Health Law Advisor

Tuesday, January 6, 2026, yielded two surprising updates from the Food and Drug Administration (“FDA”) Center for Devices and Radiological Health. While many experts have been forecasting continued tension between med tech innovators and the agency based on enforcement trends in 2025, FDA released two policy updates that, in fact, purport to ease the burdens on developers of certain wearables and clinical decision support (“CDS”) software tools.

This blog post is the latest installment in a series focused on the DOJ’s Bulk Sensitive Data Rule, and is intended to help stakeholders navigate the complex rule’s requirements and move toward full compliance.

Epstein Becker Green’s previous blog post on this topic encouraged U.S. organizations across all industries with cross-border operations – including health care/life sciences, finance, e-commerce, and research – to “know their data.”  In this post, we discuss why it is critical for these organizations to also “know their vendors.” We discuss how the BSD Rule imposes new requirements on U.S.-based companies to monitor and scrutinize vendor engagements beyond those with the six designated countries of concern.

The Center for Medicare and Medicaid Innovation (CMMI) recently announced a voluntary, 10-year Medicare payment and service delivery model: Advancing Chronic Care with Effective, Scalable Solutions (ACCESS) Model.

The ACCESS Model tests whether a new payment methodology, Outcome Aligned Payments (OAPs) can better support technology-enabled care, improve health outcomes, and lower overall Medicare spending for high-prevalence, high-cost chronic conditions that affect more than two-thirds of people enrolled in Medicare.

The ACCESS Model will focus on chronic conditions including high blood pressure, diabetes, chronic musculoskeletal pain, and depression.

Several actions have occurred since Epstein Becker & Green, P.C.’s blog post, dated November 19, 2025, regarding state insurance departments scrutinizing Medicare Advantage and MedSupp Trade Practices, which warrants a brief update on this topic.

On December 11, 2025, the U.S. Food and Drug Administration (“FDA”) announced in a letter to the dietary supplement industry that it is actively considering requests to amend its dietary supplement labeling regulation at 21 C.F.R. § 101.93(d), which governs placement of the disclaimer required for structure/function claims under the Dietary Supplement Health and Education Act of 1994 (“DSHEA”).

The regulation currently requires the DSHEA disclaimer—which states that the product has not been evaluated by FDA and is not intended to diagnose, treat, cure, or prevent disease—to appear on each panel of a product label where a qualifying structure/function claim is made.

Based on its initial review, FDA indicated that removing the “each panel” requirement would be consistent with the DSHEA, could reduce label clutter and unnecessary costs, and would align with the agency’s historical enforcement posture, noting that the requirement has rarely, if ever, been enforced. FDA further stated that, absent significant concerns, it is likely to propose formal rulemaking to amend the regulation.

On December 18, 2025, the Centers for Medicare and Medicaid Services (CMS) issued two proposed rules impacting the ability of providers to deliver gender-affirming care to minors—now termed “sex-rejecting procedures” by the federal government. 

As we noted in our recent Insight, at least eight decisions from district courts around the country have rejected the reasoning in the September 30, 2024, opinion of District Judge Kathryn Kimball Mizelle from the U.S. District Court for the Middle District of Florida—holding that the  qui tam provisions in the False Claims Act (“FCA”) violate the Appointments Clause of Article II of the U.S. Constitution. Every other Court of Appeals to address the question has ruled similarly. 

The U.S. Court of Appeals for the First Circuit recently provided important clarity—and welcome relief—for clinical laboratories facing False Claims Act (“FCA”) allegations based on a lack of medical necessity for processing tests ordered by a physician. In a case of first impression, United States ex rel. OMNI Healthcare, Inc. v. MD Spine Solutions LLC,[1] the First Circuit held that clinical laboratories may rely on an ordering physician’s determination that lab tests billed to Medicare are medically necessary. The First Circuit held that laboratories need not second-guess a physician’s certification absent red flags or suspected improper conduct. While the First Circuit’s decision does not relieve clinical laboratories of their existing obligation under the FCA to ensure they are not submitting a false claim to government payors, it provides much-needed clarity for clinical laboratories across the country on what constitutes the knowing submission of false claims to the government and highlights several practical takeaways for managing compliance risk.

The False Claims Act (FCA) is one of the federal government’s most powerful tools for combatting healthcare fraud. Yet, as with any enforcement tool, its reach is constrained by a statute of limitations. The FCA statute of limitations provisions, set out in 31 U.S.C. § 3731(b), are surprisingly nuanced and often depend on when the government learns of the alleged misconduct. In practice, this framework often favors the government, yet these nuances are worth unpacking, which we do below.

New from the Diagnosing Health Care Podcast: Value-based enterprises depend on timely, accurate data, yet the rules that govern how that data moves between the Centers for Medicare & Medicaid Services (CMS), accountable care organizations, payors, and providers remain complex and often inconsistent.

On this episode, Epstein Becker Green attorneys Kevin Malone and Karen Mandelbaum unpack the regulatory frameworks shaping data exchange in value-based care.

They outline how federal privacy laws, CMS rules, the Health Insurance Portability and Accountability Act (HIPAA), and state requirements intersect; why CMS-sourced data operates under a different regime than Medicare Advantage; and where organizations face the biggest operational hurdles when using, sharing, and governing data across large networks.