Current Requirements vs. HTI-5 Proposed Changes | Implementation, Real World Testing (RWT), and Insights Condition | February 2026
| Citation | Criterion | CURRENT STATE | HTI-5 PROPOSED | Notes | |||||
|---|---|---|---|---|---|---|---|---|---|
| Implementation Requirement | RWT | Insights | Status | Implementation Change | RWT | Insights | |||
| (a) Clinical Criteria | |||||||||
| § 170.315(a)(1) | CPOE – Medications Base EHR |
Record, change, access medication orders. Drug-drug and drug-allergy interaction checking before order completion. | — | — | ✓ RETAIN | No change. Remains part of Base EHR definition. | — | — | Core EHR functionality. Interaction checking uses First Databank, Medi-Span, or similar. |
| § 170.315(a)(2) | CPOE – Laboratory Base EHR |
Record, change, access laboratory orders. | — | — | ✓ RETAIN | No change. | — | — | Alternative to (a)(3) for Base EHR. |
| § 170.315(a)(3) | CPOE – Diagnostic Imaging Base EHR |
Record, change, access diagnostic imaging orders. | — | — | ✓ RETAIN | No change. | — | — | Alternative to (a)(2) for Base EHR. |
| § 170.315(a)(5) | Patient Demographics and Observations Base EHR |
Record demographics per USCDI (name, DOB, sex, race, ethnicity, preferred language, address). Record vital signs. SOGI (sexual orientation/gender identity) required as of HTI-1. | — | — | ⚠ REVISE | REMOVE SOGI requirements. Codifies March 2025 enforcement discretion. Other demographics retained. | — | — | Vitals: BP, height, weight, HR, RR, temp, pulse ox, BMI, head circumference (children). |
| § 170.315(a)(9) | Clinical Decision Support | Five CDS intervention types. Drug-drug, drug-allergy interactions. Problem-based interventions. User-configurable rules. Info links. | — | — | ✗ REMOVE | EXPIRED Jan 1, 2025 per HTI-1. Replaced by (b)(11) Decision Support Interventions. | — | — | Legacy criterion. (b)(11) now covers DSI including AI/ML. |
| § 170.315(a)(12) | Family Health History | Record, change, access patient family health history using SNOMED-CT familial concepts. | — | — | ✗ REMOVE | Remove effective Jan 1, 2027. Rationale: "Topped out" – widely implemented. | — | — | Optional for MIPS bonus. Functionality will persist without certification. |
| § 170.315(a)(14) | Implantable Device List Base EHR (current) |
Record UDIs. Parse UDI into components. Obtain device description from GUDID. Display device info. | — | — | ✗ REMOVE | Remove effective date of final rule. FDA UDI requirements apply independently. | — | — | Will be removed from Base EHR definition under HTI-5. |
| (b) Care Coordination Criteria | |||||||||
| § 170.315(b)(1) | Transitions of Care Base EHR |
Create and receive C-CDA transition/referral documents. Display section summaries. Send/receive via Direct or XD* transport. Validate received documents. | Suspended was required pre-June 2025 |
Suspended C-CDA exchange volume |
⚠ REVISE | Effective Jan 1, 2027: REMOVE receive/reconcile. RETAIN only send/create. Aligns with FHIR-first strategy. | ✗ Removed permanently excluded |
✗ Removed measure eliminated |
Major scope reduction. FHIR APIs (g)(10) become primary exchange method. |
| § 170.315(b)(2) | Clinical Information Reconciliation | Reconcile medications, allergies, problems from received C-CDA documents. Generate reconciled lists. Incorporate into record. | Suspended was required pre-June 2025 |
Suspended C-CDA reconciliation |
✗ REMOVE | Remove effective Jan 1, 2027. Consolidated with (b)(1) revision. FHIR workflows preferred. | ✗ Removed with criterion |
✗ Removed with criterion |
Low adoption. Reconciliation via FHIR-based exchange. |
| § 170.315(b)(3) | Electronic Prescribing | NCPDP SCRIPT messages: NewRx, CancelRx, RxFill, RxRenewal, RxChange. Formulary/benefit checking. Medication history. ePA (optional until HTI-4). | Suspended was required pre-June 2025 |
— | ✓ RETAIN | No removal. HTI-4 requires NCPDP SCRIPT 2023011 and mandatory ePA by Dec 31, 2027. | ✗ Removed permanently excluded |
— | Surescripts primary intermediary. HTI-4 modernizes standards. |
| § 170.315(b)(4) | Real-Time Prescription Benefit (RTPB) Base EHR (Jan 2028) |
NEW in HTI-4. Query payer for patient-specific drug costs, coverage, alternatives at point of prescribing. | — | — | ★ NEW | No change. Required for Base EHR effective Jan 1, 2028. Uses NCPDP RTPB v13. | — | — | Improves cost transparency. Requires (b)(3) certification. |
| § 170.315(b)(7) | Security Tags – Summary of Care – Send | Apply DS4P security labels to C-CDA document segments based on sensitivity. | Suspended was required pre-June 2025 |
— | ✗ REMOVE | Remove effective date of final rule. Very low adoption; C-CDA de-emphasis. | ✗ Removed with criterion |
— | DS4P adoption minimal despite years of availability. |
| § 170.315(b)(8) | Security Tags – Summary of Care – Receive | Process and respect DS4P security labels on received C-CDA documents. | Suspended was required pre-June 2025 |
— | ✗ REMOVE | Remove effective date of final rule. Same rationale as (b)(7). | ✗ Removed with criterion |
— | Companion to (b)(7). Neither widely implemented. |
| § 170.315(b)(9) | Care Plan | Create, receive, display care plan documents per C-CDA Care Plan template. | Suspended was required pre-June 2025 |
— | ✗ REMOVE | Remove effective date of final rule. Low adoption; care planning via FHIR apps. | ✗ Removed with criterion |
— | Functionality may persist without certification. |
| § 170.315(b)(10) | Electronic Health Information (EHI) Export | Single patient EHI export: On-demand, computable format. Patient population export: Full database capability. | Suspended was required pre-June 2025 |
— | ✓ RETAIN | No change to implementation. Critical for information blocking compliance and data portability. | ✗ Removed permanently excluded |
— | Format flexible (JSON, XML). Distinct from (g)(10) Bulk Data. RWT suspension made permanent. |
| § 170.315(b)(11) | Decision Support Interventions (DSI) Base EHR (since Jan 2025) |
Base DSI: Configure evidence-based interventions (drug-drug, drug-allergy alerts, reminders, order sets). Enable/disable by user. Link to reference info. HTI-1 additions for Predictive DSI (AI/ML): Source attributes (model cards) with intended use, training data, performance, risks, validation. Risk management practices. Intervention risk level display. | Suspended was required pre-June 2025 |
— | ⚠ REVISE | REMOVE all HTI-1 AI transparency requirements: No model cards, no source attributes, no risk management documentation for predictive DSIs. RETAIN base DSI: Configurable alerts, enable/disable, reference links. | ✗ Removed permanently excluded |
— | Major AI policy reversal. HTI-1 was first federal AI transparency mandate for health IT; HTI-5 removes it entirely. |
| (c) Clinical Quality Measures Criteria | |||||||||
| § 170.315(c)(1) | CQM – Record and Export Base EHR |
Record data elements for CQMs. Export QRDA Category I (patient-level) and QRDA Category III (aggregate). | Suspended was required pre-June 2025 |
— | ✓ RETAIN | No change. Required for quality reporting (MIPS, hospital quality). | ✗ Removed permanently excluded |
— | QRDA standards updated annually by CMS. |
| § 170.315(c)(2) | CQM – Import and Calculate | Import QRDA Category I files. Calculate CQM results from imported and native data. | Suspended was required pre-June 2025 |
— | ✓ RETAIN | No change. | ✗ Removed permanently excluded |
— | Supports multi-source quality reporting. |
| § 170.315(c)(3) | CQM – Report | Report calculated CQMs to CMS and other entities. Filter and sort capabilities. | Suspended was required pre-June 2025 |
— | ⚠ REVISE | Streamline requirements. Remove redundant format specifications. | ✗ Removed permanently excluded |
— | Minor revision to reduce burden. |
| § 170.315(c)(4) | CQM – Filter | Filter patient lists for CQMs by demographics, problems, medications, etc. | — | — | ✗ REMOVE | Remove effective Jan 1, 2027. Functionality well-established. | — | — | Filtering expected to persist without certification. |
| (d) Privacy and Security Criteria — ALL 14 PROPOSED FOR REMOVAL | |||||||||
| § 170.315(d)(1) | Authentication, Access Control, Authorization | Verify user identity. Assign role-based permissions. Control access to functions and data. | — | — | ✗ REMOVE | "Topped out" – universally implemented. HIPAA Security Rule requires independently. | — | — | Removal does not eliminate HIPAA obligations. |
| § 170.315(d)(2) | Auditable Events and Tamper-Resistance | Record audit logs. Make records tamper-resistant. Include timestamp, user, patient, action. | — | — | ✗ REMOVE | Topped out. HIPAA requires. | — | — | Alternative to (d)(10). Both removed. |
| § 170.315(d)(3) | Audit Report(s) | Generate audit reports sortable by user, patient, date, action. | — | — | ✗ REMOVE | Topped out. | — | — | |
| § 170.315(d)(4) | Amendments | Enable patient amendment requests. Track requests and responses. | — | — | ✗ REMOVE | HIPAA Privacy Rule requires independently. | — | — | |
| § 170.315(d)(5) | Automatic Access Time-out | Automatically terminate session after inactivity. | — | — | ✗ REMOVE | Topped out. | — | — | |
| § 170.315(d)(6) | Emergency Access | Break-the-glass functionality for emergency access with audit trail. | — | — | ✗ REMOVE | Topped out. | — | — | |
| § 170.315(d)(7) | End-User Device Encryption | Encrypt EHI stored on end-user devices. | — | — | ✗ REMOVE | Topped out. OS-level encryption ubiquitous. | — | — | |
| § 170.315(d)(8) | Integrity | Detect unauthorized alteration via hashing. | — | — | ✗ REMOVE | Topped out. | — | — | |
| § 170.315(d)(9) | Trusted Connection | Use TLS for data in transit. | — | — | ✗ REMOVE | Topped out. TLS universal. | — | — | |
| § 170.315(d)(10) | Auditing Actions on Health Information | Alternative to (d)(2). Audit actions with required data elements. | — | — | ✗ REMOVE | Topped out. | — | — | |
| § 170.315(d)(11) | Accounting of Disclosures | Track PHI disclosures for patient accounting per HIPAA. | — | — | ✗ REMOVE | HIPAA requires independently. | — | — | |
| § 170.315(d)(12) | Encrypt Authentication Credentials | Encrypt stored passwords and credentials. | — | — | ✗ REMOVE | Topped out. Standard practice. | — | — | |
| § 170.315(d)(13) | Multi-Factor Authentication (MFA) | Support MFA for user authentication. | — | — | ✗ REMOVE | Topped out. Widely adopted. | — | — | All 14 (d) criteria removed. ASTP/ONC: HIPAA sufficient. |
| (e) Patient Engagement Criteria | |||||||||
| § 170.315(e)(1) | View, Download, and Transmit to 3rd Party | Patient portal: View health info online. Download C-CDA. Transmit to third party via Direct or download. | Suspended was required pre-June 2025 |
Suspended Individuals' access to EHI |
⚠ REVISE | Streamline. Align with FHIR patient access via (g)(10). Reduce C-CDA requirements. | ✗ Removed permanently excluded |
✗ Removed measure eliminated |
Patient access increasingly via FHIR apps rather than portals. |
| § 170.315(e)(3) | Patient Health Information Capture | Capture patient-submitted health data (devices, questionnaires) into EHR. | — | — | ✗ REMOVE | Remove effective Jan 1, 2027. FHIR-based approaches (SMART apps) preferred. | — | — | |
| (f) Public Health Criteria | |||||||||
| § 170.315(f)(1) | Transmission to Immunization Registries | HL7 v2.5.1 immunization messages (VXU) to IIS. | Suspended was required pre-June 2025 |
Suspended Immunization data |
✓ RETAIN | No change. Critical public health infrastructure. | — | ✗ Removed measure eliminated |
HL7 v2 persists due to registry infrastructure. |
| § 170.315(f)(2) | Transmission – Syndromic Surveillance | HL7 v2.5.1 ADT messages for ED syndromic surveillance. | Suspended was required pre-June 2025 |
— | ✓ RETAIN | No change. | ✗ Removed permanently excluded |
— | |
| § 170.315(f)(3) | Transmission – Reportable Lab Results | HL7 v2.5.1 Electronic Lab Reporting (ELR) to public health. | Suspended was required pre-June 2025 |
— | ✓ RETAIN | No change. | ✗ Removed permanently excluded |
— | |
| § 170.315(f)(4) | Transmission to Cancer Registries | HL7 CDA-based cancer case reports to registries. | Suspended was required pre-June 2025 |
— | ✗ REMOVE | Remove effective Jan 1, 2027. Transitioning to FHIR-based mCODE. | ✗ Removed with criterion |
— | mCODE (Minimal Common Oncology Data Elements) is replacement. |
| § 170.315(f)(5) | Electronic Case Reporting (eCR) | Trigger-based case detection. Create eICR. C-CDA or FHIR pathways. Receive Reportability Response. | Suspended was required pre-June 2025 |
— | ⚠ REVISE | Streamline. Focus on FHIR-based eCR pathway. De-emphasize C-CDA. | ✗ Removed permanently excluded |
— | COVID-19 accelerated eCR adoption. |
| § 170.315(f)(6) | Antimicrobial Use and Resistance Reporting | CDA-based AUR reports to NHSN. | Suspended was required pre-June 2025 |
— | ⚠ REVISE | Streamline requirements. | ✗ Removed permanently excluded |
— | |
| § 170.315(f)(7) | Health Care Surveys | Transmission to NHSN for CDC surveys. | Suspended was required pre-June 2025 |
— | ✗ REMOVE | Remove effective Jan 1, 2027. Low adoption. | ✗ Removed with criterion |
— | |
| (g) Design, Performance, and API Criteria | |||||||||
| § 170.315(g)(1) | Automated Numerator Recording | Auto-record numerator data for CQMs. | — | — | ✗ REMOVE | Remove effective Jan 1, 2027. Established. | — | — | |
| § 170.315(g)(2) | Automated Measure Calculation | Auto-calculate CQM results. | — | — | ✗ REMOVE | Remove effective Jan 1, 2027. Established. | — | — | |
| § 170.315(g)(3) | Safety-Enhanced Design | Document user-centered design processes. | — | — | ✗ REMOVE | Topped out. Limited downstream use of artifacts. | — | — | |
| § 170.315(g)(4) | Quality Management System | Document QMS used in development. | — | — | ✗ REMOVE | Topped out. | — | — | |
| § 170.315(g)(5) | Accessibility-Centered Design | Document accessibility standards applied. | — | — | ✗ REMOVE | Topped out. | — | — | |
| § 170.315(g)(6) | Consolidated CDA Creation Performance | Properly formatted C-CDA output. Schema and content validation. | — | — | ✗ REMOVE | C-CDA de-emphasis. FHIR-first strategy. | — | — | C-CDA creation still needed for (b)(1) but validation criterion removed. |
| § 170.315(g)(7) | Application Access – Patient Selection Base EHR (current) |
API to receive patient ID request and return token. Non-standards-based functional API. | Required Results due Mar 2026 |
— | ✗ REMOVE | Remove effective Jan 1, 2027. Superseded by (g)(10) FHIR API. | ✗ Ends criterion removed |
— | Legacy API. Will be removed from Base EHR. |
| § 170.315(g)(8) | Application Access – Data Category Request | API to return specific data categories. Non-standards-based. | Required (if still certified) |
— | ✗ REMOVE | Already effectively removed by Cures. Superseded by (g)(10). | ✗ Ends criterion removed |
— | Largely deprecated. |
| § 170.315(g)(9) | Application Access – All Data Request Base EHR (current) |
API to return full patient record (C-CDA format). Non-standards-based. | Required Results due Mar 2026 |
— | ✗ REMOVE | Remove effective Jan 1, 2027. Superseded by (g)(10). | ✗ Ends criterion removed |
— | Returns C-CDA; (g)(10) returns FHIR. |
| § 170.315(g)(10) | Standardized API for Patient and Population Services Base EHR — ANCHOR CRITERION |
FHIR R4 API. US Core profiles. USCDI data. SMART on FHIR auth (patient, user, system scopes). Bulk Data Access for population export. Token introspection. Patient authorization revocation within 1 hour. | Required Results due Mar 2026. Must address all sub-requirements. |
Required "Use of FHIR in apps" + 3 suspended: Apps supported, Bulk data, Individuals' access |
✓ RETAIN | NO CHANGE. Core API criterion. Standards: FHIR R4, US Core 6.1.0+, SMART 2.0+, Bulk Data 1.0.1+, USCDI v3+. Foundation for FHIR-first strategy. | Required | Required "FHIR in apps" only 3 measures removed |
THE anchor criterion for interoperability. Enables third-party apps, patient access, population health, research. |
| § 170.315(g)(31) | Prior Auth API – Coverage Requirements Discovery (CRD) | NEW in HTI-4. Real-time coverage queries via CDS Hooks during ordering/scheduling. Return coverage cards. Indicate if PA required. | — New criterion |
— | ★ NEW | No change. Da Vinci CRD IG. Effective Oct 1, 2025 for new certifications. | Required (once certified) |
— | Part of Da Vinci Burden Reduction suite. |
| § 170.315(g)(32) | Prior Auth API – Documentation Templates and Rules (DTR) | NEW in HTI-4. Retrieve payer FHIR Questionnaires. Auto-populate from EHR data using CQL. Support standard and adaptive forms. | — New criterion |
— | ★ NEW | No change. Da Vinci DTR IG. | Required (once certified) |
— | Automates documentation gathering. |
| § 170.315(g)(33) | Prior Auth API – Prior Authorization Support (PAS) | NEW in HTI-4. Submit PA requests via FHIR. Receive payer decisions. Check status. Support real-time and pended responses. | — New criterion |
— | ★ NEW | No change. Da Vinci PAS IG. All-FHIR exchange under enforcement discretion (no X12 278). | Required (once certified) |
— | Completes electronic PA workflow. CMS rules require payer support. |
| (h) Electronic Exchange Criteria | |||||||||
| § 170.315(h)(1) | Direct Project Base EHR (current) |
Send/receive Direct secure messages (SMTP-based healthcare email). S/MIME encryption. Certificate management. | Suspended was required pre-June 2025 |
— | ✗ REMOVE | Remove effective date of final rule. FHIR APIs preferred. Direct declining. | ✗ Removed with criterion |
— | Direct was primary pre-FHIR. Will be removed from Base EHR. |
| § 170.315(h)(2) | Direct Project, Edge Protocol, XDR/XDM Base EHR (current) |
Direct + SMTP Edge + IHE XDR/XDM document exchange. | Suspended was required pre-June 2025 |
— | ✗ REMOVE | Remove effective date of final rule. Same rationale. | ✗ Removed with criterion |
— | Alternative to (h)(1). Both removed. |
| (j) Modular API Capabilities (NEW in HTI-4) | |||||||||
| § 170.315(j)(20) | Workflow Triggers for DSI – Clients | NEW in HTI-4. CDS Hooks client capability. Fire hooks at workflow points (order-select, order-sign, appointment-book). | — New criterion |
— | ★ NEW | No change. Supports real-time CDS via FHIR APIs. | — | — | Enables third-party CDS services. |
| § 170.315(j)(21) | Subscriptions – Client | NEW in HTI-4. FHIR Subscriptions client. Subscribe to events/data changes. Receive real-time notifications. | — New criterion |
— | ★ NEW | No change. Supports event-driven workflows. | — | — | ADT notifications, lab alerts, public health. |
Generated February 2026 | Sources: 45 CFR Part 170, HTI-1 through HTI-5 proposed rules, ONC enforcement discretion notices (June 2025, April 2025) | This document is for reference only. Consult Federal Register for official requirements.