Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during November and early December 2024 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• FDA Regulatory Updates
• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Provider Reimbursement Updates
• Privacy and AI Updates
• Policy Updates
• FTC Updates

U.S. Featured Content

Since the November 5, 2024 election, artificial intelligence (AI) in health care has been at the forefront of the upcoming Trump administration. President-elect Trump’s nominee for Administrator of the Centers for Medicare and Medicaid Services (CMS), Dr. Mehmet Oz, has touted his support for digital health innovation, including the expansion of telehealth services and AI. Likewise, current Republican representatives are urging CMS to change its existing Practice Expense methodology so that providers can receive higher reimbursement for software as a medical device (SaMD) rather than as an indirect practice expense (PE).

EU and UK News

• Regulatory Updates
• Reimbursement Updates
• Privacy and Cybersecurity Updates
• IP Updates

EU/UK Featured Content

Health authorities in the EU continue to develop methods to assess and recommend health apps. The latest is in Denmark, where new guidance has been published on how health apps will be assessed by the Board for Health Apps (the Nævnet for Sundhedsapps). The assessment criteria includes evidence of clinical effectiveness, usability, price, and value to society. This guidance is another important step to ensure greater access to health apps across the EU.

U.S. News

FDA Regulatory Updates

FDA Issues Final Guidance on Predetermined Change Control Plans for AI-Enabled Device Software Functions. On December 4, 2024, the U.S. Food and Drug Administration (FDA) issued a final version of the “Marketing Submission Recommendations for a Predetermined Change Control Plan (PCCP) for Artificial Intelligence-Enabled Device Software Functions,” which the agency had issued in draft in April 2023. The final guidance provides recommendations on information to include in a PCCP for a device that includes one or more AI-enabled device software functions (AI-DSFs), including recommendations that a PCCP describe the planned AI-DSF modifications, the associated methodology to develop, validate, and implement those modifications, and an assessment of the impact of those modifications. While the recommendations and content in the final guidance are intended to be broadly applicable to all AI-enabled devices, the guidance explains that the majority of marketing submissions containing PCCPs that FDA has reviewed are submissions for devices that incorporate the subset of AI known as machine learning (ML). Consequently, many of the recommendations in the final guidance are tailored to devices that incorporate ML. For sponsors considering a PCCP, the final guidance encourages early engagement with the relevant FDA review division regarding a proposed PCCP, such as through FDA’s QSubmission Program.

For additional information about PCCPs, please see our April 2023 digest.

FDA Publishes Report on Non-Device Software Functions. On December 5, 2024, FDA published a report on the risks and benefits to health of non-device software functions, fulfilling a 21st Century Cures Act (Cures Act) requirement. The Cures Act, which was enacted in 2016, excludes certain health-related software functions from the statutory definition of a medical device, and requires the U.S. Department of Health and Human Services (HHS) to issue a report on the risks and benefits of such non-device software functions every two years. As with FDA’s 2022 report, the 2024 analysis “found more benefits than risks to patient safety and health related to these [non-device] software functions.” The report also describes best practices related to design, implementation, training techniques, and use that could promote safety, education, and competency related to the non-device software functions.

Health Care Fraud and Abuse Updates

Father and Son Charged in $28 Million Durable Medical Equipment and Prescription Drug Telemedicine Scheme. On November 12, 2024, father and son Nicholas A. Alberino and Nicholas P. Alberino were charged for participating in a durable medical equipment (DME) telemedicine scheme between February 2018 and April 2019, generating medically unnecessary prescriptions for certain medication and DME through several Florida companies they operated. The government alleges that the Alberinos utilized call centers to contact Medicare beneficiaries and coerce them into accepting expensive medication and DME, based on the potential for high reimbursement payment from insurance payers and not the beneficiaries’ medical needs. The Alberinos would then transmit the beneficiaries’ personal information, as well as pre-written doctor’s orders and prescriptions to an alleged telemedicine company, RediDoc, LLC. RediDoc would provide the received information to doctors that would sign prescriptions without speaking to or having any prior contact with a beneficiary or assessing whether or not the DME or medications were medically necessary. After the doctors signed the prescriptions, they were then delivered to third parties with whom the Alberinos allegedly had preexisting kickback and bribe arrangements with, and DME suppliers and pharmacies would fulfil the fraudulent orders and submit reimbursement claims to health care benefit programs such as Medicare.

Corporate Transactions Updates

End-of-Year Mad Dash for Digital Health Funding and Partnerships. Over 80 different AI partnerships between various health care players were announced in the past year alone, and the numerous digital health headlines over the past few weeks indicate no sign of slowing down in 2025.

On December 10, 2024, it was announced that Hyro AI, a platform that automates tasks including patient registration, IT help desk ticketing, and prescription refills, raised $35 million in its Series B funding round from Healthier Capital, a venture capital firm founded by Amir Rubin, the former chair and CEO of One Medical when it went public in 2020 and sold to Amazon for $3.9 billion in 2023. The total Series B funding brings the company’s total amount raised to $50 million. Hyro AI touts that its platform customers have reported saving a large percentage on call center operations and are seeing a fivefold return on investment.

On December 5, 2024, it was announced that Amazon partnered with Hinge Health to add a digital musculoskeletal component to its health conditions program, a new service it rolled out in January that aims to connect customers with virtual care benefits. This partnership marks the fourth company to join Amazon Health Services’ digital health benefits program, including Omada Health, Talkspace, and Rula Health.

Provider Reimbursement Updates

DEA Extends Telemedicine Prescribing Flexibilities. On November 19, 2024, the U.S. Drug Enforcement Administration (DEA) issued a temporary rule extending telehealth flexibilities — first established during the COVID-19 public health emergency (PHE) — for the prescribing of controlled substances.¹ It is DEA’s third such extension, reflecting the challenges in crafting a permanent policy solution that balances promoting access to care while preventing diversion.

As we covered in the December 2023 digest, during the PHE, DEA allowed physicians to prescribe controlled substances without an in-person visit in order to prevent lapses in care. According to advocates, these flexibilities have proven particularly helpful in facilitating access to treatments for opioid use disorder (OUD), such as buprenorphine. When DEA proposed rolling back some of these flexibilities at the end of the PHE, public opposition saw the agency instead issue two temporary extensions, with the second extension expiring on December 31, 2024.

In June 2024, DEA transmitted a new draft proposed rule on telemedicine prescriptions to the Office of Management and Budget for review. But this proposal — which reportedly includes a more restrictive special registration system — has not been published in the Federal Register.

With the expiration of the telemedicine flexibilities looming, DEA has now issued a third extension through December 31, 2025. The agency notes the extension will protect access to care, including OUD treatment, while providing more time for DEA to promulgate regulations that “expand access to telemedicine encounters … while effectively mitigating against the risk of possible diversion.”²

Privacy and AI Updates

Utah Office of Artificial Intelligence Engages ElizaChat To Develop Teenage Mental Health Mobile App. On December 2, 2024, the Utah Office of Artificial Intelligence (OAIP), a division of the Utah Department of Commerce, announced that it had executed its first regulatory mitigation agreement with ElizaChat, a company developing an app that schools can offer to teenage students to enable them to improve their mental wellness. According to the OAIP’s press release, the objective for the app is to facilitate discussions around enhancing teens’ relationships and improving teens’ ability to manage emotions and set personal goals.

The OAIP was established through legislation, Utah SB149, to enhance trust and innovation in AI technologies across Utah by coordinating with businesses, academic institutions, and other interested parties.

The OAIP has authority to enter into regulatory mitigation agreements with businesses, and in some cases relevant state regulators, regarding the businesses’ permissible use of AI in Utah. Among the possible terms of such agreements are limited exemptions from state laws and reduced fines for certain regulatory violations, to the extent needed to foster responsible AI development. Each of these agreements is to be negotiated individually based on the OAIP’s mission to balance AI innovation and safety.

Consistent with these guidelines, the new agreement with ElizaChat requires the company to implement a robust internal safety protocol, including for escalating severe cases of teen mental health problems to trusted adults. To the extent a teen’s communications through the app appear to call for responses that only a licensed therapist could legally provide, ElizaChat must connect the app user with such a therapist (the app is designed to complement, not replace, human therapists and personal relationships). According to OAIP’s announcement, ElizaChat will pilot the planned app with trusted testers and will then expand its user base to ensure safety throughout the deployment.

OAIP is inviting other companies that develop AI products and might be interested in negotiating a regulatory mitigation agreement to email them at ai@utah.gov.

Policy Updates

CMS Nominee Dr. Oz Sees Value in Digital Health Tools. Since the November 5, 2024 election, President-elect Trump’s transition team has worked quickly to fill key federal nominations, including nominating Dr. Mehmet Oz as the Administrator for the CMS. Dr. Oz has previously discussed his support for digital health innovation, including the expansion of telehealth services and AI. Dr. Oz reportedly invested in numerous digital health businesses, including heart monitoring stopwatch company iBeat, digital health company Sharecare, and remote patient monitoring company 100Plus.

House Republicans Encourage CMS To Revamp Reimbursement for Digital Health Software. On November 7, 2024, Reps. Vern Buchanan (R-FL), David Schweikert (R-AZ), and Michelle Steel (R-CA) sent a letter to CMS with concerns that the agency’s existing PE methodology creates “significant barriers to the uptake of digital health innovations.” The lawmakers urge CMS to change its existing PE methodology so that providers can receive higher reimbursement for SaMD rather than as an indirect PE.

Medicare Coverage for FDA Breakthrough Devices Could Cost Billions. On November 18, 2024, the Congressional Budget Office (CBO) published a budgetary score for the Ensuring Patient Access to Critical Breakthrough Products Act (H.R. 1691), which would require Medicare coverage and reimbursement for medical devices approved via the FDA’s Breakthrough Devices Program during a four-year transition period. CBO estimates the bill would increase the cost of the federal deficit by nearly $1 billion over 10 years. While members like Reps. Brad Wenstrup (R-OH), Suzan DelBene (D-WA), and 88 other bipartisan House members are advocating for this bill to pass, the high projected costs may complicate future progress.

Senators Release Bipartisan Health Care Cybersecurity Bill. On November 22, 2024, Senate Health, Education, Labor and Pensions Committee Ranking Member Bill Cassidy (R-LA) and Sens. Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) released bill text for the Health Care Cybersecurity and Resiliency Act, which came as a product of the Senators’ ongoing cybersecurity working group. Although the bill is expected to be a starting point for negotiations heading into a new Congress next year and will likely evolve, this current version would: (1) provide federal grants to health entities who improve cyberattack prevention through best practices training; (2) support rural health centers by providing cybersecurity best practices from federal agencies; (3) improve federal agency coordination between the HSS and the Cybersecurity & Infrastructure Security Agency; (4) modernize federal regulations so that entities covered under the Health Insurance Portability and Accountability Act use the highest quality cybersecurity practices; and (5) require HHS to develop and implement a cybersecurity incident response plan.

FTC Updates

FTC Likely To See a Pro-Innovation Approach To AI Under Chair Designee Andrew Ferguson. On December 10, 2024, President-elect Donald Trump announced FTC Commissioner Ferguson will replace current FTC chair Lina Khan. Ferguson, who has been serving as one of the two Republican FTC Commissioners since April 2024, has indicated through various statements that he is likely to take a pro-innovation stance with respect to AI, while remaining critical of online data practices. Notably, in a statement regarding the FTC’s September 2024 staff report on social media and video streaming services, Ferguson cautioned that the “pro-regulation side of the AI debate” is “the wrong one” and that “[a] knee-jerk regulatory response will only squelch innovation, further entrench Big Tech incumbents, and ensure that AI innovators move to jurisdictions friendlier to them — but perhaps hostile to the United States.” However, Ferguson appears to share his fellow Commissioners’ concerns with respect to data practices calling it the “online privacy crisis” and noting it is “alarming” the extent to which social media and video streaming services have been collecting, aggregating, disclosing, and indefinitely storing their users’ private data.

EU and UK News

Regulatory Updates

The UK Medicines and Healthcare products Regulatory Agency Launches a Consultation on the Medical Device Regulations. The consultation seeks input on the development of a risk proportionate medical devices regime that is aligned with international best practice, while ensuring requirements on safety are met and that the UK continues to promote innovation. In particular, there are a number of proposals on the up-classification of software, similar to the EU regime. There are also provisions on the international reliance procedure for medical devices that includes a number of exclusions for software (see our May 2024 Blog). The consultation closes on January 5, 2025.

MedTech Europe Publishes Recommendations on the Future of Medical Technology Frameworks. The recommendations, prepared by the European trade association for the medical technology industry, MedTech Europe, alongside other industry associations, aim to create a sustainable regulatory environment that fosters safety and innovation in medical technology. This is part of the broader comments from stakeholders on amendments to the EU regime, as set out in our October 2024 Blog. MedTech’s recommendations include: (1) short term measures that should be implemented without delay (including introducing accelerated pathways for breakthrough innovation or ensuring a harmonized interpretation and application of the EU Medical Devices Regulation and EU In Vitro Diagnostic Medical Devices Regulation) and (2) a mid-term measure of developing a unified governance structure for health technologies to address fragmentation and improve efficiency.

Consultation on Guidelines on the EU AI Act’s Prohibitions and AI System Definition. Launched by the European Commission’s AI Office, the consultation seeks input on the implementation of the EU AI Act’s definition of AI systems and the prohibited AI practices under the EU AI Act that pose unacceptable risks. The feedback will inform the Commission’s guidelines, expected in early 2025, aimed at assisting national authorities and AI providers to comply with the EU AI Act (which will apply from February 2, 2025). The consultation closed on December 11, 2024.

UK Government Publishes a Report on Assuring a Responsible Future for AI. The report sets out the actions that the government will take in order to mitigate risks and drive adoption of safe and responsible AI. The first action is to develop an AI Assurance Platform, which will provide information on AI assurance and resources to support startups and small- and medium-sized enterprises, and which will draw on existing AI-related standards and frameworks, including the EU AI Act. The government will also provide a roadmap in order to boost supply of third-party AI assurance and support research. Lastly, the government will develop a tool to enhance interoperability of AI assurance.

MHRA Publishes Information on the AI Airlock Pilot Cohort. The AI Airlock, as discussed in our June 2024 digest and our May 2024 Blog, is a regulatory sandbox for AI medical devices. The updated information from the MHRA sets out details of the five candidates that have been selected for the sandbox and provides an overview of the products.

Reimbursement Updates

Danish Health Applications Committee to Assess and Recommend Digital Health Applications. Following a meeting on November 6, 2024, the committee has determined the criteria by which health apps will be assessed, and published the application form. The assessment comprises four criteria, including evidence of clinical effectiveness (with guidance provided for CE marked and non-CE marked devices), usability (as the health app should meet the users’ needs and expectations), price (which must be proportionate to the effect that the health app is expected to deliver), and value to society (as the health app is expected to contribute to solving health and social challenges). It is anticipated that the assessment will be adapted as technology advances and the health application market develops. Apps that are recommended by the committee will be listed on Sundhed.dk, a well-known Danish public health website. Organizations who offer the health app may apply through the online form, following which the committee will carry out their assessment, using external experts if required, and may request follow-up information before discussion at a board meeting.

The UK National Institute for Health and Care Excellence (NICE) Publishes Recommendations on the Implementation of a Sandbox Approach in Health Technology Assessments. NICE sets out the key recommendations for implementation of a sandbox approach in health technology assessments (HTA) in this Blog post, further to the paper published on November 4, 2024. A sandbox provides a controlled environment for new products and ideas to be explored in order to support HTA agencies in keeping up with technological developments. NICE recommends that HTA agencies use sandboxes to prepare for and anticipate future challenges, focusing on those challenges that are expected to have technical rather than, for example, ethical solutions. Digital health is identified as such an area, and NICE also points to its current HTA lab projects including AI in HTA discussed in our September 2024 digest.

Privacy and Cybersecurity Updates

MedTech Europe Publishes Recommendations on EU Health Care Cybersecurity Action. MedTech Europe and the European trade association representing medical imaging, radiotherapy, health information and communication technologies, and electromedical industries (known as COCIR), have prepared recommendations following the upcoming European action plan on the cybersecurity of hospitals and health care providers announced by the commission president. The recommendations aim to strengthen the cybersecurity resilience of Europe’s health care systems by (1) increasing cybersecurity capacity and expertise in health care; (2) addressing risks posed by outdated medical technologies and software; (3) raising awareness and engaging stakeholders on cybersecurity in health care; (4) developing guidelines for the implementation of the NIS2 Directive in health care; (5) supporting a secure European cloud ecosystem for health care; and (6) integrating cybersecurity considerations in health care procurement.

IP Updates

UK Supreme Court Grants Leave to Appeal on Patentability of AI Inventions. Following the Court of Appeal decision mentioned in our September 2024 digest, it has been reported that the Supreme Court has granted Emotional Perception leave to appeal in Comptroller-General of Patents, Designs and Trade Marks v. Emotional Perception AI Limited [2024] EWCA Civ 825.

As reported in the December 2023 digest, the invention in question concerned an Artificial Neural Network (ANN), which the Intellectual Property Office of the United Kingdom (UKIPO) found was subject to the exclusion to patentability in the Patents Act 1977, concluding that an ANN was “a program for a computer … as such.” The High Court later overturned the UKIPO’s decision, but the Court of Appeal subsequently reversed the High Court decision, finding that an ANN was a computer, and the weights and biases of the particular ANN in question constituted a computer program, excluding the invention from patentability as it lacked a technical contribution unrelated to the computer program.

Readers of the digest and digital health innovators considering filing patent applications for inventions involving ANNs should note that the law on the patentability of such inventions may be subject to change following the consideration of this case by the High Court. In the interim, the UKIPO guidance that “patent examiners should treat ANN implemented inventions like any other computer implemented invention” still stands. Future digests will report on any further updates in these proceedings in due course.

*The following individuals contributed to this Newsletter:

Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Amanda Cassidy is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Amanda is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Katie Brown is employed as a policy advisor at Arnold & Porter’s Washington, D.C. office. Katie is not admitted to the practice of law.
Joy Wee is a trainee solicitor at Arnold & Porter’s London office. Joy is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.