Virtual And Digital Health Digest - January 2026

Happy New Year, and welcome to our new readers of the Virtual and Digital Health Digest. As we enter our fourth year of publication, we look forward to continuing to provide you with an easy-to-use resource to stay current on key regulatory and public policy developments impacting virtual and digital health. We encourage you to refer to past publications to track issues over time. As always, we welcome feedback from our readers as to how the digest could be improved to meet your needs.

This digest covers key virtual and digital health regulatory and public policy developments during December 2025 and early January 2026 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• Health Care Fraud and Abuse Updates
• Provider Reimbursement Updates
• Privacy and AI Updates
• Policy Updates
• FTC Updates

U.S. Featured Content

This month's issue highlights significant developments across the health care landscape, including notable enforcement actions involving a $500,000 False Claims Act settlement with a medical software company over inflated breast cancer risk scores and a $7.8 million durable medical equipment (DME) fraud scheme resulting in sentencing. We also track key regulatory and technology updates, including new guidance from the U.S. Food and Drug Administration (FDA) easing oversight of certain artificial intelligence (AI)‑enabled wearable devices and clinical decision support tools, as well as the U.S. Department of Health and Human Services' request for information on integrating AI into clinical care. On the policy front, Congress advanced a January funding package that includes an extension of Medicare telehealth flexibilities through December 2027, while House committees and leadership continue to focus on AI‑related health policy and oversight. Additionally, the Federal Trade Commission (FTC) announced an upcoming workshop on age‑verification technologies and issued warning letters to companies over potential violations involving consumer reviews and testimonials. Together, these developments reflect ongoing federal scrutiny of health care fraud, rapid regulatory evolution around AI and digital health, and continued policymaker attention to patient access, program integrity, and emerging technologies.

EU and UK News

• Regulatory Updates
• Privacy Updates
• Product Liability Updates

EU/UK Featured Content

December 2025 saw a significant wave of regulatory, policy, and technological developments across the UK and EU that will shape the digital health landscape in 2026 and beyond. The UK advanced its focus on safe and effective AI integration in health care through the Medicines and Healthcare products Regulatory Agency's (MHRA) open call for evidence on AI regulation, and the publication of the AI Security Institute's (AISI) Frontier AI Trends Report, which underscores both the promise and risks of rapidly advancing AI capabilities. In parallel, the EU proposed substantial amendments to the Medical Devices Regulation (EU) 2017/745 (MDR) and In Vitro Diagnostic Regulation (EU) 2017/746 (IVDR) — introducing new rules for software, cybersecurity, and digital compliance — alongside publishing the first part of the Biotech Act and a new Code of Practice on transparency for AI-generated content, each reinforcing expectations for trustworthy and innovation supportive digital health ecosystems. Globally, the International Medical Device Regulators Forum's (IMDRF) 2026-2030 strategic plan emphasized harmonization in response to emerging technologies. Finally, product liability frameworks are also being modernized, as the UK Law Commission launched a comprehensive review of the Consumer Protection Act to ensure it adequately captures risks associated with AI-enabled technologies, including iterative updates and latent defects.

U.S. NEWS

Health Care Fraud and Abuse Updates

Medical Software Company Agrees To Pay $500,000 To Resolve False Claims Act Allegations for Medically Unnecessary Breast Cancer Screenings. On December 15, 2025, PenRad Technologies, Inc. (PenRad), a medical software company, agreed to pay $500,000 to resolve federal and Massachusetts state False Claims Act allegations related to medically unnecessary breast cancer screenings.

The settlement agreement details PenRad's use of the Tryer-Cusick model risk-assessment tool, which helps providers calculate a patient's risk of developing breast cancer and make treatment decisions. Starting in 2020, health care providers began assessing patients' breast cancer risk using the Tyrer-Cusick risk calculator through PenRad's software. The Tyrer-Cusick documentation recommended enabling competing mortality in clinical settings, which typically lowers a patient's risk score. However, PenRad sometimes installed the Tryer-Cusick risk calculator with competing mortality disabled, leading to higher risk scores for some patients. Consequently, these patients underwent unnecessary preventative magnetic resonance imaging (MRIs). These MRIs were then billed to Medicare and Medicaid in violation of the False Claims Act.

Connecticut Man Sentenced for His Role in $7.8 Million Health Care Fraud and Kickback Scheme. On December 18, 2025, Jesse Foote, was sentenced for his involvement in a DME health care fraud and kickback scheme. From December 2017 to March 2021, Foote allegedly worked with telemarketing call centers, DME suppliers, telemedicine companies, and doctors to submit fraudulent claims to federal health care benefit programs, including Medicare and TRICARE. During this period, telemarketing call centers allegedly targeted Medicare beneficiaries, persuading them to accept orthotic braces and other DME without considering medical necessity. Providers approved these orders without any patient contact or assessment. Foote then allegedly sold the approved DME orders to individuals with whom he had a kickback arrangement.

These orders were ultimately submitted to DME suppliers, including those controlled by Foote. As a result of Foote and his co-conspirators' scheme, $7.8 million in false or fraudulent claims were submitted to federal health care programs for unnecessary DME.

Provider Reimbursement Updates

CMS Provides Additional Information on Reimbursement for Tech-Enabled Chronic Care Model. As we covered in our December 2025 Digest, in early December, the Centers for Medicare & Medicaid Services (CMS) announced a voluntary pilot model called Advancing Chronic Care with Effective, Scalable Solutions (ACCESS), which will test an outcome-aligned payment approach in Original Medicare to "expand access to new technology-supported care options that help people improve their health and prevent and manage chronic disease." Care organizations that enroll in the model are expected to offer "integrated, technology-supported care," which may include using FDA-authorized devices or software.

Since then, CMS has released additional information on the reimbursement framework for participating organizations. According to the Request for Applications, ACCESS participants will receive a "standard per-patient payment for managing all qualifying conditions" of a beneficiary within one of four clinical "tracks": (1) early cardio-kidney-metabolic; (2) cardio-kidney-metabolic; (3) musculoskeletal; and (4) behavioral health. Full payment will be conditioned on achieving track-specific clinical outcomes, such as lowering blood pressure by 10 mmHg. To prevent duplicate payments, CMS announced that participating care organizations must not submit Medicare fee-for-service claims for beneficiaries receiving services under the model, which may limit the scope of organizations willing to participate in the model.

CMS stated that payment rates and related model parameters will be announced in 2026 in advance of the April 1, 2026 application deadline.

Privacy and AI Updates

FDA Releases Guidance Indicating Relaxed Scrutiny of Certain AI-Enabled Health Wearable Devices and Clinical Decision Support Software. On January 6, 2026, the FDA released two guidance documents setting forth the agency's position that certain devices and software will not be subject to FDA scrutiny, provided certain criteria are met. One guidance concerns low-risk wellness devices, which are products (1) "intended for only general wellness use" and (2) "present a low risk to the safety of users and other persons." "General wellness uses" are uses related to "maintaining or encouraging a general state of health or a healthy activity" and a wellness product is considered "low risk" if it is not invasive or implanted, and does not involve "an intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied." The other document, a new clinical decision support software guidance, details the specific types of software that meet all four statutory criteria for exemption from treatment as a "device," i.e., software that (1) is not intended to analyze medical images or signals from either in vitro diagnostic devices or signal acquisition systems; (2) is intended only for the purpose of "displaying, analyzing, or printing medical information about a patient or other medical information;" (3) is intended to support or provide recommendations to health care professionals "about prevention, diagnosis, or treatment of a disease or condition;" and (4) is intended to enable such professionals to independently review the basis for those software recommendations.

HHS Issues RFI Regarding the Adoption of AI as Part of Clinical Care. On December 19, 2025, HHS issued a Request for Information (RFI) seeking comment on its adoption and use of AI as part of clinical care. The request seeks input on how HHS and the private sector can most effectively "integrate AI in care delivery and create new, long-term market opportunities that improve the health and well-being of all Americans," posing questions such as:

• "What are the biggest barriers to private sector innovation in AI for health care and its adoption and use in clinical care?"
• "How can HHS best support private sector activities (e.g., accreditation, certification, industry-driven testing, and credentialing) to promote innovative and effective AI use in clinical care?"
• "Where have AI tools deployed in clinical care met or exceeded performance and cost expectations and where have they fallen short? What kinds of novel AI tools would have the greatest potential to improve health outcomes, give new insights on quality, and help reduce costs?"

The deadline for submitting responses to the HHS request is February 23, 2026.

Policy Updates

Congress Faces End-of-January Government Funding Deadline and Expiration of Health Provisions. On January 20, 2026, House and Senate appropriators released a "minibus" consisting of the four remaining fiscal year (FY) 2026 spending bills: Labor-HHS-Education (L-HHS), U.S. Department of Defense, Transportation-HUD (T-HUD), and U.S. Department of Homeland Security. On January 22, 2026, the House passed the FY26 minibus, including L-HHS, Defense, and T-HUD spending bills (H.R. 7148) by a vote of 341-88 and the FY26 Homeland Security appropriations bill (H.R. 7147) by a vote of 220-207. Both bills will now be sent to the Senate for consideration before federal funding expires at the end of January.

The bill includes an extension of Medicare telehealth flexibilities through December 2027, and topline funding for HHS is approximately $116.6 billion, nearly the same as FY25-enacted levels. Of note, the president's FY26 budget request for HHS had proposed $94.7 billion in discretionary spending for the agency.

House Energy and Commerce Health Subcommittee Discusses WISeR Model. On January 8, 2026, the House Energy & Commerce (E&C) Health Subcommittee held a hearing titled "Legislative Proposals to Support Patient Access to Medicare Services." During the hearing, Subcommittee Members discussed the Ban AI Denials in Medicare Act (H.R. 6361), which would prohibit the Center for Medicare and Medicaid Innovation (CMMI) from implementing the Wasteful and Inappropriate Service Reduction (WISeR) model and any future models that would test prior authorization, including with AI, in Medicare Part A or B. Several Democratic Members expressed concerns about AI prior authorization denials and delays of medically necessary care. Implementation of the WISeR model began on January 1, 2026, in six states: New Jersey, Ohio, Oklahoma, Texas, Arizona, and Washington.

House Minority Leader Hakeem Jeffries Holds First Meeting With House Democratic AI Commission. House Minority Leader Hakeem Jeffries (D-NY) reportedly held a first meeting with the House Democratic Commission on AI and the Innovation Economy during the first week of the House session in 2026. Minority Leader Jeffries announced the new House Democratic AI Commission in early December with Reps. Ted Lieu (D-CA), Josh Gottenheimer (D-NJ), and Valerie Foushee (D-NC) serving as co-chairs. The meeting and formation of the commission demonstrates a continued focus and priority on AI policy and regulation in the new year.

FTC Announces Workshop on Age Verification Technologies. In early December, the FTC announced it will hold a workshop on age verification and estimation technologies on January 28, 2026. The workshop will bring together industry stakeholders to discuss the importance of age verification, age verification and estimation tools, the regulatory landscape, how to deploy age verification at scale, and the Children's Online Privacy Protection Act (COPPA) Rule. House E&C Chairman Brett Guthrie (R-KY) and Rep. Gus Bilirakis (R-FL), who chairs E&C's Subcommittee on Commerce, Manufacturing, and Trade, thanked the FTC for its announcement of the workshop.

FTC Updates

FTC Issues Warning Letters to 10 Companies Over Potential Violations of the Rule on the Use of Consumer Reviews and Testimonials. On December 22, 2025, the FTC announced that it sent warning letters to 10 companies for potentially violating the Rule on the Use of Consumer Reviews and Testimonials, which prohibits deceptive practices involving product reviews and testimonials. The rule, which took effect in October 2024, bars a range of conduct, including posting or procuring fake or misleading reviews, paying for positive or negative reviews, using undisclosed insider reviews, presenting company controlled review sites as independent, suppressing negative feedback, and buying or selling fake social media influence indicators.
According to the FTC, the warning letters were prompted by consumer complaints and information submitted by the companies themselves. The letters do not constitute formal findings of wrongdoing, but rather remind recipients to ensure immediate compliance with the rule. The FTC cautioned that violations may result in federal enforcement actions and civil penalties of up to $53,088 per violation. The agency did not disclose the names of the companies that received the warnings.

EU AND UK NEWS

Regulatory Updates

UK MHRA Publishes an Open Call for Evidence on the Regulation of AI in Healthcare. This invites responses from both UK-based and international stakeholders. The responses gathered will help to inform the recommendations of the National Commission into the Regulation of AI in Healthcare (launched in September 2025 and discussed in the October 2025 Digest) when advising the MHRA on the regulation of new AI technologies in the NHS and wider health care system. The main topics covered are: how the UK regulatory framework covering AI in health care should be improved, how issues around the safe use of AI can be addressed, and the distribution of responsibility between regulators, companies, and health care organizations. The call for evidence closes on February 2, 2026.

European Commission Publishes Proposals To Amend the MDR and IVDR. The proposal marks a significant step in the reform of the EU medical devices regulatory framework. For medical devices and biotech companies, key elements of the proposals include: (1) revised classification rules for certain software medical devices, which could fall into lower risk classes with less onerous obligations; (2) new EU and national regulatory sandboxes to support innovative digital health technologies, including software medical devices; (3) new cybersecurity safety and performance requirements; and (4) further digitalization of compliance processes, including the possibility to submit EU declarations of conformity in digital form. The proposals have been submitted to the European Parliament and the Council of the European Union for review, and a public feedback period is open from January 7 to March 5, 2026. Further details on the proposals can be read in our December 2025 BioSlice Blog.

European Commission Publishes Proposal on the EU Biotech Act — Part 1. While primarily focused on the pharmaceutical sector, with a broader biotech initiative expected in 2026, the proposal includes certain elements relevant to medical device and biotech companies. These include (1) expanded EU and national regulatory sandboxes, which could extend to medical devices and novel health biotechnology products and therapies; (2) the possibility to submit a single application for authorization through the Clinical Trial Information System for combined studies (i.e. studies involving clinical trials of medicinal products alongside clinical investigations of medical devices or performance studies of in vitro diagnostic medical devices (IVDs)); (3) the possibility for AI-enabled IVDs or AI medical devices used in combined studies to be subject to a coordinated assessment for authorization; and (4) the obligation for the European Medicines Agency to issue guidance on the use of AI across the lifecycle of medicinal products. The proposal will now be discussed by the European Parliament and the Council of the European Union.

European Commission Publishes First Code of Practice on Transparency of AI-Generated Content. The code is intended to support companies placing AI systems on the market (AI deployers) and companies using AI systems to generate or manipulate content (AI providers) in complying with the transparency obligations under the EU AI Act, which will come into effect on August 2, 2026. The code clarifies the responsibilities imposed on AI providers and AI deployers by the EU AI Act. In particular, AI providers must ensure that any AI-generated or materially manipulated content is marked and detectable using layered technical measures, such as including the provenance information and watermarking. Separately, AI deployers must disclose the level of AI involvement in the content that has been generated or manipulated by AI where it could mislead the public, using an immediately visible indicator, with the code suggesting a linguistic acronym pending an EU-wide solution. Although voluntary, the code provides a useful guide for medical device companies on regulatory expectations. The final version of the code, which has been subject to a public consultation that is now closed, is expected to be published in 2026.

UK AI Security Institute (AISI) Frontier AI Trends Report Published. The report highlights rapid advances in frontier AI systems that are directly relevant to digital health. Models now surpass PhD level expertise in biology and chemistry, which signals new potential for digital health initiatives, such as AI enabled diagnostics, clinical decision support, and drug-disease modelling. The report also shows significant gains in autonomous task completion and cybersecurity capabilities, underscoring both opportunities for improving workflows and the need for robust safeguards as industries, including health care systems, adopt increasingly powerful AI tools.

International Medical Device Regulators Forum Publishes Strategic Plan for 2026-2030. The plan highlights that the advancement of innovative technologies, including AI and machine learning, may require the development of new procedures, which presents an opportunity for harmonization of risk-based and resource-proportionate approaches. To this end, the priorities of the IMDRF include publishing new technical documents on innovative technologies and continuing with joint workshops with the IMDRF industry group.

Privacy Updates

The UK Information Commissioner's Office (ICO) Publishes Response to the Cyber Security Resilience Bill. The bill, which was introduced to Parliament in November 2025, was prepared following public consultation and calls for views on proposals to improve the UK's cyber resilience. The response highlights efforts to strengthen the UK's cyber defense framework and improve the resilience of essential digital services. Although digital health is not directly named, the update is relevant since digital health systems — such as cloud based clinical platforms, remote care services, diagnostic AI tools, and electronic health records infrastructure — rely on the same digital service providers (e.g., cloud computing, online services, and managed service providers) that fall under the bill's expanded regulatory oversight. The reforms also include extending the scope of what is considered essential services — for example, suppliers to the National Health Service may be considered designated critical suppliers. The ICO has indicated a need for additional clarification of the criteria for assessing "critical suppliers" and further details on the duties involved.

European Commission Renews the UK Adequacy Decisions. Following Brexit, the UK is considered a "third country" to the EU, and as such, the transfer of personal data without an adequacy decision would ordinarily be prohibited. The adequacy decisions, originally made in 2021 and now renewed in December 2025, allow personal data to flow freely between the UK and the EU under the General Data Protection Regulation and under the Law Enforcement Directive.

Product Liability Updates

UK Law Commission Publishes Terms of Reference for Product Liability Law Review. The Law Commission notes that the current regime under the Consumer Protection Act does not sufficiently address challenges posed by technological advancement, such as AI. The issues that will be considered in the review include the definitions of "product" and "defect," to ensure that any harm that may be caused by the use of AI is taken into account. The Law Commission will also review the possibility of amending the "State of the Art" defense, that the defectiveness of a product is determined by the knowledge and the market at the date of supply, to take account of the fact that some technologies can be updated iteratively. Finally, the possibility of bringing latent defects (arising after the date of supply) in scope will also be considered.

*The following individuals contributed to this Newsletter:

Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter's Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter's Washington, D.C. office. Mickayla is not admitted to the practice of law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.