In December 2025, the U.S. Department of Health and Human Services released the Health Data, Technology, and Interoperability: commonly referred to as HTI-5.
The proposal represents one of the most significant structural changes to the ONC Health IT Certification Program in several years and signals a notable shift in how federal regulators intend to shape the program moving forward. HTI-5 outlines three primary goals:
- The first is to reduce regulatory burden on health IT developers by eliminating certification requirements that regulators view as redundant or no longer necessary.
- The second is to update information blocking regulations in ways intended to strengthen and protect patient access to electronic health information.
- The third goal is to establish a clearer foundation for the next phase of interoperability by supporting the growth of FHIR-based APIs and the emergence of AI-enabled data exchange technologies.
The scale of the proposed changes is substantial. Of the 60 certification criteria that currently exist within the ONC Health IT Certification Program, ASTP/ONC proposes removing 34 entirely and revising an additional seven. In practical terms, that means nearly 70 percent of the program’s existing requirements could be affected in some way.
It is important to emphasize that HTI-5 is still a proposed rule and has not yet been finalized. The public comment period closed on February 27, 2026, but ASTP/ONC has not issued a final rule at this time. As a result, Health IT developers should approach planning with that uncertain reality in mind, building flexibility into roadmaps, until a final rule is issued.
What Is ASTP/ONC Proposing to Remove From the Certification Program?
ASTP/ONC proposes removing 34 of the program’s 60 certification criteria.
Among the criteria proposed for removal are those governing CDA-based document exchange. ASTP/ONC views these requirements as largely superseded by the growing adoption of FHIR-based interoperability approaches:
- Clinical Information Reconciliation and Incorporation (§ 170.315(b)(2))
- Security Tags — Summary of Care — Send (§ 170.315(b)(7))
- Security Tags — Summary of Care — Receive (§ 170.315(b)(8))
- Care Plan (§ 170.315(b)(9))
- Consolidated CDA Creation Performance (§ 170.315(g)(6))
Also proposed for removal are criteria governing legacy transport protocols that ASTP/ONC considers superseded by the shift to a FHIR-first regulatory environment, including Direct Project (§ 170.315(h)(1)) and Direct Project, Edge Protocol, and XDR/XDM (§ 170.315(h)(2)).
Privacy and security certification criteria are also proposed for removal. This represents a notable shift, as these criteria have historically served as a baseline conformity check for capabilities such as authentication, encryption, and audit logging within certified products:
- Authentication, Access Control, Authorization (§ 170.315(d)(1))
- Auditable Events and Tamper-Resistance (§ 170.315(d)(2))
- Audit Report(s) (§ 170.315(d)(3))
- Amendments (§ 170.315(d)(4))
- Automatic Access Time-Out (§ 170.315(d)(5))
- Emergency Access (§ 170.315(d)(6))
- End-User Device Encryption (§ 170.315(d)(7))
- Integrity (§ 170.315(d)(8))
- Trusted Connection (§ 170.315(d)(9))
- Auditing Actions on Health Information (§ 170.315(d)(10))
- Accounting of Disclosures (§ 170.315(d)(11))
- Encrypt Authentication Credentials (§ 170.315(d)(12))
- Multi-Factor Authentication (§ 170.315(d)(13))
Additional criteria identified for removal include family health history, audit reports, multifactor authentication as a standalone certification requirement, safety-enhanced design, and accessibility-centered design. The full list of proposed removals and revisions, including effective dates, is available in the HTI-5 Proposed Rule Chart.
It is important to understand what the removal of a certification criterion actually means in practice. Eliminating a criterion does not imply that the underlying capability has become unimportant or obsolete. Instead, it means that the ONC Health IT Certification Program would no longer require formal certification testing against that specific requirement. Developers and healthcare organizations may still choose to implement these capabilities as part of their product design or operational practices.
In many cases, other regulatory obligations, contractual expectations, or market demands may continue to encourage or require their use. In other words, the proposed removals narrow the scope of what ASTP/ONC formally certifies, but they do not eliminate the broader clinical, security, or operational expectations associated with these functions.
What Certification Criteria Are Being Revised?
Seven criteria are proposed for revision rather than outright removal. While the full list includes criteria governing areas such as transitions of care and clinical quality measures, the most consequential revision targets the Decision Support Interventions criterion at 45 CFR § 170.315(b)(11).”
Under requirements introduced by the HTI-1 Final Rule, health IT developers supplying predictive decision support interventions, including AI-based clinical decision support tools, are required to provide detailed source attribute information, sometimes referred to as “model card” transparency requirements. These disclosures are intended to give healthcare organizations visibility into how AI tools were developed, trained, and validated.
HTI-5 proposes to remove the model card requirements from the DSI criterion.
Given that the proposed rule is not yet final, developers should not remove existing implementations in anticipation of this change. The appropriate response is to monitor the rulemaking process and plan accordingly.
What Criteria Are Staying?
ASTP/ONC proposes to retain 19 certification criteria without change. This group is significant because it defines where the program’s future focus lies.
The retained criteria include all certification criteria adopted in the HTI-4 Final Rule, published August 2025. HTI-4 introduced certification requirements for electronic prior authorization, specifically the Prior Authorization API criteria at §§ 170.315(g)(31), (g)(32), and (g)(33). These new ePA criteria are not being touched by HTI-5, reflecting ASTP/ONC’s position that electronic prior authorization is a priority for reducing administrative burden on providers.
The FHIR Standardized API criterion at § 170.315(g)(10) is also retained. This criterion is the backbone of the program’s API-first direction and the foundation on which ASTP/ONC plans to build future requirements. Developers should treat this criterion, and the ePA API criteria, as the stable core of the certification program moving forward.
The retention of these criteria sends a clear signal: the proposed deregulation is not a retreat from interoperability. It is a pruning of legacy requirements to clear space for a FHIR-forward, API-centric program.
What is Changing for Real-World Testing and Insights Reporting?
Two Conditions and Maintenance of Certification requirements are proposed for significant descoping: Real World Testing and Insights reporting.
The ASTP/ONC recently issued an enforcement discretion stating developers are not expected to submit real world test (RWT) plans to their ONC-ACB. HTI-5 proposes to eliminate the plan submission altogether and narrow RWT results reporting to API-focused criteria only, specifically (g)(10) and the new Prior Authorization API criteria (g)(31)-(g)(33). For non-API criteria, reporting would shift to the voluntary Standards Version Advancement Process.
On Insights reporting, HTI-5 proposes to make permanent the enforcement discretion ASTP/ONC issued in April 2025, which limited collection and reporting requirements to a single measure: use of FHIR in apps through certified health IT. The prior HTI-1 requirement had covered seven separate measures. The proposed rule would codify the narrower scope.
The operational implication is a shift away from broad-spectrum reporting and toward targeted, API-specific performance data.
What Are the Proposed Information Blocking Changes?
While the certification criteria changes get most of the attention, HTI-5 also proposes significant updates to information blocking regulations under 45 CFR part 171. The proposals address three specific exceptions that ASTP/ONC believes are being misused or are no longer necessary:
- First, the “third party seeking modification use” exception, which allowed EHR developers to limit write access by third parties, is proposed for removal.
- Second, the “manner exception exhausted” condition within the Infeasibility exception is proposed for revision or elimination, with ASTP/ONC noting that the existing language is subject to manipulation.
- Third, the TEFCA Manner Exception at § 171.403 is proposed for complete removal.
On the TEFCA Manner Exception specifically: this provision previously allowed actors to limit information sharing to TEFCA-connected channels under certain conditions. ASTP/ONC now considers the exception unnecessary given TEFCA’s maturation, and argues it may actually be discouraging participation by new entrants for whom other exchange methods would better support innovative products and services.
HTI-5 also proposes updating the definitions of “access” and “use” under the information blocking regulations to explicitly include automated means, including agentic AI systems. This change signals ASTP/ONC’s intent to ensure the information blocking framework keeps pace with increasingly automated health data exchange, where AI-enabled tools request and process electronic health information without direct human intermediation.
The directional message of the information blocking proposals is consistent: fewer variables for blocking patient data access, and explicit inclusion of AI-driven data flows within the scope of the regulation.
The Road Ahead for ASTP/ONC Certification
ASTP/ONC describes HTI-5 as a reset, an opportunity to clear the program’s legacy requirements and establish a cleaner foundation for what comes next. The direction of that foundation is unmistakable: FHIR-based APIs, standards-based interoperability, and AI-enabled data exchange.
As part of HTI-5, ASTP/ONC proposes to adopt USCDI version 3.1, which includes a codification of the agency’s March 2025 enforcement discretion for noncompliant USCDI v3 data sets that lack the capability to designate sexual orientation or gender identity. This is a relatively narrow standards update but reflects ongoing maintenance of the United States Core Data for Interoperability.
The practical takeaway for developers: the certification program is becoming leaner on legacy functional requirements and sharper on FHIR API performance and interoperability outcomes.
What Should Health IT Developers Do Now?
HTI-5 is a proposed rule. The first and most important action is to understand what that means for planning purposes: the proposals are not final, and developers should not remove implementations or modify their certification footprint in anticipation of changes that have not yet been codified.
With that baseline established, there are several productive steps developers can take right now. First, review your current certification criteria footprint against the proposed removals and revisions. Identify which criteria in your program are proposed for removal, which are proposed for revision, and which are retained. This assessment provides the basis for roadmap planning under multiple scenarios.
Second, pay particular attention to the retained criteria, especially § 170.315(g)(10) and the electronic prior authorization API criteria from HTI-4. These are the areas where certification requirements are not going away and where investment is clearly aligned with the program’s future direction.
Third, monitor the rulemaking process. As the comment period is closed the ASTP/ONC is now reviewing comments submitted and working towards a final rule. The timeline for finalization has not been announced. Any developer building a multi-year product roadmap should build in flexibility for scenarios where the final rule differs from what was proposed.
Developers who are new to ASTP/ONC certification, or whose teams have experienced recent turnover, may also benefit from structured education on the certification program’s current requirements and how the proposed changes affect the path to certification. Understanding the program thoroughly before beginning formal testing reduces the risk of costly rework and delays.
Developers with questions about how the proposed HTI-5 changes impact their certification can learn more through Drummond’s ONC Health IT Certification and ONC Compliance Learning Series.