Insights

On May 1, the NIH issued an update on its grants policy, establishing a “new award structure” that would prohibit foreign subawards from being nested under the parent grant, replacing them with direct awards linked to a prime award. Effective immediately, NIH will no longer issue awards that include a subaward to a foreign entity until the new structure is implemented. The notice did not limit this new structure for foreign recipients to any particular jurisdiction, potentially impacting a wide range of grants and limiting international collaboration with U.S. researchers through the subaward model.

Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments. This update outlines major health policy developments that occurred at the end of 2024 through the first three months of 2025.

On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance regarding the implementation and enforcement of the newly enacted final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” now referred to as the Data Security Program (DSP). The release included an Implementation and Enforcement Policy, a Compliance Guide, and Frequently Asked Questions (FAQs). Collectively, these documents are designed to help entities subject to the DSP understand and comply with the obligations set out under the Final Rule.

On March 27, 2025, HHS announced a “dramatic restructuring” of its various agencies and offices in accordance with President Trump's Executive Order, “Implementing the President’s ‘Department of Government Efficiency’ Workforce Optimization Initiative.” HHS also published a Fact Sheet.

On February 28, the Department of Health and Human Services (HHS) announced that it was rescinding the Richardson Waiver, a policy in place since 1971 which said HHS would provide notice of proposed rulemaking in certain cases where it was not otherwise required to do so by law. This announcement signals a policy shift for the agency and suggests that where permitted by law, HHS will generally now issue rules relating to “agency management or personnel or to public property, loans, grants, benefits, or contracts” without providing notice and comment to stakeholders, and may otherwise find good cause to forego notice and comment procedures.

Significant shifts in U.S. technology policy are taking shape at the start of the new administration. This is especially true in the field of artificial intelligence (AI), where President Trump revoked President Biden’s Executive Order 14110, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” as part of his flurry of Day One executive actions. The administration is now moving quickly to put its own stamp on this area in an effort to strengthen U.S. AI leadership and competitiveness and outpace other nations, particularly the People’s Republic of China.

Days after President Trump issued an executive order (EO) taking aim at diversity, equity, and inclusion (DEI) programs and prohibiting federal recognition of gender identity apart from biological sex, previously issued draft guidance on diversity in clinical trials was removed from the website of the U.S. Food and Drug Administration (FDA). While the removed guidance was in draft form, it is highly unusual for FDA to revoke or alter draft guidance without issuing a statement or further guidance. This move raises questions about the applicability of statutory obligations to submit clinical trial Diversity Action Plans and the agency’s current thinking on best practices for clinical development.

On January 6, with increased attention and scrutiny from patients, providers, developers, and payors on the accelerated approval pathway for drugs, the Food and Drug Administration (FDA) released new draft guidance for industry on what it means for a drug’s confirmatory trial to be “underway” under section 506(c) of the Federal Food, Drug, and Cosmetic Act.

On October 29, 2024, the Department of Justice (DOJ) published a Notice of Proposed Rulemaking (NPRM) to implement Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the E.O.).  The E.O. addresses the national security threat posed by the continued effort of certain countries of concern to access and exploit certain kinds of Americans’ sensitive personal data, which includes health data and genetic data. This builds on DOJ’s Advance Notice of Proposed Rulemaking (ANPRM) published on March 5.  Comments are due on November 29, 2024.

On Wednesday, October 16, 2024, New York’s Department of Financial Services (DFS) announced new guidance aimed at identifying and providing a blueprint for protecting against AI-specific cybersecurity risks.  Motivated primarily by advancements in AI that substantially impact cybersecurity—including facilitating new ways to commit cybercrime—DFS’s guidance aims to specifically protect New York businesses but applies to all companies concerned with increasing their cybersecurity and managing risks posed by emerging technologies. The guidance addresses “most significant” AI-related threats to cybersecurity that organizations should consider when they are developing a cybersecurity program, internal protocols, or implementing cybersecurity controls—as well as recommendations for those cybersecurity programs.

On August 21, 2024, the National Institute of Standards and Technology (NIST) released the Second Public Draft of Digital Identity Guidelines (hereinafter, “Draft Guidelines”) for final review. The Draft Guidelines introduce potentially notable requirements for government contractors using artificial intelligence (AI) systems. Among the most significant draft requirements are those related to the disclosure and transparency of AI and machine learning (ML). By doing so, NIST underscores its commitment to fostering secure, trustworthy, and transparent AI, while also addressing broader implications of bias and accountability. For government contractors, the Draft Guidelines are not just a set of recommendations but a blueprint for future AI standards and regulations.

The Federal Trade Commission (FTC) recently entered into a settlement with Monument, Inc., an alcohol addiction treatment service, for allegedly disclosing users’ personal health data to third-party advertising platforms without consumer consent and violating their own website claims to consumers with respect to the disclosure of such data. The action follows other settlements by the FTC focused on tracking technologies collecting sensitive health information through web pages and web portals. “This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”