Understanding CEHRT Updates Under the 21st Century Cures Act

Priti PrabhaPriti Prabha Priti PrabhaonLeave a Comment on Understanding CEHRT Updates Under the 21st Century Cures Act

What is CEHRT and Why It Matters in 2025 

Certified Electronic Health Record Technology (CEHRT) is the standard that defines whether an EHR system meets federal requirements for data exchange, privacy, and clinical functionality. Healthcare organizations that depend on electronic systems to manage patient care, and EHR vendors building those systems, CEHRT is the benchmark that guides development and certification. 

When the Final Rule of the 21st Century Cures Act came into play in May 2020, it didn’t just tweak a few policies — it restructured the foundation of how EHR systems needed to function. From the way data is shared across systems to the formats that define structured health information, the goal was clear: make patient data more accessible and portable, without compromising on privacy or accuracy. 

Fast forward to today, and the changes haven’t stopped. The criteria that defined CEHRT five years ago are no longer enough. Vendors are expected to track updates to USCDI versions, build for FHIR-based APIs, support EHI export, and stay aligned with how the ONC interprets information blocking. Falling behind doesn’t just mean non-compliance — it risks product viability in a competitive and highly regulated market. 

This blog looks at what changed in 2020, how it reshaped CEHRT, and what’s required in 2025 to keep pace. 

A Quick Recap: The 2020 Cures Act Final Rule and Its Initial Impact on CEHRT 

CEHRT Evolution Timeline_ 2015 → 2025

CEHRT Evolution Timeline_ 2015 → 2025When the 21st Century Cures Act Final Rule took effect in 2020, it redefined what developers needed to prioritize in their EHR systems. The ONC introduced sweeping updates to the 2015 Edition Health IT Certification Criteria, directly influencing how CEHRT would be evaluated going forward.

These updates weren’t cosmetic. They realigned the certification criteria with a broader vision — nationwide interoperability, patient-controlled access, and secure, standardized data exchange. To make room for this, the ONC reorganized the certification structure into three key areas:

Time-Limited and Removed Criteria 

Some criteria were marked for removal because they were either redundant or soon to be covered under new standards like USCDI or EHI Export. Others became non-mandatory, serving as placeholders during the transition. This move was designed to reduce the certification burden on developers and streamline the roadmap for future functionality. 

Examples of removed or time-limited criteria: 

  • Problem List, Medication List, and Allergy List 
  • Smoking Status 
  • Common Clinical Data Set Summary Record 
  • Drug Formulary and Preferred Drug List 
  • Application Access 
  • Data Export 

Many of these functionalities weren’t eliminated entirely — they were folded into broader, updated categories to prevent overlap and promote consistency. 

Revised Criteria 

Several existing certification criteria were revised to improve alignment with the Cures Act’s goals, particularly around security, data integrity, and interoperability. These updates demanded more precise handling of clinical information and added technical specificity for vendors. 

Notable revisions included: 

  • Security tagging for the summary of care 
  • Updates to Clinical Quality Measures (CQMs) 
  • Integration of ASTM healthcare standards 
  • Adjustments to application access protocols 

These changes served to close loopholes, make expectations clearer, and push vendors toward more structured, future-ready systems. 

New Criteria 

Entirely new certification requirements were added to reflect the changing expectations around data sharing and accessibility. The emphasis was on API access, patient data portability, and standardized export of health information.

Key additions included: 

  • Electronic Health Information (EHI) Export
  • Standardized APIs based on FHIR
  • Electronic Prescribing enhancements

These new criteria were central to the ONC’s vision — enabling patients to access their data electronically, developers to build interoperable apps, and providers to exchange data with fewer limitations. 

CEHRT Compliance in 2025: What Has Changed Since 2020 

Over the past few years, the expectations tied to CEHRT have deepened. It’s no longer enough to meet the minimum. ONC’s focus has shifted toward ongoing conformity, not one-time certification. What this means for HIT vendors is simple: the bar keeps moving, and so must your systems. 

USCDI: From v1 to v4 (and beyond) 

In 2020, the United States Core Data for Interoperability (USCDI) was still in its early phase. Today, most certified EHRs are expected to align with USCDI v3 or v4, depending on the timeline of their updates. Each new version expands the scope of standardized data classes — from sexual orientation and gender identity to social determinants of health and clinical notes. 

If your EHR still builds around USCDI v1 or v2, you’re likely behind on multiple data exchange expectations. 

EHI Export: From Feature to Requirement 

Initially introduced as a new capability, electronic health information (EHI) export became a critical compliance feature. What started as a concept to support patient access is now a formal part of ONC’s certification requirements. Developers must support complete patient data exports — not just summaries — in a format that allows for data portability across systems.

For vendors, this means rethinking how data is structured and ensuring it can move without relying on proprietary formats or middleware. 

API Requirements: Now with Teeth 

FHIR-based APIs were a focus in 2020, but enforcement was lenient. That’s changed. As of 2023, certified health IT modules must meet updated API certification criteria, including support for standardized endpoints, dynamic registration, and patient-facing app access. ONC has increased pressure on vendors to improve API availability, usability, and reliability.

Third-party integrations and SMART on FHIR applications are now central to CEHRT. Poor API design isn’t just a product flaw — it can be a compliance risk. 

Information Blocking: Enforcement is Here 

The concept of information blocking started as a policy principle. In 2025, it will have enforcement mechanisms behind it. The HHS Office of Inspector General (OIG) has started issuing fines for non-compliance, and healthcare organizations are becoming more cautious about the vendors they choose.

CEHRT certification is now closely tied to how you handle patient access, data sharing requests, and system openness. Delays or denials without clear exceptions can put vendors in regulatory crosshairs. 

Key Criteria Explained – What’s In, What’s Out 

The 2015 Edition Certification Criteria was restructured to make way for smarter, more relevant compliance measures. But as of 2025, the criteria introduced by the Cures Act Final Rule have themselves evolved. Some were sunset, others have been modified to stay useful, and a few have become central to what CEHRT means today. 

Below is a breakdown of where things stand now: 

Criteria That Were Retired or Phased Out 

These are the criteria that were either formally removed or deprioritized as overlapping features were absorbed into broader standards. Their removal was less about loss of function and more about streamlining. 

  • Problem, Medication, and Allergy Lists – Folded into more flexible, USCDI-based data representations. 
  • Smoking Status – Replaced by broader health behavior categories under USCDI updates. 
  • Common Clinical Data Set (CCDS) Summary Record – Superseded by USCDI and more flexible FHIR-based structures. 
  • Drug Formulary and Preferred Drug List – Deprioritized due to more advanced e-prescribing modules. 
  • Data Export – Absorbed by the more comprehensive EHI Export requirement.
  • Application Access – Rewritten under FHIR API expectations.

These elements aren’t obsolete in practice, but they’re no longer separate checkpoints in the CEHRT framework. 

Criteria That Were Revised 

Some original criteria remain relevant but have been tightened to reflect the ONC’s updated technical expectations. These aren’t new, but how they’re implemented now looks different. 

  • Security Tagging – More prescriptive definitions tied to sensitive health data types and patient-level privacy controls. 
  • Clinical Quality Measures (CQMs) – Updated to reflect the evolving standards for outcomes reporting and integration with external quality reporting programs. 
  • ASTM Standards – Still part of data structuring rules, but now applied in more nuanced ways as FHIR takes on a dominant role. 
  • Application Access – Moved from open-ended access to clearly defined SMART on FHIR app integration, with technical performance expectations. 

These revised criteria reflect the ONC’s push for precision over broad compliance — vendors are expected to implement these with real-world usability in mind. 

Criteria That Became Core in 2025 

The criteria added in 2020 have now matured into pillars of CEHRT. These aren’t just required — they define the new competitive baseline. 

  • EHI Export – No longer just a compliance check; now a signal of vendor transparency and data portability readiness. 
  • Standardized FHIR APIs – Mandatory and closely scrutinized, especially with the rise of patient-facing health apps. 
  • Electronic Prescribing Enhancements – Encompasses both drug interaction checks and support for real-time benefit tools (RTBT) under payer integrations. 

For HIT vendors, these are now non-negotiable. Falling short doesn’t just put certification at risk — it weakens your product’s standing in a market where buyers are increasingly informed and compliance-savvy. 

Common Roadblocks in Meeting CEHRT Requirements 

Even with a clear checklist from the ONC, many vendors struggle to align their systems with CEHRT expectations. The challenges aren’t just technical — they often come down to interpretation, coordination, and timing. 

  1. Ambiguity Around EHI Scope

Understanding what qualifies as Electronic Health Information (EHI) isn’t always straightforward. Some vendors over-interpret it and build features they don’t need; others miss critical elements. The lack of consistent definitions across provider settings adds to the confusion. 

  1. Legacy Architecture Limitations

Older systems, especially those not designed for modular upgrades, often hit a wall when trying to support FHIR APIs or structured data exports. Retrofitting can take more effort than rebuilding, and many vendors aren’t prepared for that. 

  1. Gaps in Testing and Validation

Passing the certification test isn’t the same as building something that performs well in real-world conditions. Vendors sometimes neglect usability, security testing, or compatibility with third-party apps, which leads to issues post-certification. 

  1. Poor Documentation Practices

Maintaining traceable documentation for CEHRT criteria is still a weak point. Without it, audits become difficult, and internal teams lose visibility into how specific features meet compliance requirements. 

  1. Misalignment Between Product and Compliance Teams

When product development and compliance aren’t in sync, features are either delayed or implemented in a way that doesn’t satisfy certification goals. For smaller vendors, this disconnect is especially common. 

The Road Ahead for EHR Developers 

In 2025, it’s a continuous process shaped by shifting rules, technical updates, and tighter scrutiny. Staying certified now means vendors must be adaptable, well-informed, and ready to revise their systems with little notice. 

The pace of regulatory change makes it risky to rely on reactive fixes. Instead, vendors need structured strategies for monitoring updates, planning development cycles around them, and validating features well before deadlines hit. 

Proactive compliance planning is safer and adds a competitive advantage. Vendors that build with current and future CEHRT expectations in mind are more likely to win trust from provider networks and healthcare organizations that don’t want to deal with last-minute gaps. 

How Nalashaa Healthcare Solutions Can Help 

Navigating CEHRT updates calls for domain understanding, regulatory awareness, and the ability to build for change. That’s where Nalashaa comes in. 

We help EHR vendors: 

  • Interpret CEHRT criteria correctly, including USCDI and EHI export requirements 
  • Upgrade legacy systems to support FHIR APIs and modular certification 
  • Design and test features aligned with ONC expectations 
  • Streamline certification prep with documentation and audit readiness 

With deep expertise in healthcare data solutions and a decade of experience working with HIT vendors, we make CEHRT compliance part of your product roadmap. 

If you’re building or maintaining a CEHRT-certified solution, we’d be glad to help. Connect with us at info@nalashaa.com. Learn more about updates on CEHRT from our webinar. 

The following two tabs change content below.
Priti PrabhaPriti PrabhaPriti Prabha

Priti Prabha

Priti is a marketing enthusiast with a keen interest in digital advancements. She finds immense joy in crafting impactful content that addresses challenges and spreads awareness in the healthcare sector. Her work consistently showcases how technology aligns with value-based care to improve patient outcomes and operational efficiencies. When not immersed in content writing, Priti enjoys geeking out on pop music or delving into the latest tech magazines.
Priti PrabhaPriti PrabhaPriti Prabha

Latest posts by Priti Prabha (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *