ASTP/ONC Proposed Rule: Health Data, Technology, and Interoperability — Deregulatory Actions to Unleash Prosperity


In late December 2025, ASTP/ONC released a Notice of Proposed Rulemaking (NPRM) titled Health Data, Technology, and Interoperability: Deregulatory Actions to Unleash Prosperity. The proposal signals a major reset of the federal health IT regulatory framework, particularly the ONC Health IT Certification Program and selected information blocking provisions.

ASTP/ONC frames the rule as part of a broader effort to reduce regulatory burden on health care providers and developers so that providers can focus more directly on preventing and treating chronic disease. Central to this approach is a decision to scale back long-standing, functionality-oriented certification requirements and reset the Certification Program around a FHIR-enabled future, positioning APIs and standards-based exchange as the foundation for the next phase of interoperability.

At the same time, the rule reinforces a firm expectation that electronic health information must remain accessible—particularly through automated and AI-enabled means. While federal oversight of how technology is designed and certified would be reduced, tolerance for restrictions on access, exchange, and use of patient data would also narrow.

For Civitas and its members, this combination is consequential. Many federal and state initiatives continue to assume high levels of interoperability maturity, trust, and reliability, even as this proposal scales back the federal guardrails that have historically supported those outcomes. As a result, governance, coordination, and shared norms across networks may play an increasingly central role in sustaining trust and alignment in the data sharing ecosystem.

What the Rule Proposes — High-Level Overview

The proposed rule makes targeted but consequential changes to the federal health IT regulatory framework, primarily affecting the ONC Health IT Certification Program and the information blocking regulations under 45 CFR Part 170.

At a high level, the NPRM would eliminate or revise a majority of existing ONC certification criteria (34 of 60), codify enforcement discretion policies that have been in effect for several years, and remove select certification requirements related to clinical decision support and AI. In parallel, the rule revises information blocking definitions and exceptions to better accommodate automated, system-to-system data use.

Collectively, these changes reduce the scope of prescriptive certification requirements while sharpening expectations around data availability and use. Oversight shifts away from detailed functional requirements embedded in certification and toward post-market mechanisms, standards-based exchange, and downstream accountability.

Reset of the ONC Health IT Certification Program

Reduction in Certification Criteria

As part of the proposed reset of the Certification Program, ASTP/ONC proposes to eliminate or revise a substantial portion of existing certification criteria (see Appendix for full list of criteria). The intent is to narrow certification to core interoperability capabilities and reduce prescriptive requirements related to technology design and functionality.

Key changes include the elimination or revision of certification criteria related to:

  • Safety-enhanced and user-centered design
  • Accessibility considerations
  • Audit and reporting functionality
  • Certain security-related requirements
  • Specific data capture and workflow expectations, such as family health history

ASTP/ONC argues that these requirements are outdated, duplicative of other regulatory regimes, or better addressed through market competition rather than federal certification.

Implication: Certification would become a more limited signal—focused primarily on baseline interoperability and API capability rather than broader indicators of usability, safety, or operational maturity. Stakeholders that have relied on certification as a proxy for readiness may need to recalibrate how they assess technology capabilities.

Permanent Enforcement Discretion

In addition to reducing certification criteria, the proposal would codify several enforcement discretion policies that ASTP/ONC has applied in recent years. These changes formalize a longer-term shift in how the certification program is overseen.

Key elements include:

  • Narrowing performance reporting requirements to focus on FHIR-based measures
  • Reduced enforcement related to real-world testing and certain attestation obligations
  • Greater reliance on voluntary standards processes, rather than regulatory mandates
  • Limited retrospective enforcement tied to prior compliance deadlines

Implication: Federal oversight increasingly emphasizes flexibility and burden reduction, with fewer built-in guardrails at the point of certification. As a result, accountability for ensuring consistent implementation, quality, and reliability may shift downstream to providers, networks, and other ecosystem actors.

AI and Clinical Decision Support: Reduced Federal Guardrails

One of the more consequential aspects of the proposal is the removal of certification requirements related to clinical decision support (CDS) transparency, including expectations that developers disclose information about algorithms, data sources, and limitations. This represents a rollback of one of the few existing federal mechanisms aimed at promoting transparency and accountability for AI-enabled clinical tools embedded in certified health IT.

Implication: Responsibility for evaluating AI safety, bias, and appropriateness increasingly shifts to providers, networks, and purchasers—often without standardized disclosure.

Changes to the Information Blocking Framework

While the proposed rule is broadly deregulatory, it takes a more assertive posture with respect to information blocking. ASTP/ONC uses this section of the NPRM to clarify expectations around data access in an environment increasingly characterized by automated, system-to-system, and AI-enabled use.

The NPRM clarifies that “access,” “exchange,” and “use” of electronic health information (EHI) explicitly include automated, system-to-system, and AI-driven processes. This clarification is intended to support emerging use cases such as algorithmic analysis, population-level insights, and real-time decision support.

At the same time, ASTP/ONC proposes to narrow or remove certain information blocking exceptions that have been used to justify contractual, technical, or operational restrictions on data access.

Implication: Even as federal oversight of technology design and certification requirements is reduced, expectations that electronic health information be made available—particularly for automated and AI-enabled use—become more explicit. Responsibility for data quality, context, and appropriate use increasingly shifts to downstream actors such as providers, networks, and data sharing organizations.

Data Standards Update: Adoption of USCDI Version 3.1

ASTP/ONC proposes to adopt United States Core Data for Interoperability (USCDI) Version 3.1 as the updated baseline data standard for certified health IT.

Key elements of this update include:

  • Adoption of USCDI Version 3.1 as the required baseline standard for certification
  • Removal or modification of data elements related to sex, sexual orientation, and gender identity, consistent with the direction set forth in Executive Order 14168

Although framed as a technical standards update, changes to USCDI define what information is considered “core” for exchange across the health care system. As the certification program narrows and federal guardrails are reduced, standards decisions play a more central role in shaping what data is prioritized, exchanged, or omitted.

Implication: Changes to USCDI carry heightened policy and governance significance in a more deregulatory environment. For networks and data sharing organizations, shifts in the federal baseline can affect data consistency, longitudinal records, analytics, and trust—particularly where state requirements, program expectations, or community needs diverge from federal definitions of core data.

Withdrawal of Remaining HTI-2 Proposals

In conjunction with the HTI-5 NPRM, ASTP/ONC also issued a notice formally withdrawing the remaining unfinalized proposals from the HTI-2 proposed rule published in 2024. This action clarifies which policy directions are no longer under active consideration as part of the current regulatory agenda. By formally withdrawing these proposals, ASTP/ONC signals a narrowing of near-term federal ambitions related to data expansion, imaging exchange, and certain privacy and security enhancements within the certification framework.

Withdrawn proposals include:

  • Adoption of United States Core Data for Interoperability (USCDI) Version 4, and corresponding updates to the Health IT Certification Program to implement USCDI v4
  • Certification program changes to support access, exchange, and use of diagnostic images, including imaging links, computerized provider order entry, and public health data exchange
  • Privacy and security proposals related to encryption and decryption of electronic health information (EHI), including requirements for encryption of authentication credentials

Implication: The withdrawal of these proposals reinforces the deregulatory posture of the current rulemaking and removes several areas that stakeholders may have anticipated as future federal priorities. For networks and data sharing organizations, this may shift responsibility for advancing imaging exchange, expanded data classes, and certain privacy and security practices away from federal certification and toward voluntary standards, state policy, or network-level governance.

Strategic Implications for Civitas and Members

This proposal reinforces several trends Civitas members are already navigating:

  • Fewer federal guardrails do not eliminate the need for governance. As certification requirements recede, networks may need to fill gaps related to trust, consent, data quality, and responsible use.
  • Interoperability accountability may shift from regulators to networks. HIEs and multi-stakeholder collaboratives could play a larger role in setting expectations, norms, and safeguards.
  • AI-enabled access increases risk as well as opportunity. Expanded access definitions support innovation, while heightening concerns about consent, secondary use, and transparency.
  • Variation across the ecosystem may increase. With less prescriptive federal guidance, implementation may diverge across vendors, states, and networks.

Next Steps

The NPRM is subject to a public comment period through February 27, 2026. Civitas intends to submit comments on behalf of its members and will collect member input through a targeted feedback request and a virtual listening session during the first week of February, with written input requested by February 10th to inform the consolidated response.

Appendix: Proposed Removals or Revisions of Certification Criteria

| Certification Criteria | Reference | Remove/Revise | Timing |
|---|---|---|---|
| Patient demographics and observations | § 170.315(a)(5) | Revise | Effective date of final rule |
| Clinical decision support | § 170.315(a)(9) | Remove | Effective date of final rule |
| Family health history | § 170.315(a)(12) | Remove | Effective January 1, 2027 |
| Implantable device list | § 170.315(a)(14) | Remove | Effective date of final rule |
| Transitions of care | § 170.315(b)(1) | Revise | Effective January 1, 2027 |
| Clinical information reconciliation and incorporation | § 170.315(b)(2) | Remove | Effective January 1, 2027 |
| Security tags – summary of care – send | § 170.315(b)(7) | Remove | Effective date of final rule |
| Security tags – summary of care – receive | § 170.315(b)(8) | Remove | Effective date of final rule |
| Care plan | § 170.315(b)(9) | Remove | Effective date of final rule |
| Decision support interventions | § 170.315(b)(11) | Revise | Effective date of final rule |
| Clinical quality measures — report | § 170.315(c)(3) | Revise | Effective date of final rule |
| Clinical quality measures — filter | § 170.315(c)(4) | Remove | Effective January 1, 2027 |
| Authentication, access control, authorization | § 170.315(d)(1) | Remove | Effective date of final rule |
| Auditable events and tamper-resistance | § 170.315(d)(2) | Remove | Effective date of final rule |
| Audit report(s) | § 170.315(d)(3) | Remove | Effective date of final rule |
| Amendments | § 170.315(d)(4) | Remove | Effective date of final rule |
| Automatic access time-out | § 170.315(d)(5) | Remove | Effective date of final rule |
| Emergency access | § 170.315(d)(6) | Remove | Effective date of final rule |
| End-user device encryption | § 170.315(d)(7) | Remove | Effective date of final rule |
| Integrity | § 170.315(d)(8) | Remove | Effective date of final rule |
| Trusted connection | § 170.315(d)(9) | Remove | Effective date of final rule |
| Auditing actions on health information | § 170.315(d)(10) | Remove | Effective date of final rule |
| Accounting of disclosures | § 170.315(d)(11) | Remove | Effective date of final rule |
| Encrypt authentication credentials | § 170.315(d)(12) | Remove | Effective date of final rule |
| Multi-factor authentication | § 170.315(d)(13) | Remove | Effective date of final rule |
| View, download, and transmit to 3rd party | § 170.315(e)(1) | Revise | Effective date of final rule |
| Patient health information capture | § 170.315(e)(3) | Remove | Effective January 1, 2027 |
| Transmission to cancer registries | § 170.315(f)(4) | Remove | Effective January 1, 2027 |
| Transmission to public health agencies — electronic case reporting | § 170.315(f)(5) | Revise | Effective date of final rule |
| Transmission to public health agencies — antimicrobial use and resistance reporting | § 170.315(f)(6) | Revise | Effective date of final rule |
| Transmission to public health agencies — health care surveys | § 170.315(f)(7) | Remove | Effective January 1, 2027 |
| Automated numerator recording | § 170.315(g)(1) | Remove | Effective January 1, 2027 |
| Automated measure calculation | § 170.315(g)(2) | Remove | Effective January 1, 2027 |
| Safety-enhanced design | § 170.315(g)(3) | Remove | Effective date of final rule |

Source: ASTP/ONC
