Healthcare IT Certification Faces Debate: Industry Reacts to Deregulation Proposal

Published: 14 Jan 2026

Author: Precedence Research

Share :

The U.S. Department of Health and Human Services recently proposed modifications to the health IT certification program through the office of the National Coordinator for Health Information Technology (ONC) to streamline compliance and promote innovation in electronic health records (EHRs) and other health IT systems. The draft rule aims to remove 34 current certification requirements and amend seven others. Many industry experts are concerned that the proposal could pose problems for interoperability, cybersecurity, and practical implementation across healthcare settings, despite ONC's emphasis that the changes could lower barriers for developers and accelerate technology adoption. 

The proponents contend that simplifying certification could facilitate smaller developers' entry into the market and accelerate the delivery of new solutions to healthcare providers. Additionally, the draft revises information blocking regulations specifically addressing robotic process automation and AI systems for access and use. This recognition of new technologies is viewed as a step toward bringing laws into line with the state of technology today. Industry leaders warn that additional guidance is required to ensure that simplification does not jeopardize the efficacy of health IT systems, as the proposed regulations still lack clarity on a number of technical details.

Proposed modifications to data-sharing exceptions are the main source of concern. Vendors are currently able to request an exception if they are unable to fulfill a request for data sharing through approved methods. Before claiming infeasibility, vendors would have to present all other options in a particular order under the new regulation. Industry associations such as the Electronic Health Record Association contend that this sequential approach may increase needless administrative work without enhancing provider-to-provider data exchange. The suggested order is redundant and possibly onerous because technical teams frequently present all viable options at once in real-world situations.

Requirements for security and privacy are also controversial. Some current privacy and security certification requirements would be eliminated by the proposed deregulation, but some audit-related requirements might still be in place to guard against fraud and abuse. Critics emphasize that providers and developers are still required by laws like HIPAA to maintain strong data protection even though certification requirements may change. Stakeholders in the industry are demanding precise guidelines to guarantee that any certification simplification does not jeopardize cybersecurity or patient privacy. The draft rule is open for public comment until February 27. Before it is finalized, the discussion will be shaped by the active participation of numerous organizations.