Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability; Withdrawal

#  Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability; Withdrawal

**AGENCY:**

Assistant Secretary for Technology Policy (ASTP)/Office of the National Coordinator for Health Information Technology (ONC) (collectively, ASTP/ONC), Department of Health and Human Services (HHS).

**ACTION:**

Proposed rule; withdrawal of non-finalized provisions.

**SUMMARY:**

ASTP/ONC published in the *Federal Register* on August 5, 2024, a proposed rule, titled “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (HTI-2), in which it proposed updating and adding regulations regarding health information technology, information blocking, and the Trusted Exchange Framework and the Common Agreement. The comment period closed on October 4, 2024. ASTP/ONC is withdrawing the remaining proposals that have not been finalized from the HTI-2 Proposed Rule.

**DATES:**

The non-finalized provisions of the proposed rule published at 89 FR 63498 on August 5, 2024, are withdrawn effective December 29, 2025.

**ADDRESSES:**

Comments on the proposed rule published at 89 FR 63498 on August 5, 2024, can be found at *https://www.regulations.gov/document/HHS-ONC-2024-0010-0001.*

**FOR FURTHER INFORMATION CONTACT:**

Michael Lipinski, Office of Policy, Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology, 202-690-7151.

**SUPPLEMENTARY INFORMATION:**

On August 5, 2024, ASTP/ONC issued the HTI-2 Proposed Rule proposing to update 45 CFR parts 170 and 171 and add part 172. The comment period closed on October 4, 2024.

ASTP/ONC finalized certain proposals from the HTI-2 Proposed Rule in December 2024 through the Health Data, Technology, and Interoperability: Trusted Exchange Framework and Common Agreement (TEFCA) (HTI-2) Final Rule (89 FR 101772) and the Health Data, Technology, and Interoperability: Protecting Care Access (HTI-3) Final Rule (89 FR 102512).

On January 31, 2025, President Donald J. Trump signed Executive Order (E.O.) 14192, “Unleashing Prosperity Through Deregulation.” [^1] Section 1 of E.O. 14192 states that it is the policy of the Administration to significantly reduce the private expenditures required to comply with Federal regulations to secure America's economic prosperity and national security and the highest possible quality of life for each citizen. Consistent with E.O. 14192 and our planned deregulatory proposed rule (Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity (HTI-5) Proposed Rule), [^2] ASTP/ONC reexamined the HTI-2 Proposed Rule. ASTP/ONC reviewed comments received in response to the HTI-2 Proposed Rule and reevaluated proposals not yet finalized. We determined that certain proposals should be finalized, while other proposals should not be finalized or needed further consideration, revision, or both. Recently, the Office of Management and Budget, the Department of Health and Human Services, and Centers for Medicare & Medicaid Services (CMS), in collaboration with ASTP/ONC, issued separate requests for information (RFIs) related to deregulation. We reviewed comments received on these RFIs related to ASTP/ONC activities. In response to the Request for Information; Health Technology Ecosystem (90 FR 21034) (CMS-ASTP/ONC RFI), commenters expressed a strong desire to modernize the ONC Health IT Certification Program (Certification Program) by making it more modular, application programming interface (API)-focused, and less centered on specific electronic health record (EHR) functionalities. After reviewing these additional comments and the comments submitted in response to the HTI-2 Proposed Rule, we are withdrawing the remaining non-finalized proposals from the HTI-2 Proposed Rule.

[^1]*https://www.federalregister.gov/documents/2025/02/06/2025-02345/unleashing-prosperity-through-deregulation.*

[^2]*https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202504&RIN=0955-AA09.*

We determined that certain proposals would improve interoperability and reduce costs and burden within the U.S. health care system. Therefore, we finalized proposals for six new and one revised certification criteria in the Health Data, Technology, and Interoperability: Electronic Prescribing, Real-Time Prescription Benefit and  Prior Authorization (HTI-4) Final Rule (90 FR 37130). This final rule was published as a part of the Medicare Program; Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals (IPPS) and the Long-Term Care Hospital Prospective Payment System and Policy Changes and Fiscal Year (FY) 2026 Rates; Changes to the FY 2025 IPPS Rates Due to Court Decision; Requirements for Quality Programs; and Other Policy Changes; Health Data, Technology, and Interoperability: Electronic Prescribing, Real-Time Prescription Benefit and Electronic Prior Authorization Final Rule, which appeared in the *Federal Register* on August 4, 2025 (90 FR 36536).

ASTP/ONC is, however, withdrawing the remaining non-finalized proposals from the HTI-2 Proposed Rule for the following reasons: comments received on the HTI-2 Proposed Rule and the above-referenced RFIs; a focus on deregulation; and changes in applicable technologies, such as newer standards, updated application programming interfaces, and emerging artificial intelligence technologies. As to comments received on the HTI-2 Proposed Rule, a number of commenters expressed concerns regarding the non-finalized proposals, such as a lack of clarity in some proposals, the availability of newer and/or more appropriate standards for certain proposed certification criteria, and excessive costs and burden for meeting certain proposals, if finalized. ASTP/ONC will consider these and other stakeholder comments in conjunction with Administration and ASTP/ONC policies and priorities when crafting any future regulatory proposals related to the non-finalized provisions of the HTI-2 Proposed Rule. For now, we have concluded finalization of proposals from the HTI-2 Proposed Rule. We withdraw the remaining proposals of the HTI-2 Proposed Rule, generally identified as proposals to:

• *USCDI.* Adopt the United States Core Data for Interoperability (USCDI) standard v4 (45 CFR 170.213(c)); establish an expiration date for USCDI v3; and update certification criteria that cross-reference USCDI:

○ “Care coordination—Transitions of care—Create” (§ 170.315(b)(1)(iii)(A)( *1* ) and ( *2* ));

○ “Care coordination—Clinical information reconciliation and incorporation—Reconciliation” (§ 170.315(b)(2)(iii)(D)( *1* ) through ( *3* ));

○ “Decision support interventions—Decision support configuration” (§ 170.315(b)(11)(ii)(A) and (B), and “Source attributes” (§ 170.315(b)(11)(iv)(A)( *5* ) through ( *13* ));

○ “Patient engagement—View, download, and transmit to 3rd party—View” (§ 170.315(e)(1)(i)(A)( *1* ) and ( *2* )), and “Multi-factor authentication (§ 170.315(e)(1)(iii));

○ “Transmission to public health agencies—electronic case reporting” (§ 170.315(f)(5)(i)(C)( *2* )( *i* ));

○ “Design and performance—Consolidated CDA creation performance” (§ 170.315(g)(6)(i)(A) and (B));

○ “Design and performance—Application access—all data request—Functional requirements” (§ 170.315(g)(9)(i)(A)( *1* ) and ( *2* )); and

○ “Design and performance—Standardized API for patient and population services—Data response” (§ 170.315(g)(10)(i)(A) and (B)).

• *Imaging.* Revise the certification criteria adopted in § 170.315(b)(1), (e)(1), and (g)(9) and (10) to include new certification requirements to support the access, exchange, and use of diagnostic images via imaging links.

• *Clinical Information Reconciliation and Incorporation.* Require Health IT Modules to be capable of reconciling and incorporating all USCDI v4 data classes. As an alternative proposal, require reconciliation and incorporation of a smaller subset of data.

• *Standards for Encryption and Decryption of Electronic Health Information.* Adopt the updated version of Annex A of the Federal Information Processing Standards (FIPS) 140-2 (Draft, October 12, 2021) in § 170.210(a)(3) and incorporate it by reference in § 170.299; add an expiration date of January 1, 2026, to the FIPS 140-2 (October 8, 2014) version of the standard adopted in § 170.210(a)(2); remove the standard found in § 170.210(f); and revise impacted certification criteria:

○ § 170.315(d)(7) “health IT encryption;”

○ § 170.315 (d)(9) “trusted connection;” and

○ § 170.315 (d)(12) “protect stored authentication credentials.”

• *Minimum Standards Code Sets.* Adopt newer versions of the following minimum standards code sets:

○ § 170.207(a)—Problems;

○ § 170.207(c)—Laboratory tests;

○ § 170.207(e)—Immunizations;

○ § 170.207(f)—Race and Ethnicity;

○ § 170.207(n)—Sex;

○ § 170.207(o)—Sexual orientation and gender information; and

○ § 170.207(p)—Social, psychological, and behavioral data.

• *Computerized Provider Order Entry—Laboratory Criterion.* Update the “computerized provider order entry—laboratory” certification criterion (§ 170.315(a)(2)) to require a Health IT Module to enable a user to create and transmit laboratory orders electronically according to the standard proposed in § 170.205(g)(2) (HL7® Laboratory Order Interface (LOI) Implementation Guide (IG)); and require technology to receive and validate laboratory results according to the standard proposed in § 170.205(g)(3) (HL7® Laboratory Results Interface (LRI) IG).

• *Encrypt Authentication Credentials.* Revise § 170.315(d)(12) by replacing the “yes” or “no” attestation requirement with a new requirement that Health IT Modules be able to demonstrate that they are able to store authentication credentials and protect the confidentiality and integrity of stored authentication credentials according to the Federal Information Processing Standards (FIPS) 140-2 [^3] (October 12, 2021) standard; and by changing the name of the certification criterion to “protect stored authentication credentials”.

[^3]*https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402annexa.pdf.*

• *Public Health Data Exchange.* Revise the certification criteria related to public health in § 170.315(f) by: adding several new functional requirements and adopting newer versions of standards within the current (f) certification criteria; adding two new certification criteria in the current (f) certification criteria for birth reporting and bi-directional exchange with a prescription drug monitoring program (PDMP); and adopting new certification criteria for health IT for public health in § 170.315(f)(21) through (29). In addition, adopt a new certification criterion for a standardized FHIR-based API for public health data exchange in § 170.315(g)(20), which we also proposed to adopt as part of the Base EHR definition.

• *Dynamic Client Registration Protocol.* Add requirements to support dynamic client registration and subsequent authentication and authorization for dynamically registered apps for patient-facing, user-facing, and system confidential applications. Specifically, add these requirements to:

○ § 170.315(g)(10) certification criterion;

○ § 170.315(g)(20), (30), and (32) through (35) proposed certification criteria;

○ § 170.315(j)(2), (5), (8), and (11) proposed certification criteria; and

○ API Conditions and Maintenance of Certification requirements in § 170.404.

• *Modular API Capabilities.* Add a new paragraph (j) to § 170.315 titled “modular API capabilities.”

**Note:**

We finalized two new criteria: “workflow triggers for decision support interventions—clients” (45 CFR 170.315(j)(20)) and “subscriptions—client” (45 CFR 170.315(j)(21)) in the HTI-4 Final Rule.

• *Patient, Provider, and Payer APIs.* Adopt a set of certification criteria in 45 CFR 170.315(g)(30) through (36) to support data exchange between healthcare payers, providers, and patients.

**Note:**

We adopted electronic prior authorization criteria in 45 CFR 170.315(g)(31), (32), and (33) in the HTI-4 Final Rule based on the capabilities originally proposed in the HTI-2 Proposed Rule for the “prior authorization API—provider” certification criterion (45 CFR 170.315(g)(34)).

• *Conditions and Maintenance of Certification.* Revise the Insights and Attestations Conditions and Maintenance of Certification requirements.

• *Definitions in 45 CFR 171.102.* Revise the definition of “health care provider” and add definitions for “business day or business days” and “health information technology.”

• *Interference.* Add a new section (45 CFR 171.104) to codify certain practices that constitute “interference” and “interfere with” (as defined in § 171.102) for purposes of the information blocking definition in § 171.103.

• *Requestor Preferences Exception.* Adopt a new exception in § 171.304 for actors limiting, when asked to by a requestor, how much EHI is made available to that requestor, including when and/or under what conditions the EHI is made available.

• *Infeasibility Exception—Responding to Requests Condition.* Modify the *responding to requests* condition (§ 171.204(b)) to clarify timeframes for telling requestors why requested access, exchange, or use of EHI is not feasible.

Robert F. Kennedy Jr.,

Secretary, Department of Health and Human Services.