The proposed HTI-5 rule from ASTP/ONC (maybe they can shorten the acronyms while they are cutting the red tape?) represents a seismic shift in EHR certification requirements. After a year of speculative “de-regulation,” the Trump administration has delivered a massive reset.
For those of us who felt the industry was settling into “business as usual” (myself included), after
- Executive Order 14168 (Defending Women from Gender Ideology) in January
- Insights Condition and Maintenance of Certification Enforcement Discretion Notice in April
- HTI-4 Final Rule in July
all without any major changes to certification processes and requirements, HTI-5 is a wake-up call.
Directly from the horse’s mouth:
- reduce burden on health IT developers by streamlining ASTP/ONC’s voluntary Health IT Certification Program by removing redundant requirements;
- revise definitions to better promote electronic health information access, exchange, and use so that patients’ access to their data is not blocked; and
- advance a new foundation of AI-enabled interoperability solutions through modernized standards and certification.
ASTP comes across loud and clear:
We’re going to stop meddling with your EHR, but don’t block the data.
Overview of Changes
By removing nearly all legacy “Clinical Processes” and “Care Coordination” mandates, the program is abandoning the old “Meaningful Use” philosophy. Instead, certification is being re-centered almost entirely on FHIR-based APIs and AI-enabled interoperability.
- Certification scope is dramatically reduced
- 34 certification criteria removed
- 7 criteria updated
- Meaningful Use–era mandates
- Legacy criteria from 2011, 2014, 2015, and the Cures Update are largely eliminated
To streamline certification, many criteria that ASTP considers to be “topped out” were also removed – for example, all of the 170.315(d) “Privacy & Security or UI” criteria.
What this means for EHR developers
- Reduced R&D: With 34 criteria removed, developers are estimated to save an average of 4,000 hours each in the first year alone.
- Lower Barrier to Entry: This is an excellent opportunity for new vendors entering the market. The price of admission to the certified market just got significantly cheaper.
- Focus on Innovation, Not Compliance: By stripping away legacy requirements from the 2011–2015 editions, vendors can finally reallocate resources from “checking boxes” to building the tools their customers actually want.
The Big Takeaway: If it’s a manual workflow, a specific transport protocol (like Direct), or a “topped-out” security feature, it’s likely being cut. The future of certification is about the data highway, not the user interface.
Certification Criteria Changes
Certification criteria in blue are currently supported by DHIT.
Certification criteria in peach will be supported by DHIT in 2026.
What’s Unchanged:
| Certification | Name |
|---|---|
| §170.315(a)(1) | CPOE – medications |
| §170.315(a)(2) | CPOE – laboratory |
| §170.315(a)(3) | CPOE – diagnostic imaging |
| §170.315(a)(4) | Drug-drug, drug-allergy interaction checks for CPOE |
| §170.315(a)(15) | Social, psychological, and behavioral data |
| §170.315(b)(3) | Electronic prescribing |
| §170.315(b)(4) | Real-time prescription benefit |
| §170.315(b)(10) | Electronic Health Information export |
| §170.315(c)(1) | CQMs — record and export |
| §170.315(c)(2) | CQMs — import and calculate |
| §170.315(f)(1) | Transmission to immunization registries |
| §170.315(f)(2) | Transmission to public health agencies — syndromic surveillance |
| §170.315(f)(3) | Transmission to public health agencies — reportable lab tests/value/results |
| §170.315(g)(10) | Standardized API for patient and population services |
| §170.315(g)(31) | Provider prior authorization API – coverage requirements discovery |
| §170.315(g)(32) | Provider prior authorization API – documentation templates and rules |
| §170.315(g)(33) | Provider prior authorization API – prior authorization support |
| §170.315(j)(20) | Workflow triggers for decision support interventions — clients |
| §170.315(j)(21) | Subscriptions — client |
What’s Changed:
| Criteria | Name |
|---|---|
| §170.213 | US Core Data for Interoperability (USCDI) |
| §170.315(a)(5) | Patient demographics and observations |
| §170.315(b)(1) | Transitions of care |
| §170.315(b)(11) | Decision support interventions |
| §170.315(c)(3) | CQMs — report |
| §170.315(e)(1) | View, download, and transmit to 3rd party |
| §170.315(f)(5) | Transmission to public health agencies — electronic case reporting |
| §170.315(f)(6) | Transmission to public health agencies — antimicrobial use and resistance reporting |
What’s Gone:
| Criteria | Name |
|---|---|
| §170.315(a)(12) | Family health history |
| §170.315(a)(14) | Implantable device list |
| §170.315(b)(2) | Clinical information reconciliation and incorporation |
| §170.315(b)(7) | Security tags – summary of care – send |
| §170.315(b)(8) | Security tags – summary of care – receive |
| §170.315(b)(9) | Care plan |
| §170.315(c)(4) | CQMs — filter |
| §170.315(d)(1) | Authentication, access control, authorization |
| §170.315(d)(2) | Auditable events and tamper-resistance |
| §170.315(d)(3) | Audit report(s) |
| §170.315(d)(4) | Amendments |
| §170.315(d)(5) | Automatic access time-out |
| §170.315(d)(6) | Emergency access |
| §170.315(d)(7) | End-user device encryption |
| §170.315(d)(8) | Integrity |
| §170.315(d)(9) | Trusted connection |
| §170.315(d)(10) | Auditing actions on health information |
| §170.315(d)(11) | Accounting of disclosures |
| §170.315(d)(12) | Encrypt authentication credentials |
| §170.315(d)(13) | Multi-factor authentication |
| §170.315(e)(3) | Patient health information capture |
| §170.315(f)(4) | Transmission to cancer registries |
| §170.315(f)(7) | Transmission to public health agencies — health care surveys |
| §170.315(g)(1) | Automated numerator recording |
| §170.315(g)(2) | Automated measure calculation |
| §170.315(g)(3) | Safety-enhanced design |
| §170.315(g)(4) | Quality management system |
| §170.315(g)(5) | Accessibility-centered design |
| §170.315(g)(6) | Consolidated CDA creation performance |
| §170.315(g)(7) | Application access — patient selection |
| §170.315(g)(9) | Application access — all data request |
| §170.315(h)(1) | Direct Project |
| §170.315(h)(2) | Direct Project, Edge Protocol, and XDR/XDM |
Easing the Burden: Real World Testing & Insights
The deregulatory theme continues into the Conditions and Maintenance of Certification. ASTP is significantly narrowing the scope of ongoing oversight:
- Real World Testing (RWT): Developers will no longer need to submit RWT test plans to ONC-ACBs for approval. Reporting will be restricted strictly to FHIR API criteria (g)(10) and the new Prior Authorization APIs (g)(31)-(33).
- Insights Reporting: Consistent with the April 2025 enforcement discretion, the reporting burden is slashed. Vendors are now essentially only responsible for the “use of FHIR in apps” measure.
What Isn’t Changing: The March 2026 Deadline
While this rule is a massive win for EHR vendor R&D budgets, it is essential to remember: The HTI-1 requirements with the March 1, 2026 deadline are still in effect. The industry is moving toward a leaner, API-first regulatory environment. This “reset” allows vendors to focus more on innovation, specifically in AI and clinical efficiency, rather than checking boxes for legacy functional requirements.
The text is already grammatically correct and contains no typos. No changes were needed.
What’s Next for DHIT
Since 2011, Dynamic Health IT (DHIT) has helped nearly 100 EHR vendors navigate their certification process. We’ll be honest: the HTI-5 rule is a major shift. By removing over 50% of the criteria we’ve helped our clients maintain for over a decade, the “traditional” compliance business is changing.
But hey, we are Dynamic Health IT. We’re enthusiastic about the opportunities ahead. While traditional “checkbox” compliance requirements are diminishing, they’re giving way to a more robust, data-driven ecosystem. This deregulation eliminates bureaucratic obstacles, enabling us to concentrate on strategies that genuinely drive value for your clients: sophisticated, automated, and intelligent data exchange systems.
We’re realigning our integrated solutions and consulting expertise toward the strategic priorities that ASTP and CMS are emphasizing for 2026 and beyond:
- Advanced EHR Reporting & Insights: With the “Insights” condition focusing on FHIR app usage and interoperability metrics, we are building the analytics tools you need to track real-world performance without the manual headache.
- The Next Gen of Quality: NCQA & dCQMs: As the industry moves toward Digital Quality Measures (dCQMs), we are aligning our tools with NCQA standards and FHIR-based quality reporting.
- USCDI (v4, v5, v6, and Plus): We are moving forward with support for USCDI versions 4, 5, 6, and USCDI+ (quality-data focused) as clients add additional data to the FHIR API.
- UDS: CQMsolution now supports UDS reporting. We’ve curved the development process for clients to ensure quality data requirements aid in population of the tables.
- FHIR Development: HTI-5 doubles down on Standardized APIs (g)(10) and introduces complex Prior Authorization APIs (g)(31-33). Our suite is evolving to handle these heavy-lifting transport and data mapping requirements so you don’t have to build them from scratch.
Stay tuned for our blog post covering DHIT’s roadmap for 2026.
We’re Still Your Compliance Partner
As the healthcare industry moves toward stricter Information Blocking enforcement and enhanced AI transparency requirements, the stakes have never been higher. DHIT is positioned to guide you through this critical transition, ensuring your journey to the March 1, 2026 deadline and beyond is seamless and manageable.
