backNew litigation and federal government policy statements demonstrate the ever-evolving nature of the health information technology landscape. These new developments will impact how businesses operating in the health information technology sector share information and operate going forward. On January 31, 2025, President Trump issued Executive Order 14192 “Unleashing Prosperity Through Deregulation,” that has led to several new proposed rules, RFIs, and FAQs aimed at accelerating AI adoption and deregulating health information exchange and access to information. In addition, a new lawsuit filed by Epic Systems, a health record manager against Health Gorilla and its clients, signifies that private actions will also influence how health data is shared and used. Actors in the health information technology sector will need to closely monitor shifting health data developments in both the public and private sectors.
Federal Government Signals Shift Toward Accelerating AI Adoption
On December 23, 2025, the Office of the Deputy Secretary and Assistant Secretary for Technology Policy (ASTP), the Office of the National Coordinator for Health Information Technology (ONC), and Department of Health and Human Services (HHS) issued a “Request for Information: Accelerating the Adoption and Use of Artificial Intelligence as Part of Clinical Care.” The RFI was published after several other AI-focused federal government agency publications, including Executive Orders and memoranda. This RFI focused on soliciting responses to questions about how HHS could make changes to reimbursement, regulation, and research and development to incentivize and accelerate adoption of AI in clinical care delivery. Comments are due on February 23, 2026.
New Information Blocking Developments
The Assistant Secretary for Technology Policy issued new information blocking FAQs. The FAQs clarified that interfering with an automation technology including “agentic artificial intelligence” could implicate the information blocking regulations. The FAQs also clarified that in most instances an actor must provide all of the electronic health information (EHI) requested to satisfy the Manner Exception and that the alternative manner condition of the Manner Exception is also dictated by the requestor’s request. The FAQs also clarified that an actor cannot meet the Fees Exception by entering into a revenue sharing agreement with the requestor that is conditioned on the fees the requestor “derives or may derive from the access, exchange, or use of the EHI” because it goes beyond the fees reasonably incurred by the actor providing access to the EHI.
HTI-2 Withdrawal
On December 29, 2025, the ASTP/ONC issued a proposed rule withdrawing the remaining proposals in the “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (HTI-2) that had not been finalized. The agency cited the agencies focus on deregulation as a motive for withdrawing the remaining HTI-2 proposals. HTI-2 was published on August 5, 2024, with a comment period that ended on October 4, 2024. Several provisions of HTI-2 were finalized in the TEFCA (HTI-2) Final Rule and the HTI-3 Final Rule. The new proposal withdraws proposals to adopt the United States Core Data for Interoperability (USCDI) standard v4, including certification criteria that would refer to USCDI. The proposed rule also withdraws the proposal to adopt the updated version of Annex A of the Federal Information Processing Standards (FIPS) 140-2 (Draft, October 12, 2021) for the Standards for Encryption and Decryption of Electronic Health Information and withdraws proposals related to public health data exchange. The withdrawal went into effect on December 29, 2025.
HTI-5 Proposed Rule
On December 29, 2025, ASTP/ONC and HHS published a proposed rule entitled, “Health Data, Technology, and Interoperability: ASTP/ONC Deregulatory Actions to Unleash Prosperity” (HTI-5). Per the agencies, the proposed rule is meant to remove and revise certification criteria and regulations to offer developers and providers more flexibility, and clarify information blocking definitions and exceptions that have potential for misuse.
HTI-5 Certification Criteria
The proposed rule underscores the agencies’ focus on transitioning to Fast Healthcare Interoperability Resources (FHIR)-based APIs that are more automated, use more data, and have increased interoperability. The proposed rule proposes changes to the health IT voluntary certification program by removing 34 of the 60 certification criteria and revising 7 of the 60 certification criteria. The stated goal of these changes is to attain the goal of universal use of FHIR-based APIs.
HTI-5 Information Blocking Proposals
The proposed rule proposes revising the information blocking definitions of “access,” “use,” and “exchange” to include automated ways of accessing, using, and exchanging EHI through “bots” and autonomous AI systems. The proposed rule also proposes revising the Infeasibility Exception by removing the third party seeking modification use condition based on the alleged susceptibility of actors misusing this exception to withhold EHI from third parties. HTI-5 proposed rule also proposes revising or removing the manner exception exhausted condition from the Infeasibility Condition on the basis that actors misuse this exception by not exploring options to reach terms to fulfill the request in the manner requested or in an alternative manner. The proposed rule if finalized would also revise the manner requested condition in the Manner Exception to clarify that contracts of adhesion, or contracts with non-market rates or unconscionable terms cannot meet the exception. Finally, the proposed rule advocates for removal of the TEFCA Manner Exception. Comments to the proposed rule are due on February 27, 2026 at 5:00 p.m. ET.
Epic Systems Litigation
A recent lawsuit filed by major electronic health record manager Epic Systems against health information network Health Gorilla, and several of its clients, highlights significant concerns about the current data privacy landscape for electronic health records, and in particular the role of private health information exchanges in assuring that patient information is used for clinical purposes.
Providers such as Epic Systems participate in medical record interoperability frameworks, including Carequality and the Trusted Exchange Framework and Common Agreement (TEFCA), that outline standards for the exchange of medical records. These frameworks are essential infrastructure for the free flow of medical information between different providers; however, they do not themselves vet or monitor access to health records. That role falls to Implementors (known under TEFCA as Qualified Health Information Networks), such as Health Gorilla, who operate health data sharing networks, as well as members of these networks. Implementers are responsible for ensuring that requests by their members for medical records are made in accordance with framework standards, including that they are made for a medical purpose.
Epic Systems alleges that Health Gorilla and some of its clients “are exploiting interoperability frameworks to obtain patient records on a large scale under the false pretense of providing treatment,” and that Health Gorilla instead sought to monetize patient information, including to collect potential claimants for lawyers assembling class action lawsuits. According to the complaint, the Defendants used complex ownership structures and manipulated metrics to make their access patterns appear more in line with those of a normal provider. According to the complaint, these measures allowed the Defendants to hide the fact that they were accessing medical records en masse for non-treatment purposes.
For their part, the Defendants deny the allegations and assert that Epic Systems’ lawsuit is part of a pattern of monopolistic practices designed to limit competition.
The case underscores the legal and regulatory challenges related to data privacy – especially in the context of private health care data. Businesses operating in the health IT sector should be aware of heightened scrutiny around data access and use, particularly as regulatory pressures from both the state and federal levels increase. The dispute also highlights the need for clear policies and procedures for vetting participants in information exchanges and ensuring that patient information is used only for legitimate treatment purposes.