Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability; Withdrawal

Issuing agencies

Abstract

ASTP/ONC published in the Federal Register on August 5, 2024, a proposed rule, titled "Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability" (HTI-2), in which it proposed updating and adding regulations regarding health information technology, information blocking, and the Trusted Exchange Framework and the Common Agreement. The comment period closed on October 4, 2024. ASTP/ONC is withdrawing the remaining proposals that have not been finalized from the HTI-2 Proposed Rule.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 245 (Monday, December 29, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 245 (Monday, December 29, 2025)]
[Proposed Rules]
[Pages 60602-60604]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-23890]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 170, 171, and 172

RIN 0955-AA08


Health Data, Technology, and Interoperability: Patient 
Engagement, Information Sharing, and Public Health Interoperability; 
Withdrawal

AGENCY: Assistant Secretary for Technology Policy (ASTP)/Office of the 
National Coordinator for Health Information Technology (ONC) 
(collectively, ASTP/ONC), Department of Health and Human Services 
(HHS).

ACTION: Proposed rule; withdrawal of non-finalized provisions.

-----------------------------------------------------------------------

SUMMARY: ASTP/ONC published in the Federal Register on August 5, 2024, 
a proposed rule, titled ``Health Data, Technology, and 
Interoperability: Patient Engagement, Information Sharing, and Public 
Health Interoperability'' (HTI-2), in which it proposed updating and 
adding regulations regarding health information technology, information 
blocking, and the Trusted Exchange Framework and the Common Agreement. 
The comment period closed on October 4, 2024. ASTP/ONC is withdrawing 
the remaining proposals that have not been finalized from the HTI-2 
Proposed Rule.

DATES: The non-finalized provisions of the proposed rule published at 
89 FR 63498 on August 5, 2024, are withdrawn effective December 29, 
2025.

ADDRESSES: Comments on the proposed rule published at 89 FR 63498 on 
August 5, 2024, can be found at <a href="https://www.regulations.gov/document/HHS-ONC-2024-0010-0001">https://www.regulations.gov/document/HHS-ONC-2024-0010-0001</a>.

FOR FURTHER INFORMATION CONTACT: Michael Lipinski, Office of Policy, 
Assistant Secretary for Technology Policy/Office of the National 
Coordinator for Health Information Technology, 202-690-7151.

SUPPLEMENTARY INFORMATION: On August 5, 2024, ASTP/ONC issued the HTI-2 
Proposed Rule proposing to update 45 CFR parts 170 and 171 and add part 
172. The comment period closed on October 4, 2024.
    ASTP/ONC finalized certain proposals from the HTI-2 Proposed Rule 
in December 2024 through the Health Data, Technology, and 
Interoperability: Trusted Exchange Framework and Common Agreement 
(TEFCA) (HTI-2) Final Rule (89 FR 101772) and the Health Data, 
Technology, and Interoperability: Protecting Care Access (HTI-3) Final 
Rule (89 FR 102512).
    On January 31, 2025, President Donald J. Trump signed Executive 
Order (E.O.) 14192, ``Unleashing Prosperity Through Deregulation.'' \1\ 
Section 1 of E.O. 14192 states that it is the policy of the 
Administration to significantly reduce the private expenditures 
required to comply with Federal regulations to secure America's 
economic prosperity and national security and the highest possible 
quality of life for each citizen. Consistent with E.O. 14192 and our 
planned deregulatory proposed rule (Health Data, Technology, and 
Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity 
(HTI-5) Proposed Rule),\2\ ASTP/ONC reexamined the HTI-2 Proposed Rule. 
ASTP/ONC reviewed comments received in response to the HTI-2 Proposed 
Rule and reevaluated proposals not yet finalized. We determined that 
certain proposals should be finalized, while other proposals should not 
be finalized or needed further consideration, revision, or both. 
Recently, the Office of Management and Budget, the Department of Health 
and Human Services, and Centers for Medicare & Medicaid Services (CMS), 
in collaboration with ASTP/ONC, issued separate requests for 
information (RFIs) related to deregulation. We reviewed comments 
received on these RFIs related to ASTP/ONC activities. In response to 
the Request for Information; Health Technology Ecosystem (90 FR 21034) 
(CMS-ASTP/ONC RFI), commenters expressed a strong desire to modernize 
the ONC Health IT Certification Program (Certification Program) by 
making it more modular, application programming interface (API)-
focused, and less centered on specific electronic health record (EHR) 
functionalities. After reviewing these additional comments and the 
comments submitted in response to the HTI-2 Proposed Rule, we are 
withdrawing the remaining non-finalized proposals from the HTI-2 
Proposed Rule.
---------------------------------------------------------------------------

    \1\ <a href="https://www.federalregister.gov/documents/2025/02/06/2025-02345/unleashing-prosperity-through-deregulation">https://www.federalregister.gov/documents/2025/02/06/2025-02345/unleashing-prosperity-through-deregulation</a>.
    \2\ <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202504&RIN=0955-AA09">https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202504&RIN=0955-AA09</a>.
---------------------------------------------------------------------------

    We determined that certain proposals would improve interoperability 
and reduce costs and burden within the U.S. health care system. 
Therefore, we finalized proposals for six new and one revised 
certification criteria in the Health Data, Technology, and 
Interoperability: Electronic Prescribing, Real-Time Prescription 
Benefit and

[[Page 60603]]

Prior Authorization (HTI-4) Final Rule (90 FR 37130). This final rule 
was published as a part of the Medicare Program; Hospital Inpatient 
Prospective Payment Systems for Acute Care Hospitals (IPPS) and the 
Long-Term Care Hospital Prospective Payment System and Policy Changes 
and Fiscal Year (FY) 2026 Rates; Changes to the FY 2025 IPPS Rates Due 
to Court Decision; Requirements for Quality Programs; and Other Policy 
Changes; Health Data, Technology, and Interoperability: Electronic 
Prescribing, Real-Time Prescription Benefit and Electronic Prior 
Authorization Final Rule, which appeared in the Federal Register on 
August 4, 2025 (90 FR 36536).
    ASTP/ONC is, however, withdrawing the remaining non-finalized 
proposals from the HTI-2 Proposed Rule for the following reasons: 
comments received on the HTI-2 Proposed Rule and the above-referenced 
RFIs; a focus on deregulation; and changes in applicable technologies, 
such as newer standards, updated application programming interfaces, 
and emerging artificial intelligence technologies. As to comments 
received on the HTI-2 Proposed Rule, a number of commenters expressed 
concerns regarding the non-finalized proposals, such as a lack of 
clarity in some proposals, the availability of newer and/or more 
appropriate standards for certain proposed certification criteria, and 
excessive costs and burden for meeting certain proposals, if finalized. 
ASTP/ONC will consider these and other stakeholder comments in 
conjunction with Administration and ASTP/ONC policies and priorities 
when crafting any future regulatory proposals related to the non-
finalized provisions of the HTI-2 Proposed Rule. For now, we have 
concluded finalization of proposals from the HTI-2 Proposed Rule. We 
withdraw the remaining proposals of the HTI-2 Proposed Rule, generally 
identified as proposals to:
    <bullet> USCDI. Adopt the United States Core Data for 
Interoperability (USCDI) standard v4 (45 CFR 170.213(c)); establish an 
expiration date for USCDI v3; and update certification criteria that 
cross-reference USCDI:
    [cir] ``Care coordination--Transitions of care--Create'' (Sec.  
170.315(b)(1)(iii)(A)(1) and (2));
    [cir] ``Care coordination--Clinical information reconciliation and 
incorporation--Reconciliation'' (Sec.  170.315(b)(2)(iii)(D)(1) through 
(3));
    [cir] ``Decision support interventions--Decision support 
configuration'' (Sec.  170.315(b)(11)(ii)(A) and (B), and ``Source 
attributes'' (Sec.  170.315(b)(11)(iv)(A)(5) through (13));
    [cir] ``Patient engagement--View, download, and transmit to 3rd 
party--View'' (Sec.  170.315(e)(1)(i)(A)(1) and (2)), and ``Multi-
factor authentication (Sec.  170.315(e)(1)(iii));
    [cir] ``Transmission to public health agencies--electronic case 
reporting'' (Sec.  170.315(f)(5)(i)(C)(2)(i));
    [cir] ``Design and performance--Consolidated CDA creation 
performance'' (Sec.  170.315(g)(6)(i)(A) and (B));
    [cir] ``Design and performance--Application access--all data 
request--Functional requirements'' (Sec.  170.315(g)(9)(i)(A)(1) and 
(2)); and
    [cir] ``Design and performance--Standardized API for patient and 
population services--Data response'' (Sec.  170.315(g)(10)(i)(A) and 
(B)).
    <bullet> Imaging. Revise the certification criteria adopted in 
Sec.  170.315(b)(1), (e)(1), and (g)(9) and (10) to include new 
certification requirements to support the access, exchange, and use of 
diagnostic images via imaging links.
    <bullet> Clinical Information Reconciliation and Incorporation. 
Require Health IT Modules to be capable of reconciling and 
incorporating all USCDI v4 data classes. As an alternative proposal, 
require reconciliation and incorporation of a smaller subset of data.
    <bullet> Standards for Encryption and Decryption of Electronic 
Health Information. Adopt the updated version of Annex A of the Federal 
Information Processing Standards (FIPS) 140-2 (Draft, October 12, 2021) 
in Sec.  170.210(a)(3) and incorporate it by reference in Sec.  
170.299; add an expiration date of January 1, 2026, to the FIPS 140-2 
(October 8, 2014) version of the standard adopted in Sec.  
170.210(a)(2); remove the standard found in Sec.  170.210(f); and 
revise impacted certification criteria:
    [cir] Sec.  170.315(d)(7) ``health IT encryption;''
    [cir] Sec.  170.315 (d)(9) ``trusted connection;'' and
    [cir] Sec.  170.315 (d)(12) ``protect stored authentication 
credentials.''
    <bullet> Minimum Standards Code Sets. Adopt newer versions of the 
following minimum standards code sets:
    [cir] Sec.  170.207(a)--Problems;
    [cir] Sec.  170.207(c)--Laboratory tests;
    [cir] Sec.  170.207(e)--Immunizations;
    [cir] Sec.  170.207(f)--Race and Ethnicity;
    [cir] Sec.  170.207(n)--Sex;
    [cir] Sec.  170.207(o)--Sexual orientation and gender information; 
and
    [cir] Sec.  170.207(p)--Social, psychological, and behavioral data.
    <bullet> Computerized Provider Order Entry--Laboratory Criterion. 
Update the ``computerized provider order entry--laboratory'' 
certification criterion (Sec.  170.315(a)(2)) to require a Health IT 
Module to enable a user to create and transmit laboratory orders 
electronically according to the standard proposed in Sec.  
170.205(g)(2) (HL7[supreg] Laboratory Order Interface (LOI) 
Implementation Guide (IG)); and require technology to receive and 
validate laboratory results according to the standard proposed in Sec.  
170.205(g)(3) (HL7[supreg] Laboratory Results Interface (LRI) IG).
    <bullet> Encrypt Authentication Credentials. Revise Sec.  
170.315(d)(12) by replacing the ``yes'' or ``no'' attestation 
requirement with a new requirement that Health IT Modules be able to 
demonstrate that they are able to store authentication credentials and 
protect the confidentiality and integrity of stored authentication 
credentials according to the Federal Information Processing Standards 
(FIPS) 140-2 \3\ (October 12, 2021) standard; and by changing the name 
of the certification criterion to ``protect stored authentication 
credentials''.
---------------------------------------------------------------------------

    \3\ <a href="https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402annexa.pdf">https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402annexa.pdf</a>.
---------------------------------------------------------------------------

    <bullet> Public Health Data Exchange. Revise the certification 
criteria related to public health in Sec.  170.315(f) by: adding 
several new functional requirements and adopting newer versions of 
standards within the current (f) certification criteria; adding two new 
certification criteria in the current (f) certification criteria for 
birth reporting and bi-directional exchange with a prescription drug 
monitoring program (PDMP); and adopting new certification criteria for 
health IT for public health in Sec.  170.315(f)(21) through (29). In 
addition, adopt a new certification criterion for a standardized FHIR-
based API for public health data exchange in Sec.  170.315(g)(20), 
which we also proposed to adopt as part of the Base EHR definition.
    <bullet> Dynamic Client Registration Protocol. Add requirements to 
support dynamic client registration and subsequent authentication and 
authorization for dynamically registered apps for patient-facing, user-
facing, and system confidential applications. Specifically, add these 
requirements to:
    [cir] Sec.  170.315(g)(10) certification criterion;
    [cir] Sec.  170.315(g)(20), (30), and (32) through (35) proposed 
certification criteria;
    [cir] Sec.  170.315(j)(2), (5), (8), and (11) proposed 
certification criteria; and
    [cir] API Conditions and Maintenance of Certification requirements 
in Sec.  170.404.
    <bullet> Modular API Capabilities. Add a new paragraph (j) to Sec.  
170.315 titled ``modular API capabilities.''


[[Page 60604]]


    Note: We finalized two new criteria: ``workflow triggers for 
decision support interventions--clients'' (45 CFR 170.315(j)(20)) 
and ``subscriptions--client'' (45 CFR 170.315(j)(21)) in the HTI-4 
Final Rule.

    <bullet> Patient, Provider, and Payer APIs. Adopt a set of 
certification criteria in 45 CFR 170.315(g)(30) through (36) to support 
data exchange between healthcare payers, providers, and patients.

    Note: We adopted electronic prior authorization criteria in 45 
CFR 170.315(g)(31), (32), and (33) in the HTI-4 Final Rule based on 
the capabilities originally proposed in the HTI-2 Proposed Rule for 
the ``prior authorization API--provider'' certification criterion 
(45 CFR 170.315(g)(34)).

    <bullet> Conditions and Maintenance of Certification. Revise the 
Insights and Attestations Conditions and Maintenance of Certification 
requirements.
    <bullet> Definitions in 45 CFR 171.102. Revise the definition of 
``health care provider'' and add definitions for ``business day or 
business days'' and ``health information technology.''
    <bullet> Interference. Add a new section (45 CFR 171.104) to codify 
certain practices that constitute ``interference'' and ``interfere 
with'' (as defined in Sec.  171.102) for purposes of the information 
blocking definition in Sec.  171.103.
    <bullet> Requestor Preferences Exception. Adopt a new exception in 
Sec.  171.304 for actors limiting, when asked to by a requestor, how 
much EHI is made available to that requestor, including when and/or 
under what conditions the EHI is made available.
    <bullet> Infeasibility Exception--Responding to Requests Condition. 
Modify the responding to requests condition (Sec.  171.204(b)) to 
clarify timeframes for telling requestors why requested access, 
exchange, or use of EHI is not feasible.

Robert F. Kennedy Jr.,
Secretary, Department of Health and Human Services.
[FR Doc. 2025-23890 Filed 12-22-25; 4:15 pm]
BILLING CODE 4150-45-P


</pre></body>
</html>