New from the Diagnosing Health Care Podcast: Value-based enterprises depend on timely, accurate data, yet the rules that govern how that data moves between the Centers for Medicare & Medicaid Services (CMS), accountable care organizations, payors, and providers remain complex and often inconsistent.
On this episode, Epstein Becker Green attorneys Kevin Malone and Karen Mandelbaum unpack the regulatory frameworks shaping data exchange in value-based care.
They outline how federal privacy laws, CMS rules, the Health Insurance Portability and Accountability Act (HIPAA), and state requirements intersect; why CMS-sourced data operates under a different regime than Medicare Advantage; and where organizations face the biggest operational hurdles when using, sharing, and governing data across large networks.
The Second Circuit dealt a blow to the dietary supplement industry last month as it affirmed a lower court’s decision not to temporarily pause enforcement of New York’s new restrictions on sales of certain dietary supplements to minors as legal challenges continue to proceed through the court system.
As Epstein Becker & Green, P.C. previously reported, the National Security Division of the U.S. Department of Justice (“DOJ”) issued a final rule, effective on April 8, 2025, called the Bulk Sensitive Data Rule (“BSD Rule”) (codified at 28 C.F.R. Part 202), which prohibits and/or restricts U.S. persons and/or companies from engaging in certain transactions involving certain categories of government-related data and sensitive personal data with covered persons or six countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
Legislation introduced in the U.S. Senate in November, informally called the “Better FDA Act of 2025,” is perhaps a bit misleading. While it involves the Food and Drug Administration (“FDA”), the full title of S. 3122—introduced on November 6—is actually “The Better Food Disclosure Act of 2025,” designed to amend the federal Food, Drug, and Cosmetic Act (“FDCA”) regarding food substances generally recognized as safe (“GRAS”).
Imagine this scenario: a longtime patient at an ENT practice decides to leave the traffic and sprawl of a major metropolitan area for a more idyllic, rural existence elsewhere in the state. Accustomed to the familiar, top-ranked brands of excellent hospitals, however, the patient is unsure of what to expect in the new location in terms of quality of care. Fortunately, posters on the walls in the old and new locations, online websites, and postcards in the mail—with the same familiar names and logos—immediately reassure the patient that the health professionals in this new location are not only as good as those back home but are affiliated with them.
In today's competitive health care landscape, hospitals are increasingly exploring innovative ways to expand their market presence and generate additional revenue streams. One particularly effective strategy is brand licensing to urgent care facilities. Becker’s Health IT, in fact, has reported on Monigle’s rankings of the 30 most trusted health system brands for 2024 and the 25 “most human” health system brands for 2025. This post explores key opportunities, challenges, and best practices for hospital administrators considering brand licensing programs.
The federal government is back in business, and those who may be scrambling to comply with the January 20, 2026, deadline for the Food and Drug Administration’s (“FDA” or the “Agency”) Food Traceability Rule (“FTR” or “Final Rule”) will be pleased with the likely possibility of a generous extension from the agency—to July 20, 2028.
As cybersecurity breaches grow more complex and frequent, regulators are increasingly focused on organizational compliance. Organizations such as CrowdStrike report that in 2025, cyberattacks are increasing in speed, volume, and sophistication—and cybercrime has evolved as a “highly efficient business.” The escalating threat landscape demands robust security frameworks that can withstand evolving risks.
Enter the amendments announced in November 2023 to New York’s Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Regulation”), that became effective on November 1. This post explores the breadth of the Amended Regulation and the steps that covered entities need to take now.
Health care organizations operate under constant scrutiny from government regulators and the threat of potential whistleblowers. Even in a time of government downsizing, the Trump administration has consistently publicized its intent to pursue vigorous prosecutions under the False Claims Act. And, according to U.S. Department of Justice annual fraud statistics, of the 455 new health care-related fraud matters in FY2024, 370 (or more than 81 percent) were filed by whistleblowers. On top of that, data security risks are becoming, potentially, an even greater threat. Put mildly, litigation exposure is a daily reality for health care organizations. Yet, one of the most common challenges organizations face during a legal crisis is not the merits of the inquiry but operational readiness.
The digital transformation has led to significant advancements in authentication and identity verification technologies and other cyber defenses. From biometrics to multi-factor authentication (MFA) to the use of artificial intelligence (AI)-enhanced detection and response tools, these systems are the first line of defense against unauthorized access in critical sectors such as finance, healthcare, manufacturing and government. However, with the rapid development of multi-modal AI and agentic AI, a new challenge has emerged—one that may compromise the very systems designed to protect us. By integrating multiple forms of data (e.g., voice, video, text) in multi-modal AI and using agentic AI (automated decision-making with little or no human intervention), malicious actors are increasingly capable of bypassing authentication and identity verification security and other defenses, thereby posing a new level of cybersecurity threat. The rapid deployment of AI integrated into a wide variety of commercial products, platforms and workflows has dramatically expanded the potential attack surface.
Practices related to enrollment in Medicare Advantage plans continue to draw scrutiny from government regulators. Over the last few weeks, and simultaneous with Medicare’s Annual Open Enrollment Period, six states issued statements regarding recent Medicare Advantage and MedSupp (or “Medigap”) carrier actions related to enrollment and marketing accessibility. Specifically, regulators from state insurance departments in the states of Delaware, Idaho, Montana, New Hampshire, North Dakota and Oklahoma, have indicated that the following acts, if taken by MA and MedSupp carriers, are considered unfair and deceptive under state law: