Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during October and early November 2024 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• FDA Regulatory Updates
• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Provider Reimbursement Updates
• Privacy and AI Updates
• Policy Updates

U.S. Featured Content

Women’s health and reproductive care transactions have seen an uptick in the corporate world. Maven Clinic secured $125 million in a series F funding round last month, valuing the startup at $1.7 billion. Maven plans to deploy the new funds to further support its fertility benefits administration platform, Maven Managed Benefit. Oura Health Ltd, the maker of the popular smart ring that provides personalized health data on over 20 biometrics including fertility and sleep tracking, announced it will acquire data company Sparta Science, a Silicon Valley-based software company, which will enable customizable solutions to either integrate with a customer’s existing system or create customized dashboards and workflows directly.

EU and UK News

• Regulatory Updates
• Reimbursement Updates
• Privacy Updates

EU/UK Featured Content

Regulatory and legislative reform is on the horizon in both the UK and in the EU, which will impact software and artificial intelligence (AI) medical devices. The UK government recently published the new medical devices post-market surveillance rules, which could be in place by summer 2025. Further, the Medicines and Healthcare products Regulatory Agency’s (MHRA) priorities until spring 2025 are focused on the draft pre-market rules for devices, the in vitro diagnostics (IVD) roadmap, and guidance on AI development and deployment. In the EU, industry should watch the potential upcoming reform of the Medical Devices and In-Vitro Medical Devices Regulations, with increasingly urgent calls for reform from key stakeholders gaining traction with the institutions.

U.S. News

FDA Regulatory Updates

FDA Publishes Article on AI in the Journal of the American Medical Association (JAMA). On October 15, 2024, JAMA published a Special Communication titled, “FDA Perspective on the Regulation of Artificial Intelligence in Health Care and Biomedicine,” which U.S. Food and Drug Administration (FDA) Commissioner Robert Califf, M.D. and other FDA officials authored. The article highlights issues that are relevant to FDA’s regulation of AI, including: AI regulation within the broader U.S. government and global context; keeping up with the pace of change in AI; flexible approaches across the spectrum of AI models; the use of AI in medical product development; preparing for the unknowns of large language models and generative AI; the central importance of AI life cycle management; the responsibilities of regulated industries; maintaining robust supply chains; finding the balance between big tech, start-ups, and academia; and the tension between using AI to optimize financial returns versus improving health outcomes. The article also provides examples of current and potential uses of AI in drug development and clinical research, such as: predicting efficacy and adverse events based on compounds’ specificity and affinity for a target; aiding in dose optimization in populations with limited data (i.e., pregnant populations); detecting and evaluating adverse event associations from medical literature and social media.

Health Care Fraud and Abuse Updates

North Carolina Physician Assistant Sentenced to Six Years in Prison for Role in $10 Million Genetic Testing Fraud Scheme. On October 4, 2024, Colby Edward Joyner was sentenced to 72 months in prison for his role in a $10 million genetic testing scheme. Between 2018 and 2019, Joyner, a physician assistant, signed fraudulent prescriptions for medically unnecessary genetic testing for over 600 North Carolina Medicare beneficiaries with whom Joyner either only had brief telephone conversations or no interactions at all. See further coverage of the Joyner case in the July 2023 digest.

Senators Question Manufacturers on New Telehealth Platforms. On October 21, 2024, U.S. Senators Dick Durbin, Peter Welch, Elizabeth Warren, and Bernie Sanders issued letters to Pfizer and Eli Lilly, addressing the pharmaceutical companies’ recent implementation of direct-to-consumer telehealth platforms PfizerForAll and LillyDirect, respectively. The letters probed the companies on various aspects of their relationships with telehealth providers.

Various Members of Moscow-Based Criminal Organization Plead Guilty in $1.7 Billion International Telemedicine Scheme. On October 22, 2024, Hafizullah Ebady pleaded guilty to health care fraud conspiracy for his role in a $1.7 billion international telemedicine scheme to obtain pharmacies across the country with pre-existing relationships with private health insurance companies. Under this scheme, Brian Sutton, the leader of the organization, led co-conspirators to oversee call centers based in Utah and later operated in Russia and other foreign nations. Call center employees called beneficiaries enrolled in private insurer health care plans to offer prescription medication at little to no cost without concern of whether these medications were medically necessary. The defendants also allegedly recruited doctors to review prescriptions by nurse practitioners and physician’s assistants after telemedicine visits. However, in many instances, there were no telemedicine visits between the beneficiaries and any medical professionals. Many beneficiaries never received the medications. Six of Ebady’s co-defendants previously pleaded guilty while Sutton currently remains at large.

Corporate Transactions Updates

Will Digital Health Shape the Future of Female Care? While reproductive issues were on the ballot in 10 states in the November 2024 election, a couple of deals and funding rounds for companies focusing on women’s health and reproductive care were also making headlines.

On October 8, 2024, Maven Clinic, a women-focused digital health care startup and the largest virtual clinic for women’s and family health, secured $125 million in a series F funding round, valuing the startup at $1.7 billion. The funding round brings Maven’s total funding to over $425 million and was led by StepStone Group. It also had participation from other investors including General Catalyst, Oak HC/FT, Sequoia, and Lux Capital. Maven plans to deploy the new funds to further support its fertility benefits administration platform, Maven Managed Benefit.

On October 31, 2024, Oura Health Ltd, the maker of the popular smart ring used primarily by women that provides personalized health data on over 20 biometrics including fertility and sleep tracking, announced it will acquire data company Sparta Science, a Silicon Valley-based software company. This marks Oura’s third acquisition in two years, including its acquisition of Veri, a metabolic health company, in September 2024. Oura’s latest acquisition will enable customizable solutions to either integrate with a customer’s existing systems (such as athlete management systems, electronic medical records, and research and operational data platforms) or create customized dashboards and workflows directly. Earlier this month, the U.S. Defense Health Agency awarded a $96.1 million firm-fixed-price contract to Oura Health Ltd to allow the U.S. Department of Defense to better track the health and wellness of personnel and “put smart rings and services in the hands of service members.”

Provider Reimbursement Updates

Physician Fee Schedule Final Rule. On November 1, 2024, CMS issued the calendar year (CY) 2025 Medicare Physician Fee Schedule (PFS) final rule. Among other updates, CMS finalized several proposals regarding Medicare payment for telehealth services and digital health therapeutics.

Telehealth Services. As we covered in the July 2024 digest, CMS made a number of proposals regarding Medicare payment for telehealth services, including extending some flexibilities. CMS finalized the following proposals:

• Expanding the list of services payable under the PFS when furnished via telehealth to include caregiver training and counseling for pre-exposure prophylaxis to prevent human immunodeficiency virus
• Continuing to suspend the frequency limitations for CY25 for telehealth subsequent care services in inpatient and nursing facility settings, as well as for critical care consultation services
• Revising the regulatory definition for “interactive telecommunications” to allow telehealth services furnished to a beneficiary in their home (where it is a permissible originating site) to occur via two-way, real-time audio-only communication technology, but only if the physician or practitioner is technically capable of using an interactive telecommunications system and the patient is not capable of, or does not consent to, the use of video technology
• Extending the definition of “direct supervision” to include audio-video communications technology through CY25, and permanently for a subset of incident-to services furnished by employed auxiliary personnel for level 1 office or other outpatient evaluation or management visits

Digital Therapeutics. Historically, CMS has faced challenges in attempting to fit digital therapeutics into the existing benefit structure under the PFS. In a major advancement in reimbursement policy for such items, CMS finalized three codes (G0552, G0553, and G0554) for purposes of paying practitioners for furnishing digital mental health treatment (DMHT) devices furnished incident to professional behavioral health services, in association with ongoing treatment under a plan of care by the billing practitioner. In order for payment to be available, the billing practitioner must diagnose the patient with a mental health condition, prescribe or order the device, and incur the cost of furnishing the device to the patient. Payment for code G0552 (supply of DMHT device, initial education, and onboarding) will be based on contractor pricing and valuing of codes G0553 and G0554 (timed monthly treatment management with a HMHT device intended as a therapeutic intervention) based on direct crosswalk to codes for remote therapeutic monitoring.

CMS clarified that the new codes apply to devices cleared under section 510(k) of the FD&C Act or granted de novo authorization by FDA. In both cases, the device must be classified under 21 CFR 882.5801 for mental or behavioral health treatment, and the device must be used in accordance with its classification. While CMS reiterated that the DMHT definition encompasses only part of a broad spectrum of digital therapeutics, and that broader coverage under the PFS might require a new statutory Medicare benefit category, this nevertheless represents a win for industry and new pathways.

Privacy and AI Updates

AI Standards Coalition Releases Draft Frameworks for Certification of Health AI Tools. On October 18, 2024, the Coalition for Health AI (CHAI), a non-profit organization founded by, among others, the Mayo Clinic, Johns Hopkins Medicine, and Kaiser Permanente, whose mission is to establish standards for the responsible use of AI in health care, released advanced draft frameworks for certification of independent “AI assurance labs” to test health AI models based on criteria set forth in so-called “Model Cards.” CHAI’s goal is that certified assurance labs will provide a reliable and consistent source of information on the quality and integrity of health AI tools by testing AI developers’ algorithms against a set of industry-approved guidelines. Among the requirements for labs to be certified under the CHAI certification program framework are that they disclose any conflicts of interest they may have with model developers, and commit to the protection of the security and integrity of data and intellectual property.

Although CHAI is a nongovernmental organization, FDA and other U.S. Department of Health and Human Services (HHS) officials reportedly participate in CHAI working groups, and the draft Model Cards incorporate the 31 requirements for transparency under the final Health IT Certification Program regulations (HTI-1 Rule) promulgated by the HHS Office of the National Coordinator for Health Information Technology in December 2023. Under the HTI-1 Rule, health IT developers must disclose specific information about their clinical decision support (CDS) algorithms, including (among many other things) the algorithms’ intended use, what populations the algorithms were trained on, the fairness of the algorithms’ outcomes, and what kind of ongoing changes developers are making to the algorithms to promote equal outcomes.

As explained by CHAI, the draft CHAI Model Cards are designed to assist organizations in evaluating AI models during the procurement process, including vendors of electronic health records regulated under HTI-1 Rule. CHAI completed an assessment of all of the HTI-1 requirements and considered recommendations from clinicians, health system organizational data custodians, and developers about what additional information should be included in the Model Cards beyond the existing regulatory requirements. As currently drafted, the Model Cards would disclose the identity of the AI tool’s developer, the tool’s intended uses, target patient populations, AI model type, data types, key performance metrics, security and compliance accreditations, maintenance requirements, known risks and out-of-scope uses, known bias, ethical considerations, and third-party information (such as relevant clinical studies).

CHAI anticipates finalizing the AI assurance lab certification process and the Model Card design by the end of April 2025, following a process of review and feedback by CHAI members, partners, and the public.

Policy Updates

Senate Finance Chairman Probes UnitedHealth Group on Cyberattack Response. On October 18, 2024, Chairman Ron Wyden (D-OR) sent a letter to the CEO of UnitedHealth Group asking for additional responses to questions that were not “satisfactorily answered” during the Senate Finance Committee’s May 2024 hearing assessing the Change Healthcare cyberattack. Chairman Wyden requests responses to several questions by November 8, 2024, including information related to the company’s previous auditing records, techniques used to hack into Change Healthcare’s active directory server, and defensive steps that UnitedHealth Group has taken to avoid future cyberattacks.

EU and UK News

Regulatory Updates

New Post-Market Surveillance (PMS) Legislation Could Be Introduced in the UK by Summer 2025. On October 21, 2024, the UK government laid before Parliament the draft statutory instrument setting out proposed new PMS requirements for medical devices in Great Britain. The amendments will bring PMS requirements in Great Britain broadly into alignment with those in the EU Medical Devices Regulation 2017/745 (MDR) and the EU In Vitro Diagnostic Medical Devices Regulation 2017/746 (IVDR). Further, the new PMS requirements will apply to all medical devices placed on the market in Great Britain, including devices CE marked under the EU regimes and made available in Great Britain under transitional arrangements. Read more in our Blog post.

MHRA Sets Out Key Points To Expect From Its Regulatory Reforms to Medical Devices in 2024 and 2025. In a recent blog post, the MHRA sets out its priorities for the reform of the rules for medical devices over the next year. The industry can expect an early draft of the pre-market legislation by the end of the year, and the full text by spring 2025. In addition, the MHRA expects to publish draft guidance on AI development and deployment, as well as a revised IVD roadmap by spring. The MHRA also reminds readers about the transition timelines that will be included in the regulations that are being developed, noting that next year will not be a regulatory “cliff edge.”

European Parliament Calls on the European Commission To Revise the MDR and IVDR. On October 23, 2024, the European Parliament adopted a resolution on the urgent need to revise the MDR and IVDR. Given implementation difficulties, delays, and lack of harmonization across the EU, the Parliament calls on the European Commission and notified bodies to take various actions to ensure advances in digital health, AI diagnostics, and personalized medicine. However, as the Parliament cannot initiate amendments to the MDR or IVDR itself, we will need to wait for the European Commission’s response before the full impact of this resolution is known. You can read more in our Blog post.

EFPIA Recommendations on Use of AI in Medicines Lifecycle. The European Federation of Pharmaceutical Industries and Associations (EFPIA) published its position on the use of AI in the medicinal product lifecycle, and proposed six recommendations: (1) leveraging EU regulations and guidance for AI in medicines; (2) entrusting the European Medicines Agency (EMA) with the regulatory oversight of AI in medicine development; (3) clarifying EMA’s risk-based approach to AI within the regulatory framework; (4) having AI policies that balance transparency and innovation protection when sharing AI models and datasets; (5) aligning global regulatory approaches through collaboration to foster safe innovation; and (6) building trust and capabilities in AI use through collaboration with industry, regulators, patients, and stakeholders. These recommendations were published shortly after the EMA reflection paper on the use of AI, which you can read about in our Blog post.

A UK National Quantum Facility Has Opened to Further Research in AI and Health Care. The newly opened National Quantum Computing Centre will house state-of-the-art quantum computers that will be harnessed to fuel advancements in areas such as AI, drug discovery, energy, and climate prediction, and help cement the UK’s position as a global leader in quantum technology.

Reimbursement Updates

UK National Institute for Health and Care Excellence (NICE) Consults on Recommendations for Four Different AI Tools for Examination of X-Rays. Missed fractures are one of the most common errors in the emergency department. The hope is that using AI, along with the assessment of a health care professional, will reduce the number of undetected fractures at initial presentation and promote an equal standard of care across the country. Clinical evidence suggests that the AI technologies may improve fracture detection on X-rays in urgent care, compared with a professional reviewing on their own, without increasing the risk of incorrect diagnoses. NICE has issued draft guidance for consultation recommending the use of four AI technologies to help professionals detect fractures in urgent care settings.

NICE Recommends Remote-Monitoring Technologies Shown To Reduce Hospitalizations by Half. The new technologies can detect signs of heart failure by monitoring individuals’ general activity, heart rate variability, and heart sounds. Data can be sent in real time to hospital staff who can provide care over the phone and determine if hospitalization is required.

Privacy Updates

ICO Publishes Report on the Use of Personal Data in Quantum Technologies. Quantum technology is a broad term for a range of technologies that deploy principles of quantum mechanics in computing, sensing, timing, and imaging, among others. Future uses of quantum technologies within medicine are being explored by researchers, such as simulating novel chemicals and complex modelling in the context of drug discovery and personalized medicine. The Information Commissioner’s Office (ICO) report considers the impact of these technologies on personal data, and individuals’ privacy and information rights. It calls for responsible innovation and for the early consideration of privacy and data protection implications.

Data Use and Access Bill Laid Before UK Parliament. The new bill aims to enhance data access in order to support economic growth. Among the draft provisions are proposals to enable the transfer of patient data across the National Health Service to promote faster and higher quality care. The ICO has published a response which highlights that the bill provides positive reform while maintaining high data protection standards.

*The following individuals contributed to this Newsletter:

Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Amanda Cassidy is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Amanda is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Katie Brown is employed as a policy advisor at Arnold & Porter’s Washington, D.C. office. Katie is not admitted to the practice of law.
Mimi Simmons is employed as a trainee lawyer in the firm's London office. Mimi is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.