ASTP/ONC's Year-End Moves Mark a Strategic Pivot in Federal Health IT Policy

The Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) closed out 2025 with a flurry of actions that together mark a sharp pivot in federal health information technology (IT) policy. The changes underscore a broader deregulatory approach aimed at easing compliance burdens while prioritizing interoperability and data access through standardized application programming interfaces (APIs).

On December 19, 2025, ASTP/ONC released a Request for Information (RFI) seeking broad public input on how the U.S. Department of Health and Human Services (HHS) can accelerate the adoption and use of artificial intelligence (AI) in clinical care. According to ASTP/ONC, responses will inform future approaches to regulation, reimbursement, and research and development (R&D) for clinical AI.

On regulation, HHS signals interest in a clear, risk-based framework that protects patients and health information while seeking feedback on regulatory, payment and programmatic changes – including governance, liability, evaluation and interoperability – that could better support AI use. On reimbursement, HHS acknowledges shortcomings in legacy fee-for-service systems and requests input on payment reforms that would incentivize high-value AI, promote competition and improve affordability and access. Finally, HHS seeks recommendations on targeted R&D investments, including public-private partnerships, to help integrate AI into care delivery and create sustainable long-term market opportunities.

Comments are due by February 23, 2026.

That RFI was followed by updated information blocking FAQs, clarifying:

• revenue sharing arrangements
• the role of a "requestor" under the Manner Exception
• the scope of electronic health information (EHI) required to satisfy the Manner Exception
• whether interference with automation technologies implicates information blocking rules

Given the industry's rapid adoption of digital health automation to increase operational efficiencies, the automation technology FAQs signal the need for additional attention by healthcare providers and health IT vendors implementing processes to access and exchange data through automated tools for scheduling, records exchange, coding analytics and the other applications for these tools.

On December 22, 2025, ASTP/ONC then layered on two proposed rules that would unwind major portions of an unfinished health IT rulemaking from the prior administration and materially scale back the federal health IT certification program.

HTI-2 Withdrawal Proposal

The HTI-2 Withdrawal proposal would eliminate the non-finalized elements of ONC's August 2024 interoperability proposal, which sought to expand data exchange among payers, public health agencies and providers and to establish voluntary certification pathways for payer and public health IT tools under the 21st Century Cures Act.

ONC finalized only limited elements of that rule in December 2024, focused on privacy and information blocking. View more information on the final HTI-2 regulations. The new proposal would withdraw remaining HTI-2 proposals related to U.S. Core Data for Interoperability (USCDI), including proposals to adopt the USCDI standard v4, establish an expiration date for USCDI v3 and update certain USCDI certification criteria. The rule also proposes to withdraw remaining HTI-2 proposals related to Standards for Encryption and Decryption of Electronic Health Information, including proposals to adopt the updated version of Annex A of the Federal Information Processing Standards 140-2 and establish an expiration date of January 1, 2026, to the FIPS 140-2 (October 8, 2014) version of the standard.

Additionally, the proposed rule would withdraw HTI-2 proposals related to Public Health Data Exchange and Infeasibility Exception – Responding to Requests Condition, among others. The non-finalized provisions of the HTI-2 proposed rule would be withdrawn as of the date of publication on Federal Register. The agency cites cost, complexity and lack of clarity as justifications.

HTI-5 Deregulatory Proposal

Separately, ASTP/ONC released HTI-5: Deregulatory Actions to Unleash Prosperity, framed as consistent with President Donald Trump's January 31, 2025, executive order directing agencies to reduce regulatory burdens. The proposal, known as HTI-5, the fifth iteration of the Health Data, Technology, and Interoperability rulemaking, marks one of the most consequential shifts in federal health IT policy in years.

ASTP/ONC identifies three primary objectives in HTI-5, each aimed at streamlining compliance while strengthening data access and interoperability. These include 1) reducing burden in the Health IT Certification Program, 2) revisiting the information blocking regulatory framework by proposing to revise or remove certain definitions, conditions and exceptions that have been susceptible to misuse or overbroad interpretation, and 3) reorienting the Certification Program around FHIR-based APIs and modern interoperability standards.

First, ASTP/ONC proposes the removal of 34 of 60 certification criteria and revision of seven others – altering nearly 70 percent of existing requirements. Some of the certification criteria proposed for removal include clinical decision support, family health history, multifactor authentication and audit reports. Of the certification criteria proposed for removal, 24 would be eliminated as of the date of publication of the final rule, including certification criteria for clinical decisions support to remove "model card" requirements such as source attributes and predictive risk management. The remaining would be removed on January 1, 2027, including certification criteria for family health history. Patient demographics requirements would also be rolled back, removing data elements added in HTI-1 (sexual orientation, gender identity, sex parameter for clinical use, pronouns and name to use), with corresponding updates to USCDI v3.1. Transitions of care would be simplified to receipt of Consolidated Clinical Document Architecture (C-CDA) documents only. Of those proposed for revision, all but one (transitions of care) would be effective as of the date of publication of the final rule.

The proposed rule also includes several information blocking proposals. First, it would modify the definitions of "access," "use" and "exchange" to clarify that they encompass automated means of accessing, exchanging or using electronic health information, including autonomous AI. Second, it proposes revisions to the infeasibility exception, including removing the third party seeking modification use condition, narrowing the manner exception exhausted condition to reduce the risk of misuse, and eliminating the Trusted Exchange Framework and Common Agreement manner exception, citing continued growth in Qualified Health Information Network (QHIN) participation and signaling that nominal participation in the HHS Trusted Exchange Framework and Common Agreement (TEFCA) will no longer justify information blocking.

Though all of these changes are significant, removal of the privacy and security certification criteria will require that healthcare providers and others acquiring health IT products perform diligence to confirm that such products continue to provide functionality necessary to meet the Health Insurance Portability and Accountability Act's (HIPAA) privacy and security safeguard requirements, incorporate specific requirements in contracts and implement, as appropriate, business associate security reviews into HIPAA business associate management. The HHS Office of Civil Rights has been restaffing and has proceeded with its security risk analysis initiative and security rule enforcement. When or if the proposed extensive HIPAA Security Rule amendments will be finalized, in part or at all, is unclear. See more information on the December 2024 proposed Security Rule.

The HTI-5 proposed rule will be subject to a 60-day public comment period closing on February 27, 2026. ASTP/ONC expects robust stakeholder engagement from health IT developers, providers, payers, digital health innovators and patient advocacy organizations, given the scope and potential impact of the proposed changes.

Taken together, the AI RFI, updated FAQs, and HTI-2 and HTI-5 proposals reflect a decisive shift toward a leaner certification program centered on FHIR-based APIs, paired with a more aggressive and technology-aware information blocking enforcement posture, while substantially reducing prescriptive federal oversight of health IT functionality and clinical AI development.