On December 29, 2025, the U.S. Department of Health and Human Services (“HHS”) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) published two proposed rules in the Federal Register:
- “Health Data, Technology, and Interoperability (“HTI”): Patient Engagement, Information Sharing, and Public Health Interoperability; Withdrawal” (the “Proposed Withdrawal”) and
- “Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions To Unleash Prosperity” (the “HTI-5 Proposed Rule”) (collectively, the “Proposed Rules”).
By clearing away certain unfinalized provisions from 2024’s “HTI-2: Patient Engagement, Information Sharing, and Public Health Interoperability” (the “HTI-2 Proposed Rule”), ASTP/ONC is “resetting” the certification criteria by removing criteria that are outdated or that duplicate other regulatory requirements, in order to reduce burden, offer flexibility to developers and providers, and support innovation.
In addition, the HTI-5 Proposed Rule addresses certain misuses of the Information Blocking exceptions, including: (1) removing the “third party seeking modification use” exception and either revising or removing the “manner exception exhausted” from the Infeasibility exception; (2) revising the “manner requested” condition in the Manner exception; and (3) removing the TEFCA Manner exception. ASTP/ONC also expanded the definitions of “Access” and “Use” to include the ability or means necessary to make electronic health information available for exchange or use, including, without limitation, by automation technologies (e.g., robotic process automation, agentic artificial intelligence), in anticipation of a more automated health care ecosystem where smart devices and apps can communicate to reduce friction, allowing patients to spend less time navigating the health care system and providers to provide better care for patients.
ASTP/ONC has encouraged the broader health care community to review the HTI-5 Proposed Rule in its entirety to fully understand the scope of the proposed changes, with stakeholder comments due by February 27, 2026. In addition, ASTP/ONC issued a request for information (RFI) on December 23, 2025, seeking input on the adoption and use of AI in clinical care, with comments due by February 23, 2026.
If you are interested in submitting comments on these important matters, please contact one of our authors or the EBG attorney with whom you regularly work.
Why Two Separate Proposed Rules?
In August 2024, building on the momentum of the January 2024 HTI-1 Final Rule, ASTP/ONC released the HTI-2 Proposed Rule, a sweeping 314-page document comprised of highly technical provisions (see EBG blog post here). Among other things, HTI-2 proposed to significantly expand the scope of the Health IT Certification Program; adopt USCDI v4 and new bulk Fast Healthcare Interoperability Resources (“FHIR”) capabilities; revise the information blocking regulation to add two new exceptions; and codify the regulatory governance structure for the Trusted Exchange Framework and Common Agreement (“TEFCA”) and Qualified Health Information Networks (“QHIN”).
ASTP/ONC took a measured approach and finalized only certain provisions of HTI-2, including: (1) codifying TEFCA; (2) strengthening the protections for reproductive health information; (3) modifying the Privacy and Infeasibility information blocking exceptions; and (4) modernizing electronic prior authorization, e-prescribing, and Real-time Prescription Benefit (“RTPB”) information. Withdrawing provisions of a Proposed Rule that were never finalized effectively removes the proposed rule from consideration and signals that it will not be finalized or take effect. A withdrawn proposal carries no legal weight, may not be relied upon, and would require the agency to restart the rulemaking process from the beginning if it later sought to reissue the proposed rule. Based on comments from stakeholders, ONC determined that certain elements of the HTI-2 Proposed Rule were not ready to be finalized or that they no longer align with the FHIR Forward Future agenda now reflected in HTI-5.
Out with the Old to Make Room for What’s Next: Changes to Certification Criteria for Health IT and Upcoming Shifts to FHIR
ASTP/ONC has proposed to revise seven (7), and remove thirty-four (34), of the sixty (60) existing electronic health records (“EHR”) certification criteria that ASTP/ONC determined had become obsolete and were “no longer necessary to advance interoperability,” leaving only nineteen (19) certification criteria in place. 90 Fed. Reg. 60973 (Dec. 29, 2025). The stated aim is to “transition to a FHIR-based API ecosystem” by prioritizing FHIR-based APIs and “aggressively reduc[ing] and remov[ing] longstanding functionality-oriented to document-based exchange and non-FHIR-based certification criteria.” 90 Fed. Reg. 60972 (Dec. 29, 2025).
Although, at first glance, the proposed changes may appear to dismantle a core pillar of ASTP/ONC’s regulatory framework, ASTP/ONC has outlined its rationale for updating technology standards to better support new technologies. Health information technology has advanced significantly, and many of the existing certification criteria have become outdated, duplicative, or misaligned with current capabilities. ASTP/ONC explains that it believes a shift toward FHIR-based frameworks has the potential to enable “better, faster, and more consistent ways to address emerging market needs” and aligns with CMS initiatives to move beyond read-only data exchange and to broaden the availability and usability of data to support efficiency and patient-centered care through the CMS Aligned Networks to “Make Health Tech Great Again.” Against this backdrop, ASTP/ONC proposed to retire certain legacy requirements, as illustrated by the following examples:
Certification criteria for Consolidated Clinical Document Architecture (“CDA”)
CDA is a technical standard designed to exchange entire static documents, which can result in the transmission of large volumes of patient records when only discrete data elements, such as specific laboratory results or vital signs, may be needed. In contrast, FHIR-based APIs enable the exchange of data rather than documents, allowing recipients to access only the specific data elements requested without having to leaf through lengthy records to locate relevant information.
United States Core Data for Interoperability (“USCDI”)
USCDI is a standardized set of data elements and groups that defines the core health information that must be shared to support interoperability and has been adopted across the ONC Health IT Certification Program. Because USCDI already establishes the baseline electronic health information that must be exchanged, separate EHR certification criteria addressing “care plans,” “family health history,” “implantable devices,” and broad “all data request” requirements have become overlapping, duplicative, and appropriate for removal. Under ASTP/ONC’s new framework, USCDI defines what data must be made available, while FHIR provides the technical standard for how that data is structured and exchanged through the Individual and Bulk Access API certification criteria that now apply to all certified EHRs.
Privacy and Security Certification Criteria
Notably, the thirteen (13) privacy and security Certification Criteria targeted by the HTI-5 Proposed Rule were not identified for removal due to any diminished emphasis by ASTP/ONC on the importance of safeguarding health information. Rather, ASTP/ONC recognized that, over the course of time, the privacy and security certification criteria that were intended to serve as a flexible industry-wide baseline for privacy and security compliance had increased in complexity and cost for both EHR developers and their customers, and had fostered a false sense of security that users of Certified EHRs were in compliance with the Health Insurance Portability and Accountability Act (HIPAA) just by virtue of using an EHR that was certified.
If It’s Broken, Fix It Fast!
With respect to information blocking, the HTI-5 Proposed Rule also seeks to address perceived gaps in the Information Blocking Manner exception and the TEFCA exception, which some stakeholders have argued create unnecessary complexity and friction when sharing electronic health information through alternative technical means. Specifically, the HTI-5 Proposed Rule would revise the definitions of “access” and “use” to clarify that those terms encompass automated methods of accessing, exchanging or using electronic health information, including through autonomous AI-enabled systems. The HTI-5 Proposed Rule would further modify the “manner requested” condition of the Manner Exception to narrow its availability when the requested manner is technically feasible using certified APIs and would eliminate the TEFCA Manner Exception in its entirety based on concerns that it has been misapplied and has not functioned as intended.
ASTP/ONC proposed these changes to the Manner Exception in response to stakeholder feedback indicating that aspects of the exception were not operating as expected. ASTP/ONC appears to be betting on a FHIR-forward future where interoperability can be achieved more organically, reducing reliance on enforcement mechanisms that often involve lengthy investigations and penalties imposed long after the alleged conduct.
The TEFCA exception was intended to incentivize participation. However, by most measures, TEFCA continues to gain momentum, and, given the robust TEFCA participation, the Sequoia Project, which serves as the Recognized Coordinating Entity for TEFCA and QHINs, sees the incentive as no longer necessary. In addition, in comments received in response to the CMS-ASTP/ONC Request for Information: Health Technology Ecosystem and the Federal Trade Commission’s Request for Public Comment Regarding Reducing Anti-Competitive Regulatory Barriers (FTC–2025–0028), concerns have been raised that the narrow TEFCA Manner Exception (applicable only to certain types of exchange) may create an unintended ceiling on future growth of TEFCA by discouraging participation by new entrants for whom other manners of access, exchange, or use of EHI will more efficiently support their innovative products and services. As a result, ASTP/ONC determined that refinement of how alternative manners are evaluated was necessary to prevent misuse of the exception and ensure that actors provide access in a manner that meaningfully supports interoperability.
What’s Next?
As we move into 2026, HHS is following through on its 2025 commitments to reduce what the agency views as burdensome regulatory requirements and government bureaucracy in order to ease compliance pressures on industry stakeholders. The HTI-5 Proposed Rule is intended to provide greater flexibility and foster innovation for both health IT developers and providers, while expanding access to electronic health information, promoting health information technology, and advancing the Trump administration’s objective of establishing a national policy framework for AI.
As we have noted previously, interoperability has never been simple. By demonstrating a willingness to retire certification criteria tied to legacy technologies, ASTP/ONC has taken a meaningful step toward positioning the health IT ecosystem for what comes next. While a FHIR-forward approach promises more efficient movement of patient data, FHIR remains a transport standard, and existing transaction standards of HIPAA were designed primarily for administrative and financial transactions. A more difficult challenge persists: breaking down entrenched data silos that confine clinical data within provider and payer systems. The next phase of interoperability policy must therefore look beyond the HIPAA and technology standards that have served as proxies for clinical data to ensure patients and providers can reliably access the right information at the right time, in the right context.
Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this post.