TechSignal.news
Healthcare Tech

ONC Proposes Dropping 34 of 60 EHR Certification Rules, Shifts Compliance to FHIR APIs

The December 22 HTI-5 rule eliminates 57% of current EHR certification requirements, pivoting security obligations to FHIR API endpoints. Health systems must rearchitect access controls and audit capabilities around API traffic by February 2026.

TechSignal.news AI5 min read

ONC's HTI-5 Rule Rewrites EHR Certification Around APIs

The Office of the National Coordinator for Health IT published the HTI-5 proposed rule on December 22, 2025, eliminating 34 of 60 certification requirements for electronic health record systems — a 57% reduction in functional mandates. The rule shifts compliance obligations from prescriptive feature checklists to FHIR-based API interoperability, with a 60-day comment period closing February 27, 2026.

For enterprise buyers, this means security and compliance budgets must move from UI-layer controls to API-layer access governance. The change affects Epic, Oracle Health, MEDITECH, athenahealth, and every third-party application that touches patient data through APIs. If your EHR vendor cannot demonstrate fine-grained authorization, audit logging, and data minimization at the FHIR resource level, you now face a compliance gap where none existed under the old functional certification model.

API Security Becomes the Primary Compliance Surface

As certification requirements collapse into FHIR APIs, every endpoint becomes a regulated interface. Health systems must verify that API gateways enforce OAuth 2.0 scopes per resource type, log every access attempt with sufficient detail for HIPAA audit trails, and detect anomalous query patterns that signal data exfiltration or ransomware reconnaissance.

Vendors with mature API security stacks — those offering runtime authorization, rate limiting, and behavioral anomaly detection — gain an advantage. API protection platforms competing with Salt Security, Noname Security, and Akamai become relevant in healthcare RFPs for the first time, because FHIR endpoints are now the primary attack surface regulators care about. Legacy integration engines that lack strong authentication, detailed logging, or FHIR support become harder to justify when HTI-5 alignment appears in procurement requirements.

The rule creates immediate budget pressure. Short-term savings from dropping certification features will be reallocated to FHIR API management platforms, consent and access governance tools, and DevSecOps capabilities that monitor API changes. Buyers should expect 15-25% of current EHR certification compliance budgets to shift into API security tooling and identity providers that can enforce attribute-based access control at the FHIR resource level.

Telehealth Prescribing Extension Through 2026 Locks In Security Investments

The DEA and HHS issued a fourth temporary extension on December 31, 2025, allowing telehealth-only prescribing of Schedule II-V controlled substances through December 31, 2026. This extension stabilizes the compliance landscape for Teladoc, Amwell, Doxy.me, and telehealth modules embedded in Epic and other EHRs, but it also extends the security obligations those platforms must meet.

More controlled substance prescriptions over telehealth means more regulated events to log, monitor, and audit. Health systems must ensure video platforms provide end-to-end encryption, multi-factor authentication for prescribers, detailed session logs, and integration with SIEM or XDR platforms that can detect account takeover or fraudulent prescribing patterns. Lightweight video-chat tools that lack HIPAA-compliant logging and strong authentication are eliminated from consideration.

The extension allows multi-year capital planning for secure telehealth infrastructure. Budgets for endpoint hardening, secure video SDKs, cloud security posture management, and identity proofing tools remain justified through 2026. Risk increases with volume: account takeover of prescribers, data interception in video sessions, and fraudulent scripts all scale with telehealth adoption. Buyers should tighten vendor requirements for device attestation, behavioral biometrics, and audit trail granularity when evaluating telehealth platforms.

CMS WISeR Model Adds AI Claims Review as a Compliance Target

CMS launched the Wasteful and Inappropriate Service Reduction (WISeR) Model on January 1, 2026, a six-year pilot in six states using AI and machine learning to flag inappropriate claims before payment. For vendors building AI-driven payment integrity or prior authorization tools, WISeR creates a new compliance surface.

Any AI model that ingests claims data must meet HIPAA Security Rule requirements for access controls, encryption, and audit logging. If the model's training data includes protected health information, vendors must document data minimization, de-identification techniques, and retention policies. Health plans participating in WISeR will demand evidence that AI vendors can provide explainable outputs, version-controlled model changes, and audit trails that show which data elements influenced each decision.

The competitive advantage goes to vendors with built-in compliance infrastructure: role-based access control, automated audit log generation, encryption at rest and in transit, and transparency reports that map model inputs to outputs. Payment integrity vendors that treat HIPAA compliance as an afterthought will struggle in WISeR-adjacent RFPs.

What to Watch

The February 27, 2026 close of the HTI-5 comment period will clarify how quickly health systems must implement API-centric security controls. Buyers should audit current API gateways and identity providers now — waiting until the rule is final leaves insufficient time to rearchitect access controls before certification audits.

For telehealth platforms, the December 2026 extension endpoint creates urgency around permanent prescribing rules. If DEA requires in-person exams after 2026, health systems with insufficient hybrid workflows will face service disruptions. Budget for identity proofing and device security tools that work across in-person and remote encounters.

In AI-driven claims review, expect payers to formalize security requirements for vendors participating in WISeR and similar models. If your payment integrity or prior authorization platform cannot produce detailed audit logs and explainability reports, you will lose to competitors that can.

healthcare-cybersecurityFHIR-APIsEHR-certificationtelehealth-complianceHIPAA-security

Technology decisions, clearly explained.

Weekly analysis of the tools, platforms, and strategies that matter to B2B technology buyers. No fluff, no vendor spin.

More in Healthcare Tech