Contributed By Jones Walker LLP
Digital healthcare in the United States encompasses a broad range of health-related products, tools and services distributed through technological solutions that improve mental and physical health and well-being. These technologies include the following.
Telehealth and Telemedicine
These are remote healthcare services that connect patients with providers via video, phone or messaging platforms. During the COVID-19 pandemic, telehealth became a cornerstone of healthcare delivery, with Medicare exemptions supporting wider adoption. Some of these changes have been made permanent, such as allowing federally qualified health centres (FQHCs) and rural health clinics (RHCs) to serve as distant site providers for behavioural/mental telehealth services.
Mobile Health
This includes health-promoting mobile tools, applications and wearables such as continuous glucose monitors, fitness apps, digital virtual assistants, natural language-processing tools, and behavioural health apps that support patient monitoring and engagement.
Electronic Patient Records
These are digital systems for storing and accessing patient health information, which facilitate care co-ordination and data sharing between providers. These systems support interoperability and seamless communication across healthcare entities.
Remote Patient Monitoring
This includes connected devices that track patient health metrics outside traditional healthcare settings, including wearables, implantables and ingestible sensors that collect and transmit health data. The Internet of Medical Things (IoMT) enables more personalised care, supports early detection of medical conditions, and improves overall patient outcomes.
These various forms differ primarily in their functionality, regulatory oversight and integration with broader healthcare systems. For example, while consumer health apps may not be regulated by the Food and Drug Administration (FDA), software as a medical device (SaMD) must meet the agency’s definition and regulatory requirements.
Digital technology is extensively integrated into healthcare settings across the United States, with varying degrees of adoption based on geographic location, provider type and patient demographics. Key applications include the following.
Clinical Care Delivery
Healthcare providers increasingly rely on telehealth platforms for primary and specialty care. During the COVID-19 pandemic, regulatory changes facilitated broader adoption, with many exemptions now permanent or extended through 30 September 2025, including the removal of geographic restrictions and the allowance of audio-only services for certain conditions.
Hospital and Health System Operations
Electronic health records, workflow management, staffing software, decision-support systems and administrative tools enhance operational efficiency, disease prevention and community health initiatives.
Consumer Health Management
Wearable devices, health apps and patient portals enable individuals to monitor their health, connect with providers and access their medical information. Insurance companies have developed incentive-based digital health tools, offering premium discounts for healthy behaviours tracked through connected devices.
Preventative Care
Digital health technologies support early detection of health issues and ongoing monitoring of chronic conditions, reducing the burden of “lifestyle-related” illnesses through education and engagement.
Digital healthcare has become increasingly mainstream, accelerated by pandemic-driven adoption and regulatory flexibility. While urban areas typically have greater technology access, efforts to expand high-speed networks and 5G connectivity to rural, low-income and underserved areas in the United States aim to address geographic disparities in digital healthcare access.
Digital healthcare provides numerous advantages to patients, providers and the US healthcare system as a whole.
Improved Patient Experience and Outcomes
Digital healthcare enhances access to services, particularly for rural communities, homebound individuals and underserved populations. Telehealth eliminates transportation barriers and reduces wait times, while remote monitoring enables early intervention for deteriorating conditions. These technologies support personalised care delivery and foster greater patient engagement in health management.
Enhanced Clinical Decision-Making
AI and machine-learning tools assist providers with diagnostics, treatment planning and clinical workflows. These technologies can analyse large datasets to identify patterns, predict disease progression and recommend evidence-based interventions. Clinical decision support systems help reduce medical errors and standardise care protocols.
Operational Efficiency
Digital health solutions streamline administrative tasks, optimise resource allocation and automate routine processes. Electronic health records enable seamless information sharing across care settings, reducing duplication of services and enhancing co-ordination.
Data-Driven Insights
The aggregation and analysis of health data supports population health management, research initiatives and quality improvement efforts. These insights inform public health strategies and healthcare policy decisions.
Cost Impact
Digital healthcare has demonstrated potential for cost reduction through several mechanisms. For example, telehealth services often cost less than in-person visits, reducing overhead expenses. Remote monitoring can prevent costly hospitalisations through early intervention. Automated administrative functions decrease operational costs. Additionally, improved disease management and prevention reduce long-term healthcare expenditures associated with chronic conditions.
While implementation costs can be substantial, the long-term economic benefits of digital healthcare include reduced utilisation of expensive services, improved workforce productivity, and more efficient resource allocation across the healthcare system.
In the United States, there is no single or universal definition of digital health or digital healthcare. Federal and state legislation, regulations and enforcement agencies often provide specific definitions that conform to the discrete issues, services, conditions, solutions, tools and technologies addressed in particular legislative or jurisdictional contexts.
Generally speaking, “digital healthcare” is understood as a broad term covering various health-related products, tools and services distributed through technological solutions to improve mental and physical health and overall well-being. These range from consumer health and wellness apps not regulated by the FDA to digital treatments regulated as software as a medical device (SaMD).
More specific terms such as “digital medicine” and “digital therapeutics” refer to narrower categories of tools, solutions and processes that actively prevent, diagnose, treat or provide therapeutics to address specific diseases or conditions. These typically include products and services such as office visits, remote consultations, prescription drugs and surgical procedures that require direct involvement of providers and patients.
In contrast, technology solutions supporting healthcare operations, disease prevention, community health, infrastructure and administration that do not directly treat individual conditions generally fall under the broader digital healthcare framework.
Without a universal definition, stakeholders often rely on context-specific understandings within relevant regulatory schemes, industry standards and international frameworks, such as those developed by the International Medical Device Regulators Forum (IMDRF).
Key Regulatory Framework
The legal framework governing digital healthcare in the United States encompasses multiple federal and state laws and regulations addressing various aspects of technology use in healthcare settings, as follows.
Health information privacy and security:
Medical device and software regulation:
Telehealth and remote care delivery:
AI and machine learning (ML):
Reimbursement and payment:
The complex patchwork of regulations creates compliance challenges, particularly for digital health solutions operating across state lines or addressing multiple aspects of healthcare delivery.
Policymakers in the United States employ several strategies to stay current with technological developments in healthcare and ensure appropriate regulation.
Regulatory Sandboxes and Innovation Pathways
The FDA’s Digital Health Center of Excellence provides regulatory advice on digital health policy, cybersecurity and AI/ML applications. The Digital Health Software Precertification Program pilots new approaches to regulate software-based medical devices.
Public-Private Partnerships
Government agencies collaborate with industry leaders and academic institutions to develop standards and best practices. For example, in 2023 the Biden administration secured voluntary commitments from major healthcare providers and payors regarding responsible AI use.
Stakeholder Engagement
Regulatory agencies conduct public workshops, request comments on proposed rules, and establish advisory committees with technology experts to inform policy development.
Flexible Guidance
Agencies issue non-binding guidance documents that can be updated more rapidly than formal regulations, allowing for responsiveness to evolving technologies.
Specialised Expertise
Regulatory bodies have established dedicated divisions focused on digital health technologies, recruiting staff with relevant technical backgrounds.
Legislative Reform
Congress periodically updates healthcare laws to address emerging technologies, as demonstrated by provisions in the 21st Century Cures Act that clarified the FDA’s authority over certain software functions.
Despite these efforts, regulatory frameworks often struggle to keep pace with rapid innovation. The pattern typically follows a reactive cycle: researchers develop new technologies, businesses commercialise these solutions, and regulators subsequently attempt to address potential risks and establish guardrails.
Technical standards play a crucial role in digital healthcare, providing frameworks that ensure safety, effectiveness, interoperability and security across technologies. Key aspects include the following.
Interoperability Standards
Standards organisations such as Health Level Seven International (HL7) develop frameworks such as Fast Healthcare Interoperability Resources (FHIR) that enable different systems to exchange data seamlessly. The 2024 CMS Interoperability and Prior Authorization Final Rule requires implementation of FHIR-based APIs to support electronic prior authorisation and data exchange.
Medical Device Standards
The FDA recognises consensus standards developed by organisations such as ASTM International, the Institute of Electrical and Electronics Engineers (IEEE) and the International Organization for Standardization (ISO) that address medical device safety, performance and cybersecurity requirements.
Cybersecurity Frameworks
The National Institute of Standards and Technology (NIST) has published numerous “800 Series” special publications on computer/information security and “1800 Series” cybersecurity practice guides providing comprehensive frameworks for protecting healthcare information systems.
Quality Management Systems
International standards such as ISO 13485 establish requirements for quality management systems in medical device development, including software as a medical device (SaMD).
Clinical Decision Support Standards
Organisations develop guidelines for the development, validation and implementation of AI and ML algorithms in healthcare applications.
These technical standards support regulatory compliance, guide industry development, establish minimum performance requirements and promote technological compatibility across healthcare systems. Standards are often incorporated by reference into regulations or used by regulatory bodies to assess whether products meet safety and effectiveness requirements.
Various aspects of digital healthcare are subject to specialised regulatory frameworks.
Software as a Medical Device (SaMD)
The FDA regulates software that is intended for medical purposes but is not part of a hardware medical device, applying a risk-based classification (Class I, II or III). The agency’s Digital Health Center of Excellence provides guidance on SaMD policy, clinical studies and regulatory review. The 21st Century Cures Act excludes certain low-risk software functions from FDA regulation.
Self-Care, Wellness and Fitness IT Products
Consumer health applications and wearables generally fall outside FDA oversight unless they make specific medical claims. However, they must comply with Federal Trade Commission (FTC) rules regarding advertising claims and state-level consumer protection and privacy laws. The My Health, My Data Act in Washington State exemplifies new protections for health-related data collected by non-HIPAA-covered entities.
Cybersecurity and Data Protection
HIPAA and the HITECH Act establish federal standards for protecting health information, requiring covered entities to implement administrative, physical and technical safeguards. The Consolidated Appropriations Act of 2023 added Section 524B to the FFDCA, requiring medical device manufacturers to include cybersecurity information in pre-market submissions. The HIPAA Breach Notification Rule mandates reporting procedures for data breaches affecting protected health information.
AI and ML
Regulatory oversight is evolving rapidly, with the FDA developing frameworks for managing adaptive ML algorithms based on quality systems, pre-market assessment, monitoring and transparency principles. In March 2024, the HHS Office for Civil Rights (OCR) issued guidance on AI-driven tracking technologies, requiring compliance with HIPAA for use of protected health information.
Environmental, Social and Governance (ESG)
Although the current administration is pressuring regulators and businesses to turn away from or minimise ESG efforts, digital health companies continue to face expectations regarding sustainability, equity and ethical governance. While not specifically regulated under healthcare laws, these considerations affect investment decisions, partnerships and reputational standing.
Telehealth
State licensing requirements traditionally limited cross-border practice, but the Interstate Medical Licensure Compact (adopted by a majority of US states) has streamlined multi-state licensing. Medicare telehealth coverage expanded dramatically during COVID-19, with some provisions being made permanent while others remain temporary through September 2025. State telehealth parity laws often mandate insurance coverage for virtual visits comparable to in-person services.
These specialised frameworks continue to evolve as technologies advance and new challenges emerge in digital healthcare implementation.
The current legal and regulatory framework for digital healthcare in the United States presents a mixed picture, with significant gaps, despite substantial coverage in certain areas.
Areas of Relative Regulatory Sufficiency
These include:
Identified Regulatory Gaps
These include:
The fragmented nature of healthcare regulation in the United States creates particular challenges for digital health innovations that often operate across traditional boundaries. State-by-state variations in licensure, privacy laws and corporate practice of medicine doctrines further complicate compliance for digital health providers operating nationally.
Additionally, the rapid pace of technological innovation frequently outstrips regulatory frameworks. By the time regulations are developed and implemented, technologies may have evolved significantly, creating an ongoing cycle of regulatory catch-up.
Regulatory bodies have attempted to address these gaps through flexible guidance, enforcement discretion and regulatory sandboxes, though comprehensive legislative solutions remain elusive. Future regulatory development will likely require balancing innovation promotion with appropriate safeguards for patient safety, privacy and equitable access.
Several federal agencies share responsibility for regulating digital healthcare in the United States, with each focusing on specific aspects based on their statutory authority.
The Department of Health and Human Services (HHS)
This is the primary federal department responsible for enhancing the health and well-being of Americans and fostering advances in medicine, public health and social services.
The Food and Drug Administration (FDA)
Within the HHS, the FDA administers and enforces the Federal Food, Drug, and Cosmetic Act (FFDCA), which governs medical devices, including software as a medical device (SaMD). The FDA’s Digital Health Center of Excellence provides specialised oversight of digital health technologies, focusing on patient safety, product efficacy and cybersecurity.
The Centers for Medicare & Medicaid Services (CMS)
This oversees Medicare, Medicaid, CHIP and Health Insurance Marketplace programmes, establishing coverage and reimbursement policies for digital health services and technologies.
The HHS Office for Civil Rights (OCR)
This enforces HIPAA Privacy, Security and Breach Notification Rules, ensuring that individuals can access and trust the privacy and security of their health information in digital formats.
The Office of the National Coordinator for Health Information Technology (ONC)
This co-ordinates nationwide efforts to implement health information technology and promote the secure electronic exchange of health information.
The Agency for Healthcare Research and Quality
This produces evidence to make healthcare safer and more accessible, and works to ensure that evidence is understood and used.
The Centers for Disease Control and Prevention (CDC)
This provides leadership in disease prevention and public health emergency response, utilising digital health tools for population health monitoring.
These agencies frequently collaborate on digital health initiatives but may sometimes apply differing standards or priorities based on their specific missions. Their collective oversight aims to ensure that digital healthcare technologies are safe, effective and accessible, and protect patient privacy while enabling innovation.
Several non-healthcare regulatory bodies play important roles in overseeing aspects of digital healthcare.
The Federal Trade Commission (FTC)
As the primary consumer protection agency, the FTC regulates health-related product advertising claims, privacy practices of non-HIPAA covered entities, and competition in digital health markets. For example, the FTC monitors health apps and devices to ensure that they do not make unsubstantiated medical claims and that developers, manufacturers and retailers follow truth-in-advertising principles.
The Securities and Exchange Commission (SEC)
This oversees publicly traded digital health companies, ensuring accurate disclosure of business operations, risks and financial performance to investors. Digital health start-ups seeking investment must comply with securities regulations.
The Federal Communications Commission (FCC)
This regulates telecommunications aspects of telehealth, including broadband infrastructure essential for remote care delivery. The FCC’s Connected Care Pilot Program supports telehealth for low-income patients and veterans.
The Department of Justice (DOJ)
This enforces antitrust laws in healthcare markets, increasingly scrutinising mergers and acquisitions in digital health. The DOJ also prosecutes criminal violations of HIPAA and fraud in telehealth billing.
State Attorneys General
These enforce state consumer protection, data privacy and antitrust laws that affect digital health companies. State attorneys general are increasingly active in addressing health data privacy concerns, exemplified by Washington State’s My Health, My Data Act.
State Medical and Professional Licensing Boards
These establish and enforce standards for telehealth practice, remote prescribing and professional conduct in virtual care environments.
These entities exercise jurisdiction over digital healthcare because many aspects extend beyond traditional healthcare regulation into areas such as consumer protection, telecommunications, securities regulation and professional licensure. Their involvement reflects the increasingly complex regulatory landscape as healthcare adopts digital technologies that intersect with multiple domains of economic and social activity.
Regulatory authorities enforce digital healthcare laws and regulations through various mechanisms, with enforcement intensity varying across domains.
FDA Enforcement
The FDA employs a risk-based approach to enforcement, focusing on products that pose the greatest potential harm to patients. Enforcement actions include warning letters, product recalls, injunctions and civil penalties. The agency has increased scrutiny of software as a medical device (SaMD), particularly products making diagnostic or treatment claims without proper authorisation.
HIPAA/Privacy Enforcement
The HHS OCR enforces HIPAA violations through civil monetary penalties and corrective action plans. Common violations include unpermitted use/disclosure of protected health information (PHI), inadequate safeguards and failure to provide patient access to their information. OCR investigations often follow data breaches affecting 500 or more individuals, which must be reported promptly under the Breach Notification Rule.
FTC Enforcement
The FTC targets deceptive advertising claims and unfair privacy practices in digital health, typically resulting in consent decrees requiring companies to implement comprehensive privacy programmes and undergo regular assessments.
Medicare Fraud Enforcement
The CMS and the HHS Office of Inspector General (OIG) have increased scrutiny of telehealth billing practices. In April 2023, HHS-OIG issued a toolkit for identifying telehealth fraud and improper payments, focusing on high-risk billing patterns.
State-Level Enforcement
State attorneys general increasingly enforce data privacy laws and consumer protection statutes against digital health companies, particularly concerning sensitive health information collected outside HIPAA’s scope.
Areas subject to stricter enforcement include:
Enforcement intensity has increased as digital health adoption has expanded, with regulators adapting traditional enforcement mechanisms to address novel challenges presented by emerging technologies while attempting to balance innovation promotion with consumer protection.
The current regulatory framework for digital healthcare offers significant strengths as well as limitations in addressing emerging risks.
Current strengths include:
Notable limitations include the following:
Proposed enhancements include:
Several reform initiatives are under consideration, including:
The sufficiency of oversight varies significantly across digital healthcare domains. While traditional medical devices have well-established regulatory pathways, newer technologies such as AI diagnostics and consumer health platforms operate in areas where regulatory frameworks are still evolving. Striking the appropriate balance between enabling innovation and ensuring adequate protection remains an ongoing challenge for regulators.
Digital healthcare presents numerous legal risks and challenges across several domains.
Non-compliance with regulations includes:
Enforcement by regulatory authorities includes:
Liability risks include:
The interconnected nature of digital health technologies often creates complex liability scenarios involving multiple parties. For example, a telehealth consultation that results in patient harm might implicate the treating physician, the telehealth platform provider, the health system, and potentially the developers of any clinical decision support software used during the encounter.
Additionally, as AI and ML play increasingly prominent roles in clinical decision-making, questions of liability attribution become more complicated. When algorithms influence or drive medical decisions, determining responsibility for adverse outcomes presents novel legal challenges not fully addressed in existing liability frameworks.
The legal exposures associated with digital healthcare are addressed through multiple liability frameworks.
Statutory frameworks include the following:
Tort liability includes the following:
Contractual liability includes the following:
Formal redress mechanisms include:
The applicability of these frameworks varies based on the specific digital health application, the parties involved and the nature of the harm. Certain digital health innovations operate in regulatory gray areas where existing liability frameworks must be adapted or extended to address novel circumstances. This creates uncertainty for providers and patients regarding rights, responsibilities and available remedies when issues arise.
Several mechanisms exist to mitigate or defend against liability exposures in digital healthcare.
Regulatory compliance defences include:
Risk-management strategies include:
Contractual protections include:
Insurance coverage includes:
Affirmative defences include:
Successful defence strategies typically combine multiple approaches, emphasising both technical compliance and process excellence. Organisations often develop comprehensive risk management frameworks that integrate legal compliance, technical safeguards and clinical governance to address the multifaceted nature of digital health risks.
The evolving regulatory landscape requires continuous monitoring and adaptation of defence strategies. As new technologies such as AI and ML become more prevalent in healthcare, defence approaches must address novel liability scenarios not fully contemplated in existing frameworks.
Several significant developments are reshaping the digital healthcare regulatory landscape.
AI Governance
The rapid advancement of AI in healthcare has prompted increased regulatory attention. In March 2024, the HHS issued updated guidance on AI-driven tracking technologies such as Google Analytics and Meta Pixel, emphasising HIPAA compliance requirements. State-level initiatives, such as California’s investigation into algorithmic discrimination in healthcare, signal growing scrutiny of AI fairness and transparency.
Expanded Data Privacy Frameworks
Beyond traditional HIPAA protections, comprehensive state privacy laws are increasingly addressing health-related information. Washington State’s My Health, My Data Act exemplifies this trend, establishing consent requirements and private rights of action for health data collected outside HIPAA’s scope. More than a dozen states have enacted consumer privacy laws, with almost two dozen considering similar legislation.
Telehealth Permanence
As pandemic-era telehealth waivers transition to permanent policies, new regulatory frameworks are emerging. CMS has made certain Medicare telehealth provisions permanent, while others remain temporary through September 2025. This phased approach creates both opportunities and compliance challenges as organisations adapt to evolving reimbursement requirements.
Digital Therapeutics Classification
Regulatory agencies are developing frameworks to address prescription digital therapeutics (PDTs) – software-based interventions that prevent, manage or treat medical conditions. These novel products challenge traditional regulatory categories, prompting discussions about appropriate oversight mechanisms and reimbursement pathways.
Cybersecurity Requirements
The Consolidated Appropriations Act of 2023 amended the FFDCA to require cybersecurity information in pre-market submissions for “cyber devices”. This marks a shift towards more explicit regulatory attention to security vulnerabilities in connected health technologies.
Non-Traditional Healthcare Entrants
The entrance of major retailers and technology companies into healthcare delivery raises questions about corporate practice of medicine restrictions, data privacy protections and regulatory oversight. Companies such as Amazon, CVS and Walgreens are expanding primary care, pharmacy and telehealth services, challenging traditional healthcare models.
Interoperability Mandates
The CMS Interoperability and Prior Authorization Final Rule, issued in January 2024, requires implementation of FHIR-based APIs to streamline health information exchange. These requirements represent significant regulatory efforts to address fragmentation in health information systems.
These emerging issues reflect the increasing complexity of digital healthcare regulation as technologies evolve and cross traditional boundaries between healthcare, consumer products and information services.
Several significant legislative and regulatory reforms are reshaping the digital healthcare landscape, driven by policy objectives including expanded access, enhanced privacy protections, improved interoperability and appropriate oversight of emerging technologies.
Telehealth expansion initiatives include the following:
Privacy and data protection includes the following:
Interoperability advancement includes the following:
AI governance includes the following:
Cybersecurity enhancement includes the following:
These reforms collectively seek to balance innovation promotion with appropriate safeguards for patient safety, privacy and equity. Policy drivers include:
The reform landscape reflects an evolving understanding that digital healthcare requires regulatory frameworks that can accommodate rapid technological change while maintaining fundamental protections for patients and healthcare systems.