The Spring 2026 Unified Agenda reinforces several themes that have been building for years:
Below are several developments healthcare stakeholders should be watching.
Health plans continue to face a growing number of interoperability initiatives layered on top of CMS-0057-F.
The most significant proposal currently in the pipeline is CMS-0062-P, which would extend electronic prior authorization requirements beyond medical services to include both medical benefit and pharmacy benefit drugs for Medicare Advantage, Medicaid, CHIP and Qualified Health Plans. The proposal also adopts FHIR-based HIPAA transaction standards for prior authorization, establishes new decision timeframes and requires reporting of API endpoints to CMS.
At the same time, CMS continues work on broader HIPAA administrative simplification updates, including new ASC X12 transaction standards (CMS-0061) and updated CAQH CORE operating rules (CMS-0060). Transparency in Coverage and annual Notice of Benefit and Payment Parameters rulemaking also remain active.
But wait, there's something else. While CMS-0062-P is likely the most significant near-term policy development for health plans, it is not the only Unified Agenda item that could create downstream operational impacts. FDA’s transition to a standardized 12-digit National Drug Code (NDC) format is often discussed as a life sciences issue, but health plans will also need to track its implications. There is still more to learn about the payer-specific impact, but plans may need to upgrade internal IT systems and claims adjudication engines to store and process longer drug codes, maintain mapping capabilities between older and newer NDC formats during the multi-year transition, and update formulary files, benefit designs, rebate operations and administrative contracts so standardized codes can be accurately tracked across plan operations.
Health plans should begin evaluating how these initiatives fit together rather than treating each rule independently. API strategies, prior authorization workflows, transaction standards and operational processes are increasingly becoming part of a single modernization effort rather than isolated compliance projects.
One of the more notable developments this year is ONC's shift toward reducing certification requirements.
The agency formally withdrew significant portions of the proposed HTI-2 rule while simultaneously proposing HTI-5, which would eliminate or revise nearly 70% of existing certification criteria. Rather than expanding certification requirements, ONC appears focused on streamlining the program and emphasizing FHIR-based interoperability.
At the same time, previously finalized requirements remain in effect. HTI-4 established new certification criteria for electronic prior authorization, ePrescribing, and Real-Time Prescription Benefit, meaning developers still have significant implementation work underway.
Organizations should not mistake deregulation for reduced investment. The agenda signals a deregulatory moment at ONC (HTI-5 removes some burden) running simultaneously with a tightening cybersecurity and access posture at OCR (HIPAA Security and Privacy Rules). Vendors need to pursue both tracks in parallel — streamlining certification footprint while hardening security infrastructure.
The expected HTI-5 final rule (Q3-Q4 2026), however, is the most consequential item for EHR vendors in the entire unified agenda. HTI-5 proposes the largest restructuring of the ONC Certification Program since the 2020 Cures Act Final Rule
Many vendor organizations, including the EHR Association, have also provided feedback to ONC regarding the HTI-5 proposed rule. HTI-5 includes significant updates to the information blocking provision and EHR Association members have expressed significant concerns. They believe it creates new ambiguities, administrative requirements, and risks for developers and providers. In addition, they state the HTI-5 proposed rule downplays the operational and economic impact for covered actors.
The Unified Agenda does not currently indicate a publication date for a final rule, but ONC is continuing to work with industry on a consensus solution by early fall.
Health systems continue to experience increasing overlap between reimbursement policy, interoperability requirements, and cybersecurity.
Also of major significance is the Office for Civil Rights' (OCR) proposed overhaul of the HIPAA Security Rule of 2025. If finalized substantially as proposed, organizations would face more prescriptive cybersecurity requirements, including mandatory multi-factor authentication, encryption, vulnerability testing, disaster recovery expectations and significantly fewer "addressable" implementation specifications.
It is important to note that over 100 provider organizations have called for HHS to withdraw the proposed HIPAA rule along with the College for Health Information Management Executives (CHIME) to withdraw the proposed HIPAA Security Rule updates. They argue the proposals would create massive unfunded mandates, conflict with modern IT architecture, and divert resources away from patient care, particularly burdening smaller or rural hospitals. In total over 5000 comments were received on the proposed rule. The Spring Unified Agenda indicated that a final rule would be published in May 2026; the current projected date is June 2027. Providers should also continue monitoring payment system rules, which increasingly include embedded interoperability and certification requirements.
Cybersecurity planning can no longer occur independently from operational planning. Security, interoperability, revenue cycle and clinical technology teams will need to coordinate implementation efforts as multiple federal initiatives continue to converge. ONC will continue overseeing information blocking and ensure data exchange through Health Information Technology and Interoperability regulations as this is ONC's primary regulatory rulemaking series implementing the 21st Century Cures Act of 2016.
Retail pharmacies should continue monitoring implementation of updated NCPDP transaction standards while also preparing for longer-term impacts from electronic drug prior authorization requirements.
If CMS-0062-P is finalized, pharmacy systems will increasingly participate in standardized FHIR-based prior authorization workflows alongside health plans and providers.
Although many proposed requirements are still several years away, organizations evaluating pharmacy system upgrades or interoperability strategies should account for expanding electronic prior authorization capabilities now rather than waiting for final compliance deadlines.
Several Unified Agenda items have important implications for pharmaceutical manufacturers.
FDA's final National Drug Code modernization rule establishes a transition to a standardized 12-digit NDC format. While implementation extends into 2033, manufacturers should recognize that the change will affect far more than product labeling. It will require updates to ERP systems, master data, packaging and barcode processes, rebate processing, 340B operations and the downstream business processes that depend on accurate NDC identification across trading partners.
CMS-0062-P also carries indirect implications. As payers move toward standardized FHIR-based prior authorization, manufacturers and hub service vendors will need to integrate with those evolving workflows to support patient access programs.
Additional FDA proposals involving pharmacovigilance, postmarketing safety reporting and quality systems also remain active, while the recent rescission of FDA's Laboratory Developed Test rule changes the regulatory landscape for organizations involved in diagnostics.
Many of these initiatives have long implementation horizons, but they require equally long planning cycles. Organizations should begin assessing enterprise impacts well before compliance dates arrive.
The Unified Agenda is not a compliance checklist, nor is it a guarantee that every rule will proceed according to schedule. Timelines change, proposals evolve and priorities shift.
What the Spring 2026 Agenda does make clear is that healthcare organizations should expect interoperability, electronic prior authorization, cybersecurity and administrative simplification to remain central themes across federal agencies.
Organizations that monitor these developments early will be better positioned to understand how individual rules connect, anticipate operational impacts and make strategic investments before implementation deadlines arrive.
At Point-of-Care Partners, we continue tracking these developments through our Regulatory Resource Center subscriptions and consulting services, helping organizations understand not only what is changing and what those changes mean for technology strategy, business operations and long-term planning. Contact us if you’d like to schedule a complimentary consultation to discuss your highest priority challenges.