Health Law Advisor

Well before the latest government shutdown, the U.S. Department of Justice’s National Security Division (DOJ NSD) issued a final rule at 28 CFR Part 202 (“2025 Final Rule” or “Rule”) to help prevent “countries of concern” or “covered persons” from accessing U.S. government-related data and Americans’ bulk sensitive personal data. The 2025 Final Rule took effect in April—and after a 90-day safe harbor period, the DOJ began enforcement on July 8.

Six months after implementation—with the U.S. Senate now passing the BIOSECURE Act restricting certain biotech business with China—compliance remains the key for affected stakeholders, including those exchanging personal health data. As we reported in July, the 2025 Final Rule implemented the prior administration’s Executive Order 14117 of February 28, 2024, by prohibiting and restricting “bulk” data transactions with countries that could threaten U.S. national security through the use of Americans’ sensitive personal data.

While the 2025 Final Rule remains largely untested, federal agencies and stakeholders alike have taken action to test the bounds of the Rule and, in some instances, expand applicability beyond 28 CFR Part 202. Below is a brief refresher of the key elements of the Rule and some recent developments.

On October 6, 2025, California Governor Gavin Newsom signed SB 351, aimed at limiting the involvement of private equity groups and hedge funds in health care practices. While the new law does create new statutory requirements governing hedge fund and private equity group involvement in the management of physician and dental practices, those requirements largely reflect existing California case law and Medical Board of California guidance. Specifically, the new law:

• prohibits a private equity group or hedge fund that is involved—including as an investor or owner—with a physician or dental practice doing business in the state, from interfering with the professional judgment of physicians and dentists in making health care decisions;
• prohibits these entities from exercising power over specified actions, including hiring practices and coding and billing procedures for patient services, and
• prohibits contracts between a private equity group or hedge fund or an entity controlled by a private equity group or a hedge fund and a physician or dental practice, if the contract would allow the conduct described above or impose a noncompete or nondisparagement clause.

The law will take effect on January 1, 2026. The state attorney general is empowered to enforce the new law through injunctive relief and other equitable remedies. It is the latest in a national trend among states to strengthen corporate practice of medicine (CPOM) doctrines by limiting the influence of non-licensed entities in clinical decision-making. The bill, introduced by California State Senator Christopher Cabaldon, passed the state legislature in September with bipartisan support.

In the latest in a series of recent cases involving the “but-for” causation standard for Anti-Kickback Statute (“AKS”) claims, Judge Waverly D. Crenshaw in the U.S. District Court for the Middle District of Tennessee has dismissed United States, et al., ex rel. Nolan, et al. v. HCA Healthcare, Inc., 2025 WL 2713747 (M.D. Tenn. Sept. 22, 2025) pursuant to Rules 12(b)(6) and 9(b).

Judge Crenshaw weighed in Nolan whether the relators, co-owners of Pathologists Laboratory P.C. (“PLPC”), had plausibly alleged that: 1) defendant HCA Healthcare Inc. (“HCA”) solicited or received “remuneration” for purposes of an AKS violation; and 2) PLPC or the second lab submitted claims “resulting from” an illegal kickback for purposes of a False Claims Act (FCA). He ultimately determined that the relators had not, in fact, plausibly alleged that HCA either solicited or received “remuneration” for purposes of the AKS.

In the wake of a lawsuit filed in federal district court in California in August—alleging that an artificial intelligence (AI) chatbot encouraged a 16-year-old boy to commit suicide—a similar suit filed in September is now claiming that an AI chatbot is responsible for death of a 13-year-old girl.

It’s the latest development illustrating a growing tension between AI’s promise to improve access to mental health support and the alleged perils of unhealthy reliance on AI chatbots by vulnerable individuals. This tension is evident in recent reports that some users, particularly minors, are becoming addicted to AI chatbots, causing them to sever ties with supportive adults, lose touch with reality and, in the worst cases, engage in self-harm or harm to others.

While not yet reflected in diagnostic manuals, experts are recognizing the phenomenon of “AI psychosis”—distorted thoughts or delusional beliefs triggered by interactions with AI chatbots. According to Psychology Today, the term describes cases in which AI models have amplified, validated, or even co-created psychotic symptoms with individuals. Evidence indicates that AI psychosis can develop in people with or without a preexisting mental health issue, although the former is more common.

On September 25, 2025, the Department of Justice announced a new office within the Civil Division—the Enforcement & Affirmative Litigation Branch—“dedicated to safeguarding public health and safety through proactive enforcement and high-impact affirmative litigation.” The creation of this new office restructures and consolidates affirmative litigation into a specialized branch to “hold powerful actors accountable, protect public health and safety, and enforce critical national policies.”

The telehealth cliff that we warned you about on March 3 and March 25, 2025, is now more fact than fiction—and we need a parachute.

Current Medicare telehealth flexibilities expired on September 30, 2025. This expiration has come to be called a “cliff,” since millions of beneficiaries who have used telehealth as a means for receiving health care services since the COVID-19 pandemic could lose coverage for this benefit. Now, they may have to travel to a health care provider’s office or a health care facility to receive most telehealth services, as opposed to simply logging on at home.

Without question, this is a move backward. Since restrictions for Medicare beneficiaries were eased at the start of the global pandemic in March 2020, many Americans—including seniors, those in rural areas, and those with mobility problems—have learned not only to use telehealth but to embrace it and in fact rely upon it.

As featured in #WorkforceWednesday®: This week, we examine the Federal Trade Commission’s (FTC’s) decisions to drop its appeal of a federal court ruling striking down its proposed non-compete ban and to issue warnings to health care employers about using unreasonable restrictive covenants in employment agreements.

Although the FTC’s decision to abandon its non-compete ban appeal may appear to favor employers, its recent warning letters to health care organizations make clear that regulatory scrutiny is far from over.

In this episode, Epstein Becker Green attorneys E. John Steren and David J. Clark discuss the FTC’s concerns for health care employers, offer guidance on revising non-compete agreements to withstand legal challenges, and explore alternative strategies to protect business interests.

On September 16, 2025, the U.S. Food and Drug Administration (FDA) released more than 60 warning letters sent to specific pharmaceutical manufacturers, alleging misbranding of a particular drug through direct-to-consumer (DTC) advertisements in violation of the federal Food, Drug, and Cosmetic Act (FDCA). The warning letters issued largely from the Center for Drug Evaluation and Research (CDER) and the Center for Biologics Evaluation and Research (CBER).

The FDA also released nearly 40 untitled letters sent to specific drug manufacturers from its Office of Prescription Drug Promotion on September 9 and 23, similarly informing them that one or more direct-to-consumer TV ads misbrands a specific drug.

These actions follow the September 9th announcement that the U.S. Department of Health and Human Services (HHS) and the FDA would be targeting “misleading” DTC pharmaceutical advertisements—the same day that a presidential memorandum directed HHS Secretary Robert F. Kennedy Jr. and FDA Commissioner Martin A. Makary to act.

The letters also reflect a broader shift in the FDA’s oversight of pharmaceutical advertising, particularly in DTC channels. With regulators taking a more aggressive posture across both broadcast and social media platforms, companies should be prepared for shifting regulatory requirements and heightened enforcement risk.

In what will create a glimmer of hope for beleaguered Medicare Advantage Organizations (MAOs) who are facing looming waves of Risk Adjustment Data Validation (RADV) audits, on September 25, 2025, a Northern District (ND) of Texas District Court invalidated the Centers for Medicare & Medicaid Services’ (CMS) 2023 RADV Final Rule, finding that the agency violated the notice-and-comment requirements of the Administrative Procedure Act (APA).

This ruling comes amidst a recently announced aggressive agenda by the current Trump administration to catch up on five payment years of RADV audits. This agenda has triggered visceral concern from MAOs, who are struggling to understand the potential breadth and impact of future extrapolated recoupments. Given the adverse residual impact to MAOs through CMS’s V28 risk adjustment (RA) model cuts, RADV audits landed at a less than opportune time for the industry. The Court’s ruling, while still subject to appeal and possible CMS rule redlining, is at least temporary good news for MAOs.  But, for those popping corks for their victory lap, it ain’t over yet.

As EBG previously reported, on March 10, 2025, Robert F. Kennedy, Jr., Secretary of the U.S. Department of Health and Human Services (“HHS”), announced that the U.S. Food and Drug Administration (the “FDA”) is exploring rulemaking to eliminate the pathway allowing entities to self-affirm that food ingredients are Generally Recognized as Safe (“GRAS”). Earlier this month, on September 4, 2025, the Trump administration’s Spring 2025 Unified Regulatory Agenda (“Agenda”) was published, providing insight into the upcoming regulatory priorities of administrative agencies, including the FDA. In keeping with Secretary Kennedy’s prior statements, the Agenda disclosed an impending Notice of Proposed Rulemaking (“NPRM”) from the FDA regarding GRAS. Unified Agenda Entry RIN 0910-AJ02, which describes the NPRM to be published in October, states that the proposed regulations would “require the mandatory submission of GRAS notices for the use of human and animal food substances that are purported to be GRAS.” This proposed rule, if it goes into effect, will amend the GRAS regulations in 21 CFR parts 170 and 570 and effectively eliminate the self-affirmation pathway – meaning that entities would now be legally obligated to notify the FDA before designating food ingredients as GRAS.