Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during June and early July 2024 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• FDA Regulatory Updates
• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Provider Reimbursement Updates
• Policy Updates
• Privacy and AI Updates

U.S. Featured Content

The DOJ has pursued its first criminal drug distribution prosecution related to a digital health company distributing controlled substances through telemedicine. The founder and CEO of Done Global, Ruthia He, and its clinical president, David Brody, MD, were indicted in connection with a purported scheme to provide “easy access” to Adderall and other stimulants in exchange for a monthly subscription fee and “limiting the information available to Done prescribers, instructing Done prescribers to prescribe Adderall and other stimulants even if the Done member did not qualify, and mandating that initial encounters would be under 30 minutes.” As a result of the scheme, Done allegedly arranged for the prescription of over 40 million pills of Adderall and other stimulants and obtained over US$100 million in revenue.

EU and UK News

• Regulatory Updates
• IP Updates

EU/UK Featured Content

While it has been a relatively quiet month in the EU given elections in the European Parliament and in the UK (as well as other countries across the EU), agencies across the globe have published important guidance on machine-learning enabled medical devices. This includes the UK Medicines and Healthcare products Regulatory Agency’s (MHRA) guiding principles on transparency, published together with the U.S. Food and Drug Administration (FDA) and Health Canada, and the International Medical Device Regulators Forum (IMDRF) consultation on its guiding principles on good machine learning practice (which itself follows similar guidance from MHRA, FDA, and Health Canada in 2021). This demonstrates the increased importance of international standards in this area and the need for coordination between regulatory authorities to standardize guidance for these products.

U.S. News

FDA Regulatory Updates

FDA Issues Update on Artificial Intelligence Program Research Focus. On June 10, 2024, FDA’s Center for Devices and Radiological Health (CDRH) issued updates on the Artificial Intelligence (AI) Program’s research priorities. The AI Program is one of 20 research programs in CDRH’s Office of Science and Engineering Laboratories. The AI Program is intended to fill regulatory knowledge gaps and challenges with AI by developing robust test methods and evaluation methodologies for assessing AI performance, both in premarket and real-world settings. Examples of regulatory science research areas that the AI Program is currently focused on include: (1) addressing the limitations of medical data in AI, (2) identifying and measuring AI bias for enhancing health equity, (3) regulatory evaluation of new AI uses for improving and automating medical practice, and (4) methods for effective post-market monitoring of AI-enabled devices.

FDA Requests Comments on Patient Safety of Certain Non-Device Software Functions. On June 18, 2024, FDA posted a request for comments on non-device software functions and impacts on patient safety. Non-device software functions are those software functions that are excluded from the statutory “device” definition under the 21st Century Cures Act (Cures Act), such as certain general wellness software functions and certain clinical decision support software functions for health care professionals. Comments FDA receives will help the agency develop its 2024 report on the risks and benefits to health of non-device software functions. The Cures Act requires FDA to publish a report on non-device software functions. The agency previously issued reports in 2018, 2020, and 2022.

FDA To Host Public Workshop on AI in Drug and Biological Product Development. FDA, along with the Clinical Trials Transformative Initiative, will hold a hybrid public workshop on AI in drug and biological product development. The workshop will discuss guiding principles on the responsible use of AI in drug development, including discussions of real case examples. The workshop is scheduled for August 6, 2024, from 10 AM to 5:30 PM EDT.

Health Care Fraud and Abuse Updates

DOJ Pursues the First Criminal Drug Distribution Prosecutions Related to a Digital Health Company Distributing Controlled Substances Through Telemedicine. On June 13, 2024, the founder and CEO of Done Global, Ruthia He, and its clinical president, David Brody, MD, were indicted in connection with a purported scheme to provide Adderall to individuals by exploiting telemedicine and spending tens of millions of dollars on deceptive social media advertising. He and Brody, along with other co-conspirators, allegedly conspired to provide “easy access” to Adderall and other stimulants in exchange for a monthly subscription fee. They also purportedly structured the Done platform intentionally to facilitate access to Adderall and other stimulants, including by “limiting the information available to Done prescribers, instructing Done prescribers to prescribe Adderall and other stimulants even if the Done member did not qualify, and mandating that initial encounters would be under 30 minutes.” He allegedly set up an “auto-refill” function on Done’s platform that would permit Done subscribers to request a refill every month. This feature was allegedly set up to discourage follow up medical care by only paying Done prescribers solely on the number of patients who received prescriptions and refusing to pay for any medical visits, telemedicine consultations, or time spent caring for patients after an initial consultation. As a result of the scheme, Done allegedly arranged for the prescription of over 40 million pills of Adderall and other stimulants and obtained over US$100 million in revenue. According to the DOJ, these charges are the department’s first criminal drug distribution prosecutions related to a digital health company distributing controlled substances through telemedicine.

National Health Care Fraud Enforcement Action Leads to 36 Defendants Charged in Connection With the Submission of Over US$1.1 Billion in Fraudulent Claims Resulting From Telemedicine Schemes. On June 27, 2024, the DOJ announced the 2024 National Health Care Fraud Enforcement Action, leading to criminal charges filed against 193 defendants for their alleged participation in numerous health care fraud schemes involving approximately US$2.75 billion in intended losses and US$1.6 billion in actual losses. Of these 193 defendants, 76 doctors, nurse practitioners, and other licensed medical professionals in 32 federal districts across the United States were ultimately charged. Specific to telemedicine, 36 defendants were charged in connection with the submission of over US$1 billion in fraudulent claims to Medicare stemming from telemedicine schemes. These schemes included clinical laboratory owners purportedly paying illegal kickbacks and bribes to entities, including telemedicine companies, in exchange for the referral of orders for unnecessary genetic testing. Additionally, in another alleged telemedicine scheme, a psychiatrist allegedly submitted fraudulent claims based on minimal patient interactions, such as telemedicine visits that only lasted between 10 to 30 seconds. DOJ’s new initiative emphasizes the department’s focus and commitment in eradicating telemedicine schemes, and saving taxpayers billions of dollars in the process.

Corporate Transactions Updates

Guess Who’s Back, Back Again? Digital Health IPOs Are Back, Tell a Friend. The exit market for digital health has finally returned after nearly two years (21 months) without a single initial public offering (IPO). In the second quarter of 2024, three digital health companies exited onto the Nasdaq or New York Stock Exchange: FDA-cleared remote pregnancy monitoring company Nuvo exited via special acquisition company (SPAC) in May; health care payment software company Waystar exited via IPO in June; and artificial intelligence genetics-testing company Tempus AI also exited via IPO in June.

The first brave player to make an exit in 2024 was Nuvo. Exits via SPAC, or combining a company’s stock with a SPAC (coined “reverse mergers”), carry concern as many companies lose shareholder’s money after exiting via SPAC. Notably, Nuvo stock increased sharply right after its exit (200%), but has since dropped to below its initial $10 offering price.

On June 7, 2024, Waystar made its debut on the public market as the first digital health company to go public via IPO since 2022 with a US$968 billion IPO. Waystar’s initial public offering priced in the middle of its expected range at $21.50 a share, and its stock opened at $21, slightly below the IPO price, providing for a market value of approximately US$3.6 billion. Tempus AI followed a week later, making its public market debut on June 14, 2024. Tempus AI priced its IPO at the higher end of its targeted range at $37 a share and opened trading at $40 a share, which rose to nearly $44 on its first day on the market before dropping. The IPO suggests Tempus AI has a market value of approximately US$6.6 billion.

Both Waystar and Tempus AI disclosed that the money raised from their IPOs would be utilized to pay down debt in the high interest rate environment. It should also be noted that Tempus adjusted its IPO pricing for the market, pricing its IPO at almost a 40% discount from its US$10.25 billion valuation in 2022. Some digital health experts believe this is just the beginning of the IPO resurgence, and that the highest quality startups will wait until 2025 to go public because their balance sheets are stronger, allowing them to let other companies test the choppy public market waters first.

Provider Reimbursement Updates

Physician Fee Schedule Proposed Rule. On July 10, 2024, the Centers for Medicare & Medicaid Services (CMS) issued the calendar year (CY) 2025 Medicare Physician Fee Schedule (PFS) proposed rule. Importantly, the agency maintains its position that the Public Health Emergency-related telehealth flexibilities will expire on December 31, 2024. The agency also, for the first time, makes a proposal to pay for a mental health digital therapeutic.

Telehealth Services. The expiration of these flexibilities means that in 2025, absent action by Congress, Medicare will revert to the statutorily authorized geographic and site of service parameters for telehealth services under section 1848(m) of the Social Security Act. Generally, except for telehealth services furnished in a patient’s home for mental health services, substance use disorder services, and clinical assessments related to end-stage renal disease for beneficiaries receiving home dialysis, telehealth services will only be available to beneficiaries in rural areas and only when the patient is located in certain types of medical settings.

Using the five-step process it adopted in the CY 2024 PFS final rule, CMS makes a number of proposals with regard to requests for changes to the list of permanent and provisional telehealth service. Among other changes, CMS proposes to:

• Expand the list of services payable under the PFS when furnished via telehealth to include caregiver training, counseling for pre-exposure prophylaxis (PrEP) to prevent HIV (pending future finalization of the National Coverage Determination for PrEP for HIV infection), and training on the use of International Normalized Ratio monitors.
• Remove frequency limitations for CY 2025 for telehealth subsequent care services in inpatient and nursing facility settings, as well as for critical care consultation services.
• Revise the regulatory definition for “interactive telecommunications” to allow telehealth services furnished to a beneficiary in their home to occur via two-way, real-time audio-only communication technology, but only if the physician or practitioner is technically capable of using an interactive telecommunications system and the patient is not capable of, or does not consent to, the use of video technology.
• Extend the definition of “direct supervision” to include audio-video communications technology through CY 2025, and permanently for a subset of incident to services furnished by employed auxiliary personnel working under direct supervision (assigned PC/TC indicator or 5) and services described by CPT 99211.

Digital Therapeutics. Significantly, CMS proposes to advance Medicare reimbursement for a digital therapeutic related to behavioral health. Specifically, the agency proposes to create three codes (GMBT1, GMBT2, and GMBT3) for purposes of paying practitioners for furnishing digital mental health treatment (DMHT) devices furnished incident to or integral to professional behavioral health services in association with ongoing treatment under a plan of care by the billing practitioner, who must diagnose and prescribe or order the device. CMS’ proposal would only apply to DMHT devices that are cleared by the FDA, demonstrate a reasonable assurance of safety and effectiveness, and represent a cost to the billing practitioner. CMS indicates that this proposal is driven by a growing demand for behavioral health care services and workforce shortages nationwide. Acknowledging that “the field of digital therapeutics is evolving,” but also recognizing the challenges of incorporating digital therapeutics into the Medicare framework (including capturing such items in the practice expense methodology), CMS states it is “open to feedback from the public on this topic.”

Policy Updates

Senate Finance Chair Urges HHS To Require Mandatory Cybersecurity Protections. On June 5, 2024, Senate Finance Committee Chair Ron Wyden (D-OR) sent a letter to the U.S. Department of Health and Human Services (HHS) urging for new cybersecurity requirements, including the use of multi-factor authentication, for large health care companies. The letter urges HHS to provide technical assistance to providers and require: (1) minimum, mandatory technical cybersecurity standards for systemically important entities (SIEs), including clearinghouses and health systems; (2) resiliency requirements for SIEs to get up and running quickly if infected with ransomware; and (3) periodic cybersecurity audits of covered entities and business associates. Chair Wyden said the “current approach of allowing the health sector to self-regulate cybersecurity is insufficient and fails to protect personal health information as intended by Congress.”

House Ways and Means Committee Advances Legislation Improving Medicare Coverage Options for PDTs. On June 27, 2024, the House Ways and Means Committee favorably voted to advance the American Medical Innovation and Investment Act (H.R. 8816), which would in part require CMS to consider additional pathways for Medicare coverage of Prescription Digital Therapeutics (PDTs). Chair Jason Smith (R-MO) and Rep. Kevin Hern (R-OK) spoke in favor of the legislation, highlighting the positive impact PDTs can have for patients seeking treatment for mental health disorders.

Privacy and AI Updates

House Energy and Commerce Halts Action on Federal Privacy Bill. On June 27, 2024, shortly before it was scheduled to meet to advance the latest version of the draft American Privacy Rights Act (APRA) (among other bills), the House Energy and Commerce Committee cancelled the meeting. The cancellation took many by surprise, as the APRA had moved quickly through the Innovation, Data, and Commerce Subcommittee in late May and was widely expected to gain approval by the full committee. Apparently, some Republican members were uncomfortable with the bill’s provision for a privacy right of action, among other things. In a statement issued after the meeting was cancelled, Committee Chair Cathy McMorris Rodgers (R-WA), the draft’s principal sponsor, vowed to “continue our pursuit to give Americans privacy rights online” and underscored that “[a]t its core, the massive commercial surveillance of data is fueling the problem. Nearly every data point imaginable is being collected on us with no accountability. They are using our data against us, sowing division, manipulating truth, and diminishing our personal identities.”

Federal District Court Vacates Part of HHS OCR Guidance Regarding Online Tracking Technologies. On June 20, 2024, the federal district court of the Northern District of Texas vacated a portion of guidance issued by HHS’ Office for Civil Rights (OCR) about certain uses of online tracking technologies by entities subject to the privacy regulations implementing the Health Insurance Portability and Accountability Act (the HIPAA Privacy Rule). The court found that OCR lacked statutory authority for its position in the guidance that information collected through online tracking technologies about a visitor to a health-related unauthenticated public webpage (UPW) (a webpage accessible without user verification or login credentials) constitutes “individually identifiable health information” (IIHI) under the HIPAA Privacy Rule. The judge reasoned that, even when such visit information is combined with the IP address of the webpage visitor, that combination of information does not constitute IIHI as defined under HIPAA. The judge therefore vacated the guidance to the extent that it characterizes the combination of (1) an individual’s IP address and (2) information about the individual’s visit to a health-related UPW as IIHI. The judge did not, however, vacate any other aspect of the guidance.

The court’s decision is significant in several respects. First, although it could be appealed, it brings relief to HIPAA-regulated entities by clarifying that the HIPAA Privacy Rule’s restrictions on uses and disclosures of IIHI do not apply to information collected solely through technologies tracking an individual’s visit to a health-related UPW, even if that information is combined with the user’s IP address. As the plaintiffs in the case (including the American Hospital Association) argued, there was an apparent threat that OCR would seek to enforce the HIPAA Privacy Rule based on its contrary view expressed in the guidance. As the plaintiffs noted, in late 2022, OCR and the U.S. Federal Trade Commission sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other companies in the health care industry to warn of the “serious privacy and security risks” associated with the collection of information from online tracking technologies integrated into their websites and mobile apps.

Second, beyond its direct implications for enforcement of the HIPAA Privacy Rule, the court’s ruling indicates that there are limits to the theory that information collected through online tracking technologies is properly understood to be “individually identifiable” information or “personal information” within the meaning of privacy laws generally. That might inform, for example, the actions taken by other courts, state enforcement authorities, and even the U.S. Federal Trade Commission in cases involving alleged misuse or unauthorized disclosure of certain information collected through online tracking technologies.

EU and UK News

Regulatory Updates

MHRA Publishes Guiding Principles on Transparency in Machine-Learning Enabled Medical Devices. On June 13, 2024, the MHRA published its guiding principles on transparency for machine learning-enabled medical devices, developed jointly by the MHRA, the FDA, and Health Canada. The principles are intended to promote transparency for machine-learning medical devices (MLMDs), but should be taken into account for all medical devices.

The principles explain that the relevant audience must be considered in order to have effective transparency. Further, the motivation for transparency in the case of MLMDs should be safety and efficacy of the device, as well as being crucial to patient-centered care.

The information that is of relevance will vary depending on the MLMD. However, the principles provide guidance on the type of information that may be suitable, including how a device can be described clearly and accurately and how the safety of the device can be maintained throughout its lifecycle.

Where the information is placed and when it is communicated should also be considered. The principles suggest providing information to users in a way that is responsive and enabling information to be personalized and implementing human-centered design principles in order to support transparency. This could mean, for example, involving parties and users in the design and development, and communicating with a suitable level of detail and language for the intended audience.

The International Medical Device Regulators Forum Opened a Consultation on Its Draft Guiding Principles on Good Machine Learning Practice for Medical Device Development. On July 1, 2024, the IMDRF published a consultation on its draft Guiding Principles on good machine learning practice for medical device development. The document sets out 10 principles that are intended to promote the safe and effective development of high-quality AI medical devices. They address a broad range of areas, such as demonstrating and measuring the performance of the device, software engineering practices, and transparency.

At the forefront of the principles is the importance of understanding the intended use and purpose of the device. This theme can be seen throughout the document, including in relation to the choice of reference standards, model and design, and the information to be provided to users. Users of the AI-enabled medical device must be provided with information that is clear and appropriate for their needs. This is in line with the approach taken by the MHRA in its guiding principles on transparency in machine-learning enabled medical devices (discussed above).

The principles also highlight the importance of using appropriate datasets. Datasets should be representative of the whole patient population, and data that have been used to train the algorithm should not be used for testing.

The consultation is open until August 30, 2024.

It is also worth noting that in 2021, the MHRA, the FDA, and Health Canada published a joint statement identifying 10 guiding principles to help inform the development of Good Machine Learning Practice. There is some similarity between this document and the recent consultation. You can read more about this in our November 2021 Blog.

IP Updates

Global Patent Dispute Over Continuous Glucose Monitoring Technology Heats up in Europe. An ongoing global dispute between Abbott and manufacturers and distributors of continuous glucose monitoring (CGM) devices and technology, used to remotely measure blood glucose levels, has led to a string of decisions including from the Unified Patent Court (UPC) and the UK Patents Court. There are multiple claims of patent infringement and counterclaims for revocation in the U.S. and Europe. In this digest, we provide a summary of one recent decision from the UK Patents Court and two from The Hague local division of the UPC.

UK Patents Court Reject’s Abbott’s Claim Against Dexcom for Continuous Glucose Monitoring Device Patent Infringement and Invalidates Abbott’s Patent for Obviousness. In a UK Patents Court decision dated June 28, 2024, Justice Mellor rejected Abbott’s patent infringement claim against Dexcom in relation to Dexcom’s G7 CGM device (launched October 2022) which competes with Abbott’s flagship integrated CGM product. The judge further held that Abbott’s patent was invalid for obviousness over a prior U.S. patent.

The judge’s conclusion that Dexcom’s device was non-infringing largely hinged on the interpretation of the wording in claim 1 “coupled to the housing.” This wording related to the physical relationship between the introducer needle and the device housing, and whether it should be interpreted narrowly (as argued by Dexcom) as the needle and the housing needing to be “physically yoked together so that they move together” via a manual process or broadly (as argued by Abbott) as the needle and housing merely being in contact to enable either manual or automatic movement. Applying a purposive construction, the judge agreed with Dexcom that “coupled” should be interpreted as limiting the claim to a manual insertion of the needle, meaning that Dexcom’s G7 CGM device did not infringe Abbott’s patent.

The judge also concluded that Abbott’s patent was invalid for obviousness over a U.S. patent (Heller) which described a device similar to Abbott’s. The judge concluded that the process through which the skilled team would go to get from Heller to the claims in the patent were not the list of “steps” between different inventions, as argued by Abbott, but rather were an inevitable part of any practical implementation by a notional skilled team of the teaching disclosed in Heller. Any differences between the CGM devices described in Heller and in the Abbott patent claims were minimal and merely routine design implementation choices.

This case illustrates the impact a few words can have on claim construction and the value to paying close attention to claim drafting.

UPC Preliminary Injunction Granted Against Sibio’s CGM Device. On June 19, 2024, the Unified Patent Court Local Division of The Hague handed down separate rulings on two preliminary injunction (PI) applications made by Abbott against Sibio Technology Limited (Sibio) in relation to continuous glucose monitoring technology. The glucose monitors in question were in vivo analyte monitoring systems, which use an insertable in vivo sensor along sensor electronics in an integrated unit along with a display device with proprietary software (typically on a smartphone).

In the first ruling, the court denied the PI, concluding that it is more likely than not that claim 1 of the patent-in-suit would be held to be invalid on the basis that amendments made by Abbott to the patent extended beyond the content of the original application and so constituted unallowable “added matter.” The UPC applied the “gold standard” disclosure test, acknowledging that this was the standard test used in many UPC member states. Namely, this means that any amendment to a European patent application or European patent relating to disclosure (i.e., the description, claims, and drawings), must only be made within the limits of what a skilled person would derive directly and unambiguously using common general knowledge, as seen objectively and relative to the date of filing in relation to the whole of the application as filed. Interestingly, this patent had been opted out of the UPC’s competence but this opt-out was withdrawn in March 2024.

In the second ruling, Abbott asserted another patent and, in this case, the court (made up of the same three legal judges, as well as a technical judge) granted the PI in Germany, France, The Netherlands, and Ireland. The fact that the court deemed that it was competent to grant a PI in Ireland is notable as Ireland has yet to ratify the UPC Agreement. Abbott’s submissions mentioned the fact that the patent-in-suit was in force in the UK. However, the court noted that, since the UK is no longer a UPC contracting member state, the court did not understand the PI application to involve the UK. These cases are an interesting case study on how multiple PI applications can be deployed to stop alleged infringers of digital health products from marketing and selling such products.

European AI Act: Copyright Implications. Digital health companies offering AI related goods and services should be preparing themselves to ensure that they will be compliant with the upcoming EU Artificial Intelligence Act (the EU AI Act), as discussed in previous digests.

The EU AI Act contains a specific set of rules that apply to general purpose AI (GPAI) models, i.e., those trained on a large amount of data using self-supervision at scale that displays significant generality and that are able to perform competently a wide range of distinct tasks. Examples of GPAI models include generative AI applications such as ChatGPT. The provisions relating to GPAI models will not enter force until 12 months after the EU AI Act itself enters force.

The obligations on providers of GPAI models include putting in place policies to comply with EU copyright law irrespective of the jurisdiction in which the copyright-relevant acts underpinning the training of the GPAI model take place (Art 53(1)(c) and Recital 106).

The EU AI Act also confirms that the process of scraping copyright works to train AI models benefits from the text and data mining exception in Article 4 of the Copyright in the Digital Single Market Directive 2019/790, subject to the right of rights holders of being entitled to expressly reserve their rights to enforce copyright (i.e., they can “opt-out,” so long as they do so explicitly).

*The following individuals contributed to this Newsletter:

Amanda Cassidy is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Amanda is not admitted to the practice of law.
Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Katie Brown is employed as a policy advisor at Arnold & Porter’s Washington, D.C. office. Katie is not admitted to the practice of law.
Jonathon Mellor is employed as a trainee solicitor at the firm's London office. Jonathan is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.