On Thursday, July 11, 2025, the U.S. Food and Drug Administration (FDA) publicly released more than 200 archived Complete Response Letters (CRLs) tied to drug applications submitted between 2020 and 2024.
These letters, typically sent to pharmaceutical companies when the FDA declines to approve a drug, outline the reasons for non-approval and what additional data might be needed. Historically, companies were not required to disclose these letters publicly and often shared limited or selective information with investors.
Under the leadership of the U.S. Health and Human Services Secretary Robert F. Kennedy Jr., who has pledged "radical transparency" and criticized the FDA for favoring Big Pharma and Big Food, the agency has moved to increase public access to regulatory documents. The FDA said its decision was motivated in part by a 2015 analysis showing that most companies withheld key safety and efficacy concerns noted in CRLs.
While trade secrets and confidential commercial information were redacted before publication, the move marks a major shift in regulatory disclosure. Industry analysts, such as Piper Sandler’s Biren Amin, noted that this change could pressure companies to be more open about approval setbacks.
Legal experts, including health policy lawyer Paul Kim, suggested the decision could face challenges from affected companies or trade associations due to its scale and precedent-breaking nature.
In the press release, FDA Commissioner Marty Makary, M.D., M.P.H. notes, “For far too long, drug developers have been playing a guessing game when navigating the FDA. Drug developers and capital markets alike want predictability. So today we’re one step closer to delivering it to them, with an ultimate goal of bringing cures and meaningful treatments to patients faster.”
From a data privacy and HIPAA standpoint, the public disclosure of previously confidential regulatory documents raises important considerations. Although the FDA redacted trade secrets and confidential commercial information, the move signals a shift toward broader data transparency that must be balanced against strict federal protections for personal health information.
Healthcare organizations are bound by HIPAA to safeguard individually identifiable health data, and while CRLs typically do not contain such data, the principle remains: public disclosures must never compromise patient privacy or data security. The policy also sets a precedent for how regulatory agencies might handle sensitive information in the future, especially as calls for transparency grow louder.
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
A data breach occurs when sensitive, protected, or confidential information is accessed, disclosed, or stolen without authorization.
Common causes include phishing attacks, ransomware, lost or stolen devices, unauthorized access by employees, system misconfigurations, and third-party vendor vulnerabilities.
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach.