Virtual and Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during July and early August 2025 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• Health Care Fraud and Abuse Updates
• Corporate Transactions Updates
• Privacy and AI Updates
• Policy Updates

U.S. Featured Content

On July 30, 2025, the White House and CMS held a “Make Health Tech Great Again” meeting with more than 60 technology companies, including Amazon, Anthropic, Apple, Google, and OpenAI, at which the companies agreed to support the voluntary data exchange initiative underlying CMS’ interoperability framework. CMS also announced updates to several health IT initiatives, including the development of a national provider directory and an enhanced Plan Finder for Medicare beneficiaries.

EU and UK News

• Regulatory Updates
• IP Updates
• Product Liability Updates

EU/UK Featured Content

The UK government has published a number of initiatives and responses to consultations this month that have included important proposals for devices and digital health. The 10 Year Health Plan and Life Sciences Sector Plan both refer to integration of digital health into the National Health Service. Further, the Medicines and Healthcare products Regulatory Agency’s statement on the future regulation of devices makes some key changes relevant to software, including that the proposed international reliance pathways will include software. There has also been some useful guidance on synthetic data, and on reporting adverse events for software devices. These initiatives continue to demonstrate that digital technologies are seen as a growth area and are important for delivering the government’s long-term healthcare plans. 

U.S. News

Health Care Fraud and Abuse Updates

Senate Report on Direct-To-Consumer Telehealth Platforms. On July 17, 2025, Senators Dick Durbin, Bernie Sanders, Elizabeth Warren, and Peter Welch released an investigative report that documents the findings of the senators’ investigation into direct-to-consumer telehealth arrangements. The investigation scrutinized whether arrangements involving two pharmaceutical manufacturers and several telehealth companies violate the federal Anti-Kickback Statute and impact patient safety, provider independence, and data-sharing practices. The report does not identify any specific legislative or enforcement steps that they intend to pursue.

The Senate report identifies four areas of concern:

1. Challenges to the Independence of Medical Judgment: Patients’ ability to express interest in a specific branded drug during the intake process may undercut a telehealth provider’s independent clinical judgment.
2. Issues Related to Care Quality and Continuity: Brief and cursory appointments by telehealth providers may impair the quality of comprehensive patient evaluations and continuity of care.
3. Financial Arrangements and Prescriber Incentives: The nature of separate financial arrangements with the pharmaceutical manufacturers and individual telehealth health care professionals that include speaker fees, free meals, and samples may increase prescribing of the manufacturer’s products.
4. Patient and Provider Data Sharing: Data sharing arrangements that include the transmission of “extensive patient information.”

Louisiana Nurse Practitioner Convicted for Telehealth Medicare Fraud Scheme. On July 24, 2025, a jury convicted Louisiana nurse practitioner Scharmaine Lawson Baker of six counts of health care fraud. From 2018 to 2019, Lawson Baker worked as an independent contractor for a telehealth services company and held herself out as an expert in Medicare regulations. In this role, Baker allegedly signed hundreds of orders for unnecessary cancer genetic tests, only after brief phone calls with patients and without conducting any physical exams. During this scheme, Baker falsely diagnosed patients to justify the unnecessary tests, including diagnosing one male patient with cervical cancer. Baker also participated in phone calls that misled patients into believing they were being screened for cancer at no cost. In exchange for her participation, Baker accepted kickbacks and bribes from the telehealth company. Baker’s participation in the scheme caused over $12.1 million in fraudulent Medicare claims, and she faces a maximum penalty of 10 years in prison for each count.

Corporate Transactions Updates

Positive Development Secures $51.5 Million To Grow DRBI Autism Therapy Model. On August 6, 2025, Positive Development, a Virginia-based digital health company that provides developmental therapy for children with autism, secured $51.5 million in Series C funding to expand its care model, Developmental Relationship-Based Interventions (DRBI). The funding round was led by new investor aMoon and existing investors B Capital and Flare Capital Partners, with continued participation from Digitalis Ventures, Healthworx, and other investors.

DBRI, a specialized type of therapy focusing on building relationships and supporting natural development, is provided by Positive Development to autistic children at their homes. DBRI is advertised to be over 50% lower cost than traditional Applied Behavior Analysis (ABA) therapy typically used for children with autism. Also like ABA, DBRI is covered by alternative payment models and a number of major insurers and state Medicaid programs. Positive Development plans to utilize the funding to expand its presence in new and existing geographic markets and strengthen partnerships with health plans and Medicaid.

Trinity Capital Provides $20 Million in Growth Capital to B.well Connected Health to Expand Its FHIR-Based Digital Health Platform. On July 30, 2025, Trinity Capital Inc. (Nasdaq: TRIN) announced it committed $20 million in growth capital to b.well Connected Health, a digital health company founded to solve health care’s fragmentation problem. B.well Connect Health provides a Fast Healthcare Interoperability Resources (FHIR)-based digital health platform that leverages artificial intelligence (AI) to unify health care data, solutions, and services in a single platform for health care organizations. The funding is intended to support b.well’s operational scaling and market expansion efforts.

Privacy and AI Updates

HHS Announces Data-Sharing Initiatives. On July 30, 2025, the U.S. Department of Health and Human Services (HHS) announced a new “Living Open Data Plan” and the availability of a revised HealthData.gov website. As described by HHS, the Living Open Data Plan is designed to, among other things, give researchers, entrepreneurs, and policymakers access to datasets that can help advance scientific, technological, and public health developments, including by making real-world data available for evidence-based research and policy decision-making; fostering public-private partnerships across sectors; and encouraging interested parties to “collaboratively ‘co-create’” by providing input and feedback to HHS. Input and feedback can be provided through the new HHS GitHub website.

As noted below, on the same day, the White House and Centers for Medicare & Medicaid Services (CMS) held a “Make Health Tech Great Again” meeting with more than 60 technology companies, including Amazon, Anthropic, Apple, Google, and OpenAI, at which the companies agreed to support the voluntary data exchange initiative underlying CMS’ Health Technology Ecosystem. CMS also stated that it is developing a Fast Healthcare Interoperability Resources-based application programming interface that enables apps to find “provider networks, participants, and relevant endpoints” while also enhancing data quality and “mapping complex provider hierarchies.” While these initiatives could enhance health care by integrating mobile health applications and electronic health records, they also present new privacy and security risks.

California Privacy Protection Agency Approves New CCPA Regulations. On July 24, 2025, the California Privacy Protection Agency (CPPA) approved new regulations implementing the California Consumer Privacy Act’s provisions regarding the use of personal information in certain types of AI; specifically automated decision-making technologies, which include “any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making.” The new rules also include requirements for risk assessments, cyber audits, and insurance, and updates to certain of the existing CCPA regulations. The regulations will become effective on a date determined by the California Office of Administrative Law, although the risk assessment requirements will become effective no later than December 31, 2027.

Policy Updates

Senate Considers Cybersecurity and HIPAA Updates. On July 9, 2025, the Senate Committee on Health, Education, Labor, and Pensions held a hearing titled “Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy.” Committee Chairman Bill Cassidy (R-LA) highlighted the promise of technology, such as AI, to transform patient care. He expressed interest in opportunities to modernize the Health Insurance Portability and Accountability Act (HIPAA) as the health care landscape continues to evolve with AI and wearable devices.

Congresswoman Chu Announces Legislation to Crack Down on AI in Medicare Advantage (MA) Plans. On July 22, 2025, the House Ways & Means Health and Oversight Subcommittees held a joint hearing titled, “Medicare Advantage: Past Lessons, Present Insights, Future Opportunities.” Rep. Judy Chu (D-CA) raised concerns about AI tools denying prior authorization requests for chemotherapy, rehabilitation, and post-acute care. Rep. Chu announced plans to introduce the Medicare Artificial Intelligence Transparency and Accountability Act of 2025, which she said would require transparency in how MA plans utilize AI; ensure AI systems comply with traditional Medicare coverage standards; mandate physician review before any adverse determinations are issued; and require CMS to audit AI algorithms and evaluate the impact on patient access.

White House Launches Digital Health Interoperability Pledge. On July 30, 2025, the White House reportedly unveiled a voluntary industry pledge to improve digital health data sharing and access to AI technologies. Backed by the Trump administration, the initiative encourages industry alignment with CMS’ interoperability framework. Over 60 organizations, including Amazon, Apple, Microsoft, and OpenAI, committed to ensuring real-time data access, eliminating manual check-ins, and supporting personalized care tools. CMS also announced updates to several health information technology initiatives, including launching a national provider directory and enhancing Blue Button 2.0, which allows patients to share medical data with third-party applications and research programs.

AI in Senate L-HHS Appropriations Report. On July 31, 2025, the Senate Appropriations Committee advanced its Fiscal Year (FY) 2026 Department of Defense appropriations bill and its FY26 Labor-HHS-Education (L-HHS) appropriations bill. The accompanying L-HHS appropriations report includes several AI provisions, including:

• Language encouraging the research of AI for various medical treatments, including cancer treatment and bacteriophage therapy
• $135 million for the Office of Data Science Strategy to build the National Institute of Health’s (NIH) capacity to leverage AI to “accelerate” innovation
• Language in support of the NIH’s use of emerging technologies, including AI

EU and UK News

Regulatory Updates

European Commission Launches Public Consultation on Proposed AI Updates to GMP Guidelines. On July, 7 2025, the European Commission published a consultation on proposed updates to the EU Good Manufacturing Practice (GMP) guidelines to reflect the implementation of AI systems in pharmaceutical manufacturing. In particular, a new Annex 22 specific to AI has been introduced that sets out the type of AI models that are allowed in critical and non-critical GMP applications and imposes obligations for companies in relation to how AI systems are validated and monitored. For further details on the amendments, read our July 2025 BioSlice Blog. The consultation ends on October 7, 2025.

Notified Body White Paper on Implications of EU AI Act for AI-Driven Medical Devices. As set out in our July 2025 Digest, the EU Medical Devices Coordination Group and the AI Board have published a FAQ document on the interplay of the EU AI Act with the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). Now, the Notified Body TÜV SÜD has published a paper on the regulatory overlap and misalignment between the EU AI Act and the MDR/IVDR in relation to risk classification, transparency, medical device software, and conformity assessments. Medical device manufacturers are encouraged to: (1) engage notified bodies experienced in both the EU AI Act and MDR; (2) implement a robust AI risk management system and GDPR-aligned data governance practices; (3) start voluntary compliance with the EU AI Act ahead of the August 2027 enforcement date; and (4) track national regulatory sandboxes for innovative AI systems.

European Medicines Agency (EMA) Publishes First AI Observatory Report on AI Use in Medicines. The report outlines AI applications in medicine development and regulation across the EU in 2024. Alongside this, the EMA published a horizon scanning report on AI/machine learning applications, highlighting AI and machine learning opportunities and challenges throughout the medicines lifecycle. The report notes that most AI use cases in 2024 focused on pre-authorization stages, although it notes that potential AI uses include predicting long-term clinical outcomes, screening social media to detect adverse events, or assessing endpoints from digital health technologies.

UK Government’s 10 Year Health Plan and Life Sciences Sector Plan Support Integration of Digital Health Into the NHS. Under the “analogue to digital” aim of the 10 Year Health Plan, the government proposes expanding the National Health Service (NHS) app into a single access point for all of an individual’s health needs and introducing a “HealthStore” for patients to access approved digital tools to manage their conditions. Data, AI, and wearables are identified as key transformative technologies that will help to deliver reform, and the National Institute for Health and Care Excellence’s technology appraisal process will be expanded to cover devices and digital products. Under the Life Sciences Plan, a major action includes the establishment of a new secure and AI-ready Health Data Research Service to enhance access to NHS data for research and innovation. Further, an innovator passport will be launched to accelerate the rollout of new medical technologies across the NHS. This will allow technologies that have been robustly assessed by one NHS organization to be adopted more widely, without requiring repeated compliance evaluations by other NHS trusts. Read more about these two plans in our July 2025 BioSlice Blog, together with the response from the Association of British HealthTech Industries.

MHRA Publishes Results From Various Consultations on Medical Device Regulations. As part of reforms to medical device legislation, the Medicines and Healthcare products Regulatory Agency (MHRA) will implement an international reliance framework based on Australia, Canada, and the U.S., with different access routes depending on the device class and type. In particular, the proposed scope of Route 4 will be expanded to include software as a medical device. In relation to EU CE marks, the MHRA proposes to conduct a further consultation on the recognition of such marks being extended indefinitely. Regarding in vitro-diagnostic (IVD) devices, the MHRA updated the proposal in relation to Class B IVDs, including software, so that manufacturers will be required to self-declare conformity and have quality management system certification to ISO13485. Please refer to our August 2025 BioSlice Blog for further information on the outcome of the consultation.

MHRA Guidance on Adverse Event Reporting in Digital Mental Health Technologies (DMHTs). The MHRA has published updated guidance on how new post-marketing surveillance rules, which came into force on June 16, 2025 (as discussed in our June 2025 BioSlice Blog), apply to DMHTs that qualify as software as a medical device. The guidance provides examples of serious incidents that could occur with DMHTs. For example, a malfunction in a virtual reality therapy could lead to adverse psychological effects, and incorrect AI assessments could lead to misdiagnosis and inappropriate treatment. The aim of the updated guidance is to provide clarity on the risks and mitigating measures that should be put in place by manufacturers and to improve regulatory compliance, and it is likely to be useful for software development beyond DMHT.

Expert Report on the Use of Synthetic Data in the Development of AI as a Medical Device (AIaMD). An expert working group within the MHRA and the PHG Foundation (a non-profit think tank that aims to influence health care policy in relation to emerging technologies) has published a report summarizing regulatory considerations for manufacturers when artificially generated data is used in the development of AIaMD. Key points include that use of synthetic data should be clearly justified based on technical, ethical, regulatory, or lifecycle considerations, and that companies should assess the quality and suitability of synthetic data, as well as the impact on safety and performance. Although not official MHRA guidance, the principles and recommendations are likely to help companies navigate regulatory submissions where synthetic data has been used in AIaMD development.

IP Updates

UKIPO Rejects NVIDIA’s Patent Application Related to AI Medical Technology. On June 27, 2025, the UK Intellectual Property Office (UKIPO) rejected NVIDIA’s patent application for an invention that concerned training a neural network using medical imaging and clinical data to determine the appropriate treatment for patients, one example being, predicting how long a patient may need to use an Intensive Care Unit bed. The UKIPO applied the four-step test in Aerotel and considered the AT&T signposts, concluding that while NVIDIA’s invention generated a recommendation to a medical practitioner, the decision-making process to follow that recommendation was not part of the claimed invention. Although NVIDIA argued that the system provided objective, technical recommendations for resource allocation, the UKIPO found the problem, as well as the solution, to be purely administrative (i.e., non-technical) in nature. The previous case of Emotional Perception, which we have previously reported on in our December 2023 Digest and our September 2024 Digest, was distinguished on the basis that NVIDIA’s invention lacked a concrete technical output. Ultimately, the application was excluded under Section 18(3) of the Patents Act 1977, as the neural network was treated as a computer program, and a method of doing business as such. The UK Supreme Court heard Emotional Perception’s appeal in July 2025, and its judgment is likely to have a significant impact on how patent applications relating to AI will be handled in the UK.

Product Liability Updates

Review Underway Into the UK Product Liability Rules. The UK’s Law Commission announced it has started a review into whether the Consumer Protection Act 1987, the UK’s current strict liability regime for damage caused by defective products, is still fit for purpose, particularly in the context of digital technologies. The review will propose what law reforms may be required to make the regime more appropriate for the digital age and establish a better balance between protecting consumers from harm caused by defective products and supporting innovation. These are similar reasons for the reform of the revised EU Product Liability Directive, which will apply beginning on December 9, 2026, in Member States, but not in the UK. The Law Commission invites stakeholders to share their views on these issues.

Study on the Civil Liability for AI Systems Published by the European Parliament. The study starts by noting that existing tort and contract law regimes should be able to protect novel harms, and a dedicated set of rules is not necessary. However, dedicated rules do provide predictability, efficiency, and harmonization, where otherwise Member States might create divergent regulatory frameworks for AI liability. The study critically analyzes the limitations of the original Product Liability Directive from 1985 and whether the revised Product Liability Directive addresses these limitations. Following the European Commission’s withdrawal of its proposal for an AI Liability Directive in February 2025, the study presents four policy options. It primarily advocates for the creation of a new, standalone strict liability regime for high-risk AI systems, which imposes liability on a single operator that controls the AI system and benefits economically from its use. But failing that, a specific fault-based liability for high-risk AI systems would be an improvement on the AI Liability Directive in its current form.

*The following individuals contributed to this Newsletter:

Eugenia Pierson is employed as a senior health policy advisor at Arnold & Porter’s Washington, D.C. office. Eugenia is not admitted to the practice of law.
Sonja Nesbit is employed as a senior policy advisor at Arnold & Porter’s Washington, D.C. office. Sonja is not admitted to the practice of law.
Mickayla Stogsdill is employed as a senior policy specialist at Arnold & Porter’s Washington, D.C. office. Mickayla is not admitted to the practice of law.
Caroline Oliver is employed as a policy specialist at Arnold & Porter’s Washington, D.C. office. Caroline is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.