Most coverage of HTI-5 ran with the easy headline.
- Federal regulators are pulling back.
- 34 certification criteria were eliminated.
- AI transparency requirements scaled down.
- A projected 1.4 million hours of compliance burden is gone industry-wide.
That’s the easy read. The accurate read is sharper.
While ASTP/ONC was loosening certification on one side, it was quietly tightening information blocking on the other. Letters of nonconformity started landing on EHR vendors in February 2026. The TEFCA Manner Exception, the one many compliance teams treated as a useful escape hatch, is on its way out. The infeasibility exception that providers leaned on when data requests got messy? Narrower now.
So if you’re a health IT leader reading HTI-5 as “compliance just got easier,” you’re reading half the page.
Here’s the rest of it.
A 30-Second Catch-Up on HTI-1 Through HTI-4
If you’ve been tracking this from the start, skip ahead. If you haven’t, here’s the short version. The full breakdown of how these rules stack and where the friction lives is in our HTI whitepaper.
- HTI-1 (2024). USCDI v3 became the baseline. FHIR APIs are required. Audit logs became tamper-proof.
- HTI-2 (2025). The “Complete EHR” certification badge died. Every module had to certify on its own. AI tools have strict privacy and security obligations.
- HTI-3 (2025). Narrow exceptions arrived for reproductive health, gender-affirming care, and cross-state legal conflicts. Documentation burden landed on compliance officers.
- HTI-4 (Aug 2025). Compliance reached daily care. Prescribing systems, real-time benefit checks, and prior authorization came under the rule, with key provisions phasing in through 2027.
Four rules in less than two years, each one is stacking on the last, none of them going anywhere, even with HTI-5 on the table.
Now to the new arrival.
What HTI-5 Actually Does (Three Things to Know)
HTI-5 was proposed on December 29, 2025, under the title “Deregulatory Actions to Unleash Prosperity.” Comments closed February 27, 2026. Three shifts matter.
1. Certification just got lighter. ASTP/ONC proposes to eliminate 34 of the existing 60 certification criteria and revise another seven. The “Insights” reporting requirements get scaled back from seven measures to one (FHIR usage). Real-world testing obligations are descoped in favor of the voluntary Standards Version Advancement Process. For developers, that’s a real exhale.
2. AI transparency rules are walking backward. The Decision Support Intervention (DSI) criterion you spent 2024 retooling around? Scaled back. The “model card” transparency for AI tools, the source-attribute disclosures, and the risk-management documentation are all proposed for removal. ASTP cited the White House’s AI deregulatory posture as the reason.
3. Information blocking exceptions are tightening, not loosening. This is the part people miss. While certification eased, the rules that govern when you can legally withhold data got harder to invoke.
- The TEFCA Manner Exception (the shortcut that lets providers fulfill requests exclusively through QHINs) is proposed for elimination.
- The Manner Exception now excludes arrangements at non-market rates, contracts of adhesion, or terms ASTP calls “unconscionable.”
- The Infeasibility Exception loses a key condition that lets actors deny third-party write-back requests.
Translation: fewer legitimate ways to say no. More risk if you say it wrong.
The Paradox Most People Are Missing
Certification softens. Enforcement hardens. These are not accidents. They are moving in opposite directions on purpose.
Some context worth sitting with:
- Civil monetary penalties for non-provider actors have been in place since September 2023.
- CMS payment disincentives for providers came online in mid-2024.
- In February 2026, ASTP/ONC issued letters of nonconformity to certified EHR developers, citing concerns around API performance and potential information blocking.
- Around the same time, the agency announced that nearly 500 million records had been exchanged through TEFCA.
That’s the new signal. The government doesn’t need a thicker rulebook because it’s getting serious about the rules it already has.
Civil litigation is another shoe. Plaintiffs are starting to cite information blocking allegations as the basis for unfair competition claims under state law. That’s a category of risk most compliance officers were not pricing in twelve months ago. The exposure is no longer just regulatory.
The pattern across all of this is consistent. Less paperwork at the front door. More consequences at the back door. The agencies appear to have decided that prescriptive certification was producing compliance theater and that targeted enforcement of a smaller set of rules will move the industry faster.
Whether that bet pays off for the system is an open question. What is not open is whether it changes how your organization should think about risk. It does.
What This Means for You
Different seats in the room, different reads on HTI-5. Here’s the point-by-point.
If you’re a vendor:
- Certification got cheaper. Don’t celebrate.
- API performance is now an enforcement vector, not just a certification one.
- The DSI walk-back doesn’t mean AI is unregulated. It means the federal floor moved. Your enterprise customers will still demand the documentation you were preparing.
- Letters of nonconformity are not theoretical. February 2026 proved that.
- Real-world testing is descoped at the federal level, not at the contractual one. Read your customer agreements before celebrating the time savings.
If you’re a provider:
- HTI-1’s USCDI v3, HTI-2’s modular certification framework, HTI-3’s exceptions, and HTI-4’s prescribing rules all still apply. None of that changed.
- Your favorite exceptions just got narrower. Audit your reliance on Infeasibility and Manner before someone else does it for you.
- TEFCA is no longer a shortcut. It’s an obligation.
- Medicare payment disincentives are real. Information blocking is the fastest path to losing them.
- Your vendor’s certification posture is now your enforcement risk. Their problem is your problem when the letter arrives.
If you’re a digital health company:
- AI transparency requirements eased at the certification layer. They did not ease in the market. Enterprise buyers still want model cards.
- The data exchange obligations got sharper. If your platform sits between systems, your liability profile changed in February.
- The “we’ll just rely on TEFCA” answer is gone.
If you’re a compliance officer:
- The binder you built around HTI-1 through HTI-4 is not obsolete. The rules in it are still the law.
- The exceptions you trained your team on may look different by Q4.
- Documentation matters more, not less, in a deregulated certification world. When the government does enforce, it enforces hard.
What’s Not Changing
This is the part the headlines bury.
HTI-1 through HTI-4 are still in force. USCDI v3 is still baseline. FHIR APIs are still required. HTI-4’s real-time prior authorization requirements begin to bite in 2027. The HTI-3 privacy exceptions remain. The modular certification framework holds.
If anything, the deregulation of certification makes the surviving rules heavier, not lighter. Fewer requirements, more weight per requirement, and sharper teeth on enforcement.
The New Strategic Question
Stop thinking about HTI as a checklist that ends at HTI-5. Start thinking about it as a moving target with two speeds.
One speed pulls certification down. Toward FHIR-native, AI-flexible, lighter-touch oversight. That’s where the headlines live.
The other speed pushes enforcement up. Civil monetary penalties, payment disincentives, letters of nonconformity, and now civil litigation. That’s where the cost lives.
Your compliance strategy needs to account for both. The organizations that get this right will spend less on certification overhead and more on enforcement readiness. They will move from “did we meet the rule?” to “can we defend the call we made?”
That second question is the one worth getting good at.
Five Questions Worth Asking in Your Next Compliance Meeting
If you’re trying to gut-check where your organization sits, start here.
- Which of our HTI-1 through HTI-4 controls are we treating as optional now that HTI-5 is in play? (Wrong answer: any of them.)
- What’s our exposure if the Infeasibility or Manner Exception narrows the way HTI-5 proposes? (If you can’t answer, that’s the answer.)
- Are our vendor SLAs tied to API performance, not just uptime? (ASTP/ONC is enforcing the former.)
- Have we modeled our risk under civil litigation, not just regulatory penalty? (Newer category. Bigger ceiling.)
- Who in our organization owns the answer to “can we defend this?” (If the answer is no one, that is the project.)
None of these questions is theoretical. All of them have shown up in real conversations across the industry in the last ninety days.
How Nalashaa Helps
We sit at the seam where regulation meets reality. That means translating shifting rule text into engineering decisions, aligning vendor timelines with enforcement realities, and building systems that hold up when the auditor calls.
The rules will keep moving. The enforcement will not.
For the complete breakdown of HTI-1 through HTI-4, the deadlines that still apply, the friction points most organizations only learn about the hard way, and the operational playbook your team should have in front of them, read the full whitepaper here: Health IT Compliance: The HTI Whitepaper.
