HTI-5 and the Future of Health Data Infrastructure

‍

A Defining Regulatory Juncture

The HHS Assistant Secretary for Technology Policy (ASTP) has taken a bold stance with its release of the HTI-5 Proposed Rule. The proposal takes major deregulatory steps while also taking precision-targeted action to ensure that information blocking requirements accomplish the bipartisan intent of the 21st Century Cures Act. Overall, HTI-5  recalibrates the federal government's approach to interoperability, information blocking enforcement, and health IT oversight.

The timing of HTI-5 matters. The ability of AI-enabled innovation to transform healthcare hinges on whether our health data ecosystem operates as an accessible, standards-based digital utility, or continues to feature silos with varying degrees of partial, conditional openness. Whether EHRs become open platforms that enable an innovative ecosystem, or remain systems that can only innovate at the speed of a single vendor, is a question HTI-5 has a real opportunity to help answer.

For organizations building AI-driven data platforms across the healthcare continuum, this distinction determines whether innovation compounds or stalls at system boundaries.

The Case for Data Liquidity in an AI Era

Healthcare providers are increasingly expected to do more with less. An aging population requires more care, while the healthcare workforce is not growing sufficiently to cover the increased demand. Escalating operating costs, and shrinking margins from payment contracts, keep ruthless pressure on health system executives, with challenges being most acute in rural and underserved areas that can least afford to lose their local hospitals. 

The situation seems tailor made for beneficial disruption by AI. Two barriers, related but distinct, unfortunately stand in the way. The first barrier is robust, timely access to data. Progress has been made on this front, and the existing information blocking provisions have played a major role in that progress. It is not a stretch to say that without the Information Blocking rule and similar regulatory efforts over the years, access to EHR and payer data for consumers and app developers would be almost non-existent. Nonetheless, basic data access remains as a barrier, particularly for some use cases, or with less sophisticated systems of record.

The second barrier is bidirectional movement of data. Giving an AI agent or copilot access to data is necessary, but not sufficient, for it to be effective. AI-enabled tools must be able to drive changes in systems of record, in order to make a systemic dent in the challenges faced by our healthcare ecosystem. 

HTI-5 addresses both of these barriers, while also reducing certification burdens on health tech developers, freeing capacity for innovation rather than compliance. It strengthens and clarifies the information blocking framework, addressing persistent gaps in how the 21st Century Cures Act's access mandate is enforced in practice. It takes an appropriately strong position on “use” of data being linked to bidirectionality, setting the regulatory stage for innovative tools to fully realize their potential.

The Incumbent Playbook — and Why It Matters

Before walking through our specific recommendations, it is worth understanding the context in which HTI-5 is being debated. The proposed rule's information blocking provisions have drawn sharp opposition from incumbent EHR vendors, and the pattern of that opposition is instructive.

The argument goes something like this: the information blocking reforms are not truly deregulatory, ASTP has failed to conduct a proper cost analysis, and the proposals should be severed and withdrawn. Incumbent vendors contend that automated access by AI and RPA systems should be subject to broad restrictions, that developers need the ability to limit which technologies interact with their platforms and on what terms, and that existing exception conditions, which have been used to allow them to decline data access requests, differentiate between types of requestors, and impose standardized take-it-or-leave-it contracts, should be preserved or even strengthened.

These arguments are framed as protecting patient safety, preserving intellectual property, and promoting standards-based interoperability. Some of these concerns are genuine. But taken together, they amount to a regulatory capture strategy for maintaining control over the terms under which health data moves: who gets access, through which channels, at what price, and under whose rules.

The cost analysis argument is particularly revealing, and worth examining carefully, because the methodology itself is doing work. Incumbent vendors catalog the compliance costs they would bear under revised information blocking exceptions: reviewing contracts, restructuring arrangements, accommodating new requestors. What goes entirely unaccounted is the cost of the status quo. Health systems pay for AI and analytics tools they cannot fully integrate because write access is unavailable. Clinicians manually re-enter AI-generated recommendations into EHRs because bidirectional connectivity was blocked at the vendor's discretion. Rural hospitals absorb proprietary integration fees on top of tool licensing costs because there is no competitive alternative. These are not hypothetical costs. They are borne daily by providers, patients, and the institutions least able to absorb them.

This is cost externalization. Incumbent vendors have structured the data access environment so that the burden of their gatekeeping falls entirely on others, and then presented a cost analysis that counts only their side of the ledger. That is not a neutral methodology, but rather a deliberate framing choice, one that systematically favors the party doing the accounting. We believe that ASTP should reject it outright. A genuine cost-benefit analysis must account for the full cost of managed access, and when it does, the case for reform becomes considerably stronger than the incumbents' objections suggest. 

ASTP should finalize and HHS should enforce the information blocking reforms in HTI-5. Retreating under pressure from the vendors who benefit most from managed access would signal that the Cures Act's interoperability mandate is negotiable when incumbents object loudly enough.

Our Recommendations on Key Provisions

Our response to HHS focused on three interlocking domains: information blocking reforms, certification program adjustments, and the broader governance implications for AI-enabled interoperability.

Clarifying Automated Access, Use, and Exchange

We strongly support the proposed revisions to the definitions of "access" and "use" to explicitly encompass automated means, including robotic process automation and autonomous AI systems. These workflows, including automated data extraction, normalization, and AI-powered processing, have been subject to increasing friction from EHR developers who have argued that automated access falls outside the scope of existing information blocking protections. The proposed codification eliminates that ambiguity.

Incumbent vendors have argued that the term "without limitation" should be deleted from the proposed definitions, and that developers should retain broad authority to restrict how automated technologies interact with their systems. They point to safety incidents involving RPA as justification for limiting automated access. These incidents are real and worth taking seriously. But they are governance problems, not arguments for blanket access restrictions. The answer is accountability standards, monitoring requirements, and clear liability frameworks — not a regulatory structure that allows the platform storing the data to decide which AI systems may access it and on what terms.

We further urged ASTP to adopt the alternative proposal and revise the "exchange" definition in parallel. As agentic AI systems increasingly mediate real-time data exchange across institutional boundaries, automated exchange will become as foundational as automated access and use. Limiting the clarification to "access" and "use" alone leaves a gap that sophisticated actors may exploit through creative arguments that their obstruction of AI-driven data exchange does not implicate the information blocking rules. Revising all three definitions in concert provides a coherent and future-proof framework.

Restoring Bidirectional Integration

We strongly support complete removal of the "third party seeking modification use" condition from the Infeasibility Exception. As ASTP has noted, this provision can function in practice as a categorical veto for EHR developers to block bidirectional integration with third-party platforms, even where the health system itself has requested and contracted for such integration.

Write-back capability is not optional functionality. When AI-driven solutions identify a recommended order or potential new diagnosis, the clinical value of that insight depends on the clinician's ability to act on it with minimal manual intervention or double data entry. Bidirectional integration makes this possible. The current condition has allowed EHR developers to refuse this integration on the grounds that supporting third-party write access is not required under the information blocking rules, even when the health system explicitly wanted it.

We concur with ASTP's assessment that this condition is unnecessary given the Infeasibility Exception's remaining technical limitations defense, and that it has been misused to impede competition. Clear guidance should accompany the removal, confirming that EHR developers who refuse technically feasible third-party write access requested by their provider customers must demonstrate that one of the remaining infeasibility conditions applies. This will help ensure that removal translates into meaningful real-world access rather than a migration to alternative justifications for the same obstructive conduct.

Reforming the Manner Exception and Contracting Practices

We support revising the Manner Exception's Exhausted Condition rather than removing it entirely. There may be genuine technical scenarios in which no reasonable alternative manner exists, but the condition has been misused. Actors have offered a single, nominally different alternative that is more expensive, technically inferior, or unavailable to the requesting party's infrastructure, then declared the exception exhausted. An EHR developer should not be able to claim exhaustion by pointing to a proprietary integration toolkit or app marketplace that requires non-negotiable, specious, or unconscionable terms.

Incumbent vendors have also argued for maintaining the "similarly situated" framework, which allows developers to differentiate between types of requestors when provisioning access. They frame this as risk management. But when that discretion is exercised by a vendor with direct competitive interests in limiting third-party access, the result is gatekeeping dressed as risk management. ASTP should address specific misuses by adding to the list of prohibited factors rather than preserving a framework that enables broad-based access differentiation.

We strongly support clarifying that the Manner Exception cannot be satisfied through contracts that are not at market rate, are contracts of adhesion, or contain unconscionable terms. Health systems seeking to share data via FHIR APIs have encountered non-negotiable fee schedules at rates substantially above market, with data use restrictions that prevent the functions the health system commissioned, and with unilateral termination clauses. These have all presented on a take-it-or-leave-it basis to organizations with no realistic ability to switch EHR vendors. Incumbent vendors argue standardized contracts enable efficient contracting at scale, but that efficiency accrues to the vendor, not the captive customer. The Manner Exception was not designed to protect this dynamic.

We additionally recommended that ASTP issue guidance defining "market rate" for common access mechanisms and consider establishing a transparency mechanism for reporting potentially unconscionable terms.

Removing the TEFCA-Specific Pathway Limitation

We support complete removal of the TEFCA-specific Manner Exception. TEFCA is a valuable national exchange framework, but the exception creates a perverse dynamic: it permits actors to limit EHI access by directing requestors to TEFCA as the sole approved exchange pathway, even where other technically capable and mutually acceptable exchange mechanisms exist. This instrumentalizes TEFCA as a gatekeeping mechanism rather than as one among many pathways for interoperable exchange.

Incumbent vendors have argued for retaining and narrowing the exception rather than removing it. But the fundamental problem is structural: any exception that allows an actor to channel all data access requests through a single pathway creates an incentive to use that pathway as a bottleneck rather than a bridge. TEFCA's value lies in enabling nationwide, standardized data exchange, not in serving as justification for restricting other forms of exchange. Removing the exception ensures that the information blocking framework applies uniformly regardless of TEFCA participation status.

Building the Infrastructure Healthcare Will Depend On

Healthcare's next decade will be defined not merely by technological capability, but by infrastructure design. AI offers meaningful leverage, but only when embedded within interoperable, trustworthy systems.

The regulatory decisions finalized through HTI-5 will determine whether interoperability becomes durable infrastructure or remains aspirational policy. The incumbent strategy is clear: support deregulation of certification requirements that reduce their compliance costs while opposing information blocking reforms that would reduce their control over data access. ASTP should not allow the deregulatory provisions and the interoperability provisions to be treated as severable: they are two halves of the same policy vision. Finalizing the certification burden reductions while withdrawing the information blocking reforms would hand incumbents a regulatory outcome perfectly calibrated to their interests: less compliance burden, same gatekeeping authority.

If data liquidity becomes the operational norm, AI can scale across the enterprise in ways that strengthen both clinical quality and financial sustainability. If legacy gatekeeping structures persist, innovation will remain uneven and constrained.

The architecture chosen now will define the capacity of healthcare institutions to adapt, compete, and deliver high-quality care in an increasingly complex environment.

‍