Everyone is talking about AI, but not everyone understands what AI is. AI, or artificial intelligence, refers to technology that enables machines to perform tasks that traditionally required human thinking—things like reading, writing, analyzing information, and making decisions.

A particularly powerful form of AI today is the large language model (or LLM), which is a type of AI trained on vast amounts of text that allows it to understand and generate human language, making it the engine behind popular tools like chatbots and AI writing assistants. Think ChatGPT or Google Gemini.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

In December 2024, the FTC announced two separate settlements against Mobilewalla, Inc. and Gravy Analytics, Inc., asserting that the two companies were unlawfully tracking and selling sensitive location data from users without consent, including data related to visits to health centers. 

Close up of doctor working on computer in doctor's office. Physician doing paperwork and administration.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

On March 27, 2025, the U.S. Department of Health and Human Services (HHS) announced a sweeping reorganization under the Department of Government Efficiency Workforce Optimization Initiative. The plan consolidates 28 divisions into 15, reduces the number of regional offices from 10 to 5, and introduces a new entity: the Administration for a Healthy America (AHA). This transformation aims to modernize HHS’s structure and operations, improve efficiency, and strengthen oversight across federal health programs.

Blog SeriesConference Post (1)

This is the third in a series of articles designed to provide SXSW and LSI USA ’26 attendees and other MedTech professionals with practical considerations for efficiently executing mission-critical life science deals. On March 15, during SXSW, Husch Blackwell’s healthcare team will host two panels, bringing together founders and investors from healthcare, technology, and early-stage companies for candid discussion, practical insights, and plenty of time to connect.

Register here.

Department of Justice Bulk Sensitive Personal Data Transfer Rule (28 CFR Part 202) 

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

Overview 

On February 28, 2024, President Biden signed Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This order, implemented through the Department of Justice (DOJ) regulations (28 C.F.R. Part 202) and Cybersecurity and Infrastructure Security Agency (CISA) requirements, creates sweeping new restrictions on the transfer of Americans’ health data to certain foreign countries and entities. 

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

HHS Ramps Up Enforcement Against Information Blocking

2025 marks a significant turning point in federal enforcement against “information blocking” in healthcare. In a series of announcements this September, the U.S. Department of Health and Human Services (“HHS”) signaled a major crackdown on healthcare entities—especially health IT developers, health information networks, and certain providers—that restrict patient access to their electronic health information (“EHI”).

Under the direction of Secretary Robert F. Kennedy, Jr., HHS has dedicated increased resources and issued clear warnings that enforcement of information blocking rules is now a top priority. This includes the threat of substantial civil monetary penalties (“CMPs”)—up to $1 million per violation—for certain actors, as well as program-specific disincentives for providers who participate in Medicare and other federal programs. 

Blog SeriesConference Post (1)

This is the second in a series of articles designed to provide SXSW and LSI USA ’26 attendees and other MedTech professionals with practical considerations for efficiently executing mission-critical life science deals.

Collaborations often start with a simple premise: build something together, share the risk, and create value.

The complexity shows up later when investors or buyers ask who actually owns the platform.

In co-development structures involving devices and software, ownership and control are rarely binary. They are defined by layered licensing arrangements, regulatory allocations, manufacturing dependencies, and IP assignments that were often negotiated quickly to get a deal done.

AdobeStock_1539387488

On May 9, 2024, the Department of Health and Human Services (“HHS”) published a Final Rule (“the Rule”) updating Section 504 of the Rehabilitation Act of 1973 (“Section 504”) regulations. As part of the Rule, every facility, program, or activity with 15 or more employees and receiving HHS funding will need to comply with new digital accessibility guidelines by May 11, 2026. Those with fewer than 15 employees will need to comply by May 10, 2027.

dataLocks148650499

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

The healthcare sector continues to grapple with an unrelenting wave of cyberattacks, with a notable shift in 2024 and 2025 toward targeting third-party vendors and business associates entrusted with sensitive protected health information (“PHI”). This trend has led to a surge in data breaches, affecting tens of millions of Americans and prompted heightened regulatory scrutiny over how healthcare providers manage and oversee their vendor relationships. 

The Tenth Circuit U.S. Court of Appeals has reaffirmed the authority of Occupational Health and Safety Administration’s (OSHA) to cite healthcare employers for workplace violence under its General Duty Clause. In a February 13, 2026 decision, Cedar Springs Hospital v. Occupational Safety and Health Review Commission (OSHRC), No. 24-9519 (10th Cir. 2026), the