Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during January and early February 2025 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• FDA Regulatory Updates
• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Provider Reimbursement Updates
• Privacy and AI Updates
• Policy Updates

U.S. Featured Content

On February 6, 2025, the National Science Foundation, on behalf of the Office of Science and Technology Policy, released a Request For Information (RFI) related to the development of the Trump administration’s “AI Action Plan.” The RFI is broad, seeking input on artificial intelligence (AI)-related priorities from academia; industry groups; private sector organizations; state, local, and tribal governments; and any other interested parties. The RFI encourages respondents to address “any relevant AI policy topic,” including, for example, AI application and use, explainability and assurance of AI model outputs, cybersecurity, and data privacy and security throughout the lifecycle of AI system development and deployment. RFI submissions are due by March 15, 2025.

EU and UK News

• Regulatory Updates
• Liability Updates
• Privacy and Cybersecurity Updates
• IP Updates

EU/UK Featured Content

There have been some useful international guidance documents published this month from the International Medical Device Regulators Forum (IMDRF). These include Guiding Principles on Good Machine Learning Practices (GMLP) that build on the principles previously set out by the U.S. Food and Drug Administration (FDA), UK Medicines and Healthcare products Regulatory Agency (MHRA), and Health Canada, and guidance on characterization and risks of medical device software. The continued development of international guidance in this area highlights the importance of coordination between regulatory authorities and standardized guidance for these products. There have also been important developments in ongoing litigation relating to digital technologies, although whether these developments provide clear guidance to manufacturers remains to be seen.

U.S. News

FDA Regulatory Updates

FDA Denies Citizen Petition Asking to Rescind the 2022 Clinical Decision Support (CDS) Software Functions Final Guidance. On January 17, 2025, FDA replied to two citizen petitions submitted by the CDS Coalition, the first being a 2016 petition requesting FDA issue guidance on FDA’s policies for CDS software, and the second a 2023 petition in which the CDS Coalition requested FDA rescind the agency’s 2022 final guidance on CDS software functions. In the 2023 petition, the CDS Coalition had taken issue with certain aspects of FDA’s interpretation of the 21st Century Cures Act CDS exemption. In responding to the petitions, FDA found the CDS Coalition’s 2016 petition to be moot and denied their 2023 petition requests.

FDA Alerts Patients and Their Caregivers to Reports of Missed Alerts From Diabetes Devices. On February 5, 2025, FDA issued an alert to patients who use diabetes devices and their caregivers regarding reports where users of such devices did not receive or did not hear alerts from their smartphones. In the alert, FDA identifies certain configurations, changes, and updates that could lead to critical alerts not being received as expected and also recommends steps that patients, caregivers, and health care providers can take to help prevent missed alerts.

FDA also explains that the agency is working with manufacturers to ensure (1) that smartphone alert configurations of their diabetes-related medical devices are carefully evaluated before use by patients and (2) that settings in smartphones and mobile medical apps that may impact safety alerts are continuously tested, and any updates to recommended configurations are communicated quickly and clearly to users.

Former FDA Commissioner Expresses Concerns About FDA’s CDS Software Guidance. On February 6, 2025, the Journal of the American Medical Association Health Forum published an article by Scott Gottlieb, former Commissioner of FDA. In the article, Gottlieb expresses concerns that under FDA’s current CDS software guidance, integrating AI functionality into an electronic medical record (EMR) could result in the EMR being considered a medical device. Gottleib suggests that FDA return to the intent of the 21st Century Cures Act and the agency’s policies from 2017 to 2019.

Health Care Fraud and Abuse Updates

Iowa Health Care Practitioners Involved in a Telemedicine Scheme Agreed to Pay $150,000 to Resolve Civil Allegations. On January 16, 2025, in separate enforcement actions in the Southern District of Iowa, two health care practitioners entered into civil settlement agreements to resolve False Claims Act allegations. In both cases, health care practitioners participated in telemedicine schemes where they placed orders based on cold calls to Medicare beneficiaries.

From October 2021 to November 2022, Iowa nurse practitioner Cori Lempiainen placed orders for orthotic braces and other unnecessary durable medical equipment, resulting in over 650 false Medicare claims without any patient contact. Lempiainen agreed to pay $150,000 to resolve the Medicare overbilling claims.

Similarly, from May 2022 to August 2022, Idaho doctor Paul Baumert billed Medicare for office visits and medical discussions that did not occur. During this same time period, Baumert placed orders for orthotic braces and other unnecessary durable medical equipment resulting in 380 false claims billed to Medicare. Baumert agreed to pay $14,325.96 to resolve these allegations.

Corporate Transactions Updates

Not Just a Pandemic Fad: Continued Deal Activity Suggests Digital Health Sector Still a Cash Cow. As the COVID-19 pandemic faded, there was speculation that the digital health industry would similarly wane. Nearly five years after the onset of the pandemic, digital health is still entrenched in the health care system and appears to be booming with potentially lucrative strategic partnerships and acquisitions.

On February 5, 2025, Teladoc Health, a top telemedicine provider by market share, announced it would acquire at-home testing startup Catapult Health in an all-cash deal worth $65 million, with up to $5 million in additional contingent earnout consideration. Teladoc Health plans to leverage Catapult Health’s at-home health care offerings platform, VirtualCheckup, which allows patients to collect blood samples, check blood pressure, and obtain other health screening data from home to enhance telehealth visits. The acquisition, which will build on Teladoc Health’s 93-million-member base, is expected to close by the end of March 2025. This announcement comes less than a month after Teladoc Health shared its partnership with Amazon Health Services, which will allow Amazon Health Services customers who are eligible for Teladoc Health’s virtual cardiometabolic programs to enroll in benefits available through their employer or health plan at no extra cost via Amazon’s health benefits connector.

On February 6, 2025, DarioHealth Corp. (Nasdaq: DRIO), a digital health company specializing in chronic condition management, announced its new partnership with a Blue Cross Blue Shield (BCBS) health plan. The partnership allows DarioHealth Corp. to integrate its AI-powered coaching and monitoring tools into BCBS’ offerings. DarioHealth Corp. has framed this partnership as a strategic move to secure a spot in the cardiometabolic disease care market, which is projected to surpass $1.2 trillion by 2033.

Provider Reimbursement Updates

Medicare Administrative Contractors Await Telehealth Guidance. As we covered in our January 2025 Digest, in December 2024, Congress extended Medicare telehealth flexibilities through March 31, 2025. Because these flexibilities were set to expire at the end of 2024, they were not included in the Physician Fee Schedule for 2025. Despite the 90-day extension, the Centers for Medicare and Medicaid Services has yet to release guidance updating payment codes for the telehealth services extended through March, which has created an uncertain reimbursement landscape.

Drug Enforcement Administration Proposes Special Registration Framework for Telehealth Prescribing. In the final days of the Biden administration, the U.S. Drug Enforcement Administration (DEA) proposed a special registration framework to allow the prescription of controlled substances through telehealth, incorporating several more restrictive requirements compared to the telehealth flexibilities established during the COVID-19 Public Health Emergency (PHE).¹

As we covered in our December 2024 Digest, for the third time, DEA extended temporary exceptions originally authorized under the COVID-19 PHE regarding the prescription of controlled substances via telehealth through December 31, 2025. DEA stated the extension would provide time for the agency to develop final regulations on the issue.

DEA proposes three types of special registrations for telemedicine (Telemedicine Prescribing Registration, Advanced Telemedicine Prescribing Registration, and Telemedicine Platform Registration), under which clinician practitioners, certain specialized clinician practitioners, and telemedicine platforms would need to apply to prescribe or dispense controlled substances via telehealth without a prior in-person evaluation. Such special registrations would be limited to practitioners who demonstrate a “legitimate need” to prescribe controlled substances through telehealth; authority to prescribe Schedule II controlled substances would be reserved for only the “most compelling” use cases.²

DEA proposes several restrictions regarding special registration prescriptions. For example, prior to issuing a telehealth prescription, special registrants would be required to check prescription drug monitoring programs (PDMPs) in all 50 states and any U.S. district or territory that maintains its own PDMP.³ Moreover, given the higher potential for abuse and dependence of Schedule II controlled substances, DEA would require that the number of special registration prescriptions for Schedule II controlled substances be less than half of the total number of Schedule II prescriptions issued by the clinician special registrant in their telemedicine and non-telemedicine practice in a calendar month.⁴

It is uncertain whether the Trump administration will finalize these proposals.

On the same day, DEA also issued a final rule authorizing the telehealth prescription of a six-month supply of buprenorphine, a Schedule III narcotic, for use in the treatment of opioid use disorder.⁵ No special registration is required for such prescriptions. The agency also issued a final rule authorizing U.S. Department of Veterans Affairs (VA) practitioners to prescribe controlled substances via telehealth to VA patients without conducting an in-person medical evaluation, provided that another VA practitioner has, at any time, previously conducted an in-person medical evaluation.⁶

Privacy and AI Updates

Trump Administration Requests Input on Development of AI Action Plan. On February 6, 2025, the National Science Foundation, on behalf of the White House Office of Science Technology and Policy, issued an RFI on the development of an “AI Action Plan.” As stated in the RFI, the AI Action Plan is to be developed pursuant to the executive order issued by President Trump in January, which directed the Assistant to the President for Science and Technology, the White House AI and Crypto Czar, and the National Security Advisor to spearhead the development of an AI Action Plan to further the U.S. policy of “sustaining and enhancing America’s AI dominance in order to promote human flourishing, economic competitiveness, and national security.” The RFI seeks input from interested parties, including industry groups and private sector organizations, regarding priority actions that should be included in the plan. Responses to the RFI are due no later than March 15, 2025.

National AI Advisory Committee Issues AI Policy Recommendations. The National AI Advisory Committee, a committee established under the National Artificial Intelligence Initiative Act of 2020, recently released a draft report outlining “near-term actionable steps” that the Trump administration can take to “advance shared AI policy goals that further America’s competitiveness and leadership” and to “initiate a sustained dialogue with the administration’s AI leadership.” The draft report recommends solutions for 10 priority AI policy issues, including those relevant to AI in science and health, and AI governance.

• AI in Health: The draft report recommends that the National Science and Technology Council Select Committee on AI establish a subcommittee on health care focused on the “safe, responsible use of linked, longitudinal clinical and administrative personal health information.” Expanding the availability of health data for AI model development, the draft report contends, can help “unleash” a marketplace of AI-powered tools to “detect disease progression, personalize recommendations, uncover rare patterns in health data, and accelerate research.”
• AI in Science: The draft report recommends that the Trump administration develop an AI funding strategy for evaluating AI investments by federal agencies such as the National Institutes of Health. The draft report identifies several ways in which to advance national priorities for AI in science, including “[e]xpanding AI expertise across a wider spectrum of scientific inquiry to enrich human capital within industry, government, academic, and nonprofit spheres.”
• AI Governance: The draft report advocates developing evaluation practices that provide baselines for AI model security, and increasing funding to support the AI Safety Institute’s “capacity to advance robust evaluation of AI and the science of AI safety.”

Policy Updates

Senate Confirms RFK Jr. as HHS Secretary. On January 29 and 30, 2025, the Senate Finance and HELP Committees considered Robert F. Kennedy Jr.’s nomination as U.S. Department of Health and Human Services (HHS) Secretary, and Senate Finance subsequently voted in favor of his nomination in a 14-13 party-line vote on February 4, 2025. RFK Jr. was then confirmed by the Senate on February 13, 2025. As head of HHS, Sec. Kennedy said he would promote the use of AI and eliminate “unnecessary regulatory barriers” for innovators. While not committing to support its permanent extension, Sec. Kennedy spoke favorably about telehealth’s potential for rural and underserved communities.

California Attorney General Issues Legal Advisories on AI Compliance. On January 13, 2025, California Attorney General (AG) Rob Bonta issued two legal advisories providing guidance to businesses that develop, see, and use AI about their obligations to follow California law. The California AG specifically notes that “AI systems are already widespread within healthcare” and that entities must ensure their AI systems comply with laws protecting consumers. The advisories provide guidance on the application of several existing California laws to AI use in health care, including California’s consumer protection and professional licensing laws, anti-discrimination laws, and patient privacy laws. The advisories identify various practices involving AI that may be unlawful in California, including denying health insurance claims using AI in a manner that overrides doctors’ views about necessary treatment, using generative AI to draft patient notes that include wrong or misleading information, and determining patients’ treatments using AI systems that make predictions based on past health care claims data. The AG’s advisories emphasize the importance of being transparent about what patient data is being used in AI systems and ensuring those systems are trained and validated to maintain patient safety and minimize bias.

EU and UK News

Regulatory Updates

International Medical Device Regulators Forum Publishes Guiding Principles on Good Machine Learning Practices in Medical Device Development. Intended to promote GMLP and foster collaboration, the 10 principles highlight the importance of using representative datasets with separate sets for training and testing, as well as ensuring that the model design is suited to the data and the intended use of the device. Other principles include that the intended use of the device should be clearly defined and aligned with the context in which it will be used. This follows an earlier consultation, set out in our July 2024 Digest, and the principles previously published by the MHRA, FDA, and Health Canada.

IMDRF Publishes Guidance on Characterization Considerations for Medical Device Software and Software-Specific Risk. The guidance is aimed at ensuring clear and accurate characterization of medical device software, including developing the intended use statement. It also sets out a general strategy for characterizing software-specific risks.

MHRA Publishes Guidance Aimed at Manufacturers of Digital Mental Health Technologies. The guidance explains how the intended purpose of a mental health technology can be defined and communicated, and outlines key considerations to understand whether the technology is regulated as a medical device. It also provides guidance on how the appropriate risk classification is determined for a device, emphasizing that where mental health is being assessed, it is likely that this would constitute providing a “direct diagnosis,” which would fall within medical device Class IIa.

International AI Safety Report Published. The report, mandated by 30 countries and encompassing 100 independent expert insights, informed discussions at the AI Action Summit in France, which took place on February 10 and 11, 2025. The report addresses the capabilities of AI, including the associated risks and how to mitigate such risks. It identifies areas where further research is needed, such as how AI models can be designed to behave reliably.

Hamburg Higher Regional Court Agrees That a Modified Version of an App Designed to Review Skin Conditions Is Not a Medical Device. In the August 2024 Digest, we reported that the German court of appeal (OLG Hamburg) handed down a decision that considered the status of a dermatologic telemedicine app under the Medical Devices Regulation, and found that the app was a Class IIa medical device. In a recent decision, the Regional Court has confirmed that a modified version of the app, which removed some of the functionality, is significantly different from the original app and therefore can remain on the market. This continuing litigation has been much criticized and discussed given some arguments that are inconsistent with the legislation and guidance. This latest decision is unlikely to be the last.

Liability Updates

Industry Calls on EU Legislators to Withdraw the AI Liability Directive (AILD) Proposal. The call was made by a coalition of industry associations, including the European Federation of Pharmaceutical Industries and Associations and MedTech Europe, warning that the AILD could create legal uncertainty and regulatory burdens for AI. Originally published by the European Commission in 2022, the AILD proposal has been on hold and is now set to be updated by the EU legislators to align with legislative developments, including the EU AI Act. However, industry argues that the AILD overlaps with existing frameworks (such as the Product Liability Directive, the EU AI Act, and the GDPR), and that the AILD is unnecessary in the current legal landscape.

Privacy and Cybersecurity Updates

Council of the European Union Formally Adopts the European Health Data Space (EHDS) Regulation. The EHDS Regulation sets out rules allowing access to electronic health data across the EU for permitted secondary uses (e.g., research) by any natural or legal person, provided that the access request is approved. The regulation also imposes obligations on health data holders, including medical technology companies, to share specific categories of health data (e.g., personal health data automatically generated through medical devices), and to disclose the data they hold. To facilitate the access and sharing of the health data, HealthData@EU, a cross-border platform for secondary data use, has been established. The EHDS Regulation is expected to become law in March 2025, and will apply gradually, with provisions on secondary use taking effect as of March 2029.

EU Action Plan to Strengthen Cybersecurity in the Health Sector Published. Aimed at improving detection, preparedness, crisis response, and protection from cyber threats in hospitals and health care providers, the action plan builds on existing frameworks such as the NIS2 Directive. Some measures planned for 2025 and 2026 include developing a regulatory mapping tool, a European known exploited vulnerabilities catalogue for medical devices, a framework for cybersecurity maturity assessments, and guidelines on critical cybersecurity practices and procurement in health care. The plan also includes pilot projects to develop best practices for cyber hygiene and security risk assessment, along with an EU-wide early warning subscription service for near-real-time alerts on emerging cyber threats.

IP Updates

Abbott and Dexcom Settle CGM Patent Disputes. In December 2024, Abbott and Dexcom announced they had settled their ongoing global patent disputes regarding continuous glucose monitoring devices. (See our July 2024, September 2024, and January 2025 Digests for further context.)

Although the details of the settlement are confidential, the companies have disclosed that all pending cases will be dismissed and that they will refrain from litigating patent, trade dress, or design right disputes with each other for the next 10 years, with no money changing hands.

*The following individuals contributed to this Newsletter:

Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Amanda Cassidy is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Amanda is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.