Legislation introduced in the U.S. Senate in November, informally called the “Better FDA Act of 2025,” is perhaps a bit misleading. While it involves the Food and Drug Administration (“FDA”), the full title of S. 3122—introduced on November 6—is actually “The Better Food Disclosure Act of 2025,” designed to amend the federal Food, Drug, and Cosmetic Act (“FDCA”) regarding food substances generally recognized as safe (“GRAS”).
Imagine this scenario: a longtime patient at an ENT practice decides to leave the traffic and sprawl of a major metropolitan area for a more idyllic, rural existence elsewhere in the state. Accustomed to the familiar, top-ranked brands of excellent hospitals, however, the patient is unsure of what to expect in the new location in terms of quality of care. Fortunately, posters on the walls in the old and new locations, online websites, and postcards in the mail—with the same familiar names and logos—immediately reassure the patient that the health professionals in this new location are not only as good as those back home but are affiliated with them.
In today's competitive health care landscape, hospitals are increasingly exploring innovative ways to expand their market presence and generate additional revenue streams. One particularly effective strategy is brand licensing to urgent care facilities. Becker’s Health IT, in fact, has reported on Monigle’s rankings of the 30 most trusted health system brands for 2024 and the 25 “most human” health system brands for 2025. This post explores key opportunities, challenges, and best practices for hospital administrators considering brand licensing programs.
The federal government is back in business, and those who may be scrambling to comply with the January 20, 2026, deadline for the Food and Drug Administration’s (“FDA” or the “Agency”) Food Traceability Rule (“FTR” or “Final Rule”) will be pleased with the likely possibility of a generous extension from the agency—to July 20, 2028.
As cybersecurity breaches grow more complex and frequent, regulators are increasingly focused on organizational compliance. Organizations such as CrowdStrike report that in 2025, cyberattacks are increasing in speed, volume, and sophistication—and cybercrime has evolved as a “highly efficient business.” The escalating threat landscape demands robust security frameworks that can withstand evolving risks.
Enter the amendments announced in November 2023 to New York’s Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Regulation”), that became effective on November 1. This post explores the breadth of the Amended Regulation, and the steps that covered entities need to take now.
Health care organizations operate under constant scrutiny from government regulators and the threat of potential whistleblowers. Even in a time of government downsizing, the Trump administration has consistently publicized its intent to pursue vigorous prosecutions under the False Claims Act. And, according to U.S. Department of Justice annual fraud statistics, of the 455 new health care-related fraud matters in FY2024, 370 (or more than 81 percent) were filed by whistleblowers. On top of that, data security risks are becoming, potentially, an even greater threat. Put mildly, litigation exposure is a daily reality for health care organizations. Yet, one of the most common challenges organizations face during a legal crisis is not the merits of the inquiry but operational readiness.
The digital transformation has led to significant advancements in authentication and identity verification technologies and other cyber defenses. From biometrics to multi-factor authentication (MFA) to the use of artificial intelligence (AI)-enhanced detection and response tools, these systems are the first line of defense against unauthorized access in critical sectors such as finance, healthcare, manufacturing and government. However, with the rapid development of multi-modal AI and agentic AI, a new challenge has emerged—one that may compromise the very systems designed to protect us. By integrating multiple forms of data (e.g., voice, video, text) in multi-modal AI and using agentic AI (automated decision-making with little or no human intervention), malicious actors are increasingly capable of bypassing authentication and identity verification security and other defenses, thereby posing a new level of cybersecurity threat. The rapid deployment of AI integrated into a wide variety of commercial products, platforms and workflows has dramatically expanded the potential attack surface.
Practices related to enrollment in Medicare Advantage plans continue to draw scrutiny from government regulators. Over the last few weeks, and simultaneous with Medicare’s Annual Open Enrollment Period, six states issued statements regarding recent Medicare Advantage and MedSupp (or “Medigap”) carrier actions related to enrollment and marketing accessibility. Specifically, regulators from state insurance departments in the states of Delaware, Idaho, Montana, New Hampshire, North Dakota and Oklahoma, have indicated that the following acts, if taken by MA and MedSupp carriers, are considered unfair and deceptive under state law:
On June 12, 2025, the Children’s Hospital of Philadelphia (“CHOP”) received a subpoena issued by the Department of Justice (“DOJ”) requesting highly sensitive patient health and procedure information related to gender-affirming care. These subpoenas, issued to multiple hospitals, doctors, and clinics, were directly related to the Trump Administration’s January 28, 2025, Executive Order entitled, “Protecting Children from Chemical and Surgical Mutilation” (“EO 14187”). The subpoena to CHOP has resulted in recent court activity over its purpose and enforceability.
New from the Diagnosing Health Care Podcast: By early 2026, substance use disorder (SUD) providers, health plans, clinicians, health information exchanges (HIEs), and vendors must meet new federal privacy standards for SUD treatment records or face Health Insurance Portability and Accountability Act (HIPAA)-level enforcement and penalties.
On this episode, Epstein Becker Green attorneys Lisa Pierce Reisz, David Shillcutt, and Laura DePonio join Nichole Sweeney, General Counsel and Chief Privacy Officer at CRISP, to break down the 42 CFR Part 2 final rule: what’s changing, what’s staying the same, and what organizations often miss.
The group explains how the final rule aligns with (but does not replace) HIPAA, why patient consent remains central, and what new operational risks are emerging.
Tune in to learn about the changes that matter most and the risks you can’t ignore.
[UPDATE: This post has been updated to reflect the Drug Enforcement Administration’s November 10, 2025, notice of the upcoming Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications.]
The United States just made its latest move regarding Medicare telehealth flexibilities, which expired on September 30, 2025.
On November 9, the Senate voted 60-40 to end the then-nearly 40-day U.S. government shutdown, hammering out a continuing resolution (CR) that would extend the telehealth flexibilities extended in the Consolidated Appropriations Act of 2023 through January 30, 2026. The House vote on November 12, 222-209, clinched the deal.
It’s a welcome development. A research brief updated on November 10, 2025, by the Center for Advancing Health Policy Through Research (CAHPR) and the Brown University School of Public Health reports that telemedicine visits declined by 24 percent in the first 17 days of October for Medicare fee-for-service beneficiaries, and by 13 percent for Medicare Advantage beneficiaries. This is compared to visits from the start of July to the end of September, when the U.S. government’s failure to extend Medicare telehealth coverage sent practitioners and patients alike over what is now commonly termed a telehealth policy “cliff.”