Skip to main content

This digest covers key virtual and digital health regulatory and public policy developments during August 2023 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

  • FDA Regulatory Updates
  • Health Care Fraud and Abuse Updates
  • Corporate Transactions Updates
  • Privacy Updates
  • Provider Reimbursement Updates
  • Policy Updates

U.S. Featured Content:

Are AI Powered Digital Health Startups Shooting Stars or Crashing Meteors? Arnold & Porter’s corporate attorneys break down the promises and pitfalls in the investment in and expansion of these “telehealth unicorns” in an increasingly complex financial landscape bolstered by increased demand for telehealth visits and remote monitoring.

EU and UK News

  • Regulatory Updates
  • Reimbursement Updates

EU/UK Featured Content:

Report on Digital Health in the WHO European Region. The WHO has published a report on the status of digital health implementation in the European Region. It considers how different countries are dealing with digital health governance through strategies and policies, and areas where improvement is necessary. It concludes with five insights to support digital health transformation. The report provides an important summary of the current situations across Europe and provides insight on areas of development over the coming months. It is hoped that legislative and regulatory bodies take these insights into account to ensure continued development in this area. See here for an overview.

U.S. News

FDA Regulatory Updates

FDA Issues New Guidance on Off-The-Shelf (OTS) Software Use in Medical Devices. On August 11, FDA issued a new version of the guidance titled “Off-The-Shelf Software Use in Medical Devices” (OTS Guidance), which supersedes the previous versions issued in 2019 and 1999. The guidance provides information regarding the recommended documentation that sponsors should include in a premarket submission for FDA’s evaluation of OTS software used in a device. The recommended documentation for a premarket submission depends on the OTS software device’s risk to a patient, a user of the device, or others in the environment of use. As further detailed in the OTS Guidance and in the guidance titled “Content of Premarket Submissions for Device Software Functions,” FDA intends to take a risk-based approach to determine a device’s documentation level (either “basic” or “enhanced”). The OTS Guidance includes a chart with recommendations for documentation depending on such level of risk (e.g., description of OTS software, risk assessment of OTS software, verification/validation testing plans, assurance of continued maintenance of OTS software). For example, for “enhanced” documentation devices, FDA recommends providing assurance that the product development methodologies used by the OTS software developer are appropriate and sufficient for the intended use of the OTS software within the specific medical device.

Other topics addressed in the OTS Guidance include device master files, compliance with FDA’s investigational device exemption (IDE) requirements, premarket approval for OTS software devices, labeling recommendations, maintenance considerations for devices that employ OTS software, as well as artificial intelligence and machine learning considerations. The OTS Guidance also include an appendix with examples of devices that use OTS software, describing the reasoning for determination of the documentation level for each example. One example discussed in the guidance is a traumatic brain injury assessment aid intended to track a patient’s eye movement using a commercial OTS mobile phone and camera.

FDA Publishes Questions for Consideration When Deciding Whether to Use Augmented Reality and Virtual Reality Medical Devices. On September 1, FDA launched an “Augmented Reality and Virtual Reality Medical Devices: Questions to Consider” webpage with questions and infographics intended to inform patient and health care provider (HCP) decisions on use of medical extended reality (XR), which includes augmented reality (AR) and virtual reality (VR) medical devices, in a patient’s care. For patients, questions include whether there is clinical evidence for use of XR, the benefits and risks to using XR, and the patient’s HCP’s experience with using XR. Some of the same questions are covered on the HCP list, as well as additional questions regarding limitations to who can use the XR, training and education needed for safe and effective use, and how to transition to alternative treatment techniques when needed. The webpage also links to various other FDA resources relevant to use and marketing of devices that employ XR.

Health Care Fraud and Abuse Updates

DOJ and State AGs Continue to Target Medically Unnecessary Prescribing Schemes. On August 16, Elan Yaish, former President of Apogee Bio-Pharm LLC, pleaded guilty for conspiracy to violate the Federal Anti-Kickback Statute for his role in a health care kickback conspiracy involving prescriptions for Medicare and TRICARE beneficiaries. Yaish and his co-conspirators engaged in a scheme to pay marketing companies to direct prescriptions for expensive medications to the pharmacies. The marketing companies allegedly identified federal health care program beneficiaries, contacting them by telephone to pressure them into agreeing to try expensive pain creams, scar creams, eczema creams, and migraine medication. The marketing companies then transmitted recordings of telephone calls with the beneficiaries, together with pre-marked prescription pads for particular drugs that would yield high reimbursement rates, to telemedicine companies. The marketers paid the telemedicine companies for every beneficiary referred for a prescription, and the telemedicine companies paid doctors to approve the prescriptions. The marketing companies also directed the prescriptions to pharmacies, including Apogee Bio-Pharm LLC, with which they had kickback arrangements. The pharmacies filled the prescriptions and sought reimbursement from federal health care programs. The pharmacies, including Apogee, then paid a portion of each reimbursement to the marketing companies as a kickback. The scheme resulted in over US$32 million in false claims submitted to federal health care programs.

In a different prescribing scheme, on August 22, Patrick Fitchner, operator of multiple marketing call centers, pleaded guilty to conspiracy to commit health care fraud for his role in a durable medical equipment (DME) and telemedicine kickback scheme. Specifically, Fitchner and his co-conspirators used telemedicine companies to obtain medically unnecessary prescriptions for DME. They then solicited and received kickbacks and bribes in exchange for providing companies with completed doctors’ orders for DME. Department of Justice (DOJ) estimates Fitchner and his co-conspirators caused at least US$3.6 million in false claims to be submitted to federal health care programs.

Case Update: Lab Executive Charged in Large Genetic Test Scheme Receives Hefty Sentence. On August 18, Mina Patel, owner of Lab Solutions LLC, was sentenced to 27 years in prison for his role in a conspiracy to defraud Medicare by submitting over US$463 million in genetic and other medically unnecessary laboratory tests. Patel conspired with patient brokers, telemedicine companies, and call centers to target Medicare beneficiaries with telemarketing calls falsely stating that Medicare covered expensive cancer genetic tests. See the January 2023 issue of Arnold & Porter’s Virtual and Digital Health Digest for more coverage on this case. The DOJ claims Patel’s case is “one of the largest genetic testing fraud cases ever tried to verdict.” According to DOJ, Patel’s hefty prison sentence reflects DOJ’s commitment to “seek justice for those who put profits above patient care, including owners and executives.”

Corporate Transaction Updates

Are AI-Powered Digital Health Startups Shooting Stars or Crashing Meteors? AI-powered digital health startups, nicknamed “telehealth unicorns” in terms of their ability to increase valuations, are raising funds through buzzwords like “Generative AI” and promise to revolutionize medical treatment and monitoring. AI startups received greater than $1 in every $4 invested in U.S. startups this year, with a large percentage of the funding focused on AI capabilities associated with digital health. This is consistent given that the global digital health market was valued at US$235.70 billion in 2022 and is projected to be worth US$612.40 billion in 2028 predominantly due to increased demand for telehealth visits and remote monitoring, which can be significantly aided by AI.

However, this outpouring of funds into AI-powered digital health is tempered by certain AI-focused digital health startups trading significantly below their valuations, with some even filing for bankruptcy. For example, Babylon Health, a multinational digital health company that went public via a US$4.2 billion Special Purpose Acquisition Company (SPAC) deal in 2021 and mentioned AI over 25 times in its registration statement, filed for bankruptcy on August 9. It ultimately sold its business to eMed via a Chapter 7 process on September 5.

In light of the historically high interest rates and their effect on capital, AI-powered digital health startups looking for new capital are more frequently turning to established partners. During the first half of 2023, 71% of digital health deals were done by repeat digital health investors, signaling that the digital health market is increasingly controlled by a smaller, more powerful group of investors. For example, recent data shows that Google, Microsoft, and Tencent are parties to over 70% of reported digital health agreements. These economic pressures will continue to provide opportunities for larger companies such as Amazon, Walmart, Apple, Microsoft, and Google, which are already some of the biggest investors in digital health and can easily fund off of their balance sheets, to partner with, invest in, and acquire cash-hungry AI digital health companies at reasonable valuations.

Provider Reimbursement Updates

DEA Holds Listening Sessions on Prescribing Rules. During the public health emergency (PHE), the Drug Enforcement Agency (DEA) made two major changes related to prescribing controlled substances. First, qualified practitioners were permitted to prescribe a controlled substance to a patient via a two-way, audio-video telemedicine appointment. Second, during the PHE, qualifying practitioners were also permitted to prescribe buprenorphine to new and existing patients with an opioid use disorder based only on a telephone evaluation.

As we described in the March 2023 issue of Arnold & Porter’s Virtual and Digital Health Digest, anticipating the end of the PHE, DEA and HHS issued two proposed rules (available here and here), that if finalized, would significantly curtail the prescribing rules for controlled substances via telemedicine permitted during the PHE. For example, one of the proposed rules proposes to limit each prescription for controlled substances furnished via telemedicine to a 30-day supply until there has been a form of in-person visit. See 88 FR 12895.

DEA received 38,369 comments in response to these proposed rules. In response, on May 10, DEA, in concert with the Substance Abuse and Mental Health Services Administration, published a temporary rule extending all telemedicine flexibilities regarding the prescribing of controlled substances that were in place during the PHE until November 11. See 88 FR 30037.

On September 11 and 12, DEA also hosted two-day public listening sessions. According to DEA, the sessions aimed to gather feedback and information on: (1) the advisability of permitting telemedicine prescribing of certain controlled substances without any in-person medical evaluation at all, (2) the availability and types of data that would be useful in detecting diversion of controlled substances via telemedicine that are either already reported or could be reported, and (3) “additional safeguards that could be placed around the prescribing of schedule II controlled substances via telemedicine.” See 88 FR 52210. During these sessions, DEA suggested that it may offer an additional written comment period for the proposed rules on prescribing controlled substances via telemedicine, but no formal extension has been made yet.

Policy Updates

The Senate returned to session on September 5, and the House returned on September 12. While the most urgent legislative priority facing Congress remains funding the federal government to avoid a federal shutdown before September 30, many members of Congress continue to express interest in developing a federal AI framework this year, and several committees have held recent hearings on the topic. On September 1, Senate Majority Leader Chuck Schumer (D-NY) shared a Dear Colleague letter discussing his intent to hold a series of “AI Insight Forums” beginning on September 13, which convened some of the “leading minds in AI” to develop legislative AI recommendations regarding several policy areas, including technology, national security, and health care.

Privacy Updates

Ranking Member Cassidy Issues Letter Seeking Input on How to Protect Health Data Privacy in the Context of Digital and Other Technological Health Innovations. In addition to publishing the white paper on AI mentioned above, on September 7, Senate HELP Committee Ranking Member Bill Cassidy issued a request for comments from interested parties on how the committee can and should take action to “leverage technology to improve patient care, while safeguarding the privacy of this data.” The letter notes that while the privacy regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) have given patients assurance that their health information is being protected in the context of health care treatment and health insurance coverage, new technologies, including wearable devices, smart devices, and health and wellness apps, have expanded the creation and collection of health data in many contexts where HIPAA does not apply. Among the questions on which the letter seeks feedback are: What entities outside of HIPAA’s scope should be accountable for the handling of health data? Should Congress expand the scope of HIPAA? How should location data collected at a health care facility, website, or other digital presence maintained by a health care entity be treated? How should AI-enabled software and applications implement privacy by design? Comments on these and the other issues raised in the letter are due on September 28 and may be submitted to

HHS and FTC Release Letters Sent to Telehealth Providers Regarding the Privacy Risks of Tracking Technologies. On September 1, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) published the letters the agencies jointly sent in July 2023 to approximately 130 hospital systems and telehealth providers. Copies of each of the joint letters are available here. As HHS explained at the time the letters were sent, both agencies have serious concerns about the use of online tracking technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities in connection with information about the user’s health. The letters highlight the harms that can result from misuse of personal health information, including identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others. The letters echo concerns expressed by OCR in a bulletin issued in 2022 to remind HIPAA-regulated entities of their responsibilities to protect health data in the context of online tracking technologies.

California Privacy Protection Agency Publishes Discussion Drafts of Regulations on Cybersecurity Audits and Privacy Risk Assessments. The California Privacy Protection Agency (the Agency) recently published discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments, which will implement certain of the California Privacy Rights Act’s amendments to the California Consumer Privacy Act (CCPA). The discussion drafts describe in detail the types of compliance obligations CCPA-regulated businesses will likely have under the planned regulations. According to the drafts, regulated entities would need to, among other things, conduct and document risk assessments if they process identifiable health information or other sensitive personal data, or if they engage in any of a wide variety of other activities, including, for example: (1) selling personal data or sharing such data for purposes of cross-context behavioral advertising, (2) using automated decision-making technology to further decisions about the provision or denial of health care services, or (3) processing the personal information of consumers to train artificial intelligence or automated decision-making technology. The Agency likely expects to engage with stakeholders over the next few months to assess reactions to the discussion draft; actual proposed regulations will follow.

EU and UK News

Regulatory Updates

UK Government Announces Funding for AI Health Care Projects and Preparations Ahead of the AI Safety Summit. On August 10, the UK government made two announcements in relation to AI. The first was the appointment of two tech and diplomacy experts (Matt Clifford and Jonathan Black) to coordinate preparations for the first global AI Safety Summit, which is due to be held in the UK on November 1-2. The summit aims to bring together leading tech companies and experts to discuss how to best monitor and mitigate the risks of AI in a coordinated international approach (see here for the government’s five objectives). The second announcement was the grant of £13 million in funding for 22 university projects related to AI in health care. Projects include the development of a real-time AI “assisted decision support framework” to improve surgical outcomes, tools to predict the likelihood of future health problems, and programs to improve the analysis of mammograms. A full list of the projects being funded can be found here.

Publication of Interim Report on the Governance of AI in the UK. On August 31, the UK’s Science, Innovation and Technology Committee published an interim report on the governance of AI. The report highlights twelve challenges with AI which need to be addressed by policymakers in order to gain the public’s confidence in AI: (1) bias; (2) privacy; (3) misrepresentation; (4) access to data; (5) access to compute; (6) black box; (7) open-source; (8) intellectual property and copyright; (9) liability; (10) employment; (11) international coordination; and (12) existential. Many of these challenges are applicable to the health care industry, such as ensuring that health data cannot be traced back to individuals and the liability consequences if an AI program causes harm. The committee also raised concerns that the UK’s proposed approach to regulating AI, as set out in the government’s white paper (see the April 2023 issue of Arnold & Porter's Virtual and Digital Health Digest), risks “falling behind the pace of development of AI,” especially with efforts by the EU and U.S. to set international standards. The committee suggested that there should be a “tightly focussed AI Bill” in the new session of Parliament to ensure that the UK remains at the forefront of statutory regulation of AI across the world. The UK government has two months to respond to the report before the committee publishes a final set of policy recommendations.

Report on Digital Health in the WHO European Region. On September 1, the World Health Organization (WHO) published a report on the status of digital health implementation in the WHO European Region. The report used 2022 survey data to discuss the utilization, role, and challenges of various aspects of digital health, such as electronic health records, telehealth services, mobile health applications, and large amounts of health data.

The report shows that 100% of the reporting countries had public funding available for the implementation of digital health programs, but only just over half had developed strategies for digital health literacy and digital health inclusion. Similarly, 91% of Member States reported having at least one government-sponsored mobile health program, but 72% of Member States reported not having an entity that is responsible for the regulatory oversight of mobile apps for quality, safety, and reliability. The report includes multiple case studies demonstrating progress in the UK — such as the digital health literacy initiative in Leeds, the digital health technology assessment criteria developed by NHS England, and the AI roadmap to consider the educational needs of health care professionals for using new technologies — but also includes a variety of examples from across reporting countries, such as how telehealth is regulated in Hungary.

The report concludes with five insights to support digital health transformation: (1) establish effective governance, in particular establishing and expanding national bodies and agencies dedicated to digital health, (2) develop robust evaluation guidelines and increase digital health literacy, (3) ensure sustainable financing and collaboration, (4) address interoperability and standardize health data, and (5) promote patient-centered care and digital inclusion.

Why is this important: This report considers how different countries are dealing with digital health governance through strategies and policies, and areas where improvement is still necessary or where there are barriers to guide the successful implementation of digital health in Member States. The insights and recommendations for Member States also demonstrate the continued commitment to the regional digital health action plan for the WHO European Region 2023-2030. It is hoped that legislative and regulatory bodies take these insights into account to ensure further progress to enable digital health technologies to be available to patients.

Reimbursement Updates

NICE Guidance on Use of AI Technologies to Aid Auto-Contouring for Radiotherapy Treatment. On August 11, the National Institute for Health and Care Excellence (NICE) published draft guidance recommending that nine AI technologies, which draw contours on medical scans to outline target volumes and organs at risk ahead of radiotherapy treatment, can be used in the NHS once they have Digital Technology Assessment Criteria (knowns as DTAC) approval. Importantly, the contours created by the AI must be reviewed by a health care professional (HCP) and edited as needed prior to being used. It is thought that the technologies can save between 3-80 minutes per contoured plan of a HCP’s time, such that they can carry out other tasks. The guidance is part of NICE’s Early Value Assessment program, whereby technologies can be used while more evidence is collected. After three years of evidence collection, developers must submit the evidence to NICE for its review and decision on whether the technologies should be routinely adopted in the NHS. According to NICE, this is the first piece of guidance “to recommend the use of AI to aid healthcare professionals in their roles”.

*Amanda Cassidy contributed to this Newsletter. Amanda is employed as a Senior Health Policy Advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.

*Eugenia Pierson contributed to this Newsletter. Eugenia is employed as a Senior Health Policy Advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.

*Mickayla Stogsdill contributed to this Newsletter. Mickayla is employed as a Senior Policy Specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.

*Katie Brown contributed to this Newsletter. Katie is employed as a Policy Advisor at Arnold & Porter’s Washington, D.C. office. Katie is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.