Virtual and Digital Health Digest
This digest covers key virtual and digital health regulatory and public policy developments during March and early April 2025 from the United States, United Kingdom, and European Union.
In this issue, you will find the following:
U.S. News
- FDA Regulatory Updates
- Health Care Fraud and Abuse Updates
- Corporate Transactions Updates
- Privacy and AI Updates
- Policy Updates
U.S. Featured Content
Earlier this month, the Congressional Research Service (CRS) published a report raising considerations related to the use of generative artificial intelligence (GenAI), such as any potential underlying bias, testing transparency, workforce impacts, research and development, and regulatory oversight. The report states that Congress might consider whether the deployment of GenAI models in high-risk scenarios, such as mental health therapy, requires restrictions.
EU and UK News
EU/UK Featured Content
The biggest change this month is that as of March 25, 2025, the European Health Data Space Regulation (EHDS Regulation) is now in force. This means that, as it is gradually implemented, companies will be able to request access to electronic health data for health care purposes, including for use in scientific research, and may be required to share certain health data that they hold. The implementation of the EHDS Regulation is likely to raise a number of questions, which future European Commission implementing regulations or guidelines may clarify.
U.S. News
FDA Regulatory Updates
FDA Issues Warning Letter to Manufacturer of Mobile Application. On February 10, 2025, the U.S. Food and Drug Administration (FDA) issued a Warning Letter to Exer Labs, Inc. The Warning Letter relates to the regulatory status of Exer Scan, which is a mobile app that allows health care providers to capture and analyze a patient’s motion to support clinical decision-making. The sponsor markets the app as a 510(k)-exempt device under the 21 C.F.R. 890.5360 classification for “measuring exercise equipment.” FDA asserts that Exer Scan exceeds the limitations to exemption under that classification. FDA explains that while exempt devices under that regulation can “include exercise measurement capabilities,” Exer Scan is being marketed for a different intended use than the use allowed by the exemption because it uses “artificial intelligence-based algorithms to screen, diagnose, and treat musculoskeletal and neurological disorders.” FDA points to related claims on the company’s website. FDA further states that “[p]erforming proprietary analyses of patient data for the screening and diagnosis of specific conditions or disorders represents a new intended use compared to use in rehabilitation or physiotherapy to provide or facilitate exercise rehabilitation and to include exercise measurement capabilities[.]” (emphasis added). Accordingly, FDA concludes that the device is not exempt from premarket notification.
FDA Plans to Incorporate the Digital Health Center of Excellence Into a New Office of Strategic Programs and Innovation. Inside Health Policy obtained a document that indicates that FDA plans to create an Office of Strategic Programs and Innovation, which will combine “OC modernization efforts, FDA Digital Health Center of Excellence, [and] advanced analytics teams.” The document also states that this new office will focus on “cross-agency initiatives, modernization (e.g., artificial intelligence, data analytics), quality management systems, and digital transformation.”
Health Care Fraud and Abuse Updates
Florida Man Sentenced for Electronic Prescribing Fraud Scheme. On March 26, 2025, after pleading guilty to wire fraud and aggravated identity theft, Colton Neal was sentenced to two years and six months in federal prison. The U.S. Department of Justice (DOJ) alleged that between June 2022 and July 2023, Neal used an electronic health record and digital telehealth platform to issue electronic prescriptions. In doing so, Neal allegedly used a physician’s name and National Provider Identifier, which he obtained without permission or consent. Neal’s scheme resulted in approximately 144 prescriptions for controlled substances to individuals across the country.
West Virginia Physician Practice Settles Allegations Related to Incorrect Billing Practices. On April 2, 2025, West Virginia-based Med-Surg Physician Group (Med-Surg) and its owner, Dr. Oluyemisi Sangodeyi, agreed to pay $152,382.70 to resolve allegations that they submitted false claims for payment to Medicare and Medicaid related to telehealth services. DOJ alleged that Med-Surg repeatedly billed for originating site facility fees for telehealth visits when the patient was located at their home. Such facility fees are intended to compensate the facility where a patient is located when the patient connects with an outside provider via telehealth; providers may not bill for this facility fee when the patient is located at home. DOJ alleged that Med-Surg received $76,191 from Medicare and Medicaid as a result of their inappropriate billing practices.
Kansas Doctor Pleads Guilty to Accepting Kickbacks to Commit Health Care Fraud. On April 4, 2025, Dr. Scott Taggart Roethle pleaded guilty to one count of health care fraud. Roethle admitted that he contracted with multiple health care companies as a telemedicine doctor and ordered medically unnecessary durable medical equipment, pain creams, and genetic tests. Roethle admitted to receiving $674,000 in kickbacks from five health care companies and that Medicare paid out at least $1.5 million while relying on his fraudulent orders.
Corporate Transactions Updates
Kandu Health, Neurolutions Merger Brings Brain-Computer Interface Technology to Telehealth Platforms. On April 8, 2025, it was announced that Kandu Health, an artificial intelligence-powered telehealth company, and Neurolutions Inc., a Washington University startup leveraging brain-computer interface (BCI) technology, merged. The merged company will allow users of Kandu Health’s digital, post-discharge support platforms to access Neurolutions’ BCI technology, IpsiHand, which supports stroke patients’ outcomes after they leave the hospital. IpsiHand is the first BCI technology cleared by the FDA for stroke rehabilitation. It differs from other developing BCI technologies because IpsiHand is worn on the head, not implanted in the brain, allowing it to capture brain signals non-invasively.
On the same day as the merger, it was announced that the new combined company raised $30 million in financing. The proceeds will be used to support its ongoing commercialization and mission of supporting stroke recovery at home. The financing was co-led by Ally Bridge Group and AMED Ventures and had participation from other existing investors.
Patient Advocacy Platform Receives $60 Million in Series B Funding. On April 3, 2025, Solace, a digital health platform that connects patients with expert health advocates, announced it closed its $60 million Series B funding round led by Menlo Ventures with participation from previous investors Craft Ventures, Inspired Capital, and Torch Capital. Solace provides patients with support to navigate the complexities of the health care system and aims to make patient advocacy an expected and reimbursable part of the health care experience. Solace is currently covered by Medicare and major Medicare Advantage insurers, including Aetna, Blue Cross Blue Shield, Cigna, Humana, and UnitedHealthcare. Since its launch in 2022, Solace has received total funding of over $85 million, indicating a need in the market for patient advocacy.
Privacy and AI Updates
California Regulations on AI Will Be Less Restrictive Than Initially Proposed. At a meeting on April 4, 2025, the board of the California Privacy Protection Agency, which is charged with issuing regulations under the California Consumer Privacy Act (CCPA), reportedly decided to withdraw certain aspects of the regulations it proposed late last year on permissible uses of artificial intelligence (AI) by entities subject to the CCPA. The agency apparently was persuaded by interested businesses, particularly those in the technology sector, that its proposed rules were unnecessarily restrictive and costly to implement and would stifle artificial AI innovation.
Among the changes the agency determined were appropriate was a narrowing of the definition of a “significant decision” made with the use of AI. The CCPA, like other state laws, gives consumers the right to access information related to “significant decisions” made about them using AI and to opt out of the use of their personal information for such AI-based decision-making. The agency had initially proposed that consumers have the right to opt out of the use of their personal information for, among other things, AI-driven behavioral advertising and AI model training. Upon consideration of industry input and the balance of risks and benefits to consumers, the agency decided to narrow the circumstances in which consumers must be able to opt out of such uses.
With respect to training AI models, the agency recognized that the benefits of additional data to develop accurate and sophisticated AI tools outweighed the risks to consumers of limiting their right to opt out of their personal data for all such training. Other guardrails in the planned regulations are anticipated to protect consumers from abuses of AI that is trained on personal information.
Policy Updates
CRS Publishes Report on Generative Artificial Intelligence. On April 2, 2025, the CRS published a report recommending Congress consider several factors related to GenAI, such as any potential underlying bias, testing transparency, workforce impacts, research and development, and regulatory oversight. The report recommended Congress consider sector-specific guidance regarding the deployment of GenAI models in high-risk scenarios, including mental health therapy or generating forensic sketches. The report warned that while GenAI has “impressive” abilities, the tendency of GenAI to produce “incorrect or misleading results” could unintentionally spread mass disinformation.
Senate Confirms Dr. Oz as CMS Administrator. On April 3, 2025, the Senate confirmed Dr. Mehmet Oz to serve as the Administrator of the Centers for Medicare and Medicaid Services (CMS) by a party-line vote of 53-45. In March, Dr. Oz testified to the Senate Finance Committee that he hopes to harness the power of AI to automate the Medicare Advantage prior authorization process and further limit the number of pre-authorized procedures from around 5,500 to 1,000.
EU and UK News
Regulatory Updates
European Medicines Agency (EMA) Issues First Qualification Opinion on an AI Tool (AIM-NASH). AIM-NASH is an AI-based machine learning tool designed to assess the severity of inflammatory liver disease (MASH) in liver biopsy scans. It aims to improve the accuracy, repeatability, and reproducibility in MASH disease activity assessments. The EMA’s Committee for Medicinal Products for Human Use (CHMP) concluded that AIM-NASH reduces variability in determining MASH disease activity compared to the current standard and that it can be used in MASH clinical trials. The qualification opinion means that evidence generated by AIM-NASH can be considered scientifically valid by CHMP in future applications for authorization when used as agreed in the opinion.
UK Government Responds to Recommendations on the Regulation of AI as a Medical Device. In November 2022, the Regulatory Horizons Council (RHC) published a report on how the UK can encourage innovation and improve safety in the area of AI as a medical device through changes to the regulatory system. The UK government has now published its response, accepting all 15 of the RHC’s recommendations. The recommendations are grouped by four themes: (1) regulatory capacity and capability, (2) whole product lifecycle, (3) open transparency, patient, and public involvement, and (4) UK leadership and international collaboration.
The UK MHRA Publishes an Update on the AI Airlock Pilot. The AI airlock is a regulatory sandbox aimed at testing and improving the safety of AI-based medical devices (read our June 2024 and October 2024 Digests for more detail). It is being piloted with the projects of four developers, after one developer has withdrawn. The MHRA reports that the “Simulation Airlock testing” stage has been completed, in which key stakeholders brain-stormed solutions to challenges that had been identified. The next steps include drafting outputs based on the insights from the simulations and virtual testing, and the preparation of an AI Airlock program report summarizing the learning points from each project.
Bill to Establish Central AI Authority Reintroduced in the UK. A Private Members’ Bill relating to the regulation of AI has been reintroduced in the House of Lords. The bill was originally introduced in November 2023, as reported in our December 2023 Digest, but failed to progress when the UK parliament was dissolved in May 2024 for the general election. The main purpose of the bill is to establish a central AI authority to act as a dedicated regulatory body for overseeing the regulatory approach to AI. Private Members’ Bills do not often succeed in becoming law, but the reintroduction of this bill will put pressure on the UK government to strengthen regulatory safeguards surrounding AI.
Privacy and Cybersecurity Updates
The European Health Data Space Regulation Is Now Law. On March 5, 2025, Regulation 2025/327, creating the EHDS Regulation, was published in the European Union Official Journal, and came into force on March 25. Under the regulation, companies handling health data must share their health data when requested by a national Health Data Access Body. Companies can also request access to health data for secondary purposes (e.g., scientific research). Requesting access is also possible for non-EU companies, but only when their country is recognized by the European Commission as being compliant with the EHDS Regulation and where it grants equivalent access to EU health data applicants. While already in force, implementation of the EHDS Regulation will be gradual. The European Federation of Pharmaceutical Industries and Associations has issued recommendations to support the implementation. More details on the EHDS Regulation can be found in our March 2025 Advisory.
WHO Issues Health Data Governance Recommendations for EU Policymakers. To enhance interoperability and the adoption of AI in health systems, the World Health Organization urges policymakers in the EU Member States to take four actions: (1) to strengthen national health data governance; (2) to develop robust health data standards for primary and secondary exchange and use; (3) to develop mechanisms to coordinate national data providers to facilitate collection, management, and dissemination of consistent and complete data; and (4) to engage stakeholders in developing health data governance frameworks that support AI implementation.
The UK’s ICO Fines NHS Software Provider £3 Million for Failing to Protect Patients’ Personal Data. The UK Information Commissioner’s Office (ICO) has ruled that Advanced Computer Software Group Ltd broke data protection laws by failing to fully implement security measures prior to a ransomware incident. The company provides IT and software services to the national health service (NHS), which includes the processing of patient personal data. In August 2022, the company was the target of a cyber-attack and the personal information of over 79,000 people was taken. The investigation found various shortcomings. The company agreed to a voluntary settlement of a reduced fine (down from £6 million) after the ICO took into account the company’s proactive cooperation with the authorities.
UK Government Responds to Call for Views on Code of Practice for Software Vendors. In the June 2024 Digest, we reported that the UK government announced and invited views on the voluntary Code of Practice for Software Vendors (the Code). The UK government has now published its response to the call for views. Respondents have confirmed that the Code would be a useful tool to help enhance software security practices and better secure digital supply chains across the UK and the digital economy. The government will make minor edits and publish the final version of the Code in 2025, alongside implementation guidance developed with the National Cyber Security Centre.
Antitrust Updates
The Swedish Competition Authority (SCA) Fines Digital Health Care Providers for Participation in an Online Ad Cartel. On April 3, 2025, the SCA announced that it had fined three digital health care companies a combined SEK 26.5 million (approximately GBP 2.1 million) because they had entered anticompetitive agreements in 2020 regarding their online advertising practices on Google. Keyword advertising allows businesses to purchase ad space on Google Search. In order for the ad to be visible when googling a competitor’s brand, companies bid on keywords that correspond to competitors’ brand names such that their ads are displayed when users search for keywords that correspond to a competitor’s brand name. However, in this case, the companies agreed to refrain from marketing themselves on Google Search to consumers who searched for the other party’s brand name; this meant that consumers did not have the opportunity to see alternatives to the online medical company they had searched for. In its press release, the SCA noted that agreements limiting consumers’ ability to become aware of competing suppliers when searching on the internet are harmful to consumers and competition. Four companies were involved in the agreements: Doktor.Se, Min Doktor, Doktor24, and Kry — competing health care providers offering digital primary care services to individuals in Sweden, including consultations with health care professionals via video calls or chats on their apps. However, Kry was not fined on the basis that it had proactively reported the agreements to the SCA and therefore benefitted from the SCA’s leniency program.
IP Updates
Whoop Triumphs in “Smart Bra” UK Patent Dispute With Prevayl. Deep-tech company, Prevayl, has a broad patent portfolio for innovations designed to be integrated into a diverse set of wearable products and industries. On February 27, 2025, the UK Intellectual Property Enterprise Court invalidated Prevayl’s patent relating to a “smart bra” with embedded biosignal sensors for lack of inventive step, resulting in the rejection of Prevayl’s patent infringement claim against fitness tracker brand Whoop.
Judge Hacon ruled that placing sensors in a side region rather than an under band was an obvious design choice in light of the prior art and as a result, the patent was invalidated. He added that, had the patent been upheld, he would have reached a finding of indirect infringement in relation to the Whoop Bra and the Whoop 4.0 module.
Judge Hacon remarked in the decision that “simple inventions can be especially vulnerable to hindsight” highlighting the importance of the care that should be taken when drafting patent specifications to highlight how the problem being solved is not obvious and reaffirming the importance of genuine innovation in wearable technology.
*The following individuals contributed to this Newsletter:
Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Joy Wee is a trainee solicitor at Arnold & Porter’s London office. Joy is not admitted to the practice of law.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Key Contacts
