
February 27, 2026

Thomas Keane, MD, MBA
Assistant Secretary for Technology Policy
National Coordinator for Health Information Technology
U.S. Department of Health and Human Services
330 C Street, SW, 7th Floor
Washington, DC 20024

Re: RIN 0955-AA09

Submitted electronically via http://www.regulations.gov

Dear Assistant Secretary Keane:

The Workgroup for Electronic Data Interchange (WEDI) writes today in response to the “Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity” (HTI-5) proposed rule published in the December 29, 2025, edition of the Federal Register.

WEDI was formed in 1991 by then Department of Health and Human Services (HHS) Secretary Dr. Louis Sullivan to identify opportunities to improve the efficiency of health data exchange. Named in the Health Insurance Portability and Accountability Act (HIPAA) legislation as an advisor to the Secretary of HHS, WEDI is the leading multi-stakeholder authority on the use of health information technology (IT) to efficiently improve health information exchange, enhance care quality, and reduce costs. With a focus on advancing standards for electronic administrative transactions, and promoting data privacy and security, WEDI is recognized and trusted as a formal advisor to the Secretary. Our diverse membership includes health plans, providers, standards development organizations, vendors, federal and state government agencies, and patient advocacy organizations.

WEDI supports and shares the Assistant Secretary for Technology Policy (ASTP)/Office of the National Coordinator for Health Information Technology’s (ONC) goals of leveraging health IT's advanced capabilities and functions to decrease burden and streamline processes to improve the quality of care while minimizing administrative costs. We applaud ASTP/ONC for its ongoing work in advancing interoperability of health information. Developing and implementing standards and processes that encourage the effective and efficient exchange of health information will serve as an important catalyst for improving the nation’s health care delivery system.

To aid us in developing our response to this proposed rule, WEDI conducted a Member Position Advisory (MPA) event on February 3, 2026. Through surveys, interviews, and live events, the MPA process is designed to solicit WEDI member input on topical issues, public and private sector proposals, and government regulations. Individuals representing health plans, providers, standards development organizations, clearinghouses, electronic health record (EHR) vendors, consultants, and other health IT vendors participated in the session.

Introductory Comments

WEDI’s mission and work are driven by easing administrative burden, putting patients at the center of their care, implementing consensus based, mature standards that support automation, and maintaining appropriate safeguards for privacy, security, and confidentiality. With its emphasis on reducing burden and promoting effective data exchange, we support the direction of this proposed rule, and we appreciate the work of ASTP/ONC to improve health IT and reduce administrative burden for all health care stakeholders.

WEDI’s comments are based on key guiding principles that are integral and essential considerations of any regulatory action. Specifically, meeting the goals of the bipartisan 21st Century Cures Act requires that relevant stakeholders have ready access to several critical capabilities and functions. Patients and providers must have access to the clinical data that leads to improved care delivery. New standards and innovative technologies offer the promise of more efficient data exchange and reduced administrative burden. As ASTP/ONC explores opportunities to improve the health technology environment, it is important to design a transition that:

  • Ensures the health information needs of the patient and their caregivers are at the center of the ecosystem.
  • Promotes seamless, automated data exchange through mature, clear, and unambiguous standards that have been thoroughly evaluated and demonstrate meaningful return on investment.
  • Integrates data exchange efficiently within the health plan, provider, and other end-users’ workflows.
  • Maximizes the most current data privacy and security safeguards for protecting patients’ health information.

Specific Comments on the Proposed Rule

Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology (Part 170)

WEDI recognizes the intent of the proposals in this section of the proposed rule is to remove or revise the identified certification criteria in the ONC Health IT Certification Program (Certification Program) because they are outdated or duplicative of other requirements. In general, we support this effort as it will reduce burden and costs for all health care stakeholders. While ASTP/ONC does not anticipate the proposed removals or revisions will change the products currently offered by health IT developers, we do have concerns that this may be too strong of an assumption. Developers may not initially change their products, but as the products continue to evolve with new functionalities and requirements, developers may begin to remove older capabilities where the certification is no longer required, thereby impacting the users of those products.

For new developers entering the health IT market, without requiring certain certification criteria, they may never include those functionalities in their products leaving users to purchase those missing but necessary capabilities as add-on services from the developer or other outside vendors. ASTP/ONC states that certification is likely no longer a primary factor driving developers’ improvements or compliance in their products, but the users of the products have come to depend on certain functionalities being included.

We also have concerns about the compressed timelines and speed at which these changes are being proposed for removal or revision. A more practical and reasonable timeline is preferred to allow adequate time for developers and users to accommodate these changes.

The following are specific comments that WEDI has for the Certification of Health Information Technology proposals.

1. Clinical Certification Criteria

Patient Demographics

This proposal would finalize the enforcement discretion put in place in March 2025 related to the U.S. Core Data for Interoperability (USCDI) Version 3 (v3).

WEDI recommends that Patient Demographics be removed instead of revised and replaced with the USCDI, as USCDI has a specific, lengthy list of patient demographic data elements.

Clinical Decision Support

It is our understanding that the current Decision Support Intervention (DSI) certification requirement is being revised to the point that it has limited capabilities, specifically due to the removal of supporting the source attributes and the intervention risk management practices.

While there may be a perspective that DSI has not provided value, we heard in our MPA that physicians have found it to be a valuable component in making informed decisions about artificial intelligence (AI) purchases, implementation, and use. Specifically, physicians have identified trust, transparency, and knowledge about AI use and functionality as a centerpiece in their ability and desire to use AI in their practice. Transparency and information about limitations, data use, privacy, and bias are necessary for the use of AI in clinical decision making, which is the basis for the CDS criterion.

WEDI recommends that this proposal not be finalized as proposed.

2. Care Coordination Certification Criteria

Transitions of Care

This proposal is to remove the certification criterion for the ability to create and send a compliant Consolidated Clinical Document Architecture (C-CDA), as well as receive a C-CDA. WEDI has concerns with this proposal. The first is whether the removal will reduce the burden on providers and developers or will it become more burdensome, because not testing these capabilities means that potentially the receiving system will not be able to import the data, causing disruptions in data exchange and possibly patient care. Second, the Transitions of Care is still a C-CDA criterion and has heavy usage, specifically for patient referrals that include sending data from the patient’s medical record. Lastly, this change has the potential to shift the burden of C-CDA functionality from the developer to the provider.

Other questions about the move from the C-CDA to a FHIR exchange include:

  • Can a gateway system create and send a C-CDA document from FHIR resources?
  • Is Clinical Document Exchange (CDex) intended to be the FHIR replacement for C-CDA or is the purpose of CDex to allow interaction with C-CDA via attachments?

We believe it is too soon in the transition to Fast Healthcare Interoperability Resources® (FHIR®)-based data exchange to remove these testing criteria for certification.

WEDI recommends that this criterion not be revised until additional evaluation can be done on the impact it will have on clinical document exchange.

3. Privacy and Security Certification Criteria

General

WEDI has commented extensively to HHS, ASTP/ONC, the Centers for Medicare & Medicaid Services (CMS), and the HHS Office for Civil Rights (OCR) on the topic of privacy, security, cybersecurity, and confidentiality, as we feel strongly about the stewardship of patients’ health information by all within the health care ecosystem. Health care organizations continue to be highly vulnerable to data breaches, ransomware and cyberattacks, and general data leaks. We do not believe this is an appropriate time to remove any privacy and security controls or protections for patient health information. In contrast, the continual reporting of data breaches, OCR actions, and high-profile attacks has made industry leaders and policymakers aware of the urgent need for enhanced privacy and security measures.

It is a well-accepted industry standard that security by design is the norm for system development. Security must be embedded in the system from the outset. It has been a longtime effort to get these functionalities into developers’ product design, which has finally been achieved. Again, the assumption is that these functionalities are well-established by developers and will not be removed from existing products. New developers entering the market may not have the same understanding for the prioritization of these functionalities. Speed to market should not take priority over IT security and privacy controls.

Leaving this work to individual providers to build in their security controls would be much more burdensome, difficult, expensive, and prone to errors. These capabilities are not readily available outside of the applications that are supposed to incorporate them. For users of these products to have to go to the market to purchase or license the technology that incorporates all these capabilities outside of the software applications would be difficult and burdensome. These capabilities need to be embedded in the products. Given the prevalence of cyberattacks against health care organizations and likely continued increase, the removal of these criteria may inappropriately weaken security as the burden to incorporate these measures into systems is shifted to providers, along with the added financial burden.

We recognize ASTP/ONC’s goals of an application programming interface (API)-based certification program, and that these efforts are likely informing the agency’s removal of criteria.

Expanding API use and scope without explicit security expectations increases the attack surface and heightens the likelihood of credential compromise, bulk exfiltration, and downstream misuse, risks that frequently land on physicians even when failures originate in vendor systems or third-party tools. Advancing the safe and effective use of APIs will necessitate stronger privacy and security certification requirements.

Additionally, OCR continues to issue corrective action plans where they cite that the provider organization or business associate did not complete a thorough, comprehensive risk assessment, and other requirements were not met. If an organization does not know the data it is handling or the technical controls in place that help protect that data, it puts data privacy and security at risk. If these certification requirements are removed as proposed, developers would no longer have to make that functionality available in their products. Even if these criteria are duplicative, this is the one location where all privacy and security IT certification is in one place.

WEDI recommends that the privacy and security certification criteria remain in place, as we do not believe their removal is in the industry’s best interests for the protection of patient health information.

Auditing Actions on Health Information and Accounting of Disclosures

WEDI supports the removal of the auditing actions on health information and accounting of disclosures criteria, as these are duplicative of auditable events. WEDI recommends these criteria be removed as proposed.

Encrypt Authentication Credentials and Multi-Factor Authentication

WEDI commented on the “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (HTI-2) proposed rule in October 2024 in support of the ASTP/ONC proposal, at that time, to revise the existing multi-factor authentication (MFA) certification criterion by replacing the current “yes” or “no” attestation requirement with a specific requirement to support MFA on and after January 1, 2028. We recommended that the agency encourage developers to collaborate with their provider customers to ensure that effective security controls are not only available but are effectively deployed.

Review of this proposal drew the same conclusion to retain these criteria and revise them to be more meaningful with certification. The encrypt authentication credentials and MFA requirement for the vendor to simply attest that they support or do not support these functionalities is not sufficient to meet privacy and security needs of today. Certification of a product should inform the user that the product meets these functionalities, not just an attestation, yes or no, for the criteria.

WEDI recommends that these criteria be retained and the certification requirement be revised to require certification of these functionalities, as was proposed in the HTI-2 proposed rule.

4. Patient Engagement Certification Criteria

View, Download, and Transmit to Third Party

WEDI supports the removal of the Network Time Protocol standard as it is our understanding that it is well-established as a functionality and developers would be unlikely to remove it if the certification criterion was removed. As such, WEDI recommends this criterion be revised as proposed.

5. Public Health Certification Criteria

Transmission to Public Health Agencies – Electronic Case Reporting

WEDI has concerns about the proposed removal of the electronic case reporting criterion and believes it would be a step backward for conducting this data exchange. While we understand there are other data exchange methods for this functionality, i.e., app, C-CDA, FHIR, there is wide adoption of the current standards. The functionality of case reporting has a solid framework and technical capability for current and future health reporting needs.

We see the removal of this criterion as a shifting of burden from developers to providers. While we understand that this functionality would not likely be removed immediately, we do have concerns that when something is not required, a request to the developer to have it included in the EHR will result in an added cost for it, which will be difficult for smaller providers to maintain.

WEDI recommends this criterion not be revised as proposed.

6. Design and Performance Certification Criteria

Automated Numerator Recording and Automated Measure Calculation

The automated numerator recording and automated measure calculation are the criteria that developers certify to showing they can calculate the performance improvement measures. We have concerns that removing these criteria will result in a lack of assurance for providers that their metrics are accurate. We question whether CMS has been consulted on this proposal and how they will respond to the removal of these certification criteria from EHRs. We are aware that there is a desire to reduce burden on the developer community but are concerned when that burden is shifted to another stakeholder, in this case the physicians and other clinicians subject to the CMS Merit-based Incentive Payment Systems (MIPS). There are significant consequences related to compliance and meeting the requirements of MIPS in the Quality Payment Program, including steep penalties from noncompliance or missing certain performance measures. Removal of these criteria may have downstream consequences for physicians and other clinicians to be successful in a program that is required by CMS.

WEDI recommends these criteria not be removed as proposed.

7. Transport Methods and Other Protocols Certification Criteria

Direct Project and Direct Project, Edge Protocol, and XDR/XDM

Certification criterion for View, Download, and Transmit requires users to have the ability to send a C-CDA to a primary and alternate system via a secure and unsecured method.

Currently, the secured email is frequently sent using Direct. While we anticipate developers will not immediately remove Direct from their solutions and will continue to include it for several years, the concern is with new vendors entering the market not including these conformance standards if they are removed from the Certification Program.

WEDI recommends these criteria not be removed as proposed.

Standards and Implementation Specifications

The following are specific comments on the Standards and Implementation Specifications proposals:

Real World Testing

WEDI has previously been very supportive of real-world testing and the value it brings to implementing new and modified standards, products, and functionalities. Real-world testing provides proof that the product that has successfully tested will operate as expected outside of the laboratory setting.

WEDI has concerns with the proposals to remove the requirement for developers to submit their real-world testing plan on a yearly basis and limit results reporting to API-focused certification criteria. We understand that users of products want to know that what worked in the laboratory will work in their environment. Additionally, these proposals appear to be removing transparency requirements for some of the technology solutions. Maintaining real-world testing is a key factor for users’ confidence that the product will function to the advertised specifications. While we recognize there is some burden on developers to meet these requirements, they give assurance to the users that the certified product will function in the real world.

WEDI recommends that the real-world testing requirements not be changed.

Insights Conditions and Maintenance of Certification

The proposed rule indicates that these metrics might be changed on a yearly basis. This approach could be concerning for developers, as they require sufficient time to receive the new metrics, develop the specifications, code, and test them. Having these metrics change on a yearly basis will be added burden for them.

WEDI recommends that changes to these metrics be made based on a thorough analysis of the time required to implement the modified metrics and the value of the proposed changes.

Information Blocking (Part 171)

Terms and Definitions

While we appreciate the clarity and lack of ambiguity that is being addressed with the proposed changes to these definitions, we have concerns about the introduction of AI into these concepts for information blocking. Effective, efficient, and practical AI will require access to information.

This proposal is problematic because there is an explicit requirement that access, use, and exchange must now recognize AI.

There is already confusion about what constitutes information blocking as it relates to the intersection of HIPAA and state law. Adding to the confusion, states are promulgating regulations on AI. Should this proposal be finalized, providers could be put in the position of trying to comply with at least three sets of regulations, information blocking, HIPAA, and state law, balanced with their obligation to protect patient privacy.

This is not to say that AI is not beneficial and does not have a place in data exchange. The concern is the rapid trajectory that AI is currently on, without the necessary guidance, clarity, and precautions in place. Establishing appropriate guardrails and limits on how information can be used, outside of the initial request, is critical once AI tools access the information. There is no ability of providers for limiting AI's use of the data and avoiding information blocking.

WEDI recommends that this proposal not be finalized and additional work be done to evaluate the implications of AI access to health information in the context of information blocking.

Infeasibility Exception

Allowances for appropriate instances where information is withheld are necessary. The rationale for removing the Third Party Seeking Modification Use Condition is framed as abuse of the exception. While abuse of an exception is inappropriate and should not be tolerated, the exception should not be eliminated for those that are using it appropriately. If there are abuses of an exception, then there should be strong enforcement and penalties. We believe it is too soon to remove an exception that provides value to those who are using it appropriately simply because some may be abusing it.

We are supportive of the proposal to remove the Manner Exception Exhausted Condition, as it does create confusion. It has been a subject of some abuse by certain users, and more stringent criteria here may not necessarily solve the problem.

WEDI recommends maintaining the Third Party Seeking Modification Use Condition and removing the Manner Exception Exhausted Condition.

Additional General Comments

WEDI offers the following additional general comments:

These certification criteria are an EHR-only approach. Stepping back and looking at this from a health care ecosystem-wide view, we need a broader understanding of what is being put in place and how it impacts the various stakeholders. If we are going to take something away, what is the reason? What value does it currently provide and to whom? What are we putting in place in that absence and what happens in the interim while new data exchange standards are being created? We support burden reduction but urge the agency to avoid shifting burden from one stakeholder to another. We also support reducing or eliminating outdated and low-value certification requirements. At the same time, we are concerned about the risk that the burden will be shifted to the end users of the technology.

While we understand and support moving forward with adopting and implementing new technology and standards that are fit for purpose, we are concerned about the compressed timelines and speed at which changes are being proposed in the absence of having appropriate guardrails in place to ensure the technology and standards achieve the needs and do not introduce new burdens and threats. Complete API access and use with write and read capabilities will significantly increase the volume and velocity of information exchange. Attention needs to be paid to protecting information, particularly cybersecurity and data privacy.

Given the changing market landscape anticipated by these proposals, we encourage ASTP/ONC to develop resources to support EHR acquisitions and due diligence, such as “example acquisitions criteria” for those criteria that are removed but still considered important for users.

There is value in removing a substantial number of regulated functionalities and certification criteria and moving to a FHIR API environment. We contend, however, that certain functionalities being proposed for removal from certification are still necessary.

Removing core functionalities from EHRs risks creating gaps that will force users to pay additional costs for what will become system upgrades or purchase external services.

Providers will still be required to meet regulatory requirements, and the needs of their patients, for privacy and security regulations, HIPAA, and CMS programs. We are concerned that by removing criteria from the Certification Program, the burden is being shifted back to providers.

We encourage ASTP/ONC to develop measurement criteria around the removal of certification requirements to monitor for unintended consequences. It is one thing to remove a requirement where there is universal adoption, but another when a certain level of effort to prove compliance is required. ASTP/ONC could also conduct a survey of certified vendors focusing on the status of these certification requirements proposed for removal and ask questions about whether the functionality is still available, widely used, part of a standard implementation, a separate module, requires an additional fee, etc.

With the number of certification criteria being proposed for removal or revision, will any current developers no longer be certified and what will be the ripple effect for providers who are using those products?

With respect to specific certification criteria, there is overlap with CMS programs, e.g., MIPS and the Promoting Interoperability Program. A comprehensive review is needed to ensure that removal of certification criteria does not eliminate certain capabilities that are needed to efficiently and effectively meet CMS program requirements. Without having certified tools in EHRs to support these requirements, providers participating in these programs will face a higher burden. ASTP/ONC should work closely with CMS on coordinating program requirements to ensure the changes do not undermine the integrity of other required programs or put compliance and performance at risk for providers.

The substantive number of certification criteria that are proposed for removal or revision will cause much transformative change that may perhaps be better suited for an iterative approach.

Overall, WEDI recommends that ASTP/ONC continue to monitor the effects of removal of certification criteria on EHRs’ functionalities and restore any criteria where a critical need is identified.

New Foundation for FHIR

WEDI supports moving towards more FHIR-based APIs as a method for data transport. At a high level, the industry needs a better understanding of ASTP/ONC's more specific timeline and implementation plan for migrating to a FHIR-based exchange standard across the health IT ecosystem. The proposed rule shows a rapid succession with compressed timelines to migrate to this innovative approach. While many in the industry support the flexibility and capability of FHIR-based API exchange, there are a significant number of health care organizations, specifically providers that are small and medium-sized and in rural environments, where the capability to support API-only exchange is lagging and may not meet the timeline envisioned by ASTP/ONC.

In moving to a FHIR-based API ecosystem and re-evaluating the Certification Program, assurances are needed that the APIs function as efficiently and effectively and conform to the necessary capabilities as current technology does. Doing away with a substantial number of the certification requirements in EHRs could be problematic. Requiring specific functionalities in EHRs through the Certification Program ensures that the EHRs have those capabilities. While there is an argument to be made that EHR products already support those capabilities, there is a concern that doing away with requirements and going to API-only functionalities loses those standardized requirements that are consistent across products and will cause unnecessary variability, which will have a greater impact on smaller organizations.

We appreciate efforts from the administration to reduce some of the regulatory burden across stakeholders. We also see the potential that expanding the use of FHIR has for the health care ecosystem, given its ability to be more flexible than other currently available frameworks. While we appreciate the thoughtful review of some of the certification criteria and the broader vision to transition to FHIR APIs, we do have concerns about FHIR’s readiness and encourage the development of reasonable transition timelines for all health care organizations, with specific consideration for small and rural organizations.

Conclusion

WEDI supports and shares ASTP/ONC’s goals of reducing the burden of health IT certification and leveraging FHIR-based API technology to advance interoperability and create more efficient and effective health data exchange. This drive for innovation must also be balanced with providing the users with products that function to meet the complete needs for delivering patient care.

We appreciate the opportunity to share our perspective on this proposed rule. We hope our comments and recommendations will serve to assist ASTP/ONC as it moves forward with these proposals.

Please contact Robert Tennant, WEDI Executive Director, at rtennant@WEDI.org with any questions on these comments and recommendations.

Sincerely,

/s/

Merri-Lee Stine
Chair, WEDI
cc: WEDI Board of Directors
