Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during June and early July 2025 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Provider Reimbursement Updates
• Privacy and AI Updates
• Policy Updates
• FTC Updates

U.S. Featured Content

Earlier this month, the Centers for Medicare & Medicaid Services (CMS) published the calendar year 2026 Medicare Physician Fee Schedule proposed rule, which includes several key updates to telehealth policy aimed at maintaining and expanding access to telehealth services and digital therapeutics. Among other changes, the agency proposes adding new remote patient monitoring payment codes and expanding Medicare coverage for digital mental health treatment devices to include devices for Attention Deficit Hyperactivity Disorder. CMS also seeks comment on whether the agency should establish payment codes for digital therapeutics that treat or manage the symptoms of chronic diseases. Comments are due by September 12, 2025.

EU and UK News

• Regulatory Updates
• Privacy and Cybersecurity Updates

EU/UK Featured Content

There has been a flurry of new guidance from the Medical Device Coordination Group this month, including guidance on classification of medical device software, on supply of software apps through online platform such as the App Store and Google Play, and on the interaction between the Medical Device Regulation and the EU AI Act. These are welcome guidance documents to provide important clarification for manufacturers as they develop software medical devices, although the guidance documents inevitably cannot cover every situation and leave some questions unanswered. 

U.S. News

Health Care Fraud and Abuse Updates

DOJ Announces Largest Health Care Fraud Takedown in History. On June 30, 2025, the U.S. Department of Justice (DOJ) announced the results of its unprecedented 2025 National Health Care Fraud Takedown (the Takedown), involving 324 defendants and alleged health care fraud schemes resulting in approximately $14.6 billion in intended loss. As a part of the Takedown, 49 individuals were charged in connection with $1.17 billion in allegedly fraudulent Medicare claims related to telemedicine and genetic testing schemes. For example, in Florida, the owner of a telemedicine and durable medical equipment company allegedly used deceptive telemarketing tactics to target Medicare beneficiaries. These tactics were used to submit fraudulent claims to Medicare for durable medical equipment and genetic tests.

Michigan Physician Sentenced for Medicare Fraud Scheme. On June 26, 2025, Sophie Toya, a Michigan physician, was sentenced to four years in prison for her role in a Medicare telemedicine fraud scheme that targeted elderly and disabled patients. Toya allegedly worked with telemedicine companies to solicit Medicare beneficiaries and persuade them to accept orthotic braces they did not need. In exchange for signing orders for more than 7,600 medically unnecessary braces, often for patients she had minimal contact with, Toya received $120,000 from telemedicine companies. As a result of this scheme, approximately $6.3 million in fraudulent claims were billed to Medicare.

Ohio Physician Pleads Guilty to Telemedicine Medicare Fraud Scheme. On July 10, 2025, Mohammed Ahmad, an Ohio physician, pleaded guilty to submitting orders for patients in connection with a durable medical equipment (DME) scheme that led to unnecessary billing to Medicare. Ahmad worked as a contractor for a telemedicine service provider company that purchased “leads” of Medicare beneficiaries to target individuals who were eligible to receive orthotic braces and other DME. Ahmad allegedly signed orders for DME, falsely certifying that the DME was medically necessary, even though he never examined the patients or performed the tests that his orders indicated he had performed. Ahmad’s participation in this scheme caused approximately $267,402 in false claims to be submitted to Medicare.

Corporate Transactions Updates

Abridge, Commure, and Tennr Ride AI-Powered Digital Health Funding Wave. For the first time, artificial intelligence (AI)-powered digital health companies secured the majority (62%) of digital health venture funding in the first half of 2025, totaling $3.95 billion. One such funding round was secured by Abridge, a digital health company that uses generative AI to increase the speed and accuracy of medical note-taking, which raised $300 million in its Series E funding backed by Andreessen Horowitz and Khosla Ventures on June 24, 2025. Other notable recent H1 2025 funding recipients include Commure Inc., a digital health startup that developed AI-powered software for health care organizations, which raised $200 million in growth financing from General Catalyst on June 19, 2025, and Tennr, a health tech startup that developed an AI model to improve the front office patient referral system by automating workflows and documentation intake, which raised $101 million in its Series C funding round backed by investors including Andreessen Horowitz, GV, and Foundation Capital on June 18, 2025.

Samsung to Acquire Seattle-Based Digital Health Company Xealth. On July 8, 2025, Samsung announced it had signed an agreement to acquire digital health company Xealth, a Seattle-based digital health company that helps health care providers connect digitally with patients through remote patient monitoring, digital therapeutics, mobile health apps, and patient education resources. Xealth, which works with a network of over 500 U.S. hospitals and has over 70 digital health solution partners, is the first technology spinout from Providence’s Digital Innovation Group. 

In the press release announcing the deal, Samsung, which already offers a suite of technology devices to monitor health at home, said the two companies hoped to create “synergy between Samsung’s advanced wearable technology and Xealth’s digital health platform.” Financial details of the Xealth acquisition were not disclosed. 

Provider Reimbursement Updates

Physician Fee Schedule Proposed Rule. On July 16, 2025, CMS published the calendar year (CY) 2026 Medicare Physician Fee Schedule (PFS) proposed rule. CMS proposes several updates to payment and coverage policies for telehealth services, remote monitoring services, and digital therapeutics.

Medicare Telehealth Services List. As we discussed in our November 2023 digest, CMS previously adopted a five-step process to make additions, deletions, or changes to the Medicare Telehealth Services List beginning with CY 2025. In the proposed rule, CMS proposes, beginning for the CY 2026 Telehealth List, to simplify its review process by eliminating steps 4 and 5, and retain steps 1 through 3, which focus on whether the service is: (1) separately payable under the PFS; (2) subject to the statutory provision governing the Medicare Telehealth Services List; and (3) capable of being furnished using an interactive telecommunications system. CMS claims the proposal would “simplify and reduce the administrative burden of submission and review of services” and allow patients and physicians to “determine the most appropriate service modality for an individual patient while continuing to ensure patient safety.”

CMS also proposes eliminating the “permanent” and “provisional” designation for telehealth services. Instead, all services listed on or added to the Telehealth Services List would be considered included on a permanent basis — though the agency reserves the right to remove services based on internal reviews or feedback from interested parties. For CY 2026, of the requests CMS received to add services to the Telehealth Services List (see Table 8, Proposed Rule), the agency proposes adding the following: multiple-family group psychotherapy (CPT code 90849), group behavioral counseling for obesity (CPT code G0473), infectious disease add-on services (CPT code G0545), and auditory osseointegrated sound processor services (CPT codes 92622 and 92623).

Frequency Limitations. As noted in our November 2024 digest, for CY 2025, CMS continued to use its enforcement discretion to suspend frequency limitations for how often telehealth may be used with regard to subsequent care services in inpatient and nursing facility settings, as well as for critical care consultation services. CMS now proposes to permanently remove these frequency limitations in those settings for specified codes (see 90 Fed. Reg. 32393).

Direct Supervision. In response to “overwhelming support” for existing flexibilities, CMS proposes to permanently expand the definition of “direct supervision” to include audio-video real-time communications for all services incident to a physician’s professional service described under 42 C.F.R. § 410.26, except for services that have a global surgery indicator of 010 or 090. CMS explains that this exclusion is meant to ensure the ability of the supervising practitioner to intervene if complications arise during complex, higher-risk procedures.

Virtual Presence. CMS previously adopted a temporary policy allowing teaching physicians in all residency training sites to satisfy supervision requirements through their virtual presence, but only “in clinical instances when the service is furnished virtually (for example, a three-way telehealth visit, with all parties in separate locations).” Rationalizing that the prior flexibility is no longer necessary and to better align with its statutory obligations under section 1842(b)(7)(A)(i)(I) of the Social Security Act, CMS now proposes to roll back this policy, requiring that teaching physicians be physically present for services involving residents provided within metropolitan statistical areas.

Remote Monitoring. As part of its valuation of codes for CY 2026, CMS proposes to update and add new codes for remote physiologic monitoring (RPM) and remote therapeutic monitoring (RTM) services (see Tables 18, 19, and 20, Proposed Rule). Among other changes, CMS proposes to add new codes for certain RPM and RTM services with 2-15 days of data transmission within a 30-day period (CPT codes 99XX4, 98XX4, and 98XX5), as well as RPM or RTM management services requiring less than 20 minutes of communication with a patient or caregiver per month (CPT codes 99XX5 and 98XX7). The agency also seeks comments on its valuation of these services.

Digital Therapeutics. As we discussed in our July 2024 digest, CMS previously created three codes (G0552, G0553, and G0554) for purposes of paying practitioners for furnishing digital mental health treatment (DMHT) devices furnished incident to or integral to professional behavioral health services in association with ongoing treatment under a plan of care by the billing practitioner. As a condition of payment, CMS required DMHT devices to be classified under U.S. Food and Drug Administration (FDA) regulations as computerized behavioral therapy devices for psychiatric disorders.

In the CY 2026 proposed rule, CMS proposes to expand its payment policies for these codes to also make payment for DMHT devices classified under FDA regulations as digital therapy devices for Attention Deficit Hyperactivity Disorder. CMS also seeks comment on whether it should establish coding and payment policies for devices classified under FDA regulations that were recommended by interested parties: (1) computerized behavioral therapy devices for treating symptoms of gastrointestinal conditions, (2) digital therapy devices to reduce sleep disturbances for psychiatric conditions, and (3) computerized behavioral therapy devices for the treatment of fibromyalgia symptoms. CMS recognizes that technologies and DMHT therapies are “evolving rapidly” and that its “payment policy, too, will evolve.”

In response to Executive Order 14221, Establishing the President’s Make America Healthy Again Commission, which directs agencies to “ensure the availability of expanded treatment options and the flexibility for health insurance coverage to provide benefits that support beneficial lifestyle changes and disease prevention,” CMS also seeks comment on whether the agency should consider creating separate coding and payment for FDA-cleared digital therapeutics that treat or manage the symptoms of chronic diseases.

Software as a Service. In the CY 2026 proposed rule, CMS continues to acknowledge the challenges of adopting payment policy for Software as a Service (SaaS) under the PFS and in particular, the Practice Expense methodology, which does not account adequately for software algorithms and AI. Accordingly, CMS solicits comments on how it should consider paying for SaaS under the PFS and poses specific questions and issues to interested parties in its attempt to obtain meaningful feedback. Notably, CMS also included a similar solicitation regarding SaaS devices in the CY 2026 Hospital Outpatient Prospective Payment System proposed rule.

Privacy and AI Updates

FDA Issues Final Guidance on Medical Device Cybersecurity. In late June, the FDA released the final version of its guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” (the Guidance). The Guidance is intended, among other things, to help manufacturers of “cyber devices” satisfy requirements for demonstrating that such devices meet the cybersecurity requirements of Section 534B(b) of the Food, Drug and Cosmetics Act (titled “Ensuring Cybersecurity of Devices”), which was added to the statute in 2022. A “cyber device” in this context is a device that “(1) includes software validated, installed, or authorized by the sponsor as a device or in a device; (2) has the ability to connect to the internet; and (3) contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to cybersecurity threats.”
Although it has a specific focus, the Guidance sets forth recommendations that are generally applicable to digital health technologies in contexts other than premarket submissions. Among the core recommendations in the Guidance for cyber device premarket submissions is that they:

• Include information that describes how the above security objectives are addressed by and integrated into the device design. This recommendation echoes the longstanding data protection principle of “privacy by design.”
• Document how device users will have access to information pertaining to the device’s cybersecurity controls, potential risks to the medical device system, and other relevant information. This recommendation underscores the importance of transparency for device users.
• Document how design controls used during the development of the device as a way to demonstrate reasonable assurance of safety and effectiveness. For example, for a simple, non-connected thermometer, there may need to be documentation of only a limited security architecture (i.e., addressing only device hardware and software) and few security controls, but if the thermometer were used in a safety-critical control loop, or connected to networks or other devices, then more substantial cybersecurity risk controls would be needed.

The Guidance provides substantial detail on recommended approaches to security risk management, including threat modeling and conducting cybersecurity assessments, and includes detailed appendices, including specific recommendations for security controls and their implementation.

Policy Updates

Leadership Transitions at FDA’s Center for Drug Evaluation and Research (CDER). CDER is reportedly undergoing significant leadership changes with the resignation of its top AI official, Tala Fakhouri, and the upcoming retirement of Acting Director Jacqueline Corrigan-Curay. Fakhouri, who co-chaired the FDA’s Artificial Intelligence Council, significantly impacted the agency’s draft guidance on AI in drug development. Anindita “Annie” Saha will reportedly take over Fakhouri’s work on AI, while also retaining her role as Associate Director for Strategic Initiatives in the agency’s Digital Health Center of Excellence. Saha has been with FDA for 20 years, having worked on AI action plans and guidance. On July 21, Dr. George Tidmarsh was announced as the new CDER Director.

HHS Promises Campaign Promoting Wearable Health Tech. During a June 24, 2025 House Energy & Commerce Health Subcommittee hearing, U.S. Department of Health and Human Services (HHS) Secretary Robert F. Kennedy Jr. announced a forthcoming campaign encouraging Americans to use wearable health devices, such as continuous glucose monitors (CGMs), to improve health management and promote cost-savings. The campaign aligns with the Trump administration’s broader digital health strategy but has drawn scrutiny due to Secretary Kennedy’s proposal for a national health data registry. Rep. Diana Harshbarger (R-TN) praised CGM technology, but raised concerns about data privacy, while Rep. Jake Auchincloss (D-MA) questioned the influence of HHS Advisor Calley Means and whether his company, Truemed, could profit from HHS’ new campaign.

Congress Examines Digital Health Tools. On June 25, 2025, the House Ways & Means Health Subcommittee held a hearing titled “Health at Your Fingertips: Harnessing the Power of Digital Health Data.” The discussion focused on the health care industry’s expanding role of AI, remote patient monitoring, and prescription digital therapeutics. Some lawmakers, like Reps. Kevin Hern (R-OK) and David Schweikert (R-AZ), raised concerns about how Medicare reimbursement cuts could threaten the sustainability of digital health technologies and urged CMS to support the infrastructure and data resources needed to scale them. Rep. Hern urged Congress to pass the Access to Prescription Digital Therapeutics Act (H.R. 3288), which would require Medicare reimbursement for certain FDA-approved digital treatments.

Congress Passes Megabill With Telehealth Expansion. The Senate-passed version of the One Big Beautiful Bill Act (H.R. 1; OBBBA) included a provision that permanently authorizes high-deductible health plans to cover telehealth visits before an individual reaches their deductible. H.R. 1 ultimately passed the House with this provision included and was signed by President Trump on July 4, 2025.

FTC Updates

FTC Charges Telehealth Provider NextMed With Deceptive and Unfair Practices in GLP-1 Weight Loss Program Scheme. On July 9, 2025, the U.S. Federal Trade Commission (FTC) filed a complaint and accepted a proposed consent order against Southern Health Solutions, Inc., doing business as NextMed, and its executives Robert S. Epstein and Frank Pat Leonardo III, for deceptive and unfair practices in marketing GLP-1 weight-loss programs. The FTC alleged that the company misled consumers about the cost and contents of its programs, used fake testimonials and manipulated reviews, and enrolled customers in undisclosed one-year contracts with hidden fees. Under the consent order, the respondents are prohibited from misrepresenting costs, typical results, or endorsements; must obtain express informed consent before charging consumers; and must clearly disclose all material terms, including cancellation and refund policies. The order also bans the manipulation of consumer reviews and requires clear disclosure of any material connections in endorsements. NextMed must pay $150,000 in monetary relief, notify current customers of their right to cancel, and maintain compliance records and reporting for up to 20 years.

EU and UK News

Regulatory Updates

Revised EU Guidance on Qualification and Classification of Software. This revised guidance introduces a series of clarifications and expansions that impact how software is qualified and classified as a medical device under the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). While the core principles remain unchanged, the revised guidance provides more detailed examples, specifically includes software using AI, and addresses modular software and interoperability with electronic health records under the European Health Data Space. You can read more in our July 2025 BioSlice Blog.

Guidance on Placing Software Medical Devices on the EU Market. This guidance provides important clarifications on how Medical Device Software (MDSW) apps should be made available via online platforms such as the App Store and Google Play, and on the role of these online platforms. In essence, the guidance clarifies that digital distribution does not reduce regulatory obligations, and MDSW is subject to the same level of regulatory scrutiny and compliance as traditional, physical devices. You can read more in our June 2025 BioSlice Blog.

FAQ on the Interplay Between the EU MDR and the Artificial Intelligence Act. The EU Medical Devices Coordination Group and the AI Board have jointly published an FAQ document on the interplay of the EU Artificial Intelligence Act (AI Act) with the EU MDR and IVDR. The document provides guidance on how manufacturers/providers of AI medical devices and IVDs that are also high-risk AI systems under the AI Act can comply with the overlapping requirements of the two regulatory frameworks, including in relation to conformity assessment, post-market surveillance, oversight, and data governance. Importantly, the document helps clarify how manufacturers can lawfully conduct clinical investigations and performance studies of non-CE-marked AI devices in compliance with the AI Act.

European Association of Medical Devices Notified Bodies Updates Position Paper on Software Qualification Under the IVDR. The position paper clarifies notified bodies’ expectations for software used with in vitro diagnostics (IVDs) and helps manufacturers determine when software must be submitted for conformity assessment. The position paper outlines three “decision steps” to assess if software is covered by the IVDR: (1) if the software drives an IVD or is an integral part of an IVD; (2) if the software is an IVD in its own right; (3) if the software is an accessory for an IVD. Software not meeting these criteria is not covered by the IVDR.

Second Round of Applications for the UK MHRA AI Airlock Program. As previously reported in the June 2024 digest and our May 2024 BioSlice Blog, the AI Airlock aims to identify the regulatory challenges posed by AI medical devices (AIaMD). Following the conclusion of the pilot phase that tested four AIaMDs in the sandbox environment, the second round will consider applications for AIaMDs that (1) have potential for significant benefits for patients and the NHS; (2) have a new treatment approach; and (3) have a regulatory challenge that is ready to be tested.

UK MHRA Becomes First Member of Global Network of AI Health Regulators. The new network, known as the HealthAI Global Regulatory Network, has the aim of promoting safe and effective use of AI in health care. This will include sharing early safety warnings and gives the MHRA the platform to work with regulators worldwide to shape international standards of AI in health care. Singapore has also signed an agreement to be a part of the network.

Privacy and Cybersecurity Updates

The UK Data (Use and Access) Act 2025 (DUAA) Receives Royal Assent. The DUAA amends the UK GDPR and the Data Protection Act 2018. Some of the key changes in the DUAA include broadening consent in the context of scientific research to cover situations where the complete research objectives cannot be detailed at the point when consent is obtained, provided that all ethical standards are adhered to and that partial consent can be obtained. The new act has also expanded the scenarios in which further processing is compatible with the purpose limitation principle, including with respect to scientific research. Most provisions are expected to come into force within six months, while others will likely take up to one year to be implemented. Given that the DUAA creates further divergence between the UK and EU data protection regimes, it is important to note that the European Commission may make a new adequacy finding after December 27, 2025. However, it seems likely that a positive adequacy finding will be maintained. You can read more in our July 2025 Advisory.

*The following individuals contributed to this Newsletter:

Amanda Cassidy is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Amanda is not admitted to the practice of law.
Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Caroline Oliver is employed as a policy specialist at Arnold & Porter’s Washington, D.C. office. Caroline is not admitted to the practice of law.
Eleanor Brittain is employed as a trainee solicitor at Arnold & Porter’s London office. Eleanor is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.