors get stuck
FHIR API completeness
Having a FHIR endpoint is not enough. You need:
- All US Core profiles implemented correctly
- Proper search parameter support
- Bulk FHIR for population queries
- SMART App Launch with correct scopes
Clinical quality measures
CQM calculation is precise. The logic must match published specifications exactly. Off-by-one errors in date calculations or population criteria will fail testing.
Security requirements
Audit logging, encryption at rest and in transit, role-based access control, automatic session timeout. These are not nice-to-haves—they are testable criteria.
Documentation
Every criterion requires evidence. Screenshots, API responses, test results, configuration documentation. The documentation burden is significant.
Cost
Budget $150,000-$400,000 for initial certification depending on scope. Annual surveillance costs $50,000-$100,000. Engineering time is the largest hidden cost.
Strategy for new vendors
- Design to the criteria from day one—do not retrofit
- Use FHIR R4 as your internal data model, not just an external API
- Build CQM logic into your reporting layer early
- Engage an ONC-ACB for a pre-assessment before formal submission
- Budget for at least one remediation cycle
The standard to hold
Certification is not a one-time event. It is an ongoing compliance obligation. Build your engineering processes to sustain it, not to work around it.