AHA Comments on ASTP/ONC Health Care Technology Interoperability Proposed Rule

February 27, 2026

Thomas Keane, M.D., MBA
Assistant Secretary for Technology Policy
National Coordinator for Health Information Technology
U.S. Department of Health and Human Services
330 C Street, SW, 7th Floor
Washington, DC 20024

Submitted Electronically

RE: RIN 0955-AA09 Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity

Dear Assistant Secretary Keane,

On behalf of our nearly 5,000 member hospitals, health systems and other health care organizations, our clinician partners — including more than 270,000 affiliated physicians, 2 million nurses and other caregivers — and the 43,000 health care leaders who belong to our professional membership groups, the American Hospital Association (AHA) appreciates the opportunity to provide comment on the “Health Data, Technology and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity” (HTI-5) proposed rule.

The AHA values the role that the Assistant Secretary for Technology Policy (ASTP)/Office of the National Coordinator for Health Information Technology (ONC) plays in promoting data interoperability and advancing the development and use of health information technology (IT). Increased data interoperability in the health care ecosystem can support better continuity of care, more informed decision-making, reduced clinical errors and, ultimately, better patient outcomes. The AHA applauds many of the steps ASTP/ONC proposes in this rule to remove regulatory barriers and provide a vision for the certification program’s future, moving toward more flexible frameworks for data exchange.

While more detailed comments follow, our primary recommendation for each of the broad goals of the HTI-5 proposed rule is to:

• Develop a Reasonable Glidepath to Transition to Fast Healthcare Interoperability Resources (FHIR)-based Certification Criteria. The goal of transitioning the certification program to FHIR-based criteria is laudable; however, we urge the agency to provide reasonable timelines to allow for testing and for providers to align resources. Additionally, we urge the agency to maintain Consolidated Clinical Data Architecture (C-CDA)-based criteria since many rural providers, for example, remain dependent on this exchange framework.
• Preserve Certain Certification Criteria. We appreciate ASTP/ONC’s thoughtful review of certification criteria to identify opportunities for removing unnecessary burden. Due to potential risks, certain criteria should be retained in their current form rather than removed or revised as proposed. Specifically, we urge ASTP/ONC to maintain current privacy and security criteria, as well as transitions of care and decision support interventions criteria.
• Retain Information Blocking Definition and Third-Party Seeking Modification Exception; Repeal Imbalanced Provider Disincentives. Hospitals are committed to removing barriers to interoperability and supporting health data exchange. With respect to the formal integration of artificial intelligence (AI) into information blocking definitions, we recommend that the agency first evaluate impacts and identify where additional guidance may be required before updating definitions. We also urge the agency to retain the “third-party seeking modification infeasibility exception” because it protects patient safety and prevents third parties from inappropriately modifying providers’ records without their knowledge. We also urge the agency to repeal the excessive provider disincentives that were finalized under the Biden administration.

TRANSITION TO FHIR-BASED CERTIFICATION CRITERIA AND STANDARDS

In the HTI-5 proposed rule, ASTP/ONC states its intent to reduce and remove non-FHIR-based certification criteria from the certification program to reduce burden on health IT developers and to enable the agency to shift the certification program to a FHIR-based foundation in the future. ASTP/ONC suggests this shift would enhance automation and application programming interface (API) performance, move systems beyond read-only interactions, and expand the scope of data available to support clinical efficiency, patient-centered care and timely reporting.

The AHA sees significant potential in expanding the use of FHIR, as this standard is more flexible than many other available frameworks. At the same time, transitioning to only FHIR-based standards will be complex. Migration to exclusively FHIR API standards is predicated on the electronic health record vendors and developers, as well as provider readiness. Regarding technical capacity, developers are still addressing challenges like bulk data export. Abbreviated timelines to transition to exclusively FHIR-based exchange may move FHIR standards to production prematurely without necessary testing or fully addressing challenges. In terms of provider readiness, many rural and smaller hospitals do not have the resources to transition to only FHIR-based API exchange. For these reasons, we urge ASTP/ONC to pursue realistic timelines and not set arbitrary certification criteria migration dates.

In the proposed rule, the agency proposes to remove 34 certification criteria and revise an additional seven to make room for future FHIR-based standards. Furthermore, the agency proposes that all 41 removals or modifications be effective either as of the date of the final rule or no later than Jan. 1, 2027. This abbreviated timeline is not feasible, especially considering that corresponding alignment would be required for many criteria through the Centers for Medicare & Medicaid Services’ (CMS) Promoting Interoperability Program for hospitals and clinicians. Even if hospitals were able to transition by Jan. 1, 2027, the effective date would not allow for adequate time for testing. We urge the agency to pursue realistic timelines to migrate to FHIR-based standards and to coordinate with CMS to ensure alignment with Promoting Interoperability Program timelines and requirements. At a minimum, the agency should provide 24 months for transitioning certification criteria after updates are made to both certification criteria and corresponding CMS programs through final rules.

Finally, HTI-5 proposes to remove existing C-CDA-based criteria to make room for FHIR-based standards. Many providers, particularly in rural and underserved areas, rely on C-CDA-based exchange. We are concerned that removing this baseline exchange functionality may jeopardize providers’ ability to exchange data when FHIR is unavailable or cost-prohibitive. Furthermore, if C-CDA criteria are removed, we are concerned that developers will charge providers fees to retain such functionality. Oftentimes, when a service or functionality falls outside of baseline requirements for certification, the feature will be considered an add-on and vendors may charge additional fees. Given that resource constraints are often barriers to transitioning to FHIR APIs in the first place, if vendors charge additional fees to retain C-CDA functionality, some providers may be put in a position where they cannot afford to transition to FHIR while simultaneously not able to afford maintenance of their current exchange format. Therefore, baseline exchange functionality and participants could actually degrade as a result of this policy. As such, we recommend that the agency retain C-CDA criteria and consider incentives to support migration to FHIR API standards.

CERTIFICATION CRITERIA

We appreciate the administration’s efforts to reduce regulatory burden and applaud ASTP/ONC for its thoughtful review of existing certification criteria to identify opportunities to remove outdated or duplicative requirements. We recognize that removing certain elements can support reduced costs and drive efficiencies in the certification program. We hope that regulatory burden reduction for developers will result in increased innovation, reduced time to market for solutions and lower costs for providers purchasing or licensing these tools. 

While AHA supports several of ASTP/ONC’s proposals, we recommend the agency retain some criteria that have been proposed for removal or revision.

Decision Support Interventions

The AHA recommends that the agency retain the current decision support interventions (DSI) criterion. The criterion provides users with information on DSI performance and quality. ASTP/ONC proposes several revisions to the DSI certification criteria, to be effective as of the date of the final rule. Notably, the agency proposes to remove the “AI model card” requirements related to source attributes, access and modification, as well as requirements to manage risks related to the development and deployment of predictive DSIs. The agency asserts that there is no publicly available evidence that transparency requirements have led to positive impacts on patient care, such as removing deficient or untested algorithms or testing a deployed algorithm on local data.

While we appreciate that the agency is attempting to identify criteria that may be of limited value, we have heard from hospitals that this criterion is one of the few examples of transparency standards providing information on AI to help inform procurement and implementation of tools. One of the primary barriers to AI adoption has been the “black box” nature of algorithms. This criterion provides information on how a predictive or generative AI application was designed, developed, tested, evaluated and should be used. These data are critical to foster trust in AI tools and ensure patient safety.

Transitions of Care

The AHA recommends that ASTP/ONC retain the current transitions of care criterion. In the HTI-5 proposed rule, ASTP/ONC proposes to revise the “transitions of care” certification criterion with an effective date of Jan. 1, 2027. The agency proposes to reduce the scope of the criterion to focus on enabling the receipt of a C-CDA document as a way to position this criterion for a future evolution to receipt of FHIR-formatted data. ASTP/ONC acknowledges that the C-CDA standard is still widely used and anticipates its continued use over the near-term, especially for transitions of care among health care delivery settings (e.g., between inpatient and long-term and post-acute care). We echo our concerns above regarding transitioning from C-CDA standards prematurely and the reliance providers have on this exchange framework.

Furthermore, ASTP/ONC specifically proposes to revise the criterion to remove “create” requirements. This provision includes requirements for patient matching within continuity of care documents, such as name, date of birth, current address, phone number and sex. Patient matching is a foundational process for patient safety. One cannot assure that a patient receives the right care, at the right place, at the right time, without first ensuring that it is the right patient. First and foremost, misidentification of patients is a patient safety issue that can lead to medical errors and adverse outcomes. Misidentification also raises privacy concerns, where data may be sent to the wrong patient, resulting in unauthorized disclosures. In other instances, it can result in billing delays, duplicative testing and claims denials. Retaining the patient matching requirements is essential for ensuring patient matching occurs for patient referrals.

Privacy and Security

ASTP/ONC proposes to remove all 13 privacy and security certification criteria and the associated Privacy and Security Certification Framework as of the final rule's effective date. The agency states that privacy and security requirements are diverting financial resources and efforts from innovative solutions that can address threats faced by health care providers.

AHA recognizes the important role of developers in fostering innovative health IT applications and agrees that the proposed changes could reduce barriers for them. At the same time, this innovation should be balanced with reasonable policies that protect sensitive patient data and ensure security and privacy. The AHA is concerned that the proposed removal of all privacy and security certification criteria has risks that outweigh potential benefits.

Cybersecurity is critical to ensuring that hospitals can provide safe, high-quality care to their communities. Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks that can disrupt patient care and erode privacy through personal health care data loss. Even with significant investment, the health care ecosystem continues to defend against unprecedented cyberthreats. According to the HHS Office of Civil Rights, the number of individuals impacted by health care data breaches increased from 27 million in 2020 to a staggering 259 million in 2024. In 2024, the Change Healthcare ransomware attack alone resulted in the theft of 190 million Americans’ personal health information — the largest health care data breach in history. Removing baseline cybersecurity requirements from the certification program at such a time poses significant risk to the entire health care ecosystem.

We are also concerned that removing the privacy and security criteria would inappropriately shift risk and cost to providers. Developers may impose additional fees for these features since they would be considered “add-on” services. Instead of saving costs and reducing burden, the costs and burden would shift to end users.

The agency also asserts that privacy and security criteria have been widely adopted. This may be true for existing certified health IT products, but it may not be true for new entrants and future certified technologies. Baseline privacy and security criteria provide a foundation for security for all health IT products used across the health care ecosystem. The AHA has long supported secure-by-design principles and the HHS Cybersecurity Performance Goals. The current privacy and security certification criteria are aligned with these guiding frameworks to ensure that essential features are integrated before the products are developed.

For these reasons, we urge ASTP/ONC to retain all privacy and security certification criteria.

CONDITIONS AND MAINTENANCE OF CERTIFICATION REQUIREMENTS

Real World Testing

The AHA recommends that ASTP/ONC retain the current real-world testing conditions and maintenance of certification requirements. As a condition and maintenance of certification, health IT developers must successfully test the real-world use of the technology for interoperability in the type of setting in which such technology would be marketed.

In the HTI-5 proposed rule, the agency proposes to descope the “Real World Testing” Condition and Maintenance of Certification requirements. Specifically, the agency proposes to 1) remove the requirement for health IT developers to submit real-world testing plans for all real-world testing certification criteria; 2) limit full real-world testing results reporting to only Health IT Modules that are certified to certain API certification criteria; and 3) permit the use of the Specialty Validated Assessment Program for the remaining non-API real-world testing certification criteria with minimal reporting requirements.

These requirements have provided necessary transparency and assurances to end users that technologies have been tested for functionality in live environments. Providers rely on this information to ensure that products will function in real-world settings versus lab settings. As technology advances with the advent of tools like AI, this transparency becomes even more crucial.

INFORMATION BLOCKING

The AHA has long supported transparency of critical health data for patients and the clinicians treating them. Timely access to data can help patients make more informed decisions about their health. Our recommendations on information blocking proposals are below.

Access and Use Definitions

In the HTI-5 proposed rule, ASTP/ONC proposes to explicitly codify that “access” means the ability or means necessary to make electronic health information (EHI) available for exchange or use, including by automation technologies such as robotic process automation and autonomous AI systems. Similarly, ASTP/ONC proposes to explicitly codify that “use” means the ability for EHI, once accessed or exchanged through whatever technological means, to be understood and acted upon, including, without limitation, by automation technologies such as autonomous AI systems and robotic process automation. 

We recognize AI’s potential to transform care delivery and appreciate the role data interoperability plays in supporting the advancement of AI tools. We also appreciate the need for clarity on how AI tools intersect with information blocking regulation. However, the formal integration of AI into information blocking regulation definitions requires additional guidance, particularly considering potential intersections with HIPAA and state privacy and AI laws and regulations. The AHA encourages the agency to evaluate broader guidance on the applicability of information blocking exceptions for AI — such as guidance on use of data beyond intended purpose — before adopting updated definitions.

Third-party Seeking Modification Exception

ASTP/ONC’s information blocking rule includes an infeasibility exception with several specific use conditions that enable the rules to be waived. In the proposed rule, ASTP/ONC would remove the Third-party Seeking Modification use condition from the Infeasibility Exception. The agency asserts that the exception is susceptible to misuse by actors withholding EHI to unnecessarily inhibit access, exchange and use of EHI by third parties.

However, the AHA urges the agency to retain the third-party seeking modification exception as we believe it provides important patient safety and liability protections for providers. The infeasibility exception ensures that stakeholders not fulfilling a request to access, exchange or use EHI due to the infeasibility of the request are not penalized for information blocking. This particular exception prevents inappropriate modifications by third parties to providers’ legal medical records. Without this exception, third parties may enter data without the providers’ knowledge, and providers may be responsible for data they did not enter, review or verify. Removing this exception raises patient safety and liability concerns.

We recognize ASTP/ONC’s concern that the exception could be misused. However, we believe such misuse would be better addressed through guidance and FAQ documents that more clearly articulate what may constitute inappropriate uses of this exception. The potential liability and patient safety risks of an outright removal of this exception outweigh any benefits associated with mitigating misuse.

Information Blocking Disincentives

While the HTI-5 rule does not address information blocking disincentives, we remain concerned that the 2024 rule establishing disincentives for providers found to have committed information blocking is excessive, confusing and imbalanced. Under the “21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking” (RIN 0955-AA05) rule that was finalized under the Biden administration, hospitals and providers found to engage in information blocking may face reductions in Medicare payment updates, adjustments to reimbursement rates, lower performance scores and potential ineligibility for certain incentive programs.

Specifically, hospitals under the Medicare Promoting Interoperability Program found to have committed information blocking would experience a reduction of the market basket update by 75%. Critical access hospitals would see a reduction from 101% to 100% of reasonable costs, while clinicians in Medicare's Merit-based Incentive Payment System (MIPS) would receive a score of zero in the MIPS Promoting Interoperability performance category. Providers in accountable care organizations that commit information blocking would be ineligible to participate in the Medicare Shared Savings program for at least one year and may not receive revenue they may have earned through the program.

The disincentive structure in this rule is excessive, so much so that it may threaten the financial viability of economically fragile hospitals, including many small and rural hospitals. In addition, the processes by which the Office of the Inspector General will determine if information blocking has occurred are unclear, including the appeals process, giving this rule the appearance of being arbitrary and capricious. We therefore urge the agencies to repeal these disincentives.

Again, we applaud ASTP/ONC’s ongoing work to ensure that providers and patients have access to timely data to better inform care delivery. We look forward to continuing to work with the agency to migrate toward flexible data exchange frameworks, remove unnecessary barriers to data exchange and provide reasonable standards to support data privacy and security. Please contact me if you have questions, or feel free to have a member of your team contact Jennifer Holloman, AHA’s director of health IT policy, at jholloman@aha.org.

Sincerely,

/s/

Ashley Thompson
Senior Vice President
Public Policy Analysis and Development