Virtual and Digital Health Digest
This digest covers key virtual and digital health regulatory and public policy developments during April and early May 2025 from the United States, United Kingdom, and European Union.
In this issue, you will find the following:
U.S. News
- Health Care Fraud and Abuse Updates
- Corporate Transactions Updates
- Privacy and AI Updates
- Policy Updates
U.S. Featured Content
The National Academy of Medicine recently released a special publication evaluating the risks and opportunities of integrating generative artificial intelligence in the medical field. The report examines the potential of large language models to reduce administrative burden and assist physicians in making diagnoses, while urging health providers to ensure the responsible use of artificial intelligence, including concerns regarding data privacy, bias, and algorithmic limitations.
EU and UK News
EU/UK Featured Content
Cybersecurity is a hot topic this month. In both the EU and UK, cybersecurity plans are developing, with the European Commission conducting a consultation on the EU Action Plan to strengthen cybersecurity within hospitals and health care providers, and the UK Cyber Security and Resilience Bill being published, introduced partly because of cyberattacks on UK hospitals. This is clearly an important area for developers of digital products and services, who should watch the progress of these policies closely.
U.S. News
Health Care Fraud and Abuse Updates
Florida DME Owner and Operator Found Guilty of Health Care Fraud. On April 29, 2025, a federal jury found Lino Mallari Gutierrez guilty of conspiracy to commit health care and wire fraud, conspiracy to violate the federal anti-kickback statute, five substantive counts of health care fraud, and four substantive counts of payment of kickbacks in connection with a health care program. The government alleges that Guiterrez and his co-conspirators owned and operated durable medical equipment (DME) companies and paid kickbacks to marketing companies in exchange for signed doctors’ orders for unnecessary DME. The marketing companies, in turn, used call centers to solicit Medicare patients and telemedicine companies to obtain prescriptions for unnecessary DME. To conceal his involvement in this scheme, Gutierrez allegedly registered the DME companies in the names of straw owners and filed false records with his employer and a private regulatory agency. Together, Gutierrez and his co-conspirators collectively billed more than $10.9 million to Medicare for medically unnecessary DME and received $5 million in payments.
Louisiana Nurse Practitioner Convicted of Health Care Fraud. On May 2, 2025, a federal jury convicted a Louisiana nurse practitioner of five counts of health care fraud for her role in a $2 million health care fraud scheme. Shanone Chatman-Ashley, a nurse practitioner and enrolled Medicare provider, worked as an independent contractor for companies that claimed to offer telehealth services to Medicare beneficiaries. The government alleges that from 2017 to 2019, Chatman-Ashley ordered DME for patients who had not been examined by either she or any other medical provider, falsely certifying that she had personally conducted assessments of them. In exchange for these orders, Chatman-Ashley received bribes and kickbacks from the telehealth service companies. Chatman-Ashley’s actions resulted in more than 1,000 orders of medically unnecessary DME, leading to over $2 million in fraudulent Medicare claims and more than $1 million in reimbursements.
New Compliance Resources for Medicare Remote Patient Monitoring. In response to a 2024 Report by the U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) that recommended additional oversight of remote patient monitoring (RPM) in Medicare, the Centers for Medicare & Medicaid Services (CMS) has added resources to its website to inform providers on how to correctly use and bill for RPM. RPM, a Medicare-covered service, enables patients to collect their own health data using medical devices that transmit the information directly to their health care providers. The OIG’s report noted a dramatic uptick from 2019 to 2022 in use of RPM and raised concerns about fraud and whether monitoring was being used as intended. CMS’ website now features a comprehensive Booklet on Telehealth and RPM, and outlines the essential components of RPM — education and set up, device supply, and treatment and management — as well as best practices for compliance. CMS also has a dedicated RPM webpage to further assist providers.
Corporate Transactions Updates
Full Body Scans Are in Vogue, and Now More Accessible. On May 5, 2025, Function Health, a preventive health startup that offers a subscription-based service that includes over 160 blood tests and ongoing health tracking for $499 annually, acquired full-body MRI scanning company Ezra. The acquisition will allow Function Health to offer its subscribers a full-body MRI powered by FDA-cleared artificial intelligence (AI) that can help patients detect cancer and other conditions such as strokes, developing aneurysms, and spinal disorders.
The full-body MRI offered by Ezra prior to the acquisition was a 60-minute scan costing $1,500. Following the acquisition, Function Health includes the scan in its annual subscription fee and has reduced the scan time to 22 minutes. Competitor Prenuvo, which closed a $120 million funding round in February 2025, recently completed its 100,000th scan and offers full-body MRI scans for $2,499, with a reduced price for veterans and other qualifying individuals. Another full-body MRI scan competitor, Neko Health, raised $260 million in a funding round last January.
The financial details of the acquisition of Ezra were not disclosed.
Teladoc Acquires Mental Health Company UpLift To Boost BetterHelp. On April 30, 2025, Teladoc Health (NYSE: TDOC), a virtual care company, acquired UpLift, a digital health company specializing in therapy, psychiatry, and medication management in a $30 million all-cash transaction, with the potential for up to an additional $15 million in earnout consideration. The deal is intended to directly benefit Teladoc Health’s digital mental health entity BetterHelp, which offers a large network of mental health professionals for its users.
The acquisition further solidifies Teladoc’s strong position in the virtual mental health market, despite a $1 billion loss in 2024 due in large part to a non-cash goodwill impairment charge incurred by BetterHelp. Executives hope the acquisition of UpLift will improve BetterHelp’s direct-to-consumer segment and increase member duration.
Privacy and AI Updates
Connecticut Attorney General Reports on Privacy Enforcement Against Telehealth Providers. On April 17, 2025, the Connecticut Office of the Attorney General (OAG) released a report describing enforcement actions taken under the Connecticut Data Privacy Act (CTDPA) in 2024 and has recommended legislative changes to enhance the statute’s protections for personal information, including health information. As the report notes, Connecticut, along with several states such as California, has spearheaded consumer privacy protections and “the OAG was the first office in the country to create a standalone Privacy Section.”
The CTDPA requires regulated entities to obtain affirmative consent from an individual before collecting, using, or disclosing any “consumer health data” — i.e., information relating to health that may be personally linked to the individual. According to the OAG report, the OAG sent inquiry letters in 2024 to two telehealth companies that were found to be using tracking technologies that, among other things, transmitted sensitive health information to third-party platforms, including Meta and Google. The OAG reportedly sent a notice to one of those companies warning it to change its practices to cure the alleged CTDPA violation caused by such transmission, which was not undertaken with consumers’ prior consent. According to the OAG, in response to the cure notice, the targeted company implemented a new consumer consent process, provided consumers with additional disclosures specific to Connecticut law, and conducted a data protection assessment for “consumer health data” as defined by the CTDPA.
Noting that “the CTDPA has become a model for states considering and passing comprehensive consumer data privacy laws,” the OAG report asserts that “it is imperative that the CTDPA be updated to provide a strong foundation for future legislation.” Among other things, the OAG report urges the state legislature to narrow certain of the exemptions the law currently contains, including its exemption for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA). The report states: “we have seen telehealth companies use this HIPAA exemption to avoid having to comply with the CTDPA despite the fact that much of the data they process is not protected health information.”
As the report highlights, privacy law violations involving personal health information are a key enforcement priority, and telehealth providers, whose marketing to and servicing of patients typically involves such information, are subject to particularly close scrutiny.
Policy Updates
Senators Introduce Bipartisan Bill To Expedite Medicare Approval of AI Medical Devices. On April 10, 2025, Senate AI Caucus co-chairs Mike Rounds (R-SD) and Martin Heinrich (D-NM) introduced the Health Tech Investment Act (S. 1399), which would enhance Medicare reimbursement for certain AI-enabled medical devices in order to expedite innovation and new approvals. The bill would classify FDA-approved Algorithm-Based Healthcare Services devices under a New Technology Ambulatory Payment Classification in the Hospital Outpatient Prospective Payment System for at least five years before assigning a permanent payment code. The bill is endorsed by AdvaMed, the Alliance for Aging Research, the National Health Council, and others.
NAM Releases Publication With Recommendations on AI. On April 10, 2025, the National Academy of Medicine (NAM) released a special publication evaluating the risks and opportunities of integrating generative AI (GenAI) in the medical field. The report examines the potential of large language models to decrease the overall amount of time required to streamline clinical workflows, reduce administrative burden, assist physicians in making diagnoses, evaluate treatment options for rare diseases, and offer patients more accessible and customized health information. The report urges health providers to ensure the responsible use of GenAI, including concerns regarding data privacy, bias, and algorithmic limitations.
Congressman Kennedy Discusses AI in Health Care. On the RegulatingAI podcast, Representative Mike Kennedy (R-UT), who served as both a family physician and lawyer before running for office, addressed the potential of AI “augmenting what a doctor does” to improve a patient’s experience. Specifically, he discussed the potential for AI to generate a list of patient diagnoses before a doctor even meets with the patient. Representative Kennedy highlighted the possibility for AI to expand access to specialized care by allowing surgeons to “remote in” and perform robotic surgery in rural communities. He cautioned that future federal regulations should prioritize responsible use of AI while not limiting innovation.
MACPAC Discusses AI Automation. During the Medicaid and CHIP Payment and Access Commission (MACPAC) meetings held on April 10 and 11, 2025, panel experts discussed how AI and automation can streamline health providers’ administrative processes and improve patient care. The panel explored the latest advancements in AI technology and stressed the importance of protections for ethical considerations and data privacy.
HHS Hires New Chief AI Officer. In late April 2025, HHS reportedly appointed Peter Bowman-Davis, an undergraduate Yale University student studying physics, as acting Chief AI Officer. Peter previously served as a fellow at Andreessen Horowitz, a venture capital firm whose founders endorsed President Trump during his 2024 campaign.
EU and UK News
Regulatory Updates
European Commission Launches Consultations on the EU Strategy for AI in Science and Apply AI EU Strategy. The consultations seek input to define the priorities of the upcoming strategies, both expected to be adopted by the European Commission in the second half of 2025. The EU Strategy for AI in Science aims to facilitate the use and development of AI technologies in scientific research. Potential measures include modernizing the scientific data ecosystem, facilitating access to AI infrastructure, and ultimately creating an EU AI research council in the future. The Apply AI EU Strategy aims to promote new industrial uses of AI technologies in strategic industrial sectors, while also boosting innovation in EU companies. Potential measures include promoting fast and responsible adoption of AI technologies and facilitating scientists’ access to AI infrastructure. The consultation on the EU Strategy for AI in Science closes on June 5, 2025, while the consultation on the Apply AI EU Strategy closes on June 4, 2025.
The UK Government Announces Plans To Create New Health Data Research Service To Improve Access to NHS Data. This is part of the government’s efforts to boost economic growth and to make Britain best in the world for health research. The new service, expected to be operational in 2026, will act as a single access point for data from the National Health Service (NHS) for use in health research. Since the announcement, the Health Research Authority has emphasized its role in the use of patient information, including that Research Ethics Committees review research proposals to ensure data use is ethical, necessary, and proportionate.
Privacy and Cybersecurity Updates
European Commission Launches a Consultation on the EU Action Plan To Strengthen Cybersecurity in the Health Sector. The consultation seeks input on the action plan published by the European Commission in January 2025, which is aimed at improving detection, preparedness, crisis response, and protection from cyber threats in hospitals and health care providers (see our February 2025 Digest). The input received is intended to help refine the measures proposed in the action plan and ensure their effective implementation in the EU. The consultation closes on June 30, 2025.
Details of the UK Cyber Security and Resilience Bill Published. In July 2024, the government announced its intentions to introduce a Cyber Security and Resilience Bill to address the increased threats of cyber criminals and state actors and the potential effect on public services and infrastructure, such as attacks that have previously taken place affecting NHS hospitals. The government has now published details of the measures to be included in the bill, such as expanding the scope of the entities that will need to comply with the regulatory framework. This includes entities deemed to be “Critical Suppliers.” The policy statement references suppliers of critical goods or services whose disruption could cause a significant adverse effect on the essential or digital service supported. This may not be intended to capture manufacturers of medical devices and medicinal products, however the bill will be closely monitored as it progresses.
Liability Updates
Consumers Call On the European Commission To Prepare New EU AI Liability Rules. The call was made by a coalition of consumer organizations, including the European Consumer Organization known as BEUC, warning that the European Commission’s withdrawal of the AI Liability Directive (see our March 2025 Digest) has left legal gaps regarding compensation for individuals harmed by AI systems. Consumers argue that the new AI liability rules should include a non-fault-based liability compensation system. They insist that this would not impose new obligations on AI operators before placing their AI systems on the market, as the rules would only apply in case of harm. They also argue that new AI liability rules would enhance consumer trust in AI and reduce fragmentation across EU countries.
*The following individuals contributed to this Newsletter:
Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Key Contacts
