A common misconception about the current regulatory environment in healthcare is that deregulation signals reduced risk. It doesn’t. Cyberattacks on health systems are not declining as federal requirements ease. Healthcare remains the most targeted sector for ransomware, and hacking now accounts for 81% of all reported HIPAA breaches, up from 49% in 2019.
What deregulation changes is not the exposure. It is who owns it. Four federal initiatives in 2026 are collectively shifting accountability for security, governance, and technology management away from vendors and certification programs and onto hospital IT infrastructure teams. My intent is to clarify each of these four regulatory initiatives and what each one demands in practice, as the starting point for getting ahead of them.
1. Health data, technology and interoperability: ASTP/ONC deregulations to unleash prosperity (HTI-5) proposed rule
When the certification shortcut goes away
The Office of the National Coordinator for Health Information Technology (ONC) certification has served as a practical shortcut in healthcare IT procurement for years. A certified clinical system carried independent, verified assurance that it met a defined baseline for authentication, access control, and authorization, giving compliance teams a documentable basis for vendor security decisions. The HTI-5 proposed rule, which closed its comment period in February 2026 and is expected to finalize mid-to-late 2026, proposes to remove all 14 of those privacy and security criteria from the certification program. The stated rationale is that they duplicate existing HIPAA requirements.
A Health Affairs Forefront analysis of HTI-5 named the real consequence: removing those criteria does not remove the compliance obligations. It removes the mechanism health systems have used to document that vendors meet them.
Among the 14 criteria being removed is audit logging, the requirement that certified systems demonstrate they are recording who accessed ePHI, when, and what they did. That requirement was independent verification that the systems health organizations rely on are generating the audit trails that breach investigations and Office for Civil Rights (OCR) audits depend on. Without it, health systems can no longer assume a certified system maintains a defensible audit record. If a system is not logging access correctly and a breach occurs, the trail that would tell you who accessed what and when may simply not exist.
The burden of verifying that audit logging is in place, contractually requiring it from every vendor, and maintaining that documentation independently now falls to the health system. That accountability does not arrive with a compliance deadline. It shifts the moment the rule finalizes.
2. Trusted Exchange Framework and Common Agreement (TEFCA)
The interoperability network is operational and growing
TEFCA is not a framework in development. It is now an active national network. Approximately 10 million health records were exchanged through the Qualified Health Information Network infrastructure in January 2025. By February 2026, that figure was nearly 500 million. USCDI v3 data conformance has been required since January 2026. The Social Security Administration joined the network in early 2026, projecting cuts to disability claims processing time of more than 50%. The question of whether TEFCA would reach meaningful scale has now been answered.
What makes this consequential for hospital IT is where TEFCA intersects with M&A, which is where most health systems are already under the most pressure. As Cletis Earle wrote in a January 2026 blog about hospital consolidation, IT integration is the primary cause of M&A failure in healthcare. Bain & Company research puts the integration success rate at 14%, with 83% of practitioners citing IT challenges as the leading cause, and IT accounting for up to 70% of the synergies these transactions are supposed to generate.
Clinical staff at acquired facilities need cross-entity access to records and applications long before full EHR integration is complete. TEFCA formalizes that expectation from outside the organization. Fragmented credentials, inconsistent access governance, and staff using workarounds to bridge systems are not just integration friction. They are the conditions that create security exposure, and they are now a TEFCA compliance concern as well. For acute care hospitals, non-compliance with federal interoperability participation requirements carries financial penalties of up to 75% of the annual payment update, a consequence that does not wait for M&A integration to catch up.
3. Health Insurance Portability and Accountability Act (HIPAA) Security Rule
The first update since 2003
For 23 years, the “addressable” category in the HIPAA Security Rule gave health systems documented flexibility to defer or substitute certain controls. The proposed update, published January 2025 with a final rule expected in 2026, eliminates that category. Every control becomes mandatory. The controls most often deferred under the addressable framework – specifically encryption of ePHI and multi-factor authentication – are also the ones whose absence is most commonly exploited in healthcare ransomware attacks. Deferred controls are not compliance gaps in the abstract. They are open attack vectors. With hacking now accounting for 81% of all reported HIPAA breaches, the rule is removing a flexibility that the threat environment had already made untenable.
When systems go dark in a clinical environment, the consequences are not just operational. Clinical workflows halt, patient care decisions stall, and the exposure extends well beyond the IT team, as a March 2026 conversation on healthcare business resiliency with Citrix’s Healthcare Field CTO, Cletis Earle, documents.
The proposed 72-hour critical systems restoration requirement is not achievable through a security sprint. It requires infrastructure investment, disaster recovery planning, vendor coordination, and board-level commitment. The window to build that deliberately, before a deadline forces emergency remediation, is open now.
4. HHS AI strategy
Federal policy is pushing adoption into a governance gap
The HHS AI strategy, released December 2025 and followed by a Request for Information on accelerating clinical AI through regulatory and reimbursement policy, is not a binding rule. However, it is a clear signal of intent.
The federal government is designing conditions to push more AI into clinical care, and it intends to move quickly. The problem is that AI is already outpacing governance in most health systems before that acceleration has taken full effect. A February 2026 Healthcare Brew survey found that 57% of healthcare professionals had already used or encountered unauthorized AI tools at work. A 2025 IBM study found that 97% of organizations that experienced an AI-related security incident lacked proper AI access controls.
As Cletis Earle wrote in an April 2026 blog about AI governance in healthcare, “AI is already being used, sometimes officially, sometimes quietly, sometimes in ways leaders did not intend,” and critically: “policy without enforcement is not governance, it is intention.” When clinical staff route work through unreviewed AI tools, ePHI can reach models that were never assessed for security, creating breach risk that no policy document prevents.
In our response to the HHS Health Sector AI Request for Information, Citrix argued that the biggest barrier to safe, scalable AI in healthcare is not the model itself but the governance and delivery layers surrounding it. The organizations managing clinical AI well are not restricting adoption. They are building a sanctioned path with security review, ePHI classification, and role-based access built into the process, not retrofitted after an incident.
What this means for hospital IT
The thread connecting all four of these initiatives is auditability. Who accessed what, when, through which system, and under what authorization. That question sits at the center of every breach investigation, OCR audit, AI governance failure, and M&A integration gap. And in each area, the regulatory environment is shifting the responsibility for answering it from external frameworks onto hospital IT infrastructure directly.
HTI-5 removes the independent verification that clinical systems are generating defensible audit trails at all. The HIPAA Security Rule update makes encryption and MFA mandatory, the controls that determine whether access to ePHI can be traced and contained when something goes wrong. TEFCA requires cross-entity governance of access and data exchange across organizations that may not yet share systems or identity infrastructure, with penalties for non-compliance. And shadow AI creates exactly the auditability gap that regulators will eventually require health systems to close: ePHI moving through tools that were never reviewed, never logged, and never governed.
None of this is a new strategic direction for hospital IT. It is the regulatory environment formalizing a single expectation that the threat landscape has already made non-negotiable: health systems need to know, at any point, who has access to patient data, through which systems, and under what controls. Without that audit capability, breaches go undetected longer, investigations stall without evidence, and the gap between what happened and what can be demonstrated grows. The organizations building toward that capability now are not just better positioned for the rules ahead. They are fundamentally harder to breach, and far better equipped to respond when it happens.
The deregulation environment described here does not reduce the security and governance obligations on health systems. It relocates them from vendor certification programs and external frameworks to the infrastructure health systems own and operate directly. The Citrix platform is built for that position. When ONC certification no longer provides that independent verification, the delivery layer becomes the audit layer. The Citrix platform creates that audit trail by generating an independent record of who accessed which application, when, and under what policy, without depending on whether any individual clinical application maintains a defensible audit trail. This is just one example of how Citrix is your partner in innovation and compliance – now and into the future.
For more information on how we can help you navigate these and other healthcare challenges, please contact your Citrix team.