Epstein Becker Green (“EBG”) has previously advised U.S. organizations that share data in bulk or otherwise grant access to U.S. sensitive data to countries of concern or covered persons to “Know Their Data” and “Know Their Vendors.” In this post, we discuss why U.S. organizations across all industries with cross-border operations – including health care / life sciences, finance, e-commerce, and research – must “know their reporting requirements,” to fully comply with the BSD Rule and its brand-new reporting obligations.
The Dietary Supplement Listing Act of 2026 (H.R. 8370, 119th Congress) (the “Act”), introduced in the U.S. House of Representatives on April 20, 2026, has the potential to significantly impact the dietary supplement industry. The Act proposes to amend the Federal Food, Drug, and Cosmetic Act (“FDCA”), via a new Section 403D, and create the first mandatory FDA product-listing regime for dietary supplements.
New York has passed sweeping food additive legislation that, if signed by the Governor, will fundamentally reshape how food manufacturers and suppliers operate in the state. The Food Safety and Chemical Disclosure Act (S1239F) (the “Act”) would establish the first state-level disclosure and database regime for substances that companies have independently determined to be “Generally Recognized as Safe” (“GRAS”). The bill represents a significant escalation in state-level food safety regulation with far-reaching consequences for food manufacturers, ingredient suppliers, and consumer products companies operating in the New York market.
Anthropic’s new initiative—“Project Glasswing,” announced in April 2026—reflects a significant development in the cybersecurity landscape that should command the immediate attention of every C-suite leader, privacy officer, information security professional, and compliance executive in health care and life sciences, financial services and other critical infrastructure industries, and their legal counsel.
On March 12, 2026, Microsoft officially launched Copilot Health — a dedicated, secure space within its Copilot AI platform designed to aggregate a user’s health records, wearable data, and lab results into a single, personalized health profile. While the product has drawn considerable excitement in the health-tech space, it also raises significant legal considerations for individual adopters and their healthcare providers.
On April 3, 2026, the director of the Office of Management and Budget submitted to Congress President Donald Trump’s budget for 2027—proposing $111.1 billion in discretionary budget authority for the U.S. Department of Health and Human Services (HHS) for Fiscal Year 2027, beginning October 1, 2026, and ending September 30, 2027. The number represents a $15.8 billion or 12.5 percent decrease from the 2026 enacted level and suggests ongoing emphasis on combatting improper payments and practices in health care. The proposed budget investments also signal potential shifts that will impact service delivery for certain communities and business operations for entities that contract with the federal government or federal government grantees. We’ve noted the following key takeaways from the HHS Budget in Brief on these points, below.
On April 10, the U.S. Department of Justice (DOJ) announced the first settlement to resolve False Claims Act (FCA) allegations regarding a private employer’s failure to comply with anti-discrimination requirements in contracts with the federal government. The settlement with IBM comes just two weeks after the March 26 signing of a new executive order called “Addressing DEI Discrimination by Federal Contractors” (EO 14398), curbing diversity, equity, and inclusion (DEI) programming.
What health care and life sciences organizations need to know:
- “Bulk” Has a New Definition: The volume thresholds under the U.S. Department of Justice’s (DOJ’s) Bulk Sensitive Data (BSD) Transfer Rule are surprisingly low—sharing genomic data on just 100 people can trigger compliance requirements, catching many organizations off guard.
- HIPAA Compliance Is Not Enough: The BSD Transfer Rule creates an entirely new compliance layer that goes beyond existing privacy frameworks, such as the Health Insurance Portability and Accountability Act (HIPAA), applying even when data has been de-identified or anonymized.
- It’s About Access, Not Just Transfers: Simply giving a foreign vendor, board member, or investor the ability to view sensitive data can trigger the BSD Transfer Rule—no formal data-sharing agreement is required.
In this episode of Diagnosing Health Care®, Epstein Becker Green attorneys Laura DePonio, Elizabeth McEvoy, and Elena Quattrone walk health care and life sciences organizations through the DOJ’s BSD Transfer Rule—from scoping and compliance to enforcement risks and exemptions.
The Food and Drug Administration (FDA) is urging innovators, providers, and patients to “reimagine the home as an integral part of the health care system.” If you’re skeptical, the “Home as a Health Care Hub” initiative was introduced in 2024 by the FDA’s Center for Devices and Radiological Health (CDRH) in response to changing needs of health care and feedback from the public, accelerated by the COVID-19 pandemic.
On March 27, 2026, the Food and Drug Administration (“FDA”) held a public meeting entitled “Exploring the Scope of Dietary Supplement Ingredients.” Sponsored by FDA’s Office of Dietary Supplement Programs (“ODSP”), the meeting was designed for agency officials and stakeholders “to discuss the evolving landscape of dietary supplement ingredients and how recent scientific and technological advances are shaping the industry.”