Health IT Policy Path for 2026: Signals, Shifts, and Stakeholder Impact

  By Mary Griskewicz, Regulatory Resource Center Lead

A few “holiday gifts” were dropped by federal agencies at the end of 2025, but beyond these recent policy updates, we need to look at what may be on the horizon in 2026. Federal agencies are signaling a move away from expanding prescriptive requirements and toward streamlining existing programs, reducing vendor system certification requirements, and relying more heavily on market-driven adoption. At the same time, enforcement, incentive alignment, and standards governance are becoming more prominent tools for shaping behavior across the healthcare system.

Below, we outline key healthcare information technology (health IT) policy developments and signals that are expected to influence strategy and compliance planning in 2026. It focuses on major rules, programs, and governance changes from the Centers for Medicare and Medicaid Services (CMS) and the Assistant Secretary for Technology Policy, highlighting what these actions suggest about federal priorities and how different stakeholders may be affected. Together, these policy signals provide insight as to where regulations are tightening, where they are easing, and where organizations will be expected to assume greater responsibility.

1. ASTP Direction: Decertification and Accountability Without Safe Harbors
2. DSMO Update and HIPAA Standards Governance
3. TEFCA’s Voluntary Evolution
4. CMS Continued Prioritization of Public/Private Collaboration and Incentive Realignment
5. HTI-5 Proposed Rule and Trajectory Toward HTI-6
6. AI Policy Signals: Data Quality, Governance, and Market Responsibility

The Assistant Secretary for Technology Policy (ASTP) is using its statutory authority to recalibrate the federal role in health IT oversight to align with the current administration’s deregulatory priorities while maintaining firm expectations for interoperability, access, and trust. Rather than expanding or refining prescriptive certification programs for system vendors, ASTP is signaling a deliberate move away from certification as the primary proof point for functionality, compliance, or interoperability readiness.

A defining feature of this direction is its willingness to streamline certification criteria that no longer reflect how health IT operates in the real world. This shift reflects an explicit acknowledgement that certification has increasingly functioned as a compliance floor rather than a reliable indicator of operational performance. In practice, certification has too often been treated as a shield, allowing organizations to point to attestation or conformance artifacts as evidence of success even when workflows fail, data do not move as expected, or users cannot rely on systems in production environments.

Importantly, this movement away from outdated certification requirements does not signal reduced accountability. Instead, it represents a transfer of scrutiny from premarket checklists to postimplementation behavior. In a relaxed certification environment, organizations can no longer default to product certification status as implicit validation. Real-world failures related to access, exchange, security, or information blocking will be more visible and harder to deflect, particularly as enforcement, audits, complaints, and litigation increasingly focus on outcomes rather than certified intent.

Under this posture, responsibility shifts decisively to health systems, payers, and vendors to partner, demonstrating that the technology works as claimed under real operational conditions. Governance, monitoring, incident response, and documentation of actual performance become more important than formal conformance to retired criteria. The absence of certification safe harbors raises the stakes for interoperability failures, elevating reputational, contractual, and enforcement risk for organizations unprepared to operate without regulatory guardrails.

Taken together, ASTP’s direction suggests a future in which fewer boxes are checked up front, but far more attention is paid to what happens after implementation. For stakeholders, success will depend less on certification status and more on demonstrable operational reliability, security posture, and the ability to withstand scrutiny when systems fail to meet expectations in the real world.

Recent updates to the designated standards maintenance organization (DSMO) process signal a meaningful shift in how Health Insurance Portability and Accountability Act (HIPAA)-named standards are evaluated, consulted on, and advanced. The updated approach places greater emphasis on earlier and more coordinated industry engagement, recognizing that standards increasingly shape implementation realities well before changes appear in regulations.

Under the revised DSMO process, there is increased attention on evaluating newer versions of existing HIPAA-named standards rather than relying indefinitely on legacy versions that may no longer reflect current technology or workflows. This shift acknowledges that standards are evolving and policy must adapt to support modernization without causing unnecessary disruption.

Notably, the updated governance model includes formal consideration of Fast Healthcare Interoperability Resources (FHIR®) approaches, particularly for administrative transactions such as prior authorization. While FHIR is not itself a HIPAA-named standard today, its growing role in administrative and clinical exchange has elevated its relevance within standards governance discussions. This reflects broader recognition that modern application programming interface (API)-based approaches are increasingly foundational to scalable interoperability.

The updated DSMO framework also places greater weight on pilots, testing, and real-world implementation evidence as inputs for policy decisions. Rather than advancing standards solely based on theoretical readiness, federal agencies are signaling that demonstrated feasibility and operational experience will matter more in determining when and how standards are elevated in regulation.

ASTP continues to promote the Trusted Exchange Framework and Common Agreement (TEFCA) as the national framework for nationwide interoperability, with the explicit goal of addressing long-standing trust barriers that have historically limited data sharing across the healthcare system. By establishing common governance, legal agreements, and technical expectations, TEFCA was designed to reduce the need for one-off trust negotiations and enable more fluid, scalable exchange across networks.

At the same time, TEFCA’s evolution remains firmly voluntary. There have been no new federal mandates compelling payer or provider participation, leaving adoption dependent on perceived value, operational readiness, and confidence in the framework. For some stakeholders, particularly payers, unresolved questions around obligations under the Common Agreement, including response expectations and operational burden, continue to influence participation decisions. ASTP has indicated it will work with the payer community and others to build participation in a potential workgroup to develop use cases.

Recent developments have brought new scrutiny on whether TEFCA’s trust model will hold up under real-world pressure. Epic’s lawsuit against Health Gorilla, a designated TEFCA-qualified health information network (QHIN), alleges issues with access and data-sharing practices that, if substantiated, could undermine confidence in TEFCA’s ability to function as a trusted national exchange framework. Health Gorilla has issued a statement opposing the lawsuit, claiming the allegations are baseless and that it is prepared to vigorously defend itself. The case is ongoing and outcomes remain uncertain; it highlights how trust and security are foundational to TEFCA’s success and how perceived weaknesses in those areas can reverberate across the broader ecosystem.

Absent new participation mandates, TEFCA’s trajectory will likely depend on whether it can continue to demonstrate that its governance, enforcement, and security mechanisms meaningfully reduce trust rather than introduce new uncertainty. How ASTP, the recognized coordinating entity, and QHINs respond to emerging challenges may determine whether TEFCA accelerates as a national exchange backbone or remains one option among many in the evolving interoperability landscape.

CMS continues to signal a preference for public-private collaboration as a complement to traditional rulemaking, using voluntary initiatives to encourage progress in areas where mandates alone may be insufficient. One prominent example is the CMS Health Technology Ecosystem initiatives launched in 2025, which invite organizations across the ecosystem to participate in targeted pledge categories aligned with shared goals such as interoperability, burden reduction, and data exchange.

In a recent interview on The Dish on Health IT podcast, CMS Advisor and Department of Government Efficiency (DOGE) Administrator Amy Gleason reported that more than 600 participants are collaborating to establish and deliver a minimum viable product to support the pledge objectives.

These pledges remain open across multiple categories, and CMS has indicated that progress tracking and milestone updates will be important components in evaluating the initiative’s effectiveness. The success or limitations of this approach may inform how CMS structures future public-private collaborations, particularly as it balances deregulation with innovation and accountability.

ASTP and CMS continue to work on prior authorization (PA) and as reported by Dr. Keane, Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology, at the Workgroup for Electronic Data Interchange town hall meeting on February 4th, they will launch a new workgroup focused on the transport standard. They will focus on federal requirements governing how transportation‑related PA must be documented, justified, and processed, especially for non‑emergency medical transportation and non-emergency ambulance services. It’s not a single technical standard like FHIR; instead, it’s a regulatory framework defining when transport requires PA, what documentation is needed, and how payers must evaluate requests, hence the need to work with industry.

CMS has also continued to realign incentives through Innovation Center models that emphasize outcomes and real-world data. The Advancing Chronic Care with Effective, Scalable Solutions (ACCESS) Model reflects CMS’s focus on leveraging electronic health record (EHR)-generated data to support reimbursement tied to chronic care outcomes. In parallel, models such as the Food and Drug Administration’s Technology-Enabled Meaningful Patient Outcomes (TEMPO) signal interest in using real-world evidence and efficacy data to inform payment and coverage decisions.

Together, these efforts suggest a policy direction prioritizing focused, industry-driven, and tested approaches over top-down regulatory requirements, using targeted models to test whether better-aligned incentives and interoperable data can support measurable improvements in care delivery.

Against the broader backdrop of ASTP's emphasis on trust frameworks and market-driven interoperability, the HTI-5 Proposed Rule represents the most concrete application of that philosophy within the Health IT Certification Program. Rather than expanding certification as the primary policy lever, HTI-5 signals a recalibration of the federal role, narrowing its scope and refocusing certification on what ASTP considers essential to maintaining baseline interoperability.

Under HTI-5, a significant portion of existing certification criteria would be removed, particularly those tied to document-centric exchange workflows that are increasingly misaligned with how data are accessed and used today, causing fragmentation. ASTP has used publicly available industry data to frame these changes as an effort to reduce regulatory burden by retiring requirements that are already widely adopted in the market or no longer meaningfully drive interoperability outcomes. ASTP can always introduce new certification requirements should it see market fragmentation, and plans to release HTI-6 this summer.

At the same time, HTI-5 reinforces FHIR-based APIs as the preferred exchange mechanism, not by introducing new mandates but narrowing the set of certified interoperability pathways available to developers. By removing alternative, legacy options, the proposal effectively signals the expected technical direction of exchange while leaving implementation maturity and workflow optimization to market forces. The new foundation of FHIR-based APIs will also promote artificial intelligence (AI)-enabled interoperable solutions through modernized standards and with updated certification requirements.

While largely deregulatory in tone, HTI-5 also includes targeted, meaningful tightening of certain information-blocking exceptions, clarifying expectations regarding access, exchange, and use of electronic health information. These provisions reinforce that a reduction in certification requirements does not mean reduced accountability and that enforcement remains a central policy tool.

Looking ahead, the structure and framing of HTI-5 provide early insight into HTI-6's likely trajectory. Rather than signaling a return to broad functional mandates, emerging rulemaking suggests continued scope narrowing, further retirement of outdated criteria, and deeper alignment with modern, API-based exchange. Together, HTI-5 and the anticipated direction of HTI-6 point to a sustained policy strategy: Streamline certification, reinforce FHIR as the default, and rely on trust frameworks, enforcement, and market adoption to drive interoperability beyond the regulatory floor.

For additional industry discussion of HTI-5’s implications, see this podcast episode analyzing the proposed rule and its broader impact:

5. Rural Health: Closing Gaps in Interoperability

The federal government has designated rural health as a priority in 2026 and essential to sustain struggling hospitals, address severe provider shortages, and improve access to care in areas where the ZIP code often dictates life expectancy. It supports infrastructure and technology and prevents the closure of critical facilities. CMS has announced $50 billion in funding through the Rural Health Transformation (RHT) program, with funding distributed over five fiscal years beginning in 2026. All 50 states have submitted proposals and are participating in this effort.

This level of investment places significant pressure on health IT infrastructure to support access, sustainability, and whole-person care in rural settings. Rural care delivery often relies on nontraditional care sites, pharmacists, telehealth, and community-based workers, increasing the need for interoperable data exchange across fragmented environments.

Rural use cases frequently expose weaknesses in identity matching, data availability, and workflow design. Limited staffing and fewer resources reduce tolerance for manual workarounds, making interoperability gaps more visible. As RHT-funded initiatives move from planning to execution, rural health will serve as a proving ground for whether interoperability investments translate into real improvements in access and care delivery.

As interest in AI-enabled healthcare accelerates, federal health IT policy in 2026 reflects a notably restrained posture. There are no new federal AI certification, transparency, or reporting mandates anticipated in the near term, in contrast to earlier health IT rules that emphasized algorithm transparency, risk disclosure, and documentation requirements.

Instead, public agency messaging increasingly signals reliance on health systems, payers, and vendors to govern AI use internally, placing responsibility for safety, oversight, and ethical deployment squarely on organizations adopting these technologies. This approach aligns with broader deregulatory themes while acknowledging the rapid pace of AI innovation.

At the same time, there is a growing consensus across industry and policy discussions that data quality, provenance, and governance are prerequisites for effective AI and agentic systems. Poorly structured, incomplete, or inconsistent data limit the reliability of AI outputs regardless of model sophistication. As a result, interoperability, standards alignment, and data governance are increasingly viewed as foundational to responsible AI adoption rather than separate concerns.

As such, states will continue to introduce AI legislation. It has been reported that 150 general AI bills were prefiled in 19 states during the first two weeks of 2026. We can expect a volume of AI healthcare-related bills again, as in 2025, when the American Medical Association reported 250+ AI‑in‑healthcare bills introduced across states. Legislation in 2026 is expected to focus on mental health, insurance coverage decisions, disclosure statements, and patient-facing AI tools.

These signals suggest that while federal policy may remain hands-off on AI mandates, organizations will face increasing pressure to demonstrate maturity in data governance and accountability as AI becomes more deeply embedded in clinical and operational workflows and a need to manage state mandates.

What This Means for the Industry and Next Steps

Taken together, the policy signals shaping 2026 point to a health IT environment defined less by expanding mandates and more by execution, trust, and accountability. Certification requirements are narrowing, trusted frameworks are being tested, interoperability deadlines are arriving, and voluntary collaboration is increasingly used to align incentives. At the same time, organizations are being asked to accept greater responsibility for ways standards are implemented, how data are governed, and how emerging technologies like AI are deployed.

Point-of-Care Partners works at the intersection of policy, standards, and real-world implementation. We help organizations understand how shifting federal priorities and industry reactions translate to operational risk and opportunity, and how to move beyond compliance toward strategies that improve efficiency, scalability, and outcomes. Whether you are reassessing interoperability investments, navigating upcoming deadlines, or evaluating how data readiness impacts your future roadmap, we can help you connect policy intent to practical action.

Reach out to set up an initial consultation so we can learn more about your current situation and discuss how policy shifts should inform your strategic planning.