This digest covers key virtual and digital health regulatory and public policy developments during January and early February 2025 from the United States, United Kingdom, and European Union.
In this issue, you will find the following:
U.S. News
- FDA Regulatory Updates
- Health Care Fraud and Abuse Updates
- Corporate Transactions Updates
- Provider Reimbursement Updates
- Privacy and AI Updates
- Policy Updates
U.S. Featured Content
On February 6, 2025, the National Science Foundation, on behalf of the Office of Science and Technology Policy, released a Request For Information (RFI) related to the development of the Trump administration's "AI Action Plan." The RFI is broad, seeking input on artificial intelligence (AI)-related priorities from academia; industry groups; private sector organizations; state, local, and tribal governments; and any other interested parties. The RFI encourages respondents to address "any relevant AI policy topic," including, for example, AI application and use, explainability and assurance of AI model outputs, cybersecurity, and data privacy and security throughout the lifecycle of AI system development and deployment. RFI submissions are due by March 15, 2025.
EU and UK News
- Regulatory Updates
- Liability Updates
- Privacy and Cybersecurity Updates
- IP Updates
EU/UK Featured Content
There have been some useful international guidance documents published this month from the International Medical Device Regulators Forum (IMDRF). These include Guiding Principles on Good Machine Learning Practices (GMLP) that build on the principles previously set out by the U.S. Food and Drug Administration (FDA), UK Medicines and Healthcare products Regulatory Agency (MHRA), and Health Canada, and guidance on characterization and risks of medical device software. The continued development of international guidance in this area highlights the importance of coordination between regulatory authorities and standardized guidance for these products. There have also been important developments in ongoing litigation relating to digital technologies, although whether these developments provide clear guidance to manufacturers remains to be seen.
U.S. News
FDA Regulatory Updates
FDA Denies Citizen
Petition Asking to Rescind the 2022 Clinical Decision Support (CDS)
Software Functions Final Guidance. On January 17,
2025, FDA replied to two citizen petitions submitted by the CDS
Coalition, the first being a 2016 petition requesting FDA issue
guidance on FDA's policies for CDS software, and the second a
2023 petition in which the CDS Coalition requested FDA rescind the
agency's 2022 final guidance on CDS software functions. In the
2023 petition, the CDS Coalition had taken issue with certain
aspects of FDA's interpretation of the 21st Century Cures Act
CDS exemption. In responding to the petitions, FDA found the CDS
Coalition's 2016 petition to be moot and denied their 2023
petition requests.
FDA Alerts Patients and
Their Caregivers to Reports of Missed Alerts From Diabetes
Devices. On February 5, 2025, FDA issued an alert to
patients who use diabetes devices and their caregivers regarding
reports where users of such devices did not receive or did not hear
alerts from their smartphones. In the alert, FDA identifies certain
configurations, changes, and updates that could lead to critical
alerts not being received as expected and also recommends steps
that patients, caregivers, and health care providers can take to
help prevent missed alerts.
FDA also explains that the agency is working with manufacturers to
ensure (1) that smartphone alert configurations of their
diabetes-related medical devices are carefully evaluated before use
by patients and (2) that settings in smartphones and mobile medical
apps that may impact safety alerts are continuously tested, and any
updates to recommended configurations are communicated quickly and
clearly to users.
Former FDA Commissioner
Expresses Concerns About FDA's CDS Software
Guidance. On February 6, 2025, the Journal of the
American Medical Association Health Forum published an article by
Scott Gottlieb, former Commissioner of FDA. In the article,
Gottlieb expresses concerns that under FDA's current CDS
software guidance, integrating AI functionality into an electronic
medical record (EMR) could result in the EMR being considered a
medical device. Gottleib suggests that FDA return to the intent of
the 21st Century Cures Act and the agency's policies from 2017
to 2019.
Health Care Fraud and Abuse Updates
Iowa Health Care Practitioners Involved in a Telemedicine Scheme Agreed to Pay $150,000 to Resolve Civil Allegations. On January 16, 2025, in separate enforcement actions in the Southern District of Iowa, two health care practitioners entered into civil settlement agreements to resolve False Claims Act allegations. In both cases, health care practitioners participated in telemedicine schemes where they placed orders based on cold calls to Medicare beneficiaries.
From October 2021 to November 2022, Iowa nurse practitioner Cori Lempiainen placed orders for orthotic braces and other unnecessary durable medical equipment, resulting in over 650 false Medicare claims without any patient contact. Lempiainen agreed to pay $150,000 to resolve the Medicare overbilling claims.
Similarly, from May 2022 to August 2022, Idaho doctor Paul Baumert billed Medicare for office visits and medical discussions that did not occur. During this same time period, Baumert placed orders for orthotic braces and other unnecessary durable medical equipment resulting in 380 false claims billed to Medicare. Baumert agreed to pay $14,325.96 to resolve these allegations.
Corporate Transactions Updates
Not Just a Pandemic Fad: Continued Deal Activity
Suggests Digital Health Sector Still a Cash Cow. As the
COVID-19 pandemic faded, there was speculation that the digital
health industry would similarly wane. Nearly five years after the
onset of the pandemic, digital health is still entrenched in the
health care system and appears to be booming with potentially
lucrative strategic partnerships and acquisitions.
On February 5, 2025, Teladoc Health, a top telemedicine provider
by market share, announced it would
acquire at-home testing startup Catapult Health in an all-cash deal
worth $65 million, with up to $5 million in additional contingent
earnout consideration. Teladoc Health plans to leverage Catapult
Health's at-home health care offerings platform,
VirtualCheckup, which allows patients to collect blood samples,
check blood pressure, and obtain other health screening data from
home to enhance telehealth visits. The acquisition, which will
build on Teladoc Health's 93-million-member base, is expected
to close by the end of March 2025. This announcement comes less
than a month after Teladoc Health shared its
partnership with Amazon Health Services, which will allow
Amazon Health Services customers who are eligible for Teladoc
Health's virtual cardiometabolic programs to enroll in benefits
available through their employer or health plan at no extra cost
via Amazon's health benefits connector.
On February 6, 2025, DarioHealth Corp. (Nasdaq: DRIO), a digital
health company specializing in chronic condition management, announced its new
partnership with a Blue Cross Blue Shield (BCBS) health plan.
The partnership allows DarioHealth Corp. to integrate its
AI-powered coaching and monitoring tools into BCBS' offerings.
DarioHealth Corp. has framed this partnership as a strategic move
to secure a spot in the cardiometabolic disease care market, which
is projected to surpass $1.2 trillion by 2033.
Provider Reimbursement Updates
Medicare Administrative Contractors Await Telehealth
Guidance. As we covered in our January 2025 Digest, in December 2024,
Congress extended Medicare telehealth flexibilities through March
31, 2025. Because these flexibilities were set to expire at the end
of 2024, they were not included in the Physician Fee Schedule for
2025. Despite the 90-day extension, the Centers for Medicare and
Medicaid Services has yet to release guidance updating payment
codes for the telehealth services extended through March, which has
created an uncertain reimbursement landscape.
Drug Enforcement
Administration Proposes Special Registration Framework for
Telehealth Prescribing. In the final days of the Biden
administration, the U.S. Drug Enforcement Administration (DEA)
proposed a special registration framework to allow the prescription
of controlled substances through telehealth, incorporating several
more restrictive requirements compared to the telehealth
flexibilities established during the COVID-19 Public Health
Emergency (PHE).1
As we covered in our December 2024 Digest, for the third time, DEA
extended temporary exceptions originally authorized under the
COVID-19 PHE regarding the prescription of controlled substances
via telehealth through December 31, 2025. DEA stated the extension
would provide time for the agency to develop final regulations on
the issue.
DEA proposes three types of special registrations for telemedicine
(Telemedicine Prescribing Registration, Advanced Telemedicine
Prescribing Registration, and Telemedicine Platform Registration),
under which clinician practitioners, certain specialized clinician
practitioners, and telemedicine platforms would need to apply to
prescribe or dispense controlled substances via telehealth without
a prior in-person evaluation. Such special registrations would be
limited to practitioners who demonstrate a "legitimate
need" to prescribe controlled substances through telehealth;
authority to prescribe Schedule II controlled substances would be
reserved for only the "most compelling" use
cases.2
DEA proposes several restrictions regarding special registration
prescriptions. For example, prior to issuing a telehealth
prescription, special registrants would be required to check
prescription drug monitoring programs (PDMPs) in all 50 states and
any U.S. district or territory that maintains its own
PDMP.3 Moreover, given the higher potential for abuse
and dependence of Schedule II controlled substances, DEA would
require that the number of special registration prescriptions for
Schedule II controlled substances be less than half of the total
number of Schedule II prescriptions issued by the clinician special
registrant in their telemedicine and non-telemedicine practice in a
calendar month.4
It is uncertain whether the Trump administration will finalize
these proposals.
On the same day, DEA also issued a final rule
authorizing the telehealth prescription of a six-month supply of
buprenorphine, a Schedule III narcotic, for use in the treatment of
opioid use disorder.5 No special registration is
required for such prescriptions. The agency also issued a final rule
authorizing U.S. Department of Veterans Affairs (VA) practitioners
to prescribe controlled substances via telehealth to VA patients
without conducting an in-person medical evaluation, provided that
another VA practitioner has, at any time, previously conducted an
in-person medical evaluation.6
Privacy and AI Updates
Trump Administration Requests Input on Development of AI
Action Plan. On February 6, 2025, the National Science
Foundation, on behalf of the White House Office of Science
Technology and Policy, issued an RFI on the development of an
"AI Action Plan." As stated in the RFI, the AI Action
Plan is to be developed pursuant to the executive order
issued by President Trump in January, which directed the Assistant
to the President for Science and Technology, the White House AI and
Crypto Czar, and the National Security Advisor to spearhead the
development of an AI Action Plan to further the U.S. policy of
"sustaining and enhancing America's AI dominance in order
to promote human flourishing, economic competitiveness, and
national security." The RFI seeks input from interested
parties, including industry groups and private sector
organizations, regarding priority actions that should be included
in the plan. Responses to the RFI are due no later than March 15,
2025.
National AI Advisory Committee Issues AI Policy
Recommendations. The National AI Advisory Committee, a
committee established under the National Artificial Intelligence
Initiative Act of 2020, recently released a draft report
outlining "near-term actionable steps" that the Trump
administration can take to "advance shared AI policy goals
that further America's competitiveness and leadership" and
to "initiate a sustained dialogue with the
administration's AI leadership." The draft report
recommends solutions for 10 priority AI policy issues, including
those relevant to AI in science and health, and AI governance.
- AI in Health: The draft report recommends that the National Science and Technology Council Select Committee on AI establish a subcommittee on health care focused on the "safe, responsible use of linked, longitudinal clinical and administrative personal health information." Expanding the availability of health data for AI model development, the draft report contends, can help "unleash" a marketplace of AI-powered tools to "detect disease progression, personalize recommendations, uncover rare patterns in health data, and accelerate research."
- AI in Science: The draft report recommends that the Trump administration develop an AI funding strategy for evaluating AI investments by federal agencies such as the National Institutes of Health. The draft report identifies several ways in which to advance national priorities for AI in science, including "[e]xpanding AI expertise across a wider spectrum of scientific inquiry to enrich human capital within industry, government, academic, and nonprofit spheres."
- AI Governance: The draft report advocates developing evaluation practices that provide baselines for AI model security, and increasing funding to support the AI Safety Institute's "capacity to advance robust evaluation of AI and the science of AI safety."
Policy Updates
Senate Confirms RFK Jr.
as HHS Secretary. On January 29 and 30, 2025, the Senate Finance and
HELP Committees
considered Robert F. Kennedy Jr.'s nomination as U.S.
Department of Health and Human Services (HHS) Secretary, and Senate
Finance subsequently voted in favor of his nomination in a 14-13
party-line vote on February 4, 2025. RFK Jr. was then confirmed by
the Senate on February 13, 2025. As head of HHS, Sec. Kennedy said
he would promote the use of AI and eliminate "unnecessary
regulatory barriers" for innovators. While not committing to
support its permanent extension, Sec. Kennedy spoke favorably about
telehealth's potential for rural and underserved
communities.
California Attorney
General Issues Legal Advisories on AI Compliance. On
January 13, 2025, California Attorney General (AG) Rob Bonta issued
two legal advisories providing guidance to businesses that develop,
see, and use AI about their obligations to follow California law.
The California AG specifically notes that "AI systems are
already widespread within healthcare" and that entities must
ensure their AI systems comply with laws protecting consumers. The
advisories provide guidance on the application of several existing
California laws to AI use in health care, including
California's consumer protection and professional licensing
laws, anti-discrimination laws, and patient privacy laws. The
advisories identify various practices involving AI that may be
unlawful in California, including denying health insurance claims
using AI in a manner that overrides doctors' views about
necessary treatment, using generative AI to draft patient notes
that include wrong or misleading information, and determining
patients' treatments using AI systems that make predictions
based on past health care claims data. The AG's advisories
emphasize the importance of being transparent about what patient
data is being used in AI systems and ensuring those systems are
trained and validated to maintain patient safety and minimize
bias.
EU and UK News
Regulatory Updates
International Medical Device Regulators Forum Publishes Guiding Principles on Good Machine Learning Practices in Medical Device Development. Intended to promote GMLP and foster collaboration, the 10 principles highlight the importance of using representative datasets with separate sets for training and testing, as well as ensuring that the model design is suited to the data and the intended use of the device. Other principles include that the intended use of the device should be clearly defined and aligned with the context in which it will be used. This follows an earlier consultation, set out in our July 2024 Digest, and the principles previously published by the MHRA, FDA, and Health Canada.
IMDRF Publishes Guidance
on Characterization Considerations for Medical Device Software and
Software-Specific Risk. The guidance is aimed at
ensuring clear and accurate characterization of medical device
software, including developing the intended use statement. It also
sets out a general strategy for characterizing software-specific
risks.
MHRA Publishes Guidance
Aimed at Manufacturers of Digital Mental Health
Technologies. The guidance explains how the intended
purpose of a mental health technology can be defined and
communicated, and outlines key considerations to understand whether
the technology is regulated as a medical device. It also provides
guidance on how the appropriate risk classification is determined
for a device, emphasizing that where mental health is being
assessed, it is likely that this would constitute providing a
"direct diagnosis," which would fall within medical
device Class IIa.
International AI Safety
Report Published. The report, mandated by 30 countries
and encompassing 100 independent expert insights, informed
discussions at the AI Action Summit in France, which took place on
February 10 and 11, 2025. The report addresses the capabilities of
AI, including the associated risks and how to mitigate such risks.
It identifies areas where further research is needed, such as how
AI models can be designed to behave reliably.
Hamburg Higher Regional Court Agrees That a Modified
Version of an App Designed to Review Skin Conditions Is Not a
Medical Device. In the August 2024 Digest, we reported that the
German court of appeal (OLG Hamburg) handed down a decision that
considered the status of a dermatologic telemedicine app under the
Medical Devices Regulation, and found that the app was a Class IIa
medical device. In a recent decision, the Regional Court has
confirmed that a modified version of the app, which removed some of
the functionality, is significantly different from the original app
and therefore can remain on the market. This continuing litigation
has been much criticized and discussed given some arguments that
are inconsistent with the legislation and guidance. This latest
decision is unlikely to be the last.
Liability Updates
Industry Calls on EU Legislators to Withdraw the AI Liability Directive (AILD) Proposal. The call was made by a coalition of industry associations, including the European Federation of Pharmaceutical Industries and Associations and MedTech Europe, warning that the AILD could create legal uncertainty and regulatory burdens for AI. Originally published by the European Commission in 2022, the AILD proposal has been on hold and is now set to be updated by the EU legislators to align with legislative developments, including the EU AI Act. However, industry argues that the AILD overlaps with existing frameworks (such as the Product Liability Directive, the EU AI Act, and the GDPR), and that the AILD is unnecessary in the current legal landscape.
Privacy and Cybersecurity Updates
Council of the European
Union Formally Adopts the European Health Data Space (EHDS)
Regulation. The EHDS Regulation sets out rules
allowing access to electronic health data across the EU for
permitted secondary uses (e.g., research) by any natural or legal
person, provided that the access request is approved. The
regulation also imposes obligations on health data holders,
including medical technology companies, to share specific
categories of health data (e.g., personal health data automatically
generated through medical devices), and to disclose the data they
hold. To facilitate the access and sharing of the health data, HealthData@EU, a cross-border platform for
secondary data use, has been established. The EHDS Regulation is
expected to become law in March 2025, and will apply gradually,
with provisions on secondary use taking effect as of March
2029.
EU Action Plan to
Strengthen Cybersecurity in the Health Sector
Published. Aimed at improving detection, preparedness,
crisis response, and protection from cyber threats in hospitals and
health care providers, the action plan builds on existing
frameworks such as the NIS2 Directive. Some measures planned for
2025 and 2026 include developing a regulatory mapping tool, a
European known exploited vulnerabilities catalogue for medical
devices, a framework for cybersecurity maturity assessments, and
guidelines on critical cybersecurity practices and procurement in
health care. The plan also includes pilot projects to develop best
practices for cyber hygiene and security risk assessment, along
with an EU-wide early warning subscription service for
near-real-time alerts on emerging cyber threats.
IP Updates
Abbott and Dexcom Settle CGM Patent Disputes.
In December 2024, Abbott and Dexcom announced they had
settled their ongoing global patent disputes regarding continuous
glucose monitoring devices. (See our July 2024, September 2024, and January 2025 Digests for further
context.)
Although the details of the settlement are confidential, the
companies have disclosed that all pending cases will be dismissed
and that they will refrain from litigating patent, trade dress, or
design right disputes with each other for the next 10 years, with
no money changing hands.
Footnotes
1 90 Fed. Reg. 6541 (Jan. 17, 2025).
2 90 Fed. Reg. at 6549.
3 Id. at 6543.
4 Id. at 6556.
5 90 Fed. Reg. 6504 (Jan. 17, 2025).
6 90 Fed. Reg. 6523 (Jan. 17, 2025).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
