At first glance, the Health Data, Technology, and Interoperability (HTI-5) proposed rule looks like a gift to the healthcare technology sector. The Department of Health and Human Services (HHS) and the Assistant Secretary for Technology Policy (ASTP/ONC) have framed this as a massive "deregulation" effort. They are promising to remove 34 of the 60 current certification criteria: nearly 70% of the existing requirements.
According to official projections, this move is expected to save certified health IT developers more than 1.4 million compliance hours in the first year alone. The dollar amount attached to this "efficiency" is a staggering $1.53 billion in total savings over five years.
But for digital health leaders and AI implementers, we believe it is essential to look past the top-line numbers. In our view at US Healthcare Today, what the government calls "streamlining" might actually be a sophisticated burden-shifting exercise. While developers are celebrating their freedom from "checking boxes," healthcare organizations and AI implementers are quietly being led into a certification trap.
The Mirage of Deregulation
The narrative behind HTI-5 is that the industry has outgrown the legacy "Meaningful Use" requirements of 2011–2015. The argument is that these requirements have become administrative dead weight, slowing down the transition to modern standards like Fast Healthcare Interoperability Resources (FHIR).
We agree that antiquated rules should be updated. However, "removing" a requirement doesn't necessarily mean the need for that requirement disappears. It simply means the government is no longer the one verifying it.
When the ONC removes certification criteria, it essentially tells the market: "We are no longer checking this; check it yourself." For a digital health leader, this is a significant shift in responsibility. You are moving from a world where you could rely on a federal "seal of approval" to a world where you must perform your own due diligence on nearly 70% of the features you rely on for daily operations.
Who Really Wins the $1.5 Billion?
We should be very clear about where that $1.5 billion in "savings" is going. It is not going to the hospitals, the rural clinics, or the independent physician groups. These savings are specifically targeted at the developers of certified health IT.
By reducing the need for Real World Testing plans and removing legacy certification criteria, the government is effectively padding the margins of software vendors. We find it critical to ask: Will these savings be passed down to the healthcare providers in the form of lower subscription fees or better support?
Historically, the answer is no. Instead, we anticipate that the removal of these regulatory "baselines" will create a transparency vacuum. When developers no longer have to prove their tools work in real-world scenarios to a federal body, the cost of verifying that performance falls squarely on your IT department. What looks like a $1.5 billion saving for the industry is, in reality, a massive hidden cost for the organizations that actually implement and use these AI tools.
The Safety Net is Being Withdrawn
One of the most alarming aspects of the HTI-5 "streamlining" effort is the potential loss of baseline assurances. As the Federation of American Hospitals recently pointed out in their feedback, federal certification requirements have historically served as a critical safety net.
These certifications provide a baseline for:
- HIPAA Compliance: Ensuring that data flows meet federal privacy standards.
- CMS Program Participation: Keeping your organization eligible for federal reimbursements.
- Information Blocking Obligations: Protecting your organization from legal claims that you are unfairly restricting data access.
- State-Level AI Requirements: Providing a standard that state regulators can recognize.
By removing these criteria, HTI-5 is pulling the rug out from under implementers. Without federal certification as a guidepost, how will your legal team verify that a new AI-enabled tool won't accidentally trigger an information-blocking investigation? We believe this "streamlining" creates a regulatory vacuum that will inevitably be filled by a chaotic mix of state laws and expensive private litigation.
The AI Transparency Shell Game
HTI-5 shifts the certification focus toward FHIR-based APIs and "AI-enabled interoperability." On the surface, this sounds like a move toward innovation. The ASTP/ONC wants to redirect developer resources from "checking boxes" to building next-generation AI tools.
However, we must be skeptical of how this transparency is being handled. The proposed rule suggests that developers should have more freedom in how they report their AI models. But in a healthcare environment, "freedom" for a developer often translates to "opacity" for the user.
If a developer is no longer required to submit Real World Testing plans to ONC-Authorized Certification Bodies for a wide range of criteria, we lose the standardized benchmarks that allow us to compare Product A against Product B. We are moving toward a "black box" era of healthcare IT where we are told to trust the vendor's self-reported data rather than an independent, federally mandated test.
The Information Blocking Trap
There is a specific irony in the HTI-5 proposal regarding information blocking. The rule proposes tightening exceptions to prevent vendors from blocking app access to patient data. While we support the goal of patient data accessibility, the timing is curious.
By removing the certification criteria that govern how data is structured and shared, while simultaneously increasing the penalties for "blocking" that data, the government is putting providers in a double bind. You are being told you must share data more freely, but the tools provided to you are no longer being federally certified to ensure they share that data safely or correctly.
For digital health leaders, this is a legal minefield. If your uncertified AI tool incorrectly handles a data request, who is liable? Under the HTI-5 framework, the vendor can claim they followed the (now much looser) certification rules, leaving the healthcare organization to face the consequences of a data breach or an information-blocking violation. You can find more details on current regulatory shifts in our post-sitemap.
Strategic Advice: How to Avoid the Trap
We do not believe that digital health leaders should simply accept HTI-5 as an unalloyed good. If these changes go through, your procurement and implementation strategies must change. We recommend the following steps to protect your organization:
- Demand Private Benchmarking: Since the government is stepping back from Real World Testing for many criteria, you must step forward. Do not sign a contract with an AI vendor unless they provide independent, third-party validation of their claims: validation that mirrors or exceeds the old ONC criteria.
- Update Your Indemnification Clauses: With the removal of federal safety nets, your legal team needs to be more aggressive. Ensure that your vendors bear the full liability for any HIPAA or information-blocking issues that arise from their "streamlined" software.
- Monitor State Regulations: As federal oversight recedes, states like California, New York, and Massachusetts are moving to implement their own AI regulations. Do not assume that HTI-5 compliance means you are safe. We are entering a period of regulatory fragmentation.
- Audit Your "Savings": If your vendor claims they are saving thousands of hours due to HTI-5, ask them how that reflects in your pricing. If the "burden" has been lifted from them, the cost of the software should reflect that.
Final Thoughts: Progress or Passing the Buck?
The healthcare industry is desperate for innovation, and AI holds incredible promise. However, we must be wary of "progress" that is achieved by simply lowering the bar for safety and transparency.
The HTI-5 proposed rule isn't just about streamlining; it’s about shifting the burden of risk from the multi-billion-dollar tech industry to the frontline healthcare organizations. At US Healthcare Today, we believe that true interoperability and safe AI implementation require more accountability, not less.
Removing 70% of certification criteria might save developers money today, but it creates a debt of uncertainty that providers will have to pay for years to come. As we move forward into this new era of "deregulated" AI, remember that a certification "trap" is only dangerous if you don't know it's there.
We encourage all digital health leaders to stay informed and stay critical. You can explore more of our analysis on healthcare media and publishing at ushealthcaretoday.com. The future of healthcare AI is too important to be left to the "honor system" of software developers.
Leave a Reply