Insights

On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance regarding the implementation and enforcement of the newly enacted final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” now referred to as the Data Security Program (DSP). The release included an Implementation and Enforcement Policy, a Compliance Guide, and Frequently Asked Questions (FAQs). Collectively, these documents are designed to help entities subject to the DSP understand and comply with the obligations set out under the Final Rule.

In its first healthcare proposed regulation, the Trump Administration, through the Centers for Medicare & Medicaid Services (CMS), displayed on March 10, 2025, a proposed rule titled, “2025 Marketplace Integrity and Affordability Proposed Rule” (the Proposed Rule), which proposes policy changes for the Health Insurance Marketplaces that impact health plans and insurers offering Affordable Care Act (ACA) coverage to consumers. Specifically, the Proposed Rule shortens the Annual Open Enrollment Period (OEP) for all individual market coverage; proposes standards related to income verification for Health Insurance Marketplaces (Marketplaces); modifies eligibility redetermination procedures; and eliminates eligibility for “Deferred Action for Childhood Arrivals” (DACA) recipients, among other provisions.  

On January 6, 2025, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a notice of proposed rulemaking (the “NPRM”) entitled HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. In light of evolving technologies and cybersecurity threats, the NPRM aims to modernize security regulations implementing the Health Insurance Portability and Accountability Act security standards (the “HIPAA Security Rule”) and strengthen protections for the confidentiality, integrity, and availability of electronic protected health information (“ePHI”). In particular, OCR is considering modifications to the HIPAA Security Rule to address:

Federal policy efforts to advance health data exchange and interoperability are continuing to change rapidly. The latest changes are the publication of two final rules by the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) finalizing parts of the of the Health Data, Technology, and Interoperability (HTI-2) Proposed Rule. These rules adopt requirements regarding the Trusted Exchange Framework and Common Agreement (TEFCA) (HTI-2 Final Rule), and create a new Information Blocking exception under Protecting Care Access (HTI-3 Final Rule), on December 16thand 17th, respectively.

On October 29, 2024, the Department of Justice (DOJ) published a Notice of Proposed Rulemaking (NPRM) to implement Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the E.O.).  The E.O. addresses the national security threat posed by the continued effort of certain countries of concern to access and exploit certain kinds of Americans’ sensitive personal data, which includes health data and genetic data. This builds on DOJ’s Advance Notice of Proposed Rulemaking (ANPRM) published on March 5.  Comments are due on November 29, 2024.

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments.

The Department of Health and Human Services (HHS) continues its push on health data interoperability with a proposed rule, HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology.  Specifically, HHS proposes to modify the Health and Human Service Acquisition Regulation (HHSAR) to implement an HHS-wide policy to align requirements related to the procurement of health IT with standards and implementation specifications adopted by the Office of the National Coordinator for Health IT (ONC) or compliance with the voluntary ONC Health IT Certification Program.  This proposed rule was published on August 9, 2024, just 4 days after the ONC proposed HTI-2 rule was published in the Federal Register.

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments.

On April 26, 2024, the Federal Trade Commission (“FTC”) announced a final rule (“Final Rule”) modifying the Health Breach Notification Rule (“HBNR”). The Final Rule, which largely finalizes changes proposed in a Notice of Proposed Rulemaking published last year (“2023 NPRM”), broadens the scope of entities subject to the HBNR, including many mobile health applications (“apps”) and similar technologies, and clarifies that breaches subject to the HBNR include not only cybersecurity intrusions but also unauthorized disclosures, even those that are voluntary. The Final Rule will take effect 60 days after its publication in the Federal Register.

On Monday, May 6th, the Office of Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) published a final rule to implement Section 1557 of the Affordable Care Act[1] (“Section 1557”), which prohibits discrimination on the basis of race, color, national origin, age, disability, or sex (including pregnancy, sexual orientation, gender identity, and sex characteristics), in covered health programs or activities (the “Final Rule”). Here, we focus on the Final Rule’s application of nondiscrimination principles under Section 1557 to the use of “patient care decision support tools” in clinical care. This Final Rule responds to the President’s Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence and comments received regarding the proposed rule for Section 1557. Other key provisions of the Final Rule, including the restoration of protections for LGBTQI+ and pregnant individuals, are summarized in a companion alert.

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation.

On April 26, 2024, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a final rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Final Rule”) to address new privacy issues that have resulted in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”). The Final Rule aims to strengthen reproductive health care privacy under the Health Insurance Portability and Accountability Act and its implementing regulations (collectively, “HIPAA”) by prohibiting covered entities and business associates (collectively, “regulated entities”) from using or disclosing protected health information (“PHI”) to investigate or impose liability on any person for the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person for such purposes.

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation.

In the latest sign that federal enforcers remain focused on increasing antitrust enforcement, last Thursday, the Justice Department (DOJ), Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) revealed an online portal, HealthyCompetition.gov, to encourage the public to submit reports on potential anticompetitive and monopolistic conduct in the healthcare sector.  The initiative seeks to address concerns that such behavior may affect healthcare affordability and quality, and employee wages. 

On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule (“Final Rule”) in the Federal Register modifying regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. The changes, which largely finalize those proposed in a notice of proposed rulemaking (“NPRM”), are intended to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act and more closely align Part 2 with privacy rules under the Health Insurance Portability and Accountability Act (“HIPAA”). Ultimately, the much-anticipated Final Rule relaxes some of Part 2’s very stringent requirements, which have historically limited the ability to include SUD data in electronic health information exchange and care coordination efforts. However, there may be more enforcement of Part 2 now that there can be civil enforcement that aligns with HIPAA. Compliance with the Final Rule is required by February 16, 2026.

On January 17, 2024, the Centers for Medicare & Medicaid Services (CMS) issued the Interoperability and Prior Authorization Final Rule (Final Rule), which establishes requirements applicable to certain impacted payers which are intended to improve the electronic exchange of health information and prior authorization processes. The application programming interface (API) requirements will take effect January 1, 2027, while the operational provisions will take effect January 1, 2026. CMS has issued a helpful slide deck summarizing the Final Rule.

On December 13, 2023, the U.S. Department of Health and Human Services' (HHS) Office of the National Coordinator for Health Information Technology (ONC) released the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule. The effective date of the HTI-1 Final Rule is updated and is now March 11, 2024.

Digital health companies, investors, and other health care organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation.

On November 1, 2023, the Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) at the Department of Health and Human Services (HHS) issued the “21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking” proposed rule (Proposed Rule). Comments are due by January 2, 2024.

On November 2, 2023, the Centers for Medicare & Medicaid Services (“CMS”) released the calendar year (“CY”) 2024 Hospital Outpatient Prospective Payment and Ambulatory Surgical Center Payment Systems Final Rule (“CY 2024 OPPS/ASC Final Rule”). The final rule with comment period finalizes payment rates and policy changes affecting Medicare services furnished in hospital outpatient and ambulatory surgical center (“ASC”) settings for CY 2024.