The MedTech industry continues to navigate a dynamic regulatory landscape. The Trump Administration has initiated the rollout of AI technologies at the federal agency level while contemporaneously developing guidelines for AI usage in MedTech. Further, tariffs are increasing MedTech companies’ focus on their supply chains, expansion of the U.S. operations, and advocacy for trade policy reform—all while absorbing billions in projected costs and navigating rapidly evolving global regulations.
Trump administration advances AI implementation
The Office of Management and Budget (OMB) issued two memoranda in early April containing guidance on the federal government’s initiatives to accelerate AI adoption by government agencies. The dual OMB memoranda signal the Trump administration’s intent to continue AI innovation in executive agencies while governing efficiently and maintaining public trust.
Chief AI Officers are responsible for meeting heightened oversight standards for “high-impact AI” usage (previously referred to as “rights-impacting” or “safety-impacting” categories of AI). Among other safeguards, executive agencies must conduct pre-deployment testing, complete AI impact assessments, and monitor any potential violations of laws governing privacy, civil rights, or civil liberties.
The healthcare industry, particularly with respect to medically relevant functions, diagnostics, treatment, and the allocation of insurance, was included in a non-exhaustive list of categories where AI applications would be presumed “high-impact.” Federal agencies are encouraged to choose American-made AI products and services and prohibit vendors from training commercial models using non-public government data without the applicable agency’s express permission.
On May 29, 2025, the public comment period concluded with respect to the creation of a National AI Research and Development (R&D) Strategic Plan, showing a governmental interest in AI use for technological advancement in R&D functions across industries.
Additionally, the Food and Drug Administration (FDA) has implemented Elsa, a generative AI model, to help employees work more efficiently. Built in the GovCloud environment to optimize performance across the FDA, Elsa is a large language model-powered AI tool designed to assist with reading, writing, and analysis.
For example, Elsa can summarize adverse events to support safety profile assessments, accelerate clinical protocol reviews, perform faster label comparisons, identify high-priority inspection targets, and generate code to help develop databases for nonclinical applications. The FDA notes that Elsa does not train on data submitted by regulated industry. As the tool matures, the FDA plans to integrate additional AI functionality, including data processing and generative-AI capabilities.
MedTech industry response to tariffs and export controls
Tariffs have continued to significantly affect the MedTech industry, contributing to financial strain, supply chain uncertainty and operational adjustments. On May 14, 2025, a 90-day pause in the U.S.-China trade standoff offered the potential for temporary relief, although uncertainty persists following the Court of International Trade’s (CIT) decision blocking most of the Trump administration’s tariffs, a decision that arose in connection with lawsuits filed by states and small-scale importers.
Despite the CIT ruling, the U.S. Court of Appeals for the Federal Circuit stayed a permanent injunction that would have prevented the government from collecting tariffs during the appeal process. For MedTech companies, this uncertainty complicates strategic planning, particularly with respect to pricing, procurement, and global sourcing.
Amid rapidly evolving legal and political developments, tariffs continue to shape industry-wide strategies. At least one report has projected a $2bn loss to the MedTech industry in connection with the tariffs. MedTech start-ups with physical components in their offerings are significantly affected, with delayed development and commercialization timelines, as well as higher upfront costs.
Larger MedTech manufacturers have largely endeavored to avoid cost-cutting measures to R&D and reductions in workforce, focusing instead on seeking tariff exemptions and reducing other costs. Some medical device manufacturers are shifting production to the U.S. to reduce tariff exposure, and are grappling with the increased costs of production, overlapping regulatory regimes that are in flux and increased supply chain complexity.
Additionally, China’s implementation of export controls on rare earth elements is likely to significantly impact MedTech companies that manufacture or rely on magnets, lasers, radiopharmaceuticals, and certain other medical equipment. China has significant stocks of rare earths and processes approximately 90% of rare earths. Manufacturers of many rare earth-dependent diagnostics and cancer treatments are working to diversify their supply chains.
New DOJ data transfer rules may impose significant regulation on MedTech entities processing bulk personal health and medical data
The Department of Justice (DOJ) recently finalized their Data Security Program (DSP) which imposes a new regulatory regime for certain bulk data transfers with criminal and civil penalties that may apply to MedTech companies that store or process personal information, particularly given the DSP’s focus on sensitive personal health and medical data.
The DSP regulates transfers of certain thresholds of bulk data (described below) to covered persons, including foreign entities headquartered in “countries of concern” (China, Cuba, Iran, North Korea, Russia, and Venezuela); foreign nationals resident in countries of concern; foreign nationals employed or contracted by a country of concern or another covered person; and companies 50% or more owned by interests from countries of concern or another covered person.
Certain transfers to those covered persons are prohibited, including: (1) any transfers of covered bulk personal information that is not associated with an employment, investment or vendor agreement; or (2) any provision of bulk human ‘omic data. The regulations also impose a dizzying array of compliance requirements for restricted bulk data transfers with a country of concern or covered person related to employment, investment or vendor agreements, including cybersecurity, audit, recordkeeping, and reporting requirements to DOJ. Finally, the DSP imposes prescriptive contractual obligations on certain covered bulk data transfers to any foreign country or person outside the United States, even if not associated with a country of concern or covered person, requiring a commitment to not further transfer data to countries of concern or covered persons, and to provide notice of any breach of the requirements.
Companies that handle bulk data should be wary of the broad definition of data transfers pursuant to the DSP, which could include the provision of data to a foreign-owned or located cloud data storage provider, or the mere access to the data by a non U.S. citizen employee resident in a country of concern during the course of their employment.
Accordingly, a key question for companies is whether they process, manage or otherwise store data meeting the thresholds for bulk data under the regulations, with lower thresholds for sensitive personal health and medical data. Specifically, while the threshold for general personally identifiable information is 100,000 U.S. data subjects in a year, there are lower U.S. data subject thresholds for the following sensitive categories: genomic (100), human ‘omic (1,000), biometric (1,000), personal health data (10,000), and personal financial data (10,000). Violations of the DSP may result in civil penalties of up to the greater of $368,136 or twice the value of each violative transaction. Willful violations may result in criminal penalties, including imprisonment of up to 20 years and a $1,000,000 fine.
It is critical for entities to determine whether their operations require compliance with the DSP, including by mapping their data, and considering whether certain limited exceptions apply. Although the DSP has been effective since April, DOJ has announced that it will not seek to civilly enforce DSP violations for entities making good faith efforts to comply during an initial 90-day grace period, which ends on July 8, 2025. Entities are expected to be in full compliance with due diligence and reporting requirements by October 6, 2025.
Meet the team
