Digital health companies, investors, and other healthcare organizations should follow policy developments through a strategic lens, with an eye to key market opportunities for potential growth and risk mitigation.

Federal Regulatory and Executive Branch Updates

OMB Issues Policy Memorandum Establishing Agency Use of AI (March 28, 2024)

The White House Office of Management and Budget (OMB) issued a government-wide policy directing federal departments and agencies' use of artificial intelligence (AI), which was mandated by President Biden's Executive Order (EO) 14110, "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence." The OMB memorandum establishes new agency requirements and guidance for AI governance, innovation, and risk management, including through specific minimum risk management practices for certain AI uses. Specifically, it requires each agency to designate a Chief AI Officer (CAIO) within 60 days of the date of the memorandum; inventory AI use cases on an annual basis; establish an agency program that supports identifying and managing risks from the use of AI, especially for safety-impacting and rights-impacting AI; and conduct risk assessments to ensure compliance with the OMB memorandum. OMB also issued a request for information (RFI) to help inform its development of an initial means to ensure that agency contracts for the acquisition of AI systems and services align with the guidance provided in the memorandum. The comment period for the RFI closes April 29, 2024.

FTC Releases 2023 Privacy and Data Security Update (March 28, 2024)

The Federal Trade Commission (FTC) issued its 2023 Privacy and Data Security Update, which highlights its work to protect consumer privacy and respond to companies' use of consumer data in various systems and technologies, including consumers' non-Health Insurance Portability and Accountability Act of 1996 (HIPAA) health data and the development of AI tools. The FTC update outlines its privacy and data security work (e.g., enforcement actions, rulemaking, and other policy work) that occurred between 2021 and 2023. Relevant to healthcare stakeholders, the FTC has initiated enforcement actions against several companies that shared sensitive health data with third-party companies for advertising purposes and violated the Health Breach Notification Rule (HBNR). It also mentions the June 2023 Notice of Proposed Rulemaking (NPRM) to strengthen and modernize the HBNR, including by clarifying its application to health apps and similar technology. Additionally, the FTC brought a number of AI-related enforcement actions related to the collection, retention, or use of consumers' personal information to develop machine learning (ML) or similar algorithms.

ONC Requests Comments on the Draft 2024-2030 Federal Health IT Strategic Plan (March 27, 2024)

The Office of the National Coordinator for Health Information Technology (ONC) released and requested public comment on the 2024-2030 Federal Health IT Strategic Plan (the Draft 2024-2030 Strategic Plan), which establishes goals and objectives to serve as a roadmap for federal health information technology (IT) initiatives and activities, and as a catalyst for private sector action. ONC developed the Draft 2024-2030 Strategic Plan with more than 25 federal organizations. The Draft 2024-2030 Strategic Plan includes the following four goals:



Promote health and wellness;
Enhance the delivery and experience of care;
Accelerate research and innovation; and
Connect the health system with health data.

FDA Issues a White Paper to Outline AI Medical Device Regulation (March 15, 2024)

The U.S. Food and Drug Administration (FDA) released a white paper, which outlines how FDA's medical product centers are working together to develop regulatory approaches that would advance responsible use of AI for medical products. FDA is taking the following actions, focused on four areas, regarding the uses of AI across the medical product life cycle:



Foster collaboration to safeguard public health;
Advance the development of regulatory approaches that support innovation;
Promote the development of standards, guidelines, best practices, and tools for the medical product life cycle; and
Support research related to the evaluation and monitoring of AI performance.

Notably, the white paper states that during 2024 the agency will issue draft guidance on life cycle management considerations and premarket submission recommendations for AI-enabled medical devices, draft guidance on the use of AI for regulatory decision making on drugs and biological products, and final guidance on marketing submission recommendations for predetermined change control plans. The white paper also states that FDA will organize demonstration projects to detect and mitigate bias in AI development, support projects on health inequity in AI, and conduct ongoing monitoring of AI within demonstration projects to promote standards adherence and performance reliability.

Why it matters for you: Stakeholders that develop and market AI-enabled medical devices should be aware of upcoming guidance and the FDA's plan to regulate these products, as this can impact go-to-market strategies and regulatory compliance obligations for innovative technologies. We expect that FDA and other federal health agencies will increase scrutiny on these technologies.

President Biden Proposes Healthcare Sector Cybersecurity and Other Health Provisions in the FY 2025 President's Budget (March 11, 2024)

On March 11, 2024, President Biden issued the fiscal year (FY) 2025 President's Budget, which included numerous healthcare proposals to reduce health care costs, increase access to health care coverage, and strengthen U.S. public health infrastructure. Notably, the FY 2025 President's Budget proposes implementing, through the existing Medicare Promoting Interoperability (PI) Program, incentives and penalties to encourage acute care hospitals and critical access hospitals (CAHs) to upgrade their cybersecurity practices. The President's Budget also includes provisions to build upon the Inflation Reduction Act to reduce prescription drug prices, make permanent expanded Affordable Care Act premium tax credits, and provide Medicaid-like coverage to individuals in states that have not adopted Medicaid expansion.

President Biden Issues Executive Order to Protect Americans' Sensitive Personal Data (February 28, 2024)

On February 28, 2024, President Biden issued an Executive Order (Data Protection EO) directing federal agencies to issue regulations to protect sensitive personal data from exploitation by countries of concern that threaten U.S. national security and foreign policy. The Data Protection EO explains that countries of concern try to gain access to Americans' bulk sensitive personal data (e.g., genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers) or U.S. Government-related data in order to use that data for a wide range of malicious activities. The Data Protection EO includes directives for HHS and those related to the healthcare sector, including ensuring that federal resources are not used to facilitate access to Americans' sensitive health data by countries of concern and issuing a report assessing the risks and benefits of transactions involving types of human 'omic data (i.e., human proteomic data, human epigenomic data, and human metabolomic data).

HHS Finalizes Significant Modifications Aligning Part 2 Regulations with HIPAA (February 16, 2024)

HHS issued a final rule modifying regulations at 42 C.F.R. part 2 (Part 2) governing the confidentiality of substance use disorder (SUD) records to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and more closely align Part 2 with privacy rules under HIPAA. At a high level, the final rule relaxes some of Part 2's stringent requirements, which have historically limited the ability to include SUD data in health information exchange and care coordination efforts. The final rule's most significant changes are related to consent to use, disclose, and redisclose Part 2 records. Compliance with the final rule is required by February 16, 2026.

NIST Finalizes an Updated Special Publication Supporting HIPAA Security Rule Implementation (February 14, 2024)

The National Institute of Standards and Technology (NIST), in collaboration with the HHS Office for Civil Rights (OCR), issued an updated special publication for HIPAA-regulated entities to follow to improve cybersecurity and compliance with the HIPAA Security Rule, superseding the previous version (October 2008). The updated publication, Revision 2 of NIST Special Publication 800-66: Implementing the HIPAA Security Rule (NIST SP 800-66r2), provides guidance for HIPAA-regulated entities on assessing and managing risks to electronic protected health information (ePHI); identifies questions and activities that a HIPAA-regulated entity might consider in designing and implementing an information security program that complies with the HIPAA Security Rule standards and implementation specifications; and lists additional resources that HIPAA-regulated entities may find useful when implementing the Security Rule.

CMS Issues Guidance on HIPAA-Compliant Secure Texting Platforms (February 8, 2024)

The Centers for Medicare & Medicaid Services (CMS) issued a quality standard memorandum clarifying that hospitals and CAHs may transmit patient information and orders via text message under certain conditions. Specifically, although Computerized Provider Order Entry (CPOE) continues to be the preferred method of order entry, healthcare team members are permitted to share patient information and orders among themselves through a HIPAA-compliant secure texting platform (STP) in accordance with Medicare and Medicaid Conditions of Participation (CoPs). The Memorandum reverses CMS's position in a January 2018 memorandum and is effective immediately.

Draft Common Agreement Version 2.0 and Updated TEFCA Materials are Released (January 19, 2024)

The Trusted Exchange Framework and Common Agreement (TEFCA) Recognized Coordinating Entity® (RCE), the Sequoia Project, requested public comment on the draft Common Agreement Version 2.0 in addition to other draft TEFCA materials, including the Qualified Health Information Network (QHIN) Technical Framework Version 2.0, Participant/Subparticipant Terms of Participation, and various Standard Operating Procedures documents. The overall goal of TEFCA is to establish a universal governance, policy, and technical floor for nationwide interoperability. The Common Agreement is the legal contract that the RCE will sign with each QHIN. We expect that the RCE will soon release the finalized Common Agreement and other TEFCA materials.

CMS Issues Interoperability and Prior Authorization Final Rule (January 17, 2024)

CMS issued the Interoperability and Prior Authorization Final Rule, which establishes requirements applicable to certain impacted payers, which are intended to improve the electronic exchange of health information and prior authorization processes. This final rule builds upon policies included in the CMS Interoperability and Patient Access Final Rule and adds several new provisions to increase data sharing and reduce overall payer, healthcare provider, and patient burden through improvements to prior authorization practices and data exchange practices.

CMS Innovation Center Announces New Value-based Care Models (January 2024)

Earlier this year, the CMS Innovation Center (Innovation Center) announced opportunities for different healthcare stakeholders and released details on a number of models in order to provide access to alternative methods of payment and to expand access to value-based care. We have highlighted recent developments below:

The Innovation in Behavioral Health Model (IBH Model): On January 18, 2024, the Innovation Center announced the IBH Model to test approaches for addressing the behavioral and physical health and health-related social needs (HRSNs) of Medicaid and Medicare beneficiaries. CMS states that the overall goal of the IBH Model is to improve the quality of care and outcomes for adults with mental health conditions and/or SUD by connecting them with the physical, behavioral, and social supports needed to manage their care. The IBH model will also promote interoperability by incentivizing health IT capacity building through infrastructure payments and other activities. Led by state Medicaid Agencies, the IBH is a state-based model with a goal of aligning payment between Medicaid and Medicare for integrated services. CMS will release a Notice of Funding Opportunity (NOFO) in Spring 2024, and up to eight states will be selected to participate. The model will launch in Fall 2024 and run for eight years.

The ACO Primary Care Flex Model (ACO PC Flex Model): On March 19, 2024, the Innovation Center announced the ACO PC Flex Model to provide funding to primary care providers in eligible Accountable Care Organizations (ACOs) to treat people with Medicare using innovative, team-based proactive care. It provides a one-time advanced shared savings payment and monthly prospective primary care payments (PPCPs) to ACOs in order to shift payment for primary care away from fee-for-service to enhance the predictability and amount of primary care funding for low revenue ACOs. The ACO PC Flex Model is a five-year voluntary model test within the Shared Savings Program that begins January 1, 2025.

Why it matters for you: The recent release of these models demonstrates the Innovation Center's focus on addressing barriers for certain populations and increasing access to care, including behavioral health and primary care. Health care organizations should consider whether to take advantage of these new models.

Federal Legislative Updates

Senate HELP Committee Ranking Member Releases a Report Including Digital Health Data Privacy Policy Recommendations (February 21, 2024)

Senator Bill Cassidy (R-LA), Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report to propose policy recommendations to revise the HIPAA framework and ensure privacy protections for health data and information. In the report, Senator Cassidy highlights recent reports of breaches and violations of patients' health data privacy and outlines several proposals to modernize the HIPAA framework and other privacy regulations and to fill in gaps left by the current frameworks. Senator Cassidy released an RFI in late 2023 regarding updating health privacy laws. In response to the RFI, trade associations, hospitals, electronic health record (EHR) vendors, health technology companies, and think tanks submitted responses. The report includes recommendations based on public comment in addition to those developed by Senator Cassidy.

House Leaders Launch a Bipartisan AI Task Force (February 20, 2024)

U.S. House of Representatives Speaker Mike Johnson (R-LA) and Democratic Leader Hakeem Jeffries (D-NY) announced and appointed 24 bipartisan members to a task force to create a report that will include "guiding principles, forward-looking recommendations and bipartisan policy proposals" on AI. In a press release, Speaker Johnson emphasized the importance of Congress working in a bipartisan way to both understand and address regulatory gaps around the advancing technology. The task force will be co-chaired by Representatives Jay Obernolte (R-CA) and Ted Lieu (D-CA) and will include representatives from the key committees of jurisdiction.

House Members Launch the Congressional Digital Health Caucus (February 1, 2024)

Representatives Troy Balderson (R-OH) and Robin Kelly (D-IL) announced the launch of the bipartisan Congressional Digital Health Caucus to inform policymakers of the rapid advancements in digital health innovation, work and partner with stakeholders across the health care system, and democratize access to digital health tools. The caucus will act as a public-private partnership to educate policymakers about the latest developments in digital health by serving as a hub for collaboration between government agencies, private sector innovators, and healthcare professionals. Additionally, the caucus will advocate for regulatory policies that will aim to foster innovation and ensure patient safety and data security. The announcement was followed by a panel discussion on healthcare AI and generative AI, featuring representatives from Microsoft, Amazon Web Services, Google, and Hippocratic AI.

Upcoming Policy Developments

In the coming months, we are watching out for the following policy updates from the Administration. For additional information, please see our blog that outlines our healthcare policy expectations for 2024.

The Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability Proposed Rule (HTI-2) (Q2 2024): The HTI-2 Proposed Rule is under review by OMB. ONC has stated that the HTI-2 Proposed Rule will propose new standards to enable interoperability; establish certification requirements for APIs focused on use cases such as electronic prior authorization (ePA), patient engagement, care management, and care coordination; address information blocking; and bolster public health data infrastructure.

