Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during December 2024 and early January 2025 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Privacy and AI Updates
• Policy Updates

U.S. Featured Content

The U.S. Department of Health and Human Services recently proposed significant modifications to the security regulations implementing the Health Insurance Portability and Accountability Act (the HIPAA Security Rule). The proposed modifications would impose numerous new requirements on HIPAA-regulated entities to enhance their protection of the confidentiality, integrity, and availability of electronic “protected health information” (ePHI). These requirements will impact the flow of ePHI by hospitals, clinics, health insurers, and entities acting as “business associates” of those “covered entities,” affecting digital health at numerous levels. Comments on the proposed rule are due no later than March 7, 2025.

EU and UK News

• Regulatory Updates
• Reimbursement Updates
• Privacy and Cybersecurity Updates
• IP Updates

EU/UK Featured Content

The emerging trends in digital health in 2024 have been highlighted in IQVIA’s recent report. The IQIVA report is a yearly summary of digital health trends and gives a good snapshot of the market. The latest report notes that Germany continues to lead in its approval and reimbursement of digital therapeutics, followed by the United States and UK. There are also interesting differences in countries’ preferences for standalone therapies versus blended therapies and care solutions. The report also notes increases in sensor-based digital measures and digital endpoints in clinical trials.

U.S. News

Health Care Fraud and Abuse Updates

Telehealth Company Agrees To Pay $386,000 To Resolve Medicare Overbill Allegations. On January 3, 2025, the United States Attorney’s Office for the Western District of Kentucky announced that CompreCare Health LLC, and its affiliates, doing business as Meditelecare LLC, agreed to pay $358,514 to resolve overbilling allegations. The U.S. Department of Justice (DOJ) alleged that between January 2017 and November 2022, Meditelecare submitted and caused submission of claims to Medicare of telehealth services which failed to meet minimum time requirements for payments. The DOJ also alleged that Meditelecare relied on false time reports in support of these claims for telehealth services. The settlement agreement arises from a federal whistleblower suit filed in Bowling Green, Kentucky.

Montana Doctor Sentenced to Six Months in Prison for Medicare Telemedicine Conspiracy. On December 13, 2024, Ronald David Dean, a Montana physician, was sentenced to six months in prison followed by six months of home confinement after admitting to defrauding Medicare and other federal government health programs through a telemedicine conspiracy. The DOJ alleged that between January 2022 and July 2022, Dean was paid by a telemedicine company to sign orders for durable medical equipment, including braces and COVID-19 tests, that patients did not need. The defendant then charged Medicare, CHAMPVA, and the Railroad Retirement Board programs for telemedicine visits that did not occur. Dean’s scheme resulted in $31,432,000 of fraudulent claims being billed to Medicare, CHAMPVA, and the Railroad Retirement Board programs, of which $13,785,724 was paid.

These charges are a part of the DOJ’s 2024 National Health Care Fraud Enforcement Action, as described in further detail in our July 2024 digest.

Corporate Transactions Updates

New Year, New Mergers Funded by Digital Health Venture Capital Power Players. On January 8, 2025, Denver-based digital health company Transcarent announced it would acquire on-demand health benefits platform Accolade (NASDAQ:ACCD) for approximately $621 million, or $7.03 per share, in a take-private deal backed by General Catalyst and 62 Ventures, a fund created by Transcarent’s CEO. The combination of Transcarent, a digital health company known for its use of generative artificial intelligence (AI) to streamline health care benefits and physician guidance, and Accolade, a digital health platform that focuses on connecting employees to health benefits and affordable health care providers, promises to enhance Transcarent’s mission to provide a single platform for patients to access benefits navigation, clinical guidance, and care delivery. After the acquisition, the new combined company and platform will boast over 18 million members. The purchase price represents a value of more than twice Accolade’s market value on the day prior to the announcement and is expected to close in the second quarter of 2025.

Also on January 8, 2025, New York-based health care analytics company H1 closed its acquisition of Ribbon Health, a startup backed by General Catalyst that helps patients find doctors who participate in their insurance. Ribbon Health’s platform will “join the H1 family of products as H1 for Health Plans & Digital Health,” which provides insurers, providers, and digital health companies including Transcarent, a customer of Ribbon Health, with provider data. While the deal’s specific financial terms have not been disclosed, the transaction involved a mix of cash and stock options.

Privacy and AI Updates

The U.S. Department of Health and Human Services (HHS) has proposed major updates to the HIPAA Security Rule to strengthen protections for electronic protected health information. These changes aim to address growing vulnerabilities in digital health systems, including hacking and ransomware, by closing gaps in existing data protection measures. The proposed rule impacts hospitals, clinics, health insurers, as well as service providers (“business associates”) of those “covered entities” handling ePHI. Public comments on the proposed rule are due by March 7, 2025.

Key proposed changes include requiring HIPAA-regulated entities to:

• Maintain a technology asset inventory and a network map, updated annually or sooner to address operational changes affecting ePHI.
• Encrypt and decrypt ePHI using prevailing cryptographic standards.
• Establish contingency plans to restore critical electronic systems and data within 72 hours of loss.
• Implement anti-malware protection and removing extraneous software.
• Use multi-factor authentication for access to ePHI, with limited exceptions.
• Conduct vulnerability scans every six months and penetration testing annually.

HHS is also seeking input on how emerging technologies such as quantum computing, AI, and virtual/augmented reality impact the security and integrity of ePHI. The department has requested feedback on, for example, whether the proposed rule adequately addresses these technologies, what modifications may be needed, and what additional tools could protect ePHI in future technological landscapes.

The proposed updates reflect the evolving cybersecurity landscape and aim to enhance measures to protect ePHI from unauthorized access, exfiltration, destruction, manipulation, or other tampering in light of new technologies. Comments can be submitted electronically via regulations.gov by the March 7, 2025 deadline.

Policy Updates

Trump Administration Promises Shift in AI Policies and Regulations. President Trump has pledged to rescind President Biden’s October 2023 executive order on AI, signaling significant changes to AI policy under the new administration and Republican-controlled Congress. In November 2024, House Energy & Commerce Chair Brett Guthrie (R-KY) and other Republicans urged HHS to reduce federal AI regulation. On December 30, 2024, the Congressional Research Service published a report on AI in health care, addressing key topics like AI’s role in prior authorization, patient privacy, and regulatory requirements for AI-developed products.

Congress Averts Federal Shutdown, Passes Funding Bill and Telehealth Flexibilities. In December 2024, bipartisan negotiations led by House Speaker Mike Johnson (R-LA) failed to pass a Continuing Resolution (CR) that included health care provisions like Medicare telehealth flexibilities and pharmacy benefit manager reforms. A revised CR with a two-year debt limit increase also failed in a House vote. However, on December 20, 2024, Congress passed the American Relief Act, a CR funding the government through March 14, 2025, and extending telehealth flexibilities until March 31, 2025. The bill was signed into law by President Biden, averting a government shutdown.

HHS Releases Regulatory AI Framework. On January 10, 2025, HHS released the AI Strategic Plan, outlining priorities for responsible AI use in health care, public health, and medical research. The plan emphasizes collaboration with federal agencies, industry, and academia while addressing workforce and privacy challenges. Key domains include medical research, product development, and health care delivery.

HHS Hires New Chief AI Officer. HHS appointed Dr. Meghan Dierks as Chief AI Officer on January 13, 2025. Previously with the FDA and Komodo Health, Dr. Dierks will lead efforts to align AI initiatives across federal agencies and advance AI-driven innovations in health care.

EU and UK News

Regulatory Updates

MHRA Publishes a Revised MedTech Roadmap. The roadmap highlights policy areas that the Medicines and Healthcare products Regulatory Agency (MHRA) would like to develop, including in relation to Software as a Medical Device and AI. In relation to new regulations for post-market surveillance, the roadmap states that this is targeted to come into force around July 2025, with guidance being published in June.

The roadmap also sets out that the focus for the new regulations on pre-market requirements in the first quarter of 2025 will be on publishing responses to assimilated EU law, laying down the Statutory Instrument and bringing this into law, as well as publishing responses to the consultations. The Parliamentary debates are expected to occur at the end of the year, with the new regulation entering into force early 2026.

Further, in the first half of 2025, the MHRA aims to publish separate guidance regarding Good Machine Learning Practice, AI development and deployment, Software as a Medical Device for Cybersecurity, and digital mental health technologies.

UK National Health Service Using AI to Assist in Ensuring Patients Receive Help at an Earlier Stage. This program aims at identifying individuals who are frequent users of emergency services to assess why they are presenting for care so frequently and to help resolve the situation by offering immediate preventative care. The AI-powered prediction software uses routinely collected hospital data to identify patients who require immediate preventative support to avoid future, unplanned visits to the hospital.

Reimbursement Updates

IQVIA Publishes Report Outlining the Digital Health Trends of 2024. The report examines key trends in digital health, including in relation to digital therapeutics (DTx). It found that DTx are offered as standalone products in some countries, whereas in others there is a preference for digital care solutions. Germany is leading globally in the approval and reimbursement of prescription DTx as standalone products. In the UK, digital care solutions seem to be preferred as a blended therapy, several of which have been endorsed by the National Institute for Health and Care Excellence (NICE). DTx have, for example, been applied in relation to weight management programs alongside obesity medication, and digital care programs have been used to reduce waiting lists for traditional care for obesity by distributing patients to various levels of care.

In relation to digital tools for disease assessment, risk screening tools are expected to have the greatest impact in enabling a faster diagnosis as they have potential to reach large numbers of patients. NICE has recommended AI-based tools for detecting skin cancers in primary care to assess whether referral to a specialist is appropriate. NICE found that AI has a proven track record of improving accuracy in detecting melanoma compared to the standard of care. At the same time, it recognizes that more real-world practical testing and further data in relation to minority groups is needed. Remote monitoring tools have grown significantly, and have proven valuable for health providers to remotely track chronic and high risk condition patients, and personalize their care. This increase has led to developing accelerated reimbursement pathways for remote monitoring tools in Germany and France.

The report also examines trends in consumer health apps, sensor-based digital measures, digital diagnostics and health assessment tools, and uptake of digital health technologies.

Privacy and Cybersecurity Updates

UK’s Information Commissioner’s Office (ICO) Publishes Report Based on Responses to Its Consultations on Generative AI. The report primarily focuses on the ICO’s policy positions in relation to the legal basis for data scraping on the web in order to train generative AI models and the integration of data subjects’ rights into generative AI models. The ICO revised its position regarding legitimate interest as a legal basis for web scraping when training generative AI, emphasizing the need for transparency by AI developers. Any Terms of Use with deployers of AI will need to contain effective data protection measures and must demonstrate that these measures are met. Further, the ICO updated its stance on how individual’s rights are integrated into generative AI, including that organizations relying on Article 11 of UK’s General Data Protection Regulation regarding processing that does not require identification, will need to justify that this is appropriate, and demonstrate that people cannot in fact be identified. People must also be given the chance to provide further information in order to enable identification.

Seven Sites Have Been Selected To Host the First European AI Factories. The selection of the sites was made by the European High Performance Computing Joint Undertaking, a joint initiative between the EU, EU countries, and private partners. Set to be deployed during 2025, the AI factories are expected to drive innovation by fostering new industrial applications of AI in sectors such as health care. They will also provide industry access to AI-optimized high-performance computing resources, experimental platforms, and other advanced AI tools.

IP Updates

Unified Patent Court Revokes Third Dexcom Patent in Ongoing Continuous Glucose Monitoring Dispute. On December 11, 2024, the Paris Local Division of the Unified Patent Court (UPC) dismissed Dexcom Inc.’s infringement claim against Abbott, revoking Dexcom’s patent EP3831282, titled “Remote Monitoring of Analyte Measurements.” The court found the patent obvious and rejected auxiliary amendment requests for added matter. Adopting a “whole-content approach,” the court assessed whether a skilled person would find new technical information beyond what was directly and unambiguously derivable from the original application. It concluded that amended claim 1 extended beyond the earlier application. This marks the third Dexcom patent revoked in the global continuous glucose monitoring dispute with Abbott, showcasing the UPC’s growing influence on medical device patent litigation strategies. This dispute, which we reported on in our July 2024 and September 2024 digests, highlights the emerging role of the UPC in reshaping global patent litigation strategy for medical device patents.

UK Government Launches Consultation on Copyright and AI. The UK government has launched a consultation for views on how to deliver a copyright and AI framework solution that balances AI developer’s access to copyright content with rights holders’ protections. Proposals will be evaluated on their ability to: (1) give rights holders control, (2) enable lawful AI development, and (3) improve trust and transparency between AI sector and rightsholders. This consultation is significant for industries using AI in health care, including diagnostics, patient management, and drug discovery. The consultation will run until February 25, 2025.

European Patent Office (EPO) Publishes Patent Insight Report on Assistive Robotics. On December 3, 2024, the International Day of Persons with Disabilities, EPO published a report analyzing trends in assistive robotics patents for individuals with special needs. Based on over 25,000 inventions filed in over 80 countries, the report highlights a 20-fold growth in patent filings since 2000, far outpacing other technical fields.

*The following individuals contributed to this Newsletter:

Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
 Joy Wee is a trainee solicitor at Arnold & Porter’s London office. Joy is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.