Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during May and early June 2025 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Privacy and AI Updates
• Policy Updates

U.S. Featured Content

Several U.S. agencies have taken steps to promote the development and use of AI this month. On June 3, 2025, NIH released a Request for Information inviting public comment on the agency’s development of an AI Strategic Plan that will promote the progression of AI tools from analytics to “fully autonomous, self-documenting biomedical AI beings,” with comments accepted through July 15, 2025. Additionally, on June 2, 2025, FDA launched an agency-wide generative AI tool called “Elsa” that will support FDA staff by summarizing adverse events, accelerating clinical protocol reviews, and generating code for nonclinical applications.

EU and UK News

• Regulatory Updates
• Privacy and Cybersecurity Updates
• IP Updates

EU/UK Featured Content

There has been a lot of focus on AI this month. The European Commission has launched a consultation on high-risk AI systems, which includes medical devices and is therefore highly relevant for digital health companies. The European Medicines Agency has published a workplan on data and AI use, which sets out how the European Medicines Regulatory Network plans to leverage large volumes of regulatory and health data to support regulatory decision-making for better medicines. There has also been international guidance published on the use of AI in pharmacovigilance. However, there has also been controversy as the UK Data Use and Access Bill continues through the parliamentary process, as there is disagreement on its treatment of copyright-protected material in the development of AI systems. As uses of AI continue and authorities seek to put in place relevant legislation and guidance to match the speed of development, expect this focus to continue.

U.S. News

Health Care Fraud and Abuse Updates

New Jersey Federal Judge Dismissed Telemedicine Licensing Suit. On May 13, 2025, the U.S. District Court for the District of New Jersey dismissed MacDonald v. Sabando, a challenge to New Jersey’s telehealth licensing law requiring telehealth providers to be licensed in-state. The plaintiffs argued that the law violated the Privileges and Immunities Clause, the First Amendment, and the Commerce Clause by burdening out-of-state specialists with national practices, citing the cost and administrative challenges of maintaining multiple state licenses. The plaintiffs also claimed the law unconstitutionally restricted patient access to specialists. In dismissing the suit, the court held that since the law treats in-state and out-of-state providers equally, the plaintiffs’ arguments raise policy questions rather than constitutional questions.

Louisiana Doctor Pleaded Guilty to Conspiracy to Commit Health Care Fraud. On May 27, 2025, Robert Tassin pleaded guilty to conspiracy to commit health care fraud for his role in a scheme to bill Medicare for medically unnecessary cancer genetic tests. According to court documents, between February and September 2019, Tassin worked for several telemedicine companies to sign orders for cancer genetic tests for Medicare beneficiaries whom he never saw, spoke to, or treated. Medicare reimbursed over $2 million for these fraudulent orders. Tassin allegedly concealed the scheme by making false statements to support the orders he submitted, including falsely certifying in medical records that the tests were medically necessary. Under the terms of his plea agreement, Tassin agreed to forfeit the $106,757 that he received from the telehealth companies and to pay restitution of over $2 million to Medicare.

Missouri Man Pleaded Guilty to Health Care Fraud. On May 29, 2025, Jamie McNamara, who operated several laboratories in Louisiana and Texas, pleaded guilty to orchestrating a scheme to defraud Medicare by billing for medically unnecessary cancer genetic testing and cardiovascular genetic testing. McNamara allegedly obtained genetic testing orders signed by telemedicine doctors who did not treat, consult with, or follow up with Medicare beneficiaries. McNamara allegedly obtained the orders by paying kickbacks and bribes, which he disguised as “sham” contracts. To conceal the fraud, McNamara shifted billing between his laboratories and concealed his ownership by falsely listing the names of his family members as owners. Over the course of a year and a half, McNamara’s scheme led to the submission of $174 million in claims to Medicare, of which $55 million were reimbursed.

Health Care Software Company CEO Convicted for His Role in a $1 Billion Fraud Conspiracy. On June 3, 2025, a federal jury convicted Gary Cox, Chief Executive Officer of Power Mobility Doctor Rx, LLC (DMERx), for his role in a scheme to defraud Medicare and other federal health care programs. According to court documents, Cox and his co-conspirators operated DMERx, an internet-based platform that generated orders for medically unnecessary orthotic braces, pain creams, and other items. As part of the scheme, Cox allegedly connected pharmacies, durable medical equipment suppliers, and marketers with telemedicine companies that would accept kickbacks in exchange for signed doctors’ orders using the DMERx platform. These telehealth companies paid doctors to sign the orders with little or no patient contact and without regard for medical necessity, leading to over $1 billion in claims billed to Medicare and other insurers.

Corporate Transactions Updates

Omada Health and Hinge Health IPOs: Has Investors’ Appetite for the Digital Health IPO Market Returned? On May 22, 2025, Hinge Health, an artificial intelligence (AI)-powered digital health platform for physical therapy and rehabilitation services, went public on the New York Stock Exchange under the ticker symbol “HNGE,” debuting at $32 per share — the top of its price range — and rising 22% shortly thereafter, indicating the IPO was well-received by investors. Daniel Perez, co-founder and CEO of Hinge Health, noted the company’s excitement in opening the IPO markets after years of limited IPO activity in the digital health sector. Hinge Health raised $437 million in its IPO and sold 8.5 million shares, with 5.1 million shares sold by existing shareholders, totaling 13.7 million.

On June 6, 2025, just weeks after Hinge Health’s IPO, Omada Health, a virtual-care company specializing in managing chronic conditions like diabetes and hypertension, went public on the Nasdaq under the ticker symbol “OMDA.” Omada Health closed its first day of trading at $23 a share, a 21% increase over its IPO price of $19. Omada Health raised $150 million in its IPO by selling 7.9 million shares of its common stock. President Wei-Li Shao indicated it was the perfect time for an IPO because GLP-1 drugs such as Ozempic, Wegovy, and Mounjaro have renewed interest in weight-related chronic illnesses.

After three years of a bleak IPO market in the digital health sector, the two nearly back-to-back, largely successful IPOs follow a broader resurgence in IPO activity and indicate increased investor confidence in the digital health market. Hinge Health and Omada Health, which were both founded over 10 years ago, may inspire other digital health companies that have delayed their IPOs to finally go public.

Privacy and AI Updates

National Institutes of Health Requests Public Input on AI Strategic Plan. On June 3, 2025, the National Institutes of Health (NIH) released a request for information (RFI) inviting public comment on the AI strategic plan that NIH is currently developing. As stated in the RFI, NIH envisions a plan for progression from (1) current data-science-driven analytics through (2) semi-autonomous AI agents to (3) “fully autonomous, self-documenting biomedical AI beings.” To help shape this strategic plan, NIH is requesting input from the public on a range of topics, including:

• Potential actions and milestones for transitioning from analytics to “AI beings capable of hypothesis generation, reproducibility studies, and continuous learning”
• Best-practice frameworks, testbeds, and regulatory-science collaborations (e.g., with the U.S. Food and Drug Administration (FDA)) to evaluate the safety, efficacy, and equity of clinical AI tools
• Preferred modalities for NIH to collaborate with other federal agencies, state and local partners, international bodies, patient organizations, industry, and/or philanthropic entities
• Governance approaches to balance open science, privacy, national security and competitiveness, and intellectual property considerations

The RFI solicits comments on these as well as any other relevant topic through July 15, 2025.

Class Actions Under Washington State’s “My Health My Data” Act Focus on Digital Tools and Data Security. The first wave of class actions alleging violations of Washington state’s “My Health My Data” Act (MHMDA) underscores that digital health tools are potential targets for complaints under the statute. In the first class action complaint filed in federal court, the plaintiffs claim that Amazon.com, Inc. and Amazon Advertising, LLC (Amazon) violated the MHMDA by tracking and using their sensitive location data without their consent. According to the complaint, because some of this location data “provides insights into the diverse and intimate aspects of an individual’s health, such as ‘visiting a cancer clinic,’” it may not be collected, used, or shared without consent. Yet thousands of developers have integrated the Amazon ads software development kit (SDK) into their mobile apps, such that when a user of an app shares their location, the Amazon ads’ SDK can automatically access that location data to “exfiltrate and monetize.” The other class actions allege MHMDA violations by behavioral health care providers (among others) who allegedly failed to employ “administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standard of care” principles established by relevant industry groups, the U.S. Federal Trade Commission, and the U.S. Department of Health and Human Services. Deployers of digital health tools are particularly vulnerable to MHMDA claims given the statute’s unusually strict requirements for consent to collect, use, and share consumer health data and the breadth of the definition of “consumer health data.”

Policy Updates

NIH Director Testifies on Agency’s AI Goals. On June 10, 2025, the Senate Appropriations Committee’s Subcommittee on Labor, Health and Human Services, Education, and Related Agencies held a hearing on the Fiscal Year 2026 NIH budget with NIH Director Dr. Jayanta “Jay” Bhattacharya. In his opening statement, Dr. Bhattacharya discussed how NIH’s budget request promotes the integration of AI and other emerging technologies for use in critical research. In NIH’s accompanying Congressional Justification, NIH plans to advance the safe and responsible use of AI in biomedical research by: (1) supporting development of AI algorithms for research; (2) contributing to AI-ready data and infrastructure across the U.S., including computing and datasets that accelerate discovery of patient-specific treatments; and (3) encouraging multi-disciplinary partnerships that drive transparency, privacy, and equitable health.

House Appropriations Urges FDA To Create AI Expert Panel. On June 10, 2025, the House Appropriations Committee released its Fiscal Year 2026 Agriculture, Rural Development, Food and Drug Administration, and Related Agencies appropriations report. The report supports the FDA Commissioner creating a dedicated team of experts in AI-enabled drug development and requests a Congressional briefing summarizing FDA’s progress no later than 180 days after enactment.

FDA Rolls Out AI Tool To Assist Agency Review Process. On June 2, 2025, FDA launched an agency-wide generative AI tool called “Elsa,” a large language model built within the GovCloud platform of Amazon Web Services to support FDA staff by summarizing adverse events, accelerating clinical protocol reviews, and generating code for nonclinical applications. According to FDA Chief AI Officer Jeremy Walsh, Elsa will “grow with the needs of employees and the agency,” as FDA plans to expand Elsa’s capabilities and integrate additional AI tools in the future.

NAM Releases AI Code of Conduct for Health Care Industry. On May 28, 2025, the National Academy of Medicine (NAM) released a report titled, “An Artificial Intelligence Code of Conduct for Health and Medicine: Essential Guidance for Aligned Action AI Code of Conduct.” The report provides a framework to guide the ethical, equitable, and effective use of AI in health and medicine across six core “Code Commitments”: (1) advancing human health, (2) ensuring equity, (3) engaging impacted individuals, (4) supporting workforce well-being, (5) monitoring performance, and (6) fostering innovation. As AI tools rapidly evolve across the health sector, NAM hopes that the Code Commitments serve as a guide to ensure AI technologies are directed toward improving health outcomes.

EU and UK News

Regulatory Updates

European Commission Launches Public Consultation on High-Risk AI Systems. The consultation will collect practical examples and seek to clarify issues relating to high-risk AI systems, which includes medical devices. This feedback will be taken into account in the upcoming European Commission guidelines, which will focus on classifying high-risk AI systems, as well as requirements and obligations for high-risk AI systems for those in the supply chain. There is also a question on the need for amendment of the list of high-risk use cases. The consultation will be open until July 18, 2025. 

European Medicines Agency and Heads of Medicines Agencies Publish 2025-2028 Workplan on Data and AI Use. The workplan was developed for the EU Network Data Steering Group, an advisory group tasked with maximizing data interoperability, access to data, and the use of AI within the European Medicines Regulatory Network (i.e., the EU national competent authorities, the European Medicines Agency, and the European Commission). The workplan outlines targeted actions across six areas, including:

1. Strategy and governance (e.g., developing a new data strategy)
2. Data analytics (e.g., launching a pilot on clinical study data)
3. AI (e.g., developing a framework for AI tool sharing and collaboration)
4. Data interoperability (e.g., developing a data catalog for critical data assets)
5. Stakeholder engagement and change management (e.g., developing a data change management)
6. Guidance and international initiatives (e.g., developing a guidance on AI use in medicinal products)

Draft Guidance Published on Best Practices for Using AI in Pharmacovigilance. The Council for International Organizations of Medical Sciences, which represents the international biomedical scientific community, has published draft guidance setting out six guiding principles that should be considered by pharmacovigilance (PV) departments or organizations developing AI solutions for pharmacovigilance. The six principles are: (1) a risk-based approach, (2) human oversight, (3) validity and robustness, (4) transparency, (5) data privacy, and (6) governance and accountability. The report proposes best practices for integrating and implementing AI within PV to ensure AI is used ethically and reliably. Feedback on the draft guidance is open until June 6, 2025.

Privacy and Cybersecurity Updates

European Commission Proposes Simplified EU General Data Protection (GDPR) Obligation for Small- and Medium-Sized Companies (SMEs) and Small Mid-Cap Companies (SMCs). The proposal uses the existing EU definition of SMEs (i.e., companies with fewer than 250 employees and either an annual turnover of under €50 million or a total balance sheet below €43 million), and defines SMCs as organizations that do not meet the SME definition but have a size threshold about three times that of SMEs. The proposal limits the GDPR obligation for data controllers and processors to maintain records of processing activities (ROPA) for SMEs and SMCs to cases where processing is likely to pose a high risk to individuals. However, processing special categories of data, such as health data, may involve a high risk, so life sciences SMEs and SMCs may not be exempt from the ROPA obligation. The proposal now needs to be adopted by the European Parliament and the Council of the European Union, which may further amend the GDPR. You can read more in our May 2025 BioSlice Blog.

UK Government Publishes Code of Practice for Software Vendors (Code). In our April 2025 digest, we reported that the UK government published its response to its call for views on the Code, which was published in its final form on May 7, 2025. The Code, although voluntary, outlines the government’s expectations for the security and resilience of organizations’ software through 14 principles across four themes, including secure design and development, secure deployment and maintenance, and communication with customers. The principles are seen as fundamental and achievable for organizations of any size across different sectors. The Code aims to support both vendors and users by establishing a minimum level of software security and resilience across the market, with the aim of reducing the occurrence of supply chain attacks and other issues.

IP Updates

UK Courts Provide Guidance on Lawful Reverse Engineering or Contractual Breach. On March 10, 2025, the High Court handed down the judgment in IBM United Kingdom Ltd v LzLabs GmbH and others [2025] EWHC 532 (TCC) which included a claim for the breach of a software licensing agreement between IBM and a subsidiary of LzLabs and another claim for conspiracy to develop software via reverse engineering of the licensed software.

In reaching its decision in favor of IBM, the court:

• Set out how reverse engineering restrictions in licensing agreements should be construed to be compatible with UK copyright laws and are, therefore, enforceable
• Considered the meaning and scope of the contractually agreed restrictions on reverse engineering in light of the defendants’ conduct
• Delineated the narrow scope of the statutory exceptions to reverse engineering for the purposes of achieving interoperability, and observing, studying, and testing computer programs with a view to determining the ideas and elements that underpin them

The court’s analysis in this case provides important guidance points on lawful reverse engineering and other key takeaways for developers of proprietary software as a medical device, manufacturers of connected medical devices, and licensees of software with medical applications more generally.

The UK’s Data Use and Access Bill Sparks AI Copyright Controversy. UK information law reform is nearing the final stages of the parliamentary process through the Data (Use and Access) Bill (DUA Bill) which, among other things, aims to facilitate lawful data sharing across industry sectors, with the aim of supporting innovation. See our May 2025 Advisory for information regarding the likely impact on UK data protection compliance for businesses.

Most recently, the House of Lords has raised concerns on the DUA Bill’s treatment of copyright protected material in the development of AI systems and the failure to require AI developers to seek consent or disclose information regarding the text and data used in pre-training, training, and fine-tuning AI models that are protected by copyright. The UK government argues that such additional restrictions on the DUA Bill could stifle AI development and harm the UK’s competitive standing in global technology. As the bill progresses toward Royal Assent, the tension between enabling AI innovation and protecting intellectual property remains unresolved. Digital health organizations developing or deploying AI systems should monitor developments to ensure appropriate compliance.

*The following individuals contributed to this Newsletter:

Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Eleanor Brittain is employed as a trainee solicitor at Arnold & Porter’s London office. Eleanor is not admitted to the practice of law.
George Zografos is employed as a trainee solicitor at Arnold & Porter’s London office. George is not admitted to the practice of law.
Zainab Olowu is is employed as a paralegal at Arnold & Porter’s London office. Zainab is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.