Virtual & Digital Health Digest

This digest covers key virtual and digital health regulatory and public policy developments during April and early May 2026 from the United States, United Kingdom, and European Union.

In this issue, you will find the following:

U.S. News

• Health Care Fraud and Abuse Updates
• FDA Updates
• Privacy and Artificial Intelligence (AI) Updates
• Policy Updates

U.S. Featured Content

This month’s edition includes updates on health care fraud and abuse enforcement, U.S. Food and Drug Administration (FDA) artificial intelligence (AI) modernization, AI-enabled medical device regulation, state privacy and AI developments, and federal policy activity. Key items include U.S. Health and Human Services Administration Office of Inspector General’s (HHS-OIG) April 2026 audit identifying $2.3 million in improper Medicare payments for virtual check-ins and e-visits from 2019 to 2022; the sentencing of Reyad Salahaldeen and Mohamad Mustafa for a genetic testing fraud and kickback scheme involving approximately $522 million in false claims; FDA’s launch of Elsa 4.0 and the HALO data platform to support AI-enabled regulatory review and workflow automation; International Medical Device Regulators Forum’s (IMDRF) draft framework for life cycle management of AI-enabled medical devices; Utah’s decision to continue its AI prescription-renewal pilot with physician oversight; Colorado’s proposed bill to replace its existing AI consumer protection law; and several federal AI policy developments, including the American Leadership in AI Act, a congressional investigation into Chinese-developed AI models, reintroduction of the CREATE AI Act, and MACPAC’s recommendation for greater state oversight of automation in Medicaid managed care coverage and authorization processes.

EU and UK News

• Regulatory Updates
• Privacy Updates

EU/UK Featured Content

Regulatory activity in the EU and UK over the past month has focused on AI in health care, health data access, and digital innovation frameworks. Recent regulatory developments in the EU and UK point to a decisive shift from high level policy ambition to the practical mechanics of enabling AI driven health care, with particular emphasis on health data governance, regulatory pilots, and institutional readiness.

At the EU level, attention is increasingly focused on building durable frameworks to support innovation while maintaining regulatory confidence. The European Medicines Agency is preparing to pilot enhanced regulatory support for breakthrough medical devices and in vitro diagnostics (IVD), an initiative expected to shape future reforms of the EU medical device and IVD regimes. In parallel, the European Commission has taken further steps to operationalize the European Health Data Space (EHDS) through new implementing rules on the governance of the European Health Data Space Board, signaling a move from legislation to execution. The European Data Protection Board (EDPB) has also issued draft guidelines on the application of the General Data Protection Regulation (GDPR) to scientific research, offering long awaited clarification on lawful bases, consent models, and secondary use of data, issues that are central to data intensive research and AI development and likely to influence practice across Member States once finalized.

In the UK, scrutiny has centered on whether existing data and regulatory structures are capable of supporting personalized medicine and AI at scale. Evidence to the House of Lords Science and Technology Committee highlighted the UK’s rich but underexploited health data assets and the persistence of access barriers since the pandemic, with witnesses pointing to fragmented governance and delays in data access as ongoing constraints. At the same time, the expansion of the Medicines and Healthcare products Regulatory Agency’s (MHRA) AI Airlock program, continued work by the National AI Commission, and targeted support for AI driven drug discovery reflect a more iterative, test and learn approach to AI regulation, focused on post market oversight rather than wholesale reform.

U.S. News

Health Care Fraud And Abuse Updates

HHS-OIG Audit on Improper Payments for Virtual Check-In and E-visit Services. On April 23, 2026, HHS-OIG released an audit titled, “CMS Could Strengthen Medicare Program Safeguards To Prevent and Detect Potentially Improper Payments for Virtual Check-in and E-visit Services.” The purpose of the audit was to determine vulnerabilities associated with improper payments for virtual care services. OIG’s audit found that between 2019 and 2022, Centers for Medicare & Medicaid Services (CMS) paid $2.3 million in improper Medicare payments involving virtual check-ins and e-visits. As a result, OIG recommended that (1) CMS develop system edits for billing technology-based Medicare services; (2) CMS strengthen the Healthcare Common Procedure Coding System (HCPCS) code descriptions for virtual check-ins; and (3) CMS educate providers on billing requirements for virtual check-ins and e-visits. CMS concurred with the first and third recommendations.

Two Georgia Men Sentenced for Role in Genetic Testing Fraud and Kickback Scheme. On May 4, 2026, two Georgia men, Reyad Salahaldeen and Mohamad Mustafa, were sentenced for their roles in a Medicare, Medicaid, and private health insurance fraud scheme. Salahaldeen controlled four laboratories, two of which Salahaldeen controlled with Mustafa. From 2018 through August 2020, the two paid kickbacks and bribes to marketers who targeted Medicare and Medicaid beneficiaries and individuals covered by private insurance to obtain health information and DNA samples for genetic tests. The marketers obtained DNA samples via telemarketing and methods of in-person solicitation. Additionally, at the direction of Salahaldeen and Mustafa and in exchange for kickbacks, the marketers obtained fraudulent lab forms for tests from medical providers who did not treat or consult with the patients. Salahaldeen then falsified lab forms, letters for medical necessity, and other medical records.

In total, the four laboratories controlled by the defendants submitted approximately $522 million in false claims, of which Medicare, Medicaid, and private insurers paid approximately $84 million.

FDA Updates

FDA Announces Launch of Updated Elsa AI Platform. On May 6, 2026, FDA announced significant advancements in its agency-wide AI modernization efforts, including the launch of “Elsa 4.0,” an upgraded internal AI platform now available to all FDA staff, and the consolidation of more than 40 applications and submission systems into a unified data platform called HALO (Harmonized AI & Lifecycle Operations for Data). By integrating Elsa with HALO, FDA aims to enable staff to query data, automate workflows, and access agency information more efficiently without manual document uploads. FDA leadership described the initiative as a major step toward embedding AI directly into regulatory operations to accelerate scientific review processes and support faster delivery of treatments to patients.

The updated Elsa platform introduces expanded capabilities such as custom AI agents, document generation, quantitative data analysis and visualization, secure web search functionality, voice-to-text dictation, optical character recognition (OCR), and enhanced search tools for large document repositories. FDA emphasized that Elsa operates within a FedRAMP High Secure Google Cloud environment, does not train on industry-submitted data, and maintains human oversight throughout all AI-assisted processes. FDA characterized these developments as part of a broader strategy to streamline operations, reduce administrative burdens on reviewers and investigators, and advance regulatory science through responsible AI deployment.

IMDRF Releases Technical Framework for AI Management. On April 7, 2026, the IMDRF released a draft technical framework addressing life cycle management for AI-enabled medical devices (Draft Framework), with public comments open through June 10, 2026. The draft document outlines a globally harmonized approach for the design, development, validation, deployment, monitoring, and retirement of AI-enabled medical technologies, building on the IMDRF’s prior Good Machine Learning Practice principles. The Draft Framework addresses key issues, including quality management systems, risk management, cybersecurity, human oversight, data governance, clinical evaluation, and real-world performance monitoring, while emphasizing patient safety, transparency, and responsible innovation.

The Draft Framework also highlights emerging regulatory considerations unique to AI-enabled and machine learning-based medical devices, including risks related to automation bias, data drift, explainability, cybersecurity vulnerabilities, and adaptive or generative AI models. Notably, the Draft Framework places significant emphasis on post-market monitoring, real-world performance evaluation, traceability, and transparency in labeling and user communications. While the document is not intended to establish binding regulatory requirements, it signals increasing international alignment around expectations for AI-enabled medtech products and may help shape future regulatory approaches across jurisdictions, including FDA oversight of AI-driven medical devices.

Privacy and AI Updates

Utah’s Office of Artificial Intelligence Policy Rejects Medical Licensing Board’s Call to Suspend AI Prescription Renewal Pilot. On April 20, 2026, the Utah Medical Licensing Board sent a letter to Utah’s Office of Artificial Intelligence Policy (OAIP) requesting immediate suspension of the state’s AI prescription-renewal pilot program, which was launched in January pursuant to an agreement between the state and health technology startup Doctronic, LLC. Under the pilot program, Doctronic deploys AI to automate guideline-based prescription renewals. In its letter, the Board stated that it was not consulted before the pilot launched and that prescription renewals require individualized clinical reassessment. The OAIP and the Utah Department of Commerce’s Division of Professional Licensing promptly declined the Board’s request, explaining that the OAIP was created by the Utah Legislature under SB 149 with a mandate to operate an AI regulatory mitigation program authorizing temporary waivers of regulatory requirements to test AI technologies in controlled environments, and that the Doctronic pilot was reviewed by medical professionals prior to launch. The agencies further noted that the pilot is currently in Phase One, during which a licensed physician reviews and approves every AI-generated prescription renewal before it is transmitted to a pharmacy, and that the OAIP retains authority to modify or cancel the pilot if safety benchmarks are not met. The agencies invited the Board to collaborate going forward by reviewing pilot data, providing feedback on future proposals, and connecting OAIP with subject matter experts.

Colorado Senate Bill Proposed to Replace the State’s AI Consumer Protection Law. On May 7, 2026, several Colorado Senators introduced state Senate Bill 26-189, which would repeal and replace the Colorado Consumer Protection for Artificial Intelligence Act, which was enacted in May 2024 and is currently scheduled to take effect on June 30, 2026. SB 26-189 is largely based on recommendations from a working group convened by Governor Jared Polis and, unlike the existing law, would not require companies to explain how their AI systems work, but would require developers and deployers to notify consumers when AI is used to make consequential decisions and to provide consumers with an opportunity to appeal and request human review. If enacted, the bill would take effect on January 1, 2027.

Policy Updates

Former Bipartisan Artificial Intelligence Task Force Co-Chairs Introduced the American Leadership in AI Act. On April 27, 2026, former Bipartisan Artificial Intelligence Task Force Co-Chairs Ted Lieu (D-CA) and Jay Obernolte (R-CA) introduced the American Leadership in AI Act (H.R. 8516, text). According to their press release, the bill includes over 20 bipartisan proposals from the House Bipartisan AI Taskforce report published last Congress, including proposals that would codify AI literacy efforts at the National Science Foundation (NSF), establish an AI education scholarship program at NSF, expand research on AI in education, and establish community college and area career and technical education centers of AI excellence. While bipartisan, the bill has no additional cosponsors and is unlikely to make significant progress this Congress. Additionally, we expect Rep. Obernolte to release a separate AI legislative package aligned with Congressional Republican and White House AI priorities.

House Committee Chairs Announce a Joint Investigation Into the National Security and Cybersecurity Risks Posed by Chinese-Developed AI Models. On April 29, 2026, House Select Committee on China Chairman John Moolenaar (R-MI) and House Committee on Homeland Security Chairman Andrew R. Garbarino (R-NY) announced a joint investigation into the national security and cybersecurity risks posed by Chinese-developed AI models, including DeepSeek, Alibaba, Moonshot AI, and MiniMax. The investigation reflects concerns that some China based AI companies may be using unauthorized techniques to derive capabilities from U.S. models and incorporate them into lower cost systems that are subsequently offered to American users, developers, or businesses.

Senators Reintroduce the Creating Resources for Every American to Experiment With Artificial Intelligence Act (CREATE AI Act). On April 29, 2026, Sens. Todd Young (R-IN), Martin Heinrich (D-NM), Mike Rounds (R-SD), and Cory Booker (D-NJ) reintroduced the CREATE AI Act (S. 4441). The bill would establish the National Artificial Intelligence Research Resource (NAIRR), a shared national research infrastructure to connect individuals to tools to advance AI research and development (R&D).

Medicaid and CHIP Payment and Access Commission (MACPAC) Holds May 2026 Public Meetings. On May 7, 2026, MACPAC held its May 2026 Public Meeting featuring a panel titled, “Automation in Medicaid Prior Authorization: Recommendations.” During the session, MACPAC Commissioner Michael Nardone suggested further review is needed to discuss the benefits of AI and the need for federal regulations of Medicaid decision-making that are flexible for AI. He noted that AI is evolving faster than state and federal regulations can be developed and implemented. 

The commission voted affirmatively on the following recommendation: State Medicaid agencies should amend their Medicaid managed care plan contracts to require disclosure or other reporting of the use of automation in plans’ coverage and authorization processes. Disclosure should facilitate state visibility into the applications of automation tools and other elements of automation. States should also modify existing reporting requirements and oversight processes to minimize administrative burden. 

EU and UK News

Regulatory Updates

European Medicines Agency (EMA) Will Launch Pilot to Support Breakthrough Medical Devices and IVDs. The pilot is expected to be launched in the second quarter of 2026 to support breakthrough medical devices and IVDs, with the objective of testing a pathway that accelerates patient access to highly innovative technologies while maintaining the EU’s high standards for safety and performance. Under the pilot, manufacturers of devices granted designated breakthrough will benefit from enhanced regulatory support, including priority scientific advice from EMA- administered medical device expert panels. The initiative builds on the MDCG 2025-9 Guidance on Breakthrough Devices adopted by the Medical Device Coordination Group (MDCG) in December 2025. Importantly, the pilot is intended to inform and shape a future EU breakthrough devices framework proposed by the European Commission in its December 2025 legislative revisions to Regulation (EU) 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR), including the introduction of new Article 52a of the MDR and new Article 48a of the IVDR. As such, the pilot represents a key step in strengthening an innovation friendly regulatory environment for medical technologies within the EU. 

IMDRF Opens Public Consultation on a Draft Technical Framework for AI Lifecycle Management.The framework builds on the IMDRF’s previously published Good Machine Learning Practice guiding principles and sets out an internationally harmonized set of considerations and concepts spanning the entire life cycle of AI-enabled medical devices, from design and development through deployment, performance monitoring, and change management. The framework is intended primarily for manufacturers of AI-enabled medical devices, including those incorporating machine learning, and recognizes that devices using generative, autonomous, or adaptive AI technologies may require additional or heightened considerations. It aims to promote harmonized concepts and regulatory considerations across jurisdictions by describing common terminology, risk based concepts, and life cycle practices that authorities may align with their own regulatory frameworks. The document is non-binding and is not intended to serve as regulation or jurisdiction-specific guidance. The IMDRF invites stakeholder feedback on the draft until July 10, 2026.

MHRA Announces Expansion of Its AI Airlock Program, Along With Major Additional Funding. The MHRA has secured a £3.6 million multi-year funding uplift to expand its AI Airlock program, the UK’s first regulatory sandbox for artificial intelligence as a medical device (AIaMD). As reported in the November 2025 Digest, Phase two of the program explored the challenges of regulating AI-powered diagnostics. Following the conclusion of the second phase, the Department of Health and Social Care has committed £1.2 million per year over the next three years (2026 to 2029). The MHRA anticipates that it will be able to support more ambitious and longer-term testing models. Reporting is expected in summer 2026, along with the findings from the pilot phase, informing the design of phase three. 

UK National AI Commission Publishes Blog on the Future of AI in Health Care. Professor Henrietta Hughes, the Patient Safety Commissioner, has authored a blog post on the work of the National AI Commission into the regulation of AI in health care. She provides insight into the responses received to the call for evidence, aimed at helping to inform the commission with its recommendations. The post refers to concerns raised in responses to the call for evidence, including the post-market monitoring of AIaMD, uncertainty around liability when AI is involved in clinical decision-making, and the need for strong safeguards alongside innovation. Broader engagement work, including MHRA-led sector roundtables involving over 30 organizations and 117 clinicians, showed that the public is more comfortable with AI supporting clinicians than making high-stakes decisions independently. The commission’s recommendations are on track to be published in Summer 2026.

UK’s Government-Backed Sovereign AI Unit Announces Support for Companies Pioneering AI in Drug Discovery. Sovereign AI is the UK’s £500 million national initiative to support promising AI companies to start, scale, and compete globally from the UK. Designed to operate like a venture capital fund with the backing of the state, the Unit combines direct investment with a comprehensive support package, including fully funded access to the UK’s largest AI supercomputers and hands-on government support navigating data access, procurement, product validation, and routes into new regulatory approaches. The first companies to receive support include a company using AI to tackle brain diseases such as Alzheimer’s and Parkinson’s, and a company developing a foundation model for AI-driven strain design in engineering biology and biomanufacturing. In addition, several startups are receiving access to the AI Research Resource supercomputer network, enabling them to train advanced models and scale cutting edge AI technologies on sovereign UK infrastructure. 

UK MHRA Strengthens Its Digital Health and Technology Expertise With New Appointment From the U.S. Centers for Disease Control and Prevention. It has been announced that Jason Bonander will join the MHRA as Chief Digital and Technology Officer from late May 2026, bringing extensive experience from his role as Chief Information Officer at the U.S. Centers for Disease Control and Prevention. In his new role at the MHRA, he will work to modernize the MHRA’s services and platforms to support efficiency, transparency, and faster regulation. 

House of Lords Science and Technology Committee Holds Further Oral Evidence Sessions on Personalized Medicine and AI as Part of Its Inquiry Into NHS Innovation. On April 14, 2026, evidence was heard from Professor Andrew Morris (Director of Health Data Research UK) and Professor Cathie Sudlow (Director of the Usher Institute, University of Edinburgh, and author of the 2024 “Uniting the UK’s Health Data” review). Both witnesses highlighted that the UK possesses uniquely rich health data assets but continues to under-utilize their value due to fragmented access arrangements and persistent barriers to the linkage of individual level datasets, which they described as essential to enabling large scale research, innovation, and the effective deployment of AI. The work during the pandemic was praised as a proof-of-concept for how data can be leveraged at scale. However, it was noted that since then, access barriers to health data for bona fide research purposes have become more difficult, with delays, inconsistent decision making, and uncertainty in approval routes deterring researchers and innovators. The newly established Health Data Research Service (HDRS) was broadly welcomed as a potential national coordinating body for data access and governance. Key recommendations included treating health data as critical national infrastructure, streamlining the legal framework for data access, closing the primary care data gap, embedding continuous public engagement, and fostering public trust through transparency.

Privacy Updates

European Data Protection Board Adopts Guidelines 1/2026 on Processing of Personal Data for Scientific Research Purposes. The guidelines provide clarification on how the General Data Protection Regulation (EU) 2016/679 (GDPR) applies for scientific research purposes. In particular, the guidelines clarify the scope of “scientific research” under the GDPR and introduce six indicative factors (e.g., adherence to ethical standards, societal objectives), which, if met, create a presumption that an activity constitutes scientific research under the GDPR. The guidelines also provide guidance on the legal bases for data processing, and confirm that data controllers may rely on broad consent and dynamic consent, or a combination of both, under certain conditions. In addition, the guidelines confirm that further processing of the data for scientific research purposes is presumed compatible with the original purpose of collection under Article 5(1)(b) GDPR, and that personal data may be stored for longer periods of time for scientific research purposes, even if the original purposes for processing the data have been fulfilled. The EDPB has opened a public consultation on the guidelines, which closes on June 25, 2026.

European Commission Adopts Implementing Regulation (EU) 2026/771 on the EHDS. The Implementing Regulation sets out the rules for the implementation of the EHDS Regulation (EU) 2025/327 (see our March 2025 Advisory) in regard to the establishment, management, and functioning of the EHDS Board. The EHDS Board, which will be composed of representatives from EU Member States and the European Commission, will serve as a forum for cooperation and exchange of information among EU Member States. Some responsibilities of the EHDS Board include supporting the consistent implementation of the EHDS Regulation across EU Member States, and issuing guidance and opinions to national competent authorities and other stakeholders involved in the implementation of the EHDS Regulation. 

UK Information Commissioner’s Office (ICO) Finalizes Guidance on Storage and Access Technologies (SATs). This guidance covers how the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR apply to cookies, tracking pixels, and device fingerprinting, reflecting changes introduced by the Data (Use and Access) Act 2025. It is intended to provide clarification on the law as it currently stands and is separate from the ICO’s ongoing work to review Regulation 6 of PECR for online advertising purposes. This guidance is relevant to life sciences companies operating patient-facing digital platforms, apps, and wearable device interfaces that use tracking technologies.

Amalia White is employed as a trainee solicitor at Arnold & Porter’s London office. Amalia is not admitted to the practice of law.
Jack Chisem is employed as a paralegal at Arnold & Porter’s London office. Jack is not admitted to the practice of law.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Newsletter is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.