Why 45 CFR Part 170 Matters (and Where HTI-5 Fits)

On December 29, 2025, the U.S. Office of the Assistant Secretary for Technology Policy (ASTP), through the Office of the National Coordinator for Health Information Technology (ONC), released the HTI-5 Proposed Rule. Like many U.S. health IT updates, it was published near the end of the year, and attention has continued to build as people have had time to review what it proposes. (The rule remains open for public comment through February 27, 2026).

While HTI-5 is a U.S. federal rule, it's one that influences vendor behaviour, standards adoption, and product design well beyond U.S. borders. For that reason alone, it helps to understand not just what the rule proposes, but what it actually updates and why.

If you have worked in health IT for a while, this may feel like another update in a long list of federal rules that are hard to prioritize. Some signal meaningful shifts, others adjust definitions, timelines, or enforcement mechanics. It is not always obvious which ones deserve close attention.

If you are newer to the field, the challenge is different. Rules have different names, come from different agencies, and often sound like they might be creating something new when they are really modifying something that already exists. It's not always obvious where something like HTI-5 fits into everything else.

Rather than focusing this as a standalone rule, it helps to look at what HTI updates are, what they change, and how they fit into the broader health IT regulatory structure.

What HTI updates actually do

HTI rules are not new laws. They are federal regulations, which means they are formal updates to existing regulatory text issued through a defined rulemaking process.

Over time, ONC began grouping these regulatory updates under a consistent name: Health Data, Technology, and Interoperability (HTI). Each release builds on the last, which is why they are numbered. HTI-5 is simply the fifth rule released under that naming convention.

Each HTI rule proposes updates to existing health IT regulations rather than creating a new program from scratch.

In practice, those updates most often affect two parts of the Code of Federal Regulations:

📜 45 CFR Part 170 Health IT Certification Program
🚫 45 CFR Part 171 Information blocking

Understanding these two regulations, especially Part 170, makes it much easier to understand why HTI-5 looks the way it does and why its proposals are framed as they are.

45 CFR Part 170 defines the ONC Health IT Certification Program

Part 170 is where federal health IT policy becomes something that vendors and healthcare organizations actually have to implement.

It defines the ONC Health IT Certification Program, including:

• Which health IT capabilities may be certified
• How certification testing and validation are performed
• What developers must demonstrate for their technology to be considered certified

This isn't abstract policy language. It's detailed regulatory content that directly influences what vendors build, what providers purchase, and which capabilities become expected across the market.

Part 170 also didn't appear arbitrarily. It exists because Congress directed that a certification program be created and maintained, and ONC was given responsibility for implementing that direction.

The legislative roots of Part 170

The foundation for Part 170 comes from the American Recovery and Reinvestment Act of 2009, specifically the HITECH Act.

HITECH:
✅ Authorized federal incentive programs for electronic health record adoption
✅ Required that certified technology be used to qualify for those incentives
✅ Gave ONC authority to establish and maintain a certification program

ONC used that authority to create a formal certification framework, which was codified in regulation as 45 CFR Part 170. Early versions of the regulation focused on foundational EHR capabilities such as electronic documentation, basic exchange, and reporting.

This is why certification became such a powerful force in health IT. It wasn't just a technical designation, it was tied directly to participation in major federal programs.

How the Cures Act expanded and modernized Part 170

As technology and the health IT landscape evolved, Congress revisited how health information should be accessed and shared. That resulted in the 21st Century Cures Act of 2016.

Rather than replacing the existing certification framework, the Cures Act expanded and updated what certification was expected to support. It directed ONC to strengthen interoperability, improve access to electronic health information, and address practices that interfered with information sharing.

In response, ONC updated Part 170 to incorporate:

• Stronger expectations around standardized data exchange
• Support for modern application programming interfaces
• Alignment with evolving data standards such as USCDI

The Cures Act also led to the creation of 45 CFR Part 171, which governs information blocking. Which has become one of the most discussed and, at times, misunderstood aspects of modern health IT regulation. While Part 170 focuses on what technology must support to be certified, Part 171 focuses on how information must be made available and not inappropriately restricted.

Together, Parts 170 and 171 are the primary regulatory tools used to operationalize the health IT provisions of the Cures Act.

How HTI rules fit into all of this

HTI rules are the mechanism ONC uses to revise and update Parts 170 and 171 over time.

Each HTI rule proposes changes to the existing regulatory framework. Those changes may adjust certification criteria, refine definitions, clarify expectations, or modify enforcement approaches as policy goals and industry realities evolve.

While an HTI rule may occasionally touch related definitions elsewhere in federal health regulations, its substantive impact is almost always centered on:

➡️ Certification criteria and processes in Part 170
➡️ Information blocking definitions and conditions in Part 171

This is why understanding Part 170 provides more clarity than tracking individual HTI rule names in isolation.

What this means now, with HTI-5 under review

With HTI-5 now open for public comment, attention has shifted to the specific changes being proposed to Parts 170 and 171. Importantly, the underlying legislation that requires these regulations to exist has not gone away.

HITECH still authorizes certification.
The Cures Act still requires interoperability and access to electronic health information.

What HTI-5 proposes to change is how those requirements are reflected in today’s regulatory framework.

Over the years, Part 170 accumulated roughly 60 active certification criteria, added across multiple final rules as policy priorities expanded and the market matured. HTI-5 reflects a broader administrative goal of reducing regulatory burden, particularly where certification criteria no longer function as effective levers.

At a high level, the proposed rule focuses on three themes:

🧹 Reducing regulatory burden by removing or revising certification criteria that no longer serve a clear regulatory purpose
🧭 Clarifying and updating information blocking provisions in Part 171, including definitions and conditions that have created confusion or been prone to misuse in practice
🔗 Reinforcing a modern, FHIR-based foundation for data access and exchange as the primary path forward for certified health IT

When HTI-5 proposes removing 34 certification criteria and revising 7 others, it does not mean those capabilities disappear. Many are already well established across the industry. Others are reinforced through mechanisms such as USCDI, contracts, accreditation requirements, or operational expectations.

Instead, the proposal reflects a reassessment of how certification is being used today and whether every accumulated requirement still serves a meaningful regulatory purpose.

That framing matters when trying to understand what would change in practice, and what would remain in place.