Healthcare Regulations 2026: What’s Changing for Data Sharing and Privacy

Across ONC, HIPAA and information blocking, 2026 signals tighter expectations for data sharing, patient access and transparency around predictive tools.

Hospitals, health systems and payers are entering 2026 with several regulatory issues coming together. A significant focus is on how care decisions are documented and communicated, how health data is shared between systems and how privacy expectations are conveyed to patients.

These changes are particularly relevant for organizations that work with Medicare Advantage, Medicaid or CHIP populations, as well as for provider groups and vendors in certified health IT environments.

Here’s an overview of US developments that healthcare teams will monitor in 2026, along with a brief global watchlist of health data and AI regulations.

Prior Authorization and Interoperability: CMS Rules Begin to Bite

This CMS rule outlines requirements for certain payers regarding how prior authorization decisions are managed and reported, as well as how information should be exchanged using standardized technical methods.

CMS finalized the Interoperability and Prior Authorization rule (CMS-0057-F) in January 2024. It affects Medicare Advantage, Medicaid, CHIP programs and some Qualified Health Plans on the federal exchanges.

Starting January 1, 2026, affected payers must meet new business process requirements even if all technical API work is not yet complete. Standard requests generally require a decision within seven calendar days and expedited requests within 72 hours, with denials including a specific reason. Payers must also begin public reporting of prior authorization metrics in 2026, with first reports due March 31, 2026.

The various APIs (application programming interfaces, or standardized methods for systems to exchange data) will follow later, with compliance dates starting in 2027.

Health IT Certification and Algorithm Transparency: HTI-1 in Practice

This Office of the National Coordinator for Health IT (ONC) rule updates the federal certification program for health IT and introduces transparency expectations for certain predictive tools used in clinical workflows.

In 2024, ONC released the HTI-1 rule, Health Data, Technology and Interoperability: Certification Program Updates, Algorithm Transparency and Information Sharing. The rule updates the ONC Health IT Certification Program, adds transparency requirements for certain predictive tools and refines information blocking provisions under the 21st Century Cures Act.

HTI-1 includes timelines for adopting updated standards, such as USCDI v3, and new certification criteria for decision support and APIs, with key dates in January 2026.

In late 2025, ONC announced enforcement discretion, meaning it would not take enforcement actions solely for missing the January 1, 2026, compliance date and would delay enforcement actions until after March 1, 2026.

Information Blocking: From Policy to Active Oversight

This framework addresses practices that interfere with access, exchange or use of electronic health information, subject to defined exceptions. While this legal framework has existed for several years, enforcement has typically been limited.

In 2025, the US Department of Health and Human Services (HHS) launched a broad enforcement initiative focused on information blocking, initiating a shift from education to more active oversight.

HHS has indicated the initiative is intended to support patient access, reduce friction in data exchange and ease burdens tied to fragmented information.

Privacy and Reproductive Health Information: HIPAA Updates

This HIPAA update restricts certain uses and disclosures of reproductive health information and includes a requirement to update patient-facing privacy notices.

In 2025, the HHS Office for Civil Rights (OCR) finalized the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, enhancing protections for certain reproductive health information. The rule took effect in June 2024, with a general compliance date in December 2024. One key requirement extends into 2026, as covered entities must update their Notice of Privacy Practices (NPP) by February 16, 2026 to reflect the new reproductive health privacy protections.

Covered entities must revise their NPPs to detail the new protections and disclosure limits, with the compliance date for these changes set for February 16, 2026.

For hospitals, clinics and health plans, this includes updating privacy notices and aligning staff processes for handling reproductive health information with the revised rule.

Global Watchlist: European Union Health Data and AI Rules

Outside the US, regulators are advancing health data and AI frameworks that could influence requirements for organizations operating internationally.

European Health Data Space (EHDS)

The EHDS Regulation entered into force in March 2025 and will roll out in phases. It’s the EU’s plan to make electronic health records (EHRs) easier to access and share across the EU for care, and to create rules for reusing health data for research, innovation and policy under defined governance.

European AI and Digital Rules

In 2025, the European Commission proposed a “Digital Omnibus” package, a set of proposed changes intended to simplify parts of the EU’s digital rulebook. One proposal would delay certain high-risk AI obligations, pending approval.

Overall, these developments point to 2026 as a year focused less on new healthcare laws and more on how existing rules are implemented and enforced.

