HTI-5 and the New Ground Rules for Health Data: What the Comment Letters Actually Say

•March 16, 2026

Thoughts on Healthcare Markets & Tech•Mar 16, 2026

Key Takeaways

•HTI-5 cuts 34 of 60 EHR certification criteria.
•Info blocking exception changes spark strong vendor opposition.
•AI model card requirement removal faces mixed industry backlash.
•RPA and autonomous AI access definition raises safety concerns.
•Certification cleanup supported, but transition timelines deemed aggressive.

Summary

The ONC’s HTI-5 rule, released Dec. 2025, proposes removing 34 of 60 EHR certification criteria and revising several others, while overhauling information‑blocking exceptions and scaling back AI model‑card transparency. Comment letters show broad support for the certification cleanup but fierce resistance to changes that could weaken vendor moats, especially around third‑party data modification and the new definition of automated AI access. Stakeholders also warn that aggressive implementation dates could create compliance gaps for providers. The proposals signal a shift toward a FHIR‑first, API‑centric ecosystem with heightened risk for AI‑driven workflows.

Pulse Analysis

The certification overhaul at the heart of HTI‑5 reflects a broader industry desire to retire legacy, document‑centric standards in favor of FHIR‑based APIs. By stripping out obsolete criteria, ONC aims to reduce compliance costs—projected at $1.53 billion in savings—and accelerate innovation. However, commenters caution that the rapid removal of C‑CDA and Direct messaging requirements could create a transitional vacuum, leaving providers without certified pathways while the new FHIR specifications mature. Aligning CMS’s Promoting Interoperability metrics with the revised certification timeline will be essential to avoid payment penalties for clinicians.

Information‑blocking reforms are the most contentious element of the proposal. Removing the third‑party modification condition and tightening the Manner Exception could dismantle the regulatory moat that EHR giants have relied on to limit third‑party integrations. Data‑intermediary firms such as Innovaccer and Datavant welcome the change, seeing it as a catalyst for a thriving ecosystem of AI‑driven analytics and patient‑access apps. Conversely, vendors like Epic and the EHR Association warn that ambiguous language—especially around “analogous” APIs—will fuel litigation and increase operational overhead, potentially slowing adoption of automated data flows.

The AI and automation provisions raise fresh safety and liability questions. Eliminating model‑card requirements removes a standardized transparency layer that many clinicians use during procurement, while the blanket inclusion of robotic process automation and autonomous AI under the access definition could expose EHR platforms to unintended write‑back errors. Real‑world incidents cited by Epic—mass medication dosing mistakes and mis‑attributed notes—illustrate the tangible risks of unchecked bots. Policymakers will need to balance the push for high‑throughput, AI‑enabled workflows with robust audit and governance mechanisms to protect patient safety and maintain trust in the evolving health‑data landscape.