Key Developments in AI and Digital Health Signal Growing Federal Activity (Q1 2025)

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments. This update outlines major health policy developments that occurred at the end of 2024 through the first three months of 2025.

Executive Branch and Federal Agency Updates

The White House

• Trump Administration Issues AI Executive Order and Seeks Input from Public on National Artificial Intelligence Action Plan (January-April 2025)
  • Since taking office in January, President Trump has taken several policy actions related to AI. In sum, these actions aim to undo Biden-era policies and initiatives and hint that a Trump Administration approach to AI will likely focus on deregulation and aim to promote innovation and U.S. leadership in AI. They include the following:
    • On his first day in office, January 20, 2025, President Trump issued an Executive Order (EO) titled, “Initial Rescissions of Harmful Executive Orders and Actions,” to revoke several EOs and memorandums issued by President Biden. This includes EO 14110 titled, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (see here), which was issued in October 2023.
    • On January 23, 2025, President Trump issued EO 14179 titled “Removing Barriers to American Leadership in Artificial Intelligence,” which aims to revoke “certain existing AI policies and directives that act as barriers to American AI innovation” and to bolster U.S. AI leadership. Specifically, the EO directs the Assistant to the President for Science and Technology, the Special Advisor for AI and Crypto, and the Assistant to the President for National Security Affairs, in coordination with relevant agency heads, to prepare within 180 days an AI Action Plan to replace the policies that have been rescinded from the Biden Administration.
    • On February 6, 2025, the National Science Foundation (NSF), on behalf of the White House Office of Science and Technology Policy (OSTP), issued a Request for Information (RFI) to ask for public input about creating a national AI Action Plan. This directive was included in EO 14179 “Removing Barriers to American Leadership in Artificial Intelligence.” The RFI identifies areas for stakeholders to recommend “concrete AI policy actions,” including model development, cybersecurity, and data privacy and security throughout the AI lifecycle. Additional information on the RFI is available here. The RFI, which closed on March 15, invited input from academia, industry groups, private sector organizations, government entities, and other interested parties to recommend recommendations on a broad range of related topics.
    • On April 3, 2025, the White House Office of Management and Budget (OMB) issued two memoranda, M-25-21 and M-25-22, that address federal agency use of AI and federal procurement processes. M-25-21, titled, “Accelerating Federal Use of AI through Innovation, Governance, and Public Trust,” directs agencies to accelerate the federal use of AI by removing “unnecessary and bureaucratic requirements” and increasing transparency by focusing on three key priorities: innovation, governance, and public trust. M-25-22, titled, “Driving Efficient Acquisition of Artificial Intelligence in Government,” builds on M-25-21 and requires federal agencies to update their policies on procuring AI systems and products in a way that protects personally identifiable information (PII) and intellectual property rights.
  • Why it matters for you: The Trump Administration’s early actions on AI signal a shift in policy and indicate that the current administration will create policies to prioritize the reduction of regulatory barriers to accelerate AI development and strengthen U.S. leadership. This may be a shift from the previous administration’s focus on safety and security. As the Trump Administration continues to shape AI policy, we anticipate further actions from policymakers and regulators that will impact organizations. While there is some uncertainty, we do not see the policy shifts necessitating changes in technology development and deployment, but we do encourage organizations to follow this space closely.

The Department of Health and Human Services (HHS)

• HHS Announces “Dramatic Restructuring” (March 27, 2025)
  • HHS announced a “dramatic restructuring” of its various agencies and offices in accordance with President Trump's Executive Order, “Implementing the President’s ‘Department of Government Efficiency’ Workforce Optimization Initiative.” According to HHS, the restructuring will include a reduction in workforce of about 10,000 full-time employees resulting in taxpayer savings of $1.8 billion per year. It reduces the number of HHS divisions from 28 to 15, including a new division called the Administration for a Healthy America. It centralizes core functions such as Human Resources, Information Technology, Procurement, External Affairs, and Policy. It also and reduces regional offices from 10 to 5, among other changes. Additional information is available in our client alert here.
  • Why it matters for you: While the specifics of the restructuring plan have been announced so far, many questions remain unanswered. It is likely that HHS’ restructuring will have significant impacts on priorities, programs, and daily operations of HHS divisions.
• HHS Suggests It Will Provide Less Notice and Opportunity for Comment on Grant and Contract Rules (February 28, 2025)
  • HHS announcedthat it was rescinding the Richardson Waiver, a policy in place since 1971 which said HHS would provide notice of proposed rulemaking in certain cases where it was not otherwise required to do so by law. This announcement signals a policy shift for the agency and suggests that where permitted by law, HHS will generally now issue rules relating to “agency management or personnel or to public property, loans, grants, benefits, or contracts” without providing notice and comment to stakeholders, and may otherwise find good cause to forego notice and comment procedures. Additional information on the announcement is available here.
  • Why it matters for you: Secretary Kennedy’s policy announcement makes clear that HHS will provide notice and opportunity for comment less frequently than stakeholders may have become accustomed to under previous policy. This will allow HHS to issue new rules and policies concerning grants and contracts more quickly, with little to no stakeholder input and transparency. We are continuing to monitor ongoing policy developments at HHS.

Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC)

• ASTP Issues Leading Edge Acceleration Projects (LEAP) in Health IT Funding Opportunity (January 15, 2025)
  • ASTP issued a LEAP in Health IT Notice of Funding Opportunity (NOFO) for fiscal year (FY) 2025. The goal of the LEAP in Health IT funding opportunity is to address well-documented and fast emerging challenges inhibiting the development, use, or advancement of well-designed, interoperable health IT, which are scalable across the healthcare industry. In FY 2025, ASTP seeks applications pursuant to the LEAP in Health IT notice of funding opportunity for projects that address one of the following areas of interests:
    • Area 1: Demonstrate readiness of FHIR®-based Subscriptions capability as a foundational health IT capability for improved interactivity with third-party applications.
    • Area 2: Identify and test innovative technical approaches that would inform future changes to the Trusted Exchange Framework and Common Agreement (TEFCA) infrastructure to increase adoption of Individual Access Services (IAS).
  • Why it matters for you: ASTP has stated that it expects to issue one cooperative agreement award per area of interest of up to $1 million per award, totaling up to $2 million for the two awards in FY 2025. The NOFO closed on April 25, 2025.
• ASTP Finalizes Two Rules Focused on TEFCA and Reproductive Healthcare Data (December 16 and 17, 2024)
  • Before the end of 2024, ASTP finalized two rules: Health Data, Technology, and Interoperability: Trusted Exchange Framework and Common Agreement (HTI-2) and Health Data, Technology, and Interoperability: Protecting Care Access (HTI-3). The two final rules address only a limited number of policies that were proposed by ASTP in August 2024. The HTI-2 Proposed Rule included numerous provisions related to public health interoperability, USCDI Version 4, updated minimum standards code sets, bulk data, prior authorization, and Application Programming Interface (API) capabilities, among others.

    Released on December 16, 2024, the HTI-2 Final Rule focused on changes to CFR Parts 170 and 171, finalizing updates to the Privacy and Security Framework criterion and certification, information blocking regulations including definitions related to the Trusted Exchange Framework and Common Agreement (TEFCA) Manner Exception, and several administrative updates. It also created a new Part 172 focused on TEFCA. The HTI-2 Final Rule became effective on January 15, 2025.

    Released on December 17, 2024, the HTI-3 Final Rule finalized proposals related to reproductive health data and information blocking regulations, including modifications to the existing information blocking exceptions (Privacy Exception and Infeasibility Exception) and a new information blocking exception (Protecting Care Access). The HTI-3 Final Rule was effective upon publication. Additional information on the two final rules is available in our client alert here.

• • Why it matters for you: The release of the HTI-2 and HTI-3 Final Rules solidifies TEFCA in regulation and addresses protecting privacy of certain sensitive data. Organizations should note that these final rules were published during the late Biden Administration and expect that there will be discussions by the new HHS leadership about whether to roll back the policies and/or finalize other parts of the HTI-2 Proposed Rule through regulation.

Department of Health and Human Services Office for Civil Rights (HHS OCR)

• HHS OCR Proposes New Cybersecurity Requirements in Updated HIPAA Security Rule (December 27, 2024)
  • HHS OCR issued a Notice of Proposed Rulemaking (NRPM) (“HIPAA Security Rule NPRM”) that would modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule to require health plans, health care clearinghouses, and certain health care providers and their business associates (collectively “regulated entities”) to strengthen cybersecurity protections for individuals’ electronic protected health information (ePHI). These proposals are intended to revise existing regulations to better protect the confidentiality, integrity, and availability ePHI and would be the first significant modification to the security rule standards since they were initially issued. The comment period on the proposed rule closed on March 7, 2025. A more detailed summary of the NPRM is available here.

    The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications and includes the following provisions:

    • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required (with limited exceptions);

• • • Require written documentation of all HIPAA Security Rule policies, procedures, plans, and analyses;
    • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an annual basis and in response to a change in the regulated entity’s environment or operations that may affect ePHI;
    • Require greater specificity for conducting a risk analysis and proposes new express requirements;
    • Strengthen requirements for planning for contingencies and responding to security incidents.
    • Require regulated entities to conduct a compliance audit annually to ensure their compliance with the Security Rule requirements; and
    • Require encryption, multi-factor authentication (MFA), and network segmentation, among other technical safeguards.
  • Why it matters for you: OCR, under the Biden Administration, published this NPRM just before the change in administration. Given that protecting against cybersecurity is a bipartisan issue, we anticipate that the Trump Administration will be interested in the comments submitted to OCR, but may decide to take a different approach, given the deregulatory posture of this administration. If the NPRM were to be finalized as proposed, most regulated entities will need to evaluate their security practices, policies, and procedures. Further, many will need to significantly modify their information security programs to comply with these changes to the HIPAA Security Rule.

Centers for Medicare & Medicaid Services (CMS)

• CMS Issues Marketplace Integrity and Affordability Proposed Rule (March 10, 2025)
  • The Trump Administration, through CMS, displayed on March 10, 2025, a proposed rule titled, “2025 Marketplace Integrity and Affordability Proposed Rule” (the Proposed Rule), which proposes policy changes for the Health Insurance Marketplaces that impact health plans and insurers offering Affordable Care Act (ACA) coverage to consumers. Specifically, the Proposed Rule shortens the Annual Open Enrollment Period (OEP) for all individual market coverage; proposes standards related to income verification for Health Insurance Marketplaces (Marketplaces); modifies eligibility redetermination procedures; and eliminates eligibility for “Deferred Action for Childhood Arrivals” (DACA) recipients, among other provisions. Additional information is available in our client alert here.

    Specifically, the Proposed Rule includes the following provisions:

    • Limit the annual OEP to 45 days, from November 1 through December 15 preceding the coverage year, instead of through January 15 of the coverage year;

• • • Modify the definition of “lawfully present” (at 42 C.F.R.  155.20) in a key way that specifically excludes DACA recipients from that defined term;
    • Reinstate pre-enrollment SEP verification requirements for certain types of SEPs by the federal Marketplaces and to require all Marketplaces to conduct SEP eligibility verification for at least 75 percent of new enrollments;
    • Change Essential Health Benefit (EHB) requirements that would prohibit individual and small group insurers from covering what it refers to as “sex-trait modification”; and
    • Establish certain income verification eligibility requirements related to advance payments of the premium tax credit (APTCs), among other provisions.
  • Why it matters for you: In issuing the Proposed Rule, the Trump Administration is aiming to reinstate policies that were implemented during the first Trump Administration. It proposes to implement several Trump Administration policy priorities, including countering fraud and abuse in health care, reducing “adverse selection” in enrollment, and addressing other issues related to gender-affirming care and immigration. Healthcare stakeholders should pay attention to the effective dates of provisions included in the Proposed Rule. Several provisions would be finalized when the final rule is issued, while others would become effective on specific dates, beginning in 2026.

U.S. Food and Drug Administration (FDA)

• FDA Issues AI and Other Guidances Before Change of Administration (January 6-7, 2025)

• • • In early January 2025, the FDA, under the Biden Administration, issued a slew of guidances to advance policy priorities, including those related to AI and obesity-related drugs, before the change of Administration and FDA leadership. The guidances cover a number of products and issue areas that FDA regulates. Specifically, FDA has issued the following draft and final guidances, among others:

• • • • Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations: Draft Guidance for Industry and Food and Drug Administration Staff (see draft guidance here)

• • • • Considerations for the Use of Artificial Intelligence To Support Regulatory Decision-Making for Drug and Biological Products: Draft Guidance for Industry and Other Interested Parties (see draft guidance here)

• • • • Evaluation of Sex-Specific Data in Medical Device Clinical Studies - Guidance for Industry and Food and Drug Administration Staff (see final guidance here)

• • • • Accelerated Approval and Considerations for Determining Whether a Confirmatory Trial is Underway (see draft guidance here)

• • • • Obesity and Overweight: Developing Drugs and Biological Products for Weight Reduction (see draft guidance here)

• • • • Considerations for Including Tissue Biopsies in Clinical Trials (see draft guidance here)

• • • • Communications From Firms to Health Care Providers Regarding Scientific Information on Unapproved Uses of Approved/Cleared Medical Products: Questions and Answers (see final guidance here)

• • • • Guidance for Industry: Action Levels for Lead in Processed Food Intended for Babies and Young Children (see final guidance here)

• • • • Interim Policy on Compounding Using Bulk Drug Substances Under Section 503A of the Federal Food, Drug, and Cosmetic Act (see final guidance here)

• • • Why it matters for you: The FDA guidances provide important insight into the FDA’s interpretation of regulatory policy. Industry should note that many of these guidances are in draft form, and it remains to be seen whether the FDA, under the Trump Administration, will finalize guidance as proposed.

National Institute of Standards and Technology (NIST)

• NIST Activity Related to AI and Cybersecurity (February-April 2025)
  • In recent months, NIST has announced guidance and other publications and stakeholder engagement opportunities related to AI, including issuing guidance to update the NIST Privacy Framework; issuing a draft concept paper on cybersecurity and AI; and launching a pilot project to promote AI innovation. Below we have outlined recent developments:
    • NIST’s AI Standards “Zero Drafts” Pilot Project: The “Zero Drafts” Pilot Project will start a process to broaden participation in and accelerate the creation of AI standards. NIST is working and accepting stakeholder feedback from now until summer 2025 to scope and propose initial concept papers for its initial pilots. Specifically, they will address the following topics:
      • Documentation about system and data characteristics for transparency among AI actors;
      • Methods and metrics for AI testing, evaluation, verification, and validation (TEVV);
      • Maps of concepts and terminology regarding AI system designs, architectures, processes, and actors; and
      • Technical measures for reducing risks posed by synthetic content.

• • • NIST Cybersecurity and AI Workshop Concept Paper: NIST, through the National Cybersecurity Center of Excellence (NCCoE), issued on February 14, 2025 a draft concept paper to inform development of a possible Cyber Security Framework (CSF) Community Profile based on the intersection of cybersecurity and AI. NIST expressed interest in supporting stakeholders to address the cybersecurity risks related to AI development and use. In order to gauge stakeholders’ shared goals related to cybersecurity and AI, NIST outlined in the concept paper a number of questions to inquire about stakeholders’ perspectives about guidelines and resources, existing NIST guidance, and standards activities. Comments on the concept paper closed on March 14, 2025.
    • NIST Privacy Framework 1.1: On April 14, 2025, NIST released for public comment draft update to the NIST Privacy Framework. According to NIST, the draft update was released to address current privacy risk management needs, maintain alignment with NIST’s recently updated Cybersecurity Framework, and improve usability. It also addresses AI and privacy risk management. Comments on the draft update will close on June 13, 2025.
  • Why it matters for you: Stakeholders should note that recent NIST activity has occurred under the current administration. We recommend that industry and stakeholders continue to look to NIST as an important guide for standard setting.

Federal Legislative Developments

• House Committee Seeks Comment on New Comprehensive Data Privacy and Security Framework (February 21, 2025)
  • Representatives Brett Guthrie (R-KY) and John Joyce (R-PA), the Chairman and Vice Chairman of the U.S. House Committee on Energy and Commerce, respectively, issued a Request for Information(RFI) inviting stakeholders to provide comment as the Committee explores the development of a federal data privacy and security framework. Responses to the RFI were due on April 7, 2025. This RFI follows a February 12 announcement that the committee would form a Privacy Working Group, comprised of nine Republican members, to address the need to establish a national data privacy standard. The RFI included specific questions for stakeholders and addresses a number of policy and technical areas, including how to differentiate obligations in data privacy and security for entities based on the roles they play in handling consumer information (e.g., controllers, processors, and third parties). It recognized existing state laws on privacy and data security requested feedback on the degree of federal preemption that should be included in a comprehensive framework. It also asked for stakeholder input on including AI restrictions in a privacy and consumer protection law “and the impact on U.S. AI leadership.”
  • Why it matters for you: The RFI demonstrates Congress’ continued interest to establish a national data privacy framework, which could impact entities that are working on compliance with various state laws. Additional information on the RFI is available here.
• Bipartisan House Members Outline Future for Cures 2.1 (December 24, 2024)
  • Representatives Diana DeGette (CO-01) and Larry Bucshon (IN-08) released a white paper titled, “A Roadmap for 21^stCentury Cures,” (White Paper) that outlines next steps for Cures 2.1 and the 21st Century Cures The White Paper states the future legislation would address the deployment of innovative technologies to improve health outcomes. It would also address policies that would create a healthcare infrastructure that enables information sharing, continuous evidence gathering, and implementation of new knowledge. Notably, the White Paper states that the regulation of health data is outdated and supports ongoing efforts to improve patients’ health data privacy, including their de-identified data. Additionally, it includes the following policy priorities:
    • Improve Medicare coverage policies for innovative new treatments and technologies, including those related to high-cost curative therapies and breakthrough devices;
    • Increase access to telehealth services for Medicare and Medicaid patients, including those covered under the Children's Health Insurance Program (CHIP);
    • Provide training and educational programs for at-home caregivers; and
    • Align FDA processes with modern technology and patient needs to break down barriers for cutting-edge technologies.
  • Why it matters for you: The release of the White Paper follows a June 2024 request for information (RFI), which received hundreds of responses and recommendations from stakeholders to further innovation and access to quality health care. This White Paper provides insight to stakeholders on Congress’ vision for future Cures legislation.
• Bipartisan House Task Force Releases AI Report, Includes Recommendations for Health Care (December 17, 2024)
  • The House Task Force on Artificial Intelligence (Task Force) released a report titled, “Bipartisan House Task Force Report on Artificial Intelligence,” (the Report) which establishes guiding principles and issues recommendations to guide U.S. innovation in AI, including in the healthcare sector. The Report is intended to serve as a blueprint for Congress to take future actions to address advances in AI technologies. Congress may introduce AI legislation, which would likely address health-specific AI applications. The Report’s section on healthcare focuses on the potential of AI technologies to improve healthcare research, diagnosis, and care delivery. It presents evidence-based findings and discusses previous agency work and regulations to address certain AI issues. It issues the following healthcare recommendations:

• • • Encourages the practices needed to ensure AI in healthcare is safe, transparent, and effective;
    • Maintains robust support for healthcare research related to AI;
    • Creates incentives and guidance to encourage risk management of AI technologies in healthcare across various deployment conditions to support AI adoption and improve privacy, enhance security, and prevent disparate health outcomes;
    • Supports the development of standards for liability related to AI issues; and
    • Supports appropriate payment mechanisms without stifling innovation.
  • Why it matters for you: The Report represents consensus among some bipartisan members of Congress and identifies areas of Congressional interest for potential legislation. Stakeholders should review the Report and evaluate whether their organizations’ products or services are addressed by the Task Force and consider opportunities for engagement with Congress. Additional information on the Report is available here.

Upcoming Developments

Per the Office of Information and Regulatory Affairs (OIRA) website, HHS submitted proposed rules for review prior to publication on the Federal Register. Specifically, they include the below:

• Preserving Medicaid Funding for Vulnerable Populations – Closing a Health Care-Related Tax Loophole (CMS-2448);
• CY 2026 Hospital Outpatient PPS Policy Changes and Payment Rates and Ambulatory Surgical Center Payment System Policy Changes and Payment Rates (CMS-1834);
• CY 2026 Changes to the End-Stage Renal Disease (ESRD) Prospective Payment System and Quality Incentive Program (CMS-1830);
• CY 2026 Revisions to Payment Policies Under the Physician Fee Schedule and Other Revisions to Medicare Part B (CMS-1832);
• CY 2026 Home Health Prospective Payment System Rate and Durable Medical Equipment, Prosthetics, Orthotics, and Supplies Competitive Bidding Program Updates (CMS-1828);

Crowell Health Solutions is a strategic consulting firm focused on helping clients to pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based care. We provide this monthly update on AI and digital health policy issues for health care stakeholders and innovators. Follow Crowell Health Solutions’ Trends in Transformation blog for the latest updates and in-depth analysis.