6 Healthcare IT Regulations That Mandate FHIR — And What They Mean for You
A compliance guide for healthcare organizations facing the 2026 and 2027 FHIR deadlines.
Before the Mandates: How FHIR Became Federal Law
Most healthcare IT leaders know FHIR is now required by federal regulation. Fewer know why regulators chose FHIR specifically or why the mandates are structured the way they are. The answer starts with the Argonaut Project.
Argonaut is a private-sector task force launched in 2014 under the HL7 umbrella, bringing together industry heavyweights like Epic, Cerner, Athenahealth, Meditech, Mayo Clinic, Intermountain Healthcare, and others to do one thing: accelerate practical, real-world FHIR adoption faster than the formal HL7 standards process could move on its own.
Argonaut operates as a high-speed execution unit. It defines and battle-tests FHIR implementation specifications in real environments — and its output became the foundation of every modern healthcare integration service built to US standards.HL7 publishes them as official standards. ONC mandates them in EHR certification rules. CMS enforces them through payer regulations and financial penalties.
| Argonaut Project | → | HL7 International | → | ONC / ASTP | → | CMS |
| Defines & tests real-world specs | Formalizes as official standards | Mandates via HTI certification rules | Enforces via payer rules & penalties |
Every FHIR specification in US federal regulation today has traveled this pipeline
SMART on FHIR, US Core, CDS Hooks, Bulk Data, the Prior Authorization APIs, all originated as Argonaut specifications before becoming law. Today every major EHR platforms like Epic, Cerner, Athenahealth, Meditech, NextGen are Argonaut-compliant, which is precisely why the federal mandates have teeth: the industry built the standard before it was required.
This also explains why the current deregulatory environment will not unwind FHIR mandates. The specifications have deep industry consensus baked in from their Argonaut origins. Deregulation removes administrative overhead, it does not dismantle infrastructure the entire industry has already built to.
The 6 Federal FHIR Mandates at a Glance
| Regulation | FHIR Requirement | Deadline |
| 21st Century Cures Act / ONC Final Rule | FHIR R4 Patient Access API; information blocking prohibition (up to $1M/violation) | Effective 2020–2022 |
| CMS-9115-F: Patient Access Rule | FHIR Patient Access API + Provider Directory API for payers | Live since Jan 2021 |
| ONC HTI-1 (Jan 2024) | USCDI v3 via FHIR US Core 6.1.0; updated FHIR API certification criteria | March 1, 2026 |
| CMS-0057-F: Prior Authorization Rule (Jan 2024) | Provider Access, Payer-to-Payer & Prior Authorization APIs — all FHIR R4 | Jan 2026 – Jan 2027 |
| ONC HTI-2 / TEFCA (Dec 2024) | FHIR-based national exchange network; TEFCA Manner Exception to info blocking | Effective Dec 2024 |
| ONC HTI-4 (Aug 2025) | FHIR API certification for e-prior authorization, e-prescribing, real-time benefit | Effective Aug 2025 |
Breaking Down Each Mandate
1. 21st Century Cures Act & ONC Cures Act Final Rule (2020)
Who it applies to: EHR developers, health IT vendors, providers, payers, anyone touching electronic health information (EHI).
The foundation of everything. The ONC Cures Act Final Rule established HL7 FHIR R4 as the national standard for health data access and created the information blocking prohibition. ONC-certified health IT must expose a FHIR R4 Patient Access API giving patients access to all their EHI at no cost. Organizations that interfere with EHI access face civil monetary penalties up to $1 million per violation.
2. CMS-9115-F — Interoperability & Patient Access Final Rule (2020)
Who it applies to: Medicare Advantage, Medicaid, CHIP managed care plans, and QHP payers on Federally-Facilitated Exchanges.
The first rule requiring payers to implement FHIR. Three requirements went live in 2021: a FHIR R4 Patient Access API (claims, encounters, and clinical data available within one business day), a publicly available FHIR Provider Directory API, and Payer-to-Payer exchange of USCDI v1 data at patient request. If your payer organization is not live on these today, you are already out of compliance.
3. ONC HTI-1 Final Rule — Deadline: March 1, 2026
Who it applies to: All ONC-certified health IT developers and EHR vendors.
The most sweeping certification update in years. Health IT modules must upgrade to USCDI v3, over 80 data elements delivered via FHIR US Core Implementation Guide v6.1.0. The updated FHIR API criteria (§170.315(g)(10)) also require SMART App Launch IG v2.0.0, including access revocation within one hour. FHIR Endpoints must be published in ONC-standardized formats.
| Enforcement Note
ONC issued enforcement discretion extending the compliance date to March 1, 2026 (from January 1, 2026). The requirements are not waived, only the enforcement date shifted. |
4. CMS-0057-F — Prior Authorization Final Rule — Deadlines: 2026 & 2027
Who it applies to: Medicare Advantage, Medicaid, CHIP, and QHP payers.
The most operationally demanding FHIR mandate for payers. Four FHIR APIs are required:
- Enhanced Patient Access API (Jan 1, 2026): Prior authorization data added; annual usage metrics reported to CMS.
- Provider Access API (Jan 1, 2027): Patient data shared with in-network treating providers via FHIR.
- Payer-to-Payer API (Jan 1, 2027): FHIR exchange of claims, USCDI data, and prior auth data between payers at patient request.
- Prior Authorization API (Jan 1, 2027): Automated FHIR-based PA requests and responses, built on the Da Vinci PAS Implementation Guide.
| Bottom Line for Payers
Three new FHIR APIs must be live by January 1, 2027. A typical implementation takes 12–18 months. Organizations that have not started are already behind. |
5. ONC HTI-2 / TEFCA Final Rule (December 2024)
Who it applies to: Organizations participating in national health information exchange.
TEFCA (Trusted Exchange Framework and Common Agreement) is the federal government’s national exchange network, built on FHIR as its data backbone. The HTI-2 Final Rule established the TEFCA Manner Exception: organizations exchanging EHI exclusively via TEFCA-compliant FHIR channels are protected from information blocking liability. While TEFCA participation is currently voluntary, organizations not FHIR-ready will be excluded from the national network as it matures.
6. ONC HTI-4 Final Rule (August 2025)
Who it applies to: ONC-certified health IT developers and EHR vendors.
The newest rule. HTI-4 finalizes FHIR API certification criteria for electronic prior authorization, e-prescribing, and real-time prescription benefit, creating the EHR-side mirror to the payer-side requirements in CMS-0057-F. Both ends of the prior authorization workflow are now required to be FHIR-capable.
Your 2026 Compliance Checklist
Payers
- Patient Access API live and reporting usage metrics to CMS by January 1, 2026?
- Provider Access API and Payer-to-Payer API implementation underway for January 1, 2027?
- Prior Authorization API mapped to the Da Vinci PAS Implementation Guide?
Providers & Health Systems
- EHR updated to USCDI v3 via FHIR US Core 6.1.0 by March 1, 2026?
- FHIR service base URLs published in ONC-standardized format?
- TEFCA readiness assessed and QHIN participation pathway identified?
Health IT Developers
- Certified health IT updated to HTI-1 and HTI-4 FHIR API requirements?
- SMART App Launch IG v2.0.0 implemented, including 1-hour access revocation?
The Deadlines Are Fixed. Your Implementation Timeline Is Not.
The Argonaut Project built the specifications. HL7 formalized them. ONC required them. CMS is enforcing them. The organizations that will struggle in 2026 and 2027 are the ones still treating FHIR as a future roadmap item rather than infrastructure that needs to be live now.
If your organization is still assessing where to start or has hit common roadblocks like EHR conformance gaps, USCDI v3 data mapping, or Da Vinci IG implementation, working with experienced FHIR integration services specialists can compress your timeline significantly. The regulatory deadlines are fixed. Your implementation schedule is not.
About the Author
Manasi Mali, [Marketing Manger], KPi-Tech Services. KPi-Tech has delivered HL7 and FHIR integration services to US healthcare organizations for 19+ years, working with 1,000+ hospitals. All FHIR engineers are HL7 v2.x and FHIR R4 certified.
