Regulatory shifts bring new strategies for healthtech leaders

Healthtech companies — from software startups to device manufacturers — continue to attract investment capital after years of steady and continuous growth. But with changing federal regulations and shifts in compliance standards, healthtech leaders need to navigate new conditions for expansion and innovation.
As federal funding and mandates evolve, healthtech is at the center of the action. So, what can companies do now to reinforce their position for long-term growth? How can they increase their value for health systems, payers and patients — their ultimate customers and product end users?
Every moment of change is an opportunity to reset and reorient around business and mission outcomes. While it’s easy to get stuck in place by uncertainty in moments of change, it’s more strategic and productive to keep moving with precision.
Below are three areas of focus for healthtech organizations today, along with key strategies that can help maintain momentum and prepare for the next pivot.
1. Heightened requirements for data security and risk management
What’s happening: In late 2024, HHS proposed updates to the HIPAA Security Rule which, among other changes, require more formal risk management and enhanced data protection. Industry and public feedback submission is still in progress, and there is uncertainty about whether the rule will be finalized or revised by the Trump administration.
The proposal includes requirements to modernize essential cybersecurity safeguards, such as:
- Mandatory encryption of all electronic protected health information (ePHI), both in transit and at rest.
- Multifactor authentication for system access to prevent unauthorized entry.
- Annual risk assessments and vulnerability scans to identify and mitigate threats.
- Network segmentation to isolate sensitive systems and reduce exposure during cyberattacks.
- Elimination of “addressable” safeguards — all security controls would be required.
What this means for healthtech: These expected updates to HIPAA signal a notable shift for all organizations that operate in the realm of personal health data, including healthtech companies that sell products or services to primary holders of health information. As the industry watches and waits for direction from the Office for Civil Rights (OCR) or HHS, healthtech companies should start adopting the best practices within this more rigorous security framework — whether they meet the “enforceable” standards or not.
Here’s why: Organizations might already be proactively meeting critical security assurance assessments, like HITRUST and SOC 2, as part of their commitment to robust security practices.
But preemptive and ongoing HIPAA compliance fosters a broader 24/7/365 security posture and mitigates disruption or costly penalties in case a data breach happens in the future.
At this stage, healthtech companies should:
- Conduct a gap analysis against the proposed requirements.
- Update risk assessments and documentation practices.
- Inventory all technology assets and create data maps for ePHI flows.
- Review vendor contracts for security compliance.
- Budget for potential upgrades and staff training.
2. Administrative and policy reforms for product development
What’s happening: With leadership changes at the FDA, the department is both reorganizing its structure and resetting its policy vision for the upcoming years. The incoming commissioner highlighted a commitment to modernization and transparency — and is planning efforts to accelerate the approval of cures and treatments by streamlining internal processes and reducing administrative delays.
Major developments at the FDA include:
- Staff reduction announced in April 2025, across a range of administrative and policy roles.
- Shift of policy development to HHS, reducing FDA autonomy in issuing guidance.
- A temporary freeze on pending FDA rules until the new commissioner takes office.
- Anticipated deregulation, creating uncertainty about which rules apply moving forward.
What this means for healthtech: Clearer, more predictable regulatory pathways can help startups and innovators better plan product development and navigate compliance. And streamlined operations for FDA approval could shorten the time it takes for digital therapeutics, AI diagnostics and novel devices to reach patients. But in the short term, healthtech companies — particularly early-stage startups and small enterprises — may experience slower review cycles, uncertainty about regulation or even hesitation from financial investors.
Here’s what we know: It’s not the time to pause R&D or product investment. The push to reform healthcare to be proactive, rather than reactive, is ultimately good for healthtech companies. Right now, companies should double down on relationship building, industry engagement and sharing feedback with regulators on what works and what doesn’t.
At this stage, healthtech companies should:
- Build longer regulatory timelines into product roadmaps, at least for the near future.
- Strengthen internal compliance expertise to help mitigate risks of delays or dependency resulting from reduced FDA guidance issuance and the new one-in, 10-out.
- Engage early and often with FDA staff and be proactive in communication.
- Document everything because clear internal records are critical with fewer FDA touchpoints.
3. Cascading effects of new Medicaid requirements
What’s happening: With new Medicaid work requirements in the One Big Beautiful Bill (OBBB) Act, up to , and federal Medicaid spending may drop by $344 billion over 10 years. With fewer insured patients, there will be less demand for reimbursable digital health services. Companies that rely on Medicaid or ACA exchange populations may need to explore partnerships with employers, commercial insurers or direct-to-consumer models — while continuing to help health system customers lower costs through efficiency-focused products and services.
The cascading effects of Medicaid requirements include:
- For Medicaid eligibility, states will need to track work hours, exemptions and renewals more frequently.
- Stricter documentation rules will increase data exchange and verification burdens.
- Higher patient copays and new rules may reduce patient access, engagement and adherence.
What this means for healthtech: Right now, it’s important for healthtech companies to dedicate resources toward digital services that create value and outcomes in a cost-conscious environment. Simply put, customers need IT solutions that will either create cost savings, alleviate the burden of managing eligibility requirements or make it easier for Medicaid patients to navigate their healthcare.
Here’s what we know: Certain technology solutions will stand a better chance of differentiation in this next chapter of reimbursement. For example, healthtech products that are interoperable by design and integrate seamlessly with EHR systems — or products that deploy AI to automate processing and compliance — will be able to position more easily for new contracts and partnerships.
At this stage, healthtech companies should:
- Reassess payer mix and evaluate how cuts will affect margins.
- Demonstrate ROI to show customers how solutions reduce cost, improve outcomes or support care coordination.
- Support alternative payment models by aligning with ACOs, bundled payments or home-based care initiatives.
- Invest in interoperability, making it easy for customers to integrate tools into existing workflows and EHRs.
For healthtech companies ready to adapt, there’s immediate opportunity
Industry change can understandably raise financial concerns. But amid the policy noise, there are real financial tools available to fuel innovation, reduce tax burdens and strengthen balance sheets.
Here are just a few examples:
- Bonus depreciation is back: Companies investing in capital equipment can now claim 100% bonus depreciation, retroactive to January 2025. This means faster write-offs and stronger cash flow.
- Section 179 expands: Small and midsized firms can now immediately expense more qualifying assets, reducing taxable income and freeing up capital for growth.
- R&D expensing is restored: With full expensing of research and development costs reinstated, companies can reclaim deductions for software development, AI training, clinical trials and more.
As priorities shift with changing policies, the most important advantage is the ability to pivot and navigate change without derailing profitability. Wipfli partners with healthtech organizations to make sure they can harness financial tools as they emerge and maintain compliance in a dynamic regulatory environment.
How Wipfli can help
Get in touch to learn about our HIPAA security risk assessment, tax and financial services, data and analytics integration — along with our change management capabilities that help healthtech companies roll out new strategies across people, processes and technology.