Insights

On April 29, 2026, the New York Department of Financial Services (NYDFS) announced the finalization of a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co., resolving allegations that the affiliated companies failed to comply with the state’s stringent cybersecurity, consumer data protection, and incident reporting requirements. For health insurers, managed care organizations, and their third-party service providers operating in New York, the announcement comes as the latest signal that the NYDFS intends to aggressively enforce its cybersecurity regulations — which are widely considered the strictest in the nation following a 2023 overhaul. These regulations, codified at 23 NYCkRR 500 (Cybersecurity Requirements for Financial Services Organizations), apply to any entity licensed under New York insurance law, including health insurers, managed care organizations, and their third-party service providers.

Consistent with recent FDA initiatives directed at leveraging AI technologies and improving early-phase clinical trial conduct, the FDA has issued a Request for Information (RFI) for input on a proposed AI-enabled optimization pilot program for early-phase clinical trials. The issues for which FDA is requesting information fall into two categories:  (A) Pilot program design and implementation and (B) Program evaluation metrics and success criteria.

Several recent class actions filed against Tempus AI, Inc., a health care technology company that combines AI with molecular and clinical data to develop precision medicine services, are the latest in a series of cases illustrating a fast-growing legal risk: the repurposing of genetic and clinical data — collected for diagnostic or treatment purposes — for artificial intelligence (AI) model training, analytics, and downstream commercialization following corporate acquisitions. At the same time, state genetic privacy regulation is expanding rapidly, with Utah and South Dakota being the most recent states to enact new statutes, and legislation advancing in several additional states. Organizations holding genetic datasets need to treat data governance as a core enterprise risk issue, not a downstream compliance matter.

At the International Association of Privacy Professionals’ (IAPP) annual conference March 30-31, 2026, enforcement officials from California, Connecticut, Indiana, and Delaware shared their current and upcoming enforcement priorities under U.S. state consumer privacy laws. This alert summarizes the key themes from the panel and offers practical guidance for companies navigating the evolving enforcement landscape.

In a development likely to ramp up regulatory pressure on an industry already under significant federal scrutiny, Federal Trade Commission (FTC) Chairman Andrew Ferguson recently directed leaders across his agency to launch a team dedicated to cooperatively advancing enforcement and advocacy activities relevant to health care.

On March 6, 2026, the White House released its National Cyber Strategy (Strategy) and issued an accompanying Executive Order, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens” (EO). These documents outline the administration’s priorities for combating cybercrime and call for coordination across the federal government and the private sector to invest in new technologies, continue innovation, and prioritize the United States’ cyber capabilities. Key sectors of concern include energy, financial services, telecommunications, data centers, water, and health care. The Strategy and EO encourage increased public-private coordination, signal greater latitude for private sector offensive cyber operations, prioritize securing critical infrastructure, elevate cybercrime as a national security priority, outline a path for victim compensation, and promote streamlining cyber regulations.

On December 11, 2025, President Trump signed a much-anticipated Executive Order that seeks to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds and calls for a national policy framework on AI. The Executive Order, Ensuring a National Policy Framework for Artificial Intelligence (EO), declares it the policy of the administration “to sustain and enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI.”

President Trump is preparing to sign an Executive Order that would seek to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds. The draft, unsigned six-page Executive Order, “Eliminating State Law Obstruction of National AI Policy” (EO), the text of which has been circulating publicly since November 19, would declare it the policy of the Administration “to sustain and enhance America’s global AI dominance through a minimally burdensome, uniform national policy framework for AI.”

On September 30, 2025, the Food and Drug Administration (FDA) issued a Request for Public Comment (“Request”) inviting stakeholders to share practical experience and recommendations for measuring and evaluating the real-world performance of AI-enabled medical devices, including those powered by GenAI. According to FDA, the Request is not intended to communicate new guidance or regulatory expectations but aims to advance the conversation on how best to assure the safety, effectiveness, and reliability of AI-driven technologies in clinical practice.

On September 26, the White House invited the public to submit comments on Federal laws, rules, and policies that “unnecessarily hinder” the development or deployment of artificial intelligence (AI) technologies in the United States. This request marks one of the Trump Administration’s most substantial moves yet to reduce the regulatory burden on AI. Respondents may submit comments through a government website until October 27, 2025.

On August 21, the Supreme Court, in National Institutes of Health v. American Public Health Association, granted the government’s application for a stay of the district court’s order vacating NIH’s termination of various research grants. The Court denied the government’s application with respect to the district court’s vacatur of related internal guidance documents. The Court’s order impacts federal government grantees who wish to challenge grant terminations in federal court.

Threat actors have targeted insurance companies in a recent string of cyber-attacks, exposing patients’ personal information, including Social Security numbers, claims information, and health reports.

On Monday, July 21, 2025, the Food and Drug Administration (FDA) issued draft guidance entitled “E21 Inclusion of Pregnant and Breastfeeding Women in Clinical Trials” from the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH). The guidance is currently in Step 2 of the ICH process and open for public comment until September 19, 2025.

On July 23, 2025, the Trump Administration issued an artificial intelligence (AI) action plan titled “Winning the Race: America’s AI Action Plan” (the Plan) to guide AI innovation in the U.S. The Plan includes 90 policy recommendations that will shape future AI guidance and policies impacting a range of entities and industry sectors, including health care/life sciences and entities involved in clinical research.

On July 23, 2025, the White House released Winning the Race: America’s AI Action Plan (“the Plan”) the Trump Administration’s most significant policy statement on artificial intelligence to date.

In a somewhat ambiguous press release on Wednesday, June 18, 2025, the Food and Drug Administration (FDA) announced a halt and “immediate review” of new clinical trials where American patients’ cells are sent to China or other “hostile countries” for genetic engineering with the expectation that the cells will be infused back into U.S. patients.[1] A subsequent podcast published by the agency also said that therapies that involved cells that were sent to China for genetic engineering and intended for subsequent infusion into U.S. patients would not be approved going forward. The announcement said that there is “mounting evidence” that some clinical researchers failed to obtain informed consent from trial participants about the international transfer and manipulation of biological material.

On May 1, the NIH issued an update on its grants policy, establishing a “new award structure” that would prohibit foreign subawards from being nested under the parent grant, replacing them with direct awards linked to a prime award. Effective immediately, NIH will no longer issue awards that include a subaward to a foreign entity until the new structure is implemented. The notice did not limit this new structure for foreign recipients to any particular jurisdiction, potentially impacting a wide range of grants and limiting international collaboration with U.S. researchers through the subaward model.

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments. This update outlines major health policy developments that occurred at the end of 2024 through the first three months of 2025.

On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance regarding the implementation and enforcement of the newly enacted final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” now referred to as the Data Security Program (DSP). The release included an Implementation and Enforcement Policy, a Compliance Guide, and Frequently Asked Questions (FAQs). Collectively, these documents are designed to help entities subject to the DSP understand and comply with the obligations set out under the Final Rule.

On March 27, 2025, HHS announced a “dramatic restructuring” of its various agencies and offices in accordance with President Trump's Executive Order, “Implementing the President’s ‘Department of Government Efficiency’ Workforce Optimization Initiative.” HHS also published a Fact Sheet.