Why healthcare vendors should watch HTI-5 and the CMS HTE

The Health Data, Technology, and Interoperability 5 (HTI-5) proposed rule for December 2025 and the Centers for Medicare & Medicaid Services’ (CMS's) new Health Tech Ecosystem (HTE) initiative are two major steps toward a health IT future based on Fast Healthcare Interoperability Resources (FHIR) and AI. HTI-5 is the Office of the National Coordinator for Health Information Technology's (ONC’s) latest effort to streamline the voluntary Health IT Certification Program, removing outdated criteria and laying a foundation for FHIR-based application programming interfaces (APIs) and AI-driven interoperability.

CMS’s Health Tech Ecosystem, launched in 2025 with its first wave in April 2026, is a voluntary, standards-based collaboration (not a new regulation) calling on electronic health records (EHRs), networks, payers, and app developers to align on identity, data, and API standards for an effective patient-data ecosystem.

Why HTI-5 matters for healthcare vendors

HTI-5 is ONC’s proposed rule to overhaul the Health IT Certification Program. Its core goals are to “reduce burden” on developers by removing redundant requirements, to update information-blocking rules to protect patient data access, and to establish a foundation for FHIR-based, AI-enabled interoperability.

According to Tom Keane, MD, Assistant Secretary for Technology Policy and National Coordinator for Health IT, in the proposal press release, “The HTI-5 proposed rule delivers on President Trump’s directive to reduce regulatory burden and to enable American innovation through artificial intelligence. These proposals reflect a commonsense approach that removes redundant requirements on health IT developers, that better ensures seamless patient access to their information and that sets a foundation for AI-based data exchange.”

For example, many legacy standards (CDA summary of care, direct messaging) are slated for elimination, as are standalone privacy/security tests (e.g., multifactor authentication as a separate criterion). It is part of the ONC’s view that modern EHRs and apps should use common FHIR APIs and Open Authorization 2.0 (OAuth2)/OpenID security instead of isolated modules.

HTI-5’s goal is to reset certification around today’s technology. Vendors should anticipate that in a year or two, many of the old certification tests will no longer be required but replaced by new FHIR/API criteria. For example, future certification may focus on implementing the CMS Patient Access and Provider Access APIs, SMART on FHIR launches, and new identity standards.

What the CMS Health Tech Ecosystem means

Unlike ONC or HIPAA rules, the Health Tech Ecosystem is not enforced by law or tied to payment. There are no fines or deadlines from CMS. Instead, CMS offers recognition (e.g., “CMS Aligned” network status) and publicity (endorsed as early adopters at a White House event) to participants. The program stresses “collaboration, not just compliance.” Companies voluntarily pledge to meet certain interoperability and patient-experience criteria (see CMS’s detailed categories for Networks, EHRs, Payers, and Apps).

CMS explicitly states, “We are calling on the healthcare industry – data networks, Electronic Health Record (EHR) systems, health app developers, providers, and innovators – to voluntarily align around a shared framework for data and access that empowers people, improves care, and accelerates progress.”

However, the Ecosystem does send strong market signals. CMS has already secured hundreds of pledges (over 700 organizations by Apr. 2026). The first “Wave” launch in April 2026 showcased 50+ app companies and providers who built Minimum Viable Products by a March 2026 deadline. Even though CMS isn’t requiring data sharing as it does for Meaningful Use, failing to align might leave a vendor out of emerging procurement or partnership opportunities.

How HTI-5 and CMS Connect

On the surface, HTI-5 (an ONC rulemaking) and the CMS Health Tech Ecosystem (a CMS initiative) seem separate, but they reinforce one another. Both push FHIR-based interoperability, patient access, and new identity/auth standards. HTI-5 proposal press release noted that it “reset the Certification Program’s scope to focus its future on standards-based APIs like FHIR” and AI solutions. Simultaneously, it is also noted in the same press release that the EHR criteria require vendors to make electronic medical information accessible via FHIR and to support SMART/QR-based sharing. The technical direction (FHIR, OAuth2, SMART Health cards, etc.) is the same in both initiatives.

Industry leaders see the need for alignment. The HIMSS EHR Association (EHRA) explicitly praised CMS for referencing the certification program and urged clarity so that ONC’s changes align with CMS policies. A letter from them also noted, “While there was largely consensus among health IT developers that removing well-adopted criteria from certification would be unlikely to result in those capabilities being removed from products, there were some voices who expressed a concern that losing the ‘weight’ of regulatory requirements might lead to a reduction in ongoing investment in that existing functionality or associated process going forward.”

How HTI-5 could change health IT standards

A JAMIA study regarding SMART on FHIR captured the shift clearly when it said the platform “defined a way for health apps to connect to EHR systems with appropriate security guarantees,” which is why federal efforts now favor FHIR-based APIs and real-world interoperability over older, heavily customized exchange models.

The HTI-5 proposal and the CMS Health Tech Ecosystem change health IT standards by pushing the industry away from older checkbox-style certification and siloed data exchange and toward a FHIR-first model built around APIs, digital identity, and real-world interoperability. HTI-5 would streamline the ONC certification program, remove redundant requirements, and lay the groundwork for future FHIR-based API expectations.

The CMS’s ecosystem is a voluntary yet strong market signal telling EHRs, networks, payers, and app developers to align now on shared standards for data access, app connectivity, and patient control, rather than waiting for another formal mandate. It raises the bar from simply being certified to actually being able to support secure app-based exchange through standards like SMART on FHIR, OAuth2, and OpenID Connect, so health IT is judged less on static modules and more on whether systems can securely connect, share, and use data across real clinical and patient workflows.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is interoperability?

Interoperability is the ability of different health systems, apps, and organizations to exchange and use data correctly and securely. In simple terms, it means health technology can work together instead of staying trapped in separate systems.

What does FHIR stand for?

FHIR stands for Fast Healthcare Interoperability Resources. It is a modern health data standard designed to make healthcare information easier to exchange through APIs and apps.

What is OAuth2?

OAuth2 stands for Open Authorization 2.0. It is a security framework that lets a user authorize an app to access data without giving the app their password directly.

What is OpenID Connect?

OpenID Connect is an identity layer built on top of OAuth2. It helps systems verify who a user is and supports secure sign-in across connected applications.

What is SMART on FHIR?

SMART on FHIR is a framework that allows health apps to connect to EHRs using FHIR and standard security tools such as OAuth2. It makes it easier for third-party apps to launch inside or alongside clinical systems in a secure and standardized way.