Digital Healthcare 2023

Last Updated June 29, 2023

USA

Law and Practice

Authors



Jones Walker LLP is among the largest law firms in the United States, with more than 350 attorneys across the Southeast and other strategic locations, including Miami, New York City and Washington, DC. Led by a core group of veteran healthcare attorneys, the firm's healthcare industry team includes attorneys from all of the firm’s major practice areas, who all have extensive experience in specific practice areas, as well as in-depth knowledge of today’s healthcare marketplace and regulatory environment. Jones Walker’s nationally recognised digital health and telemedicine team has been actively assisting healthcare entities with the structuring and integration of telemedicine systems for more than 20 years. These healthcare entities range from large hospital systems that cross state borders to hospital-based physician practices, direct-to-consumer telemedicine providers, and manufacturers of medical devices used in telemedicine monitoring and diagnoses.

In the United States, “digital healthcare” is a broad term that covers a variety of health-related products, tools and services distributed through, or making use of, technological solutions to improve mental and physical health and overall wellbeing. These can range from consumer health and wellness apps that are not regulated by the US Food & Drug Administration (eg, the suite of “Apple Health” apps that are available on devices such as the Apple Watch and iPhone) to digital treatments that are regulated by the Food & Drug Administration (FDA) and meet the agency’s definition of “software as a medical device” (SaMD; this could, for example, include computer-aided detection software that processes images to help detect breast cancer) – and a host of products, tools and services in between.

Generally speaking, “digital medicine” and “digital therapeutics” are somewhat interchangeable terms that refer to tools, solutions and processes that actively prevent, diagnose, treat or provide therapeutics to address specific diseases or conditions. As such, digital medicine and digital therapeutics are somewhat narrower categories that fall under the umbrella of digital healthcare.

From the perspective of providers, patients and payers, digital medicine and digital therapeutics typically include products and services such as office visits, remote consultations, prescription drugs, surgical procedures, etc, that require the direct involvement of a provider and a patient (and/or the patient’s designated caregivers), most of which can be billed and reimbursed through private or public insurance programmes or paid for out of pocket by the responsible party. Technology solutions such as electronic health records, workflow management, staffing software, decision-support software, etc, that are directed toward operational, disease prevention, community health, infrastructure support, accounting and finance, hospital administration and other areas of modern medical practice – but are not directly related to the treatment of individual conditions – are seen as falling under the digital healthcare framework.

In the United States there is no single or universal definition of digital health or digital medicine. Despite the generally understood difference between digital health and digital medicine solutions noted in 1.1 Digital Healthcare, Digital Medicine and Digital Therapeutics, federal and state legislation, the regulations that arise out of such legislation, and the agencies that define and enforce these regulations often provide specific definitions that conform to the specific issues, services, conditions, solutions, tools and technologies that are the focus of that particular piece of legislation.

These laws and regulations cover areas such as:

  • the collection, use, management, storage and disposal of protected health information;
  • data breach reporting and response;
  • biometrics;
  • product advertising;
  • reimbursement;
  • government contracts and procurement;
  • genetic testing;
  • the full suite of “tele-” services (telemedicine, teledentistry, tele-counselling, etc);
  • diagnostics;
  • therapeutics;
  • online pharmacies; and
  • practitioner licensing, etc.

The definitions of digital health and digital medicine provided in one piece of legislation, regulation or other federal and state guidance cannot be assumed to apply, exactly, in legislation regarding other issues.

Most of the technologies that support advances in digital healthcare are not exclusive to this industry. Mobile devices and networks are becoming faster, more reliable, more accessible and more user-friendly – advancements that apply in the healthcare industry as well as in manufacturing, retail, real estate, etc. Improvements in data processing speed, storage and transfer are fuelling the growth in online and streamed entertainment and news services in the same way that they are driving better imaging and radiology services. In other words, technology is expanding and improving in healthcare as much (and as little) as in any other field.

That said, certain technologies have seen rapid growth within the healthcare space, including:

  • health-promoting mobile apps and wearables such as continuous glucose monitors, fitness apps, and digital virtual assistants and natural language processing tools;
  • telemedicine solutions, including behavioural health counselling, substance abuse treatment, primary care, cardiology and management of chronic disease;
  • robotics;
  • artificial intelligence (AI) and machine learning (ML);
  • genetic sequencing and personalised medicine;
  • clinical decision-support software; and
  • the internet of things (IoT), and more.

In virtually every industry, technology-related legal issues follow a similar pattern: researchers and scientists develop new technologies; businesses and investors move quickly to commercialise these solutions; and legislators and regulators struggle to keep up. Where laws and rules are enshrined, they often occur after the proverbial horse has left the barn.

With respect to digital health in particular, there are two areas of growing concern for lawmakers and regulators:

  • data privacy and security; and
  • AI and ML.

Federal legislation regarding the privacy of healthcare data (sometimes referred to as “protected health information” or “personal health information”, both using the acronym PHI) has been in existence for several decades. The two main laws that govern the collection and use of PHI are the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).

At the state level, a number of states are enacting laws to further protect personal information. While many such laws are more consumer-focused, cover a broad range of data types and are not exclusive to health information, per se, they typically contain language that applies to PHI. Major examples of such legislation include:

  • the Biometric Information Privacy Act in Illinois;
  • the California Consumer Privacy Act, the Genetic Information Privacy Act and the California Privacy Rights Act; and
  • Virginia’s Consumer Data Protection Act.

With respect to AI and ML in digital health, significant attention has been paid to the use of these technologies in patient triage, communications between patients and providers (including so-called chatbots), data mining and analysis, and clinical decision support systems. The public release of OpenAI and other systems has likewise increased public awareness of the benefits and pitfalls of AI, at least in its current state. While lawmakers are beginning to hold hearings on the opportunities and challenges of using AI for a broad range of purposes, very little action has been taken to limit or regulate the use of these technologies. For supporters of AI technology, this means that developers will have an opportunity to move quickly and profit from their inventions; for critics, this means that the AI “seeds of destruction” are already being sown.

The COVID-19 global pandemic created an unexpected stress test for digital health solutions, with particular respect to telehealth/telemedicine. Immediately before and following the declaration of the public health emergency (PHE), federal and state agencies quickly announced measures to temporarily limit restrictions on the use of telemedicine and the technologies that support it, and noted that they would use their enforcement discretion to decline to enforce certain requirements.

Among other federal efforts, the FDA announced that it would allow manufacturers of certain FDA-cleared, non-invasive vital-sign measuring devices and clinical decision support software to modify their technology, claims or functionality to facilitate remote monitoring and home use of such devices without obtaining additional clearance for the modifications or expanded indications. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) likewise provided clarification on reduced enforcement and the waiver of prior regulations governing certain patient data privacy regulations, as well as expanded reimbursement for the use of telemedicine and related tools and technologies. Similarly, state and local agencies across the United States issued guidance allowing for increased use of telemedicine.

Although the US federal PHE has officially ended, federal, state and local regulators have acknowledged many of the benefits that accrued as a result of digital health tools. Many of the emergency use authorisations extended to certain medical devices during the pandemic have been allowed to continue on a temporary basis; US Centers for Medicare and Medicaid Services (CMS) reimbursement codes for telehealth services have been extended until 31 December 2023; and states across the country are taking rapid action to make permanent what were temporary exceptions to regulations, in order to expand the availability and use of effective digital health solutions.

At the federal level in the United States, HHS is responsible for enhancing the health and well-being of all Americans and for fostering sound, sustained advances in the sciences underlying medicine, public health and social services.

Within HHS, the FDA is tasked with administering and enforcing the provisions of the Federal Food, Drug, and Cosmetic Act (FFDCA), which is the primary legislation that governs the manufacture, sale and use of products classified as food, dietary supplements, drugs and cosmetics, including digital health products that meet the definition of medical devices.

Within the FDA, the Digital Health Center of Excellence provides regulatory advice and other support with respect to digital health policy, cybersecurity of medical devices, clinical studies, regulatory review support and co-ordination, AI and ML, strategic partnerships, and more. The FDA concentrates its digital health enforcement efforts on the safety of SaMD and other solutions, with an emphasis on patient safety.

Other key agencies within HHS that play a role in the regulation of digital healthcare include:

  • the CMS, which has oversight of the Medicare programme, the federal portion of the Medicaid programme, the Children's Health Insurance Program, the Health Insurance Marketplace and related quality assurance activities;
  • the Agency for Healthcare Research and Quality, whose mission is to produce evidence to make health care safer, higher quality and more accessible, equitable and affordable, and to work within HHS and with other partners to make sure that the evidence is understood and used;
  • the Centers for Disease Control and Prevention (CDC), which provides leadership and direction in the prevention and control of diseases and other preventable conditions, and the federal response to public health emergencies;
  • the National Institutes of Health, which supports biomedical and behavioural research in the United States and abroad, conducts research in its own laboratories and clinics, trains promising young researchers and promotes the collecting and sharing of medical knowledge;
  • the OCR, which, among other responsibilities, ensures that individuals can access and trust the privacy and security of their health information; and
  • the Office of the National Coordinator for Health Information Technology, which provides counsel for the development and implementation of a national health information technology framework.

On 29 December 2022, the Consolidated Appropriations Act of 2023 was signed into law. Section 3305 of the act, “Ensuring Cybersecurity of Medical Devices,” amended the FFDCA by adding Section 524B. Effective as of 29 March 2023, a sponsor of a premarket submission for a cyber device must include information to demonstrate that the cyber device meets the cybersecurity requirements in Section 524B(b) of the FFDCA.

With respect to health information privacy, HIPAA does not require providers to report on their cybersecurity measures; however, HHS does publish a range of guidance with respect to administrative, physical and technical PHI safety measures, remote and mobile use of PHI, and so forth. Things change when a data breach occurs, however; in the event of a breach affecting 500 or more patients, the HIPAA Breach Notification Rule requires covered entities to notify affected patients, HHS and, in some cases, the media. Such notifications must occur without unreasonable delay and no later than 60 days after discovering the breach. Notifications of breaches that affect fewer than 500 patients can be reported to HHS annually. The Breach Notification Rule also requires business associates to notify a provider of breaches at or by the business associate.

The HHS OCR enforces the HIPAA Privacy, Security and Breach Notification Rules, violations of which may result in civil monetary penalties. In some cases, US Department of Justice-enforced criminal penalties may apply. Common violations include:

  • unpermitted PHI use and disclosure;
  • use or disclosure of more than the minimum necessary PHI;
  • lack of PHI safeguards;
  • lack of administrative, technical or physical ePHI safeguards; and
  • lack of patients’ access to their PHI.

Given the influx of investment dollars into digital health solutions, as well as increased research, development and commercialisation activity, state-level corporate practice of medicine laws and regulations are gaining importance. Corporate practice of medicine laws are aimed at avoiding the commercialisation of the practice of medicine, minimising potential conflicts of interest between corporations’ shareholders and physicians’ obligations to their patients, and preventing interference with practitioners' medical judgement.

This gives rise to a number of potential issues, particularly as they relate to the employment and management of physicians who provide telemedicine and other virtual health services across multiple jurisdictions. For example, digital health solutions involve patient triage and care decisions, which may raise questions with respect to physician independence when diagnosing and treating medical conditions. Complicating matters, state corporate practice of medicine doctrines vary between states, which means that hospitals, health systems and other organisations must identify and make efforts to accommodate the strictest legal requirements in the geographic regions in which they operate.

Since the US Supreme Court’s decision in Dobbs, in which it overturned Roe v Wade, declared that the US Constitution does not provide a right to abortion and returned the authority to regulate abortion to the states, a patchwork system of legislation and regulation has been developed and is being actively litigated. One of the major effects of these new laws is to restrict the ability of individuals to access – and the ability of physicians, pharmacists and other practitioners to provide – reproductive medicine and maternal care services, particularly medication-based abortions (a significant number of which are managed via online prescription services and telehealth).

A growing area of focus for regulators and law enforcement officials, particularly at the federal level, is telehealth fraud and overutilisation. In September 2022, the HHS Office of Inspector General (HHS-OIG) issued guidance identifying Medicare provider billing practices that it saw as being high risk. In April 2023, HHS-OIG followed up and issued a new toolkit and framework that would enable public and private entities, health plans, state Medicaid fraud units and federal healthcare entities to conduct internal audits and self-assessments, self-report potential violations, and work with agency officials to take corrective action and potentially reduce penalties.

While there is no clear evidence that digital medicine processes and billing methodologies lead to higher rates of fraud, as compared to in-person care delivery, the expanded use of telemedicine services is likely to increase the value of total, fraud-derived reimbursements. In other words, if one in every thousand billing physicians is a bad apple, after doubling the number of such physicians it is likely there will be two bad apples in the newly expanded population.

Among non-healthcare regulators that nonetheless have some oversight responsibility for digital health products, perhaps the most important of these – at the US federal level – is the Federal Trade Commission (FTC). Primarily a consumer protection agency, the FTC focuses its efforts in the digital health space on the enforcement of product safety, compliance with advertising laws, and other issues with respect to health-related products and devices.

At the state level, attorneys general have begun working together to call for fitness and health application developers, large tech companies and other solution providers to strengthen data privacy protections. For example, in 2022 and following the Supreme Court’s decision in Dobbs, a group of state attorneys general requested that Apple add new protections for reproductive health data collected and used by third-party apps made available on the company’s App Store.

Preventative care focuses on evaluating an individual’s current health, preventing disease and providing routine care such as check-ups, annual wellness visits, immunisations and preventative screening tests. Preventative care is often provided at no cost, and the types of tests that fall under the umbrella of preventative care are typically based on recommendations from the United States Preventive Services Task Force.

On the other hand, diagnostic care usually involves investigating and/or treating a specific health issue, and may include management of symptoms, assessments of risk factors, ongoing care for chronic illnesses, and lab or other tests used to manage and/or treat a medical issue or health condition. Diagnostic care is typically paid for, to at least a certain degree, by the insurer, although insureds might owe money for deductibles, copays and/or coinsurance.

The Affordable Care Act (also known as Obamacare, or ACA) requires private health plans to cover services provided under four broad categories:

  • evidence-based screenings and counselling services that have a rating of “A” or “B” in the current recommendations of the US Preventive Services Task Force;
  • routine immunisations;
  • preventative services for women; and
  • preventative services for children and youth.

As the US population ages, a number of “lifestyle-related” illnesses are on the rise, such as obesity, diabetes, hypertension, osteoporosis, Alzheimer’s disease, dementia and other conditions. At the same time, decades-long changes in population behaviour, including eating habits, work schedules, use of technology to streamline or reduce manual labour, substance abuse and low-activity lifestyles, are increasing the prevalence of these conditions in younger populations as well.

Much of the growth in the digital health space is a result of efforts to reverse these trends. Wearable and handheld devices are being marketed to promote health-sustaining behaviours and combat unhealthful activities. Among other incentive-based digital health tools, insurance companies are establishing online and app-based self-reporting tools and offering financial discounts on premiums and other “rewards” for working out regularly at pre-screened gyms and fitness facilities. Healthcare providers, insurers, public health agencies and ancillary health-and-fitness organisations are also creating streaming webinars and online content aimed at educating consumers about fitness issues, and manufacturers are increasingly developing connected devices (stationary bikes, workout equipment, etc) that deliver real-time workouts and track fitness data over time.

Health, wellness and fitness data is subject to a broad range of data privacy, security and breach notification regulations, as described in 2.1 Healthcare Regulatory Agencies. With respect to HIPAA, PHI includes any information in the medical record or designated record set that can be used to identify an individual and that was created, used or disclosed in the course of providing a healthcare service such as diagnosis or treatment.

The following 18 identifiers have been specified:

  • patient names;
  • geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes;
  • all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, etc, with some restrictions;
  • telephone numbers;
  • fax numbers;
  • email addresses;
  • Social Security numbers;
  • medical record numbers;
  • health plan/insurance beneficiary numbers;
  • account numbers;
  • certificate/licence numbers;
  • vehicle identifiers and serial numbers, including licence plate numbers;
  • device identifiers and serial numbers;
  • digital identifiers, such as web universal resource locators (URLs);
  • Internet Protocol (IP) addresses;
  • biometric identifiers, including finger, retinal and voice prints;
  • full-face photographic images and any comparable images; and
  • any other unique identifying number, characteristic or code.

Along with information on the above list, other data that can be associated with a particular individual that may be collected by hardware, software, an app or some other method that does not meet the FDA’s definition of a medical device may still be subject to other federal and state privacy laws and regulations.

As one of the largest and most consequential pieces of healthcare legislation of the past several decades, the ACA stands out for its provisions aimed at supporting preventative healthcare. Among other areas, the ACA requires insurance plans to cover a range of preventative services, including immunisations and vaccinations, screenings and counselling without requiring copays, deductibles or other cost-sharing payments from insured patients. By supporting the implementation of state health insurance marketplaces, the ACA also expanded access to healthcare, the result of which was to enable patients and providers to identify potential risks and existing medical issues earlier in their progression, thereby improving outcomes.

The CDC also plays a major role in pursuing public health research and initiatives, as does the CMS; these focus on providing healthcare coverage and services to older and lower-income individuals and families, respectively. State health departments and Medicaid programmes also serve as an important backstop against the spread of disease and the promotion of health and wellness.

A significant effect of the expiration of the US federal PHE is that millions of Medicaid recipients across the country will no longer be eligible for healthcare benefits, which could cause an upsurge in otherwise preventable illness.

One of the most interesting developments in healthcare delivery is the entrance of “big box” retailers into the marketplace, such as Amazon, CVS, Walgreens, Best Buy and other companies. These and other entities are launching or acquiring primary care, urgent care, specialty care, pharmacy, in-home health, telehealth and other services – often disrupting traditional methods for providing healthcare.

In addition to giving rise to corporate practice of medicine concerns (see 2.2 Recent Regulatory Developments), these new enterprises are creating anxiety about the weakening of data privacy and security protections. For example, a May 2023 article in The Washington Post (“To become an Amazon Clinic patient, first you sign away some privacy”) noted that, at the time of writing, Amazon Clinic’s authorisation form requests patients’ approval for the “use and disclosure of protected health information”, authorises Amazon to access one’s “complete patient file” and notes that the information “may be re-disclosed”, at which point it “will no longer be protected by HIPAA”. Of course, there is no negotiation: either the would-be patients accept Amazon’s terms or they go elsewhere for healthcare services. As part of its rationale for seeking permission to sidestep HIPAA protections, Amazon claims that it is not a “healthcare” provider but is, instead, a provider of storefront software that directs patients to outside healthcare providers.

With nearly one third of the world’s data volume generated by the healthcare sector (and with the annual growth rate of healthcare data expected to reach 36% by 2025), the internet of medical things (IoMT) is poised to become a major contributor to this information surge. IoMT devices range from those that monitor blood glucose, heart rate, depression, Parkinson’s disease and other disease states, to so-called smart pills with microscopic sensors that can travel through a patient’s digestive system.

Key concerns about connected devices include data privacy, cybersecurity and patient safety. Providers must ensure that processes are in place to address device failures, lack of connectivity, data hacking and other potential risks. Management of such risks requires patients to accept a higher level of responsibility for their own care, which may not be appropriate for all individuals or for all conditions.

At the present time, there are no specific legal regimes focused on liability for adverse health outcomes relating to wearable, implantable or digestible medical devices that can be described as “connected” or IoMT. However, broader legal frameworks that can be brought to bear include federal and state product liability laws, medical malpractice laws, FDA oversight of medical and healthcare products, and HIPAA, HITECH and other data privacy and information security laws described elsewhere in this article.

Medical device reporting is one of the post-market surveillance tools used by the FDA to monitor device performance, detect potential safety issues and contribute to risk-benefit assessments of these products. Manufacturers, device user facilities, importers and other “mandatory reporters” are required to submit certain types of reports for adverse events and product problems about medical devices to the FDA. The FDA also encourages healthcare professionals, patients, caregivers and consumers to submit voluntary reports about serious adverse events that may be associated with a medical device, as well as use errors, product quality issues and therapeutic failures.

The Voluntary Malfunction Summary Reporting programme was established in 2018 and allows eligible manufacturers to report certain device malfunction medical device reports for certain kinds of devices and malfunctions. These are made in summary form on a quarterly basis. Healthcare professionals, patients, caregivers and consumers can submit voluntary reports to MedWatch, the FDA’s Safety Information and Adverse Event Reporting Program.

Interconnected medical devices can deliver numerous benefits that increase the ability of physicians and other practitioners to deliver high-quality care, expand patient access to various prevention, diagnostic and treatment modalities, and improve healthcare outcomes. However, they do give rise to specific information-security risks and vulnerabilities, some of which may be determined by the specific nature of the computing environment.

With respect to cloud-based computing, for example, medical data and services are typically hosted and managed by third-party service providers. Significant threats include data breaches, unauthorised access, data loss and other provider-specific vulnerabilities. With respect to on-premises and local computing environments, key cybersecurity risks include device vulnerabilities (allowing for exploitation by attackers), insider threats (eg, unauthorised access to, misuse of, or theft of devices and/or data, whether by malicious intent or negligence), network vulnerabilities (eg, weak authentication protocols or unencrypted communications channels), failure to apply security patches and updates, physical theft of devices, and compromised device integrity.

Risk-mitigation strategies include strong, clear terms in vendor contracts that outline specific cybersecurity roles and responsibilities, the implementation of strong encryption and protocols, ongoing security assessments and, perhaps most important, staff training.

Healthcare and information security regulation is an ongoing process. A number of federal government agencies provide guidance on health information privacy, cybersecurity and medical devices. The Computer Security Resource Center of the National Institute of Standards and Technology (NIST – part of the US Department of Commerce) has published dozens of “800 Series” special publications that focus on computer/information security across a range of industries, including healthcare, as well as “1800 Series” cybersecurity practice guides, NIST internal reports and Information Technology Laboratory bulletins that give wide-ranging advice on establishing, governing and managing information and communications technology risks.

Similarly, the FDA and its Digital Health Center of Excellence provide extensive information and have published numerous regulatory guidance documents on digital health-specific issues, including software functions, mobile medical applications, updates to medical software policies resulting from Section 3060 of the 21st Century Cures Act, medical device data systems, medical image storage devices, medical image communications devices, clinical decision-support software, and more.

The FDA uses the definition of SaMD provided by the International Medical Device Regulators Forum (IMDRF): “software intended to be used for one or more medical purposes that performs these purposes without being part of a hardware medical device.”

The IMDRF is a global, voluntary group of medical device regulators pursuing the harmonisation of medical device regulation. In 2013, IMDRF formed the Software as a Medical Device Working Group to develop guidance supporting innovation and timely access to safe and effective SaMD globally. Chaired by the FDA, the working group agreed upon the key definitions for SaMD, a framework for risk categorisation of SaMD, the Quality Management System for SaMD, and the clinical evaluation of SaMD.

In the United States, nearly 2,000 distinct types of medical devices have been categorised by the FDA into either Class I, Class II or Class III, based on the level of control necessary to ensure the safety and effectiveness of the device. Class I devices are viewed as the least risky; Class III includes devices that pose the greatest risk.

The regulatory controls for each device class include:

  • Class I (low to moderate risk): general controls;
  • Class II (moderate to high risk): general controls and special controls; and
  • Class III (high risk): general controls and pre-market approval.

Most Class I and II devices are exempt from pre-market notification (510(k)) requirements, and may also be exempt from current Device Good Manufacturing Practices requirements under the Quality System Regulation. However, exempt devices must still comply with other general regulatory controls relating to the registration of producers of devices, banned devices, notifications and other remedies, records and reports on devices (including adverse event reporting and device tracking), and other general provisions with respect to the control of devices intended for human use.

Special controls for Class II devices are usually device-specific and include performance standards, post-market surveillance, patient registries, special labelling requirements, pre-market data requirements, and other guidelines.

Pre-market approval is required of Class III devices that are intended to be used in supporting or sustaining human life or preventing the impairment of human health, but which may present a potential, unreasonable risk of illness or injury for which general and special controls are insufficient to provide reasonable assurance of the safety and effectiveness of the device, or for which there is insufficient evidence to make such a determination.

Regulators acknowledge the speed of innovation within SaMD and are pursuing ongoing efforts to improve the various processes involved in regulating these important healthcare tools.

In recent years (before and during the COVID-19 global pandemic), it has become increasingly clear that telemedicine has earned its place in the pantheon of care-delivery methodologies available to practitioners and patients. Telemedicine stands out from in-person treatment in the way that it can offer rural communities, colleges and universities, major employers, chronically ill or homebound individuals, underserved populations, and patients in general (even during non-pandemic times) effective diagnostic, prevention and treatment services.

Telehealth in the future will be on its strongest footing when advocates and users recognise that one-size-fits-all solutions are better described as “one size fits none”. As hospitals, health systems, clinics and other providers apply the lessons learned during the COVID-19 pandemic to their own long-term objectives – including quality of care and cost-effectiveness – telemedicine will cement its position as a cornerstone of healthcare delivery.

Providers can take the following actions now to help make the most effective use of telemedicine in the long run:

  • require the same standard of care for telehealth visits as for in-person visits;
  • understand when telemedicine is appropriate and when it is not;
  • share information, data and best practices at the industry level;
  • develop strategies to promote patient buy-in and engagement in telemedicine and personal health management;
  • integrate artificial intelligence and other technologies to improve diagnostics and treatment; and
  • work closely with state and federal regulators to resolve licensure, corporate practice of medicine and other regulatory issues.

With respect to the latter point, the Federation of State Medical Boards supports the Interstate Medical Licensure Compact, which is an agreement among 37 states, the District of Columbia and the Territory of Guam to work together to streamline the licensing process for physicians wishing to practise in multiple states. Similar licensing compacts are also gaining momentum. Since the beginning of 2023, dozens of US states have passed or are actively pursuing legislation that allows participation in licensure compacts covering audiologists, speech pathologists, occupational therapists, mental health counsellors, and more.

In the early months of the pandemic, HHS, the FDA, CMS and other federal agencies engaged in a co-ordinated effort to ease restrictions governing the use of telehealth and related digital health technologies. These included:

  • waivers of certain HIPAA and HITECH non-compliance sanctions and penalties against covered entities and providers using telehealth and non-public-facing technologies for remote communications (including good-faith use of video applications such as Zoom, Skype and FaceTime);
  • waiver of the “originating site requirement”, allowing Medicare beneficiaries to receive telehealth services anywhere and not just at a designated healthcare facility or rural site;
  • waiver of the requirement that physicians and non-physician practitioners be licensed in the state where the patient is located (subject to certain conditions);
  • waiver of the “relationship requirement”, which, prior to the current national health emergency, meant that a provider or someone in the practice must have seen the patient in-person before initiating subsequent telehealth services;
  • removal of limits on the number of times certain services can be provided by Medicare telehealth;
  • encouragement for Medicaid programmes (which vary by state) to increase access to telehealth; and
  • application of non-enforcement policies to situations where a plan or issuer adds benefits, or reduces or eliminates cost sharing, for telehealth and other remote care services.

Since the expiration of the federal PHE in early May 2023, many of the above exemptions and policies have been extended at least until 31 December 2023. A significant effort is being made at the federal level, and among the states, to make permanent these waivers as well as other digital health best practices that were introduced and/or stress tested during the pandemic.

From a reimbursement perspective, the early pandemic initiatives emanating from federal agencies (see 7.2 Regulatory Environment) also included:

  • expanded telehealth codes for which providers can be reimbursed; and
  • equalised payment rates such that in-person (facility) and telehealth visits are reimbursed at the same level.

CMS telehealth codes will remain in effect through the remainder of 2023, although it appears possible that expanded reimbursement for telehealth services and parity for telehealth and in-person services will be enshrined in forthcoming proposed and final rules.

The IoMT enables providers to deliver more personalised care, support early detection of medical conditions, take advantage of remote monitoring of patients and improve overall patient outcomes. Key technological developments that have facilitated the creation and expanded use of connected devices, wearables, implantables and high-volume, high-speed data exchange and analysis include:

  • high-speed internet connections and standardised protocols, including Wi-Fi, Bluetooth and cellular networks;
  • technology miniaturisation, which has allowed for more effective implantable devices, such as insulin pumps and pacemakers, that can also transmit data wirelessly;
  • AI and ML, which are capable of analysing large volumes of data, analysing patterns and offering predictive assistance that helps providers diagnose disease, identify potential disease outbreaks and disease vectors, and deliver precision medicine solutions;
  • interoperability and data standards, which have allowed for seamless communication and data exchange (including electronic health records) between devices, systems, networks and platforms; and
  • cloud-based data storage and computing, which support the collection and analysis of healthcare data from virtually anywhere.

As noted in 5.1 Internet of Medical Things and Connected Device Environment, however, IoMT solutions give rise to a host of cybersecurity risks. Bad actors and cyberthreats are growing exponentially, and a number of hospitals and health systems have found themselves vulnerable to cyberattacks, data hacking, ransomware and other threats. Privacy advocates also call attention to the need to protect PHI wherever and however it is stored, used and transmitted, whether via apps on mobile devices, during telehealth visits, or through other activities relating to healthcare delivery.

Any telecommunications technology that delivers increased speed and bandwidth and reduces latency is a win for healthcare in general, and for digital healthcare in particular. High-resolution imaging and file transfers, improved videoconferencing, emerging treatment modalities such as robot-assisted surgery, remote consultations between emergency-room staff and far-flung specialists, and more, all benefit from faster, more reliable networks.

Likewise, as healthcare research and clinical practice create ever-increasing volumes of data, the ability to share such information quickly and safely will further contribute to disease prevention and treatment modalities, whether conducting personalised medicine (also known as “precision medicine”) to, eg, fight specific cancers in individuals, or developing, testing and implementing broad-scale public health strategies.

While the benefits of 5G networks are manifold, those who stand to see the greatest benefit are patients who live in – and practitioners who provide services to – rural, low-income and other under-served communities. In urban cities, high-speed broadband connections using digital subscriber lines, cable modems, fibre-optic technology and other technologies are widespread and relatively available to healthcare providers and patients alike. In rural, poorer communities, however, internet services may be limited and/or slow, requiring the use of wireless technologies. Connecting such communities to 5G networks can significantly increase access to care and improve the speed, delivery and quality of such care.

In some respects, the growth of digital healthcare has had a minimal impact on the use and sharing of personal health information in clinical and research settings. Protected health information is protected health information, no matter how it is acquired, stored, used, shared or disposed of. In essence, paper records must comply with the same regulatory standards as electronic files.

That said, digital healthcare is, by definition, an information phenomenon, and the modalities, processes and technologies through which this information is gathered raise unique risks. Where, for example, data thieves were once required to physically break into a physician’s office to steal or destroy files (significantly limiting the impact of such actions), today’s remote hackers can reach virtually anywhere in the world and launch attacks that affect hundreds of thousands, even millions, of patient records at a single pass. Hospitals and health systems have been key targets for ransomware attacks, creating chaos for patients, providers and healthcare administrators, not to mention law enforcement and regulatory officials.

Although there are a number of global and national efforts to increase cybersecurity through consistent, well-documented standards, protocols and policies, most patients and providers operate within a patchwork of competing systems. Under these conditions, developers, vendors, suppliers and users of digital health technology must make an extra effort to scrutinise business partners’ cybersecurity policies and practices, negotiate clear, comprehensive terms in contracts, collaborate to perform regular security maintenance, and quickly and completely notify relevant law enforcement and regulatory officials in the event of a data breach or cyberattack.

The potential of AI in healthcare appears virtually limitless, but it is important to recognise that AI is far from flawless. Although AI solutions can offer unique opportunities to improve healthcare delivery and patient outcomes, AI-enabled medical products can and have resulted in inaccurate and possibly harmful treatment recommendations. Errors can be introduced through inaccurate or biased data used to build and train ML tools, through algorithms that give inappropriate weight to certain data points, and other flaws. Stakeholders across the spectrum – individual providers, health systems, technology developers, legislators, regulators and patients – must work together to ensure the effectiveness and safety of AI-driven healthcare technology.

To ensure accuracy and reliability, the datasets used to train AI algorithms must be large, diverse and unbiased. However, assembling such datasets can be complex and expensive, particularly given the fragmentation of the US healthcare system. A recent analysis of data used to train image-based diagnostic AI systems found that approximately 70% of studies that were included used data from three states, and that 34 states were not represented at all in the dataset. Similarly, if images used to train an algorithm to detect skin cancers consist primarily of patients with light skin tones, the AI may fail to detect – or over-detect – possible skin cancers in patients with darker skin tones. This is an important issue when people of colour are already typically diagnosed later in the progression of skin diseases.

Furthermore, many AI programmes are referred to as “black box” systems because the datasets, calculations and techniques used to identify patterns and present results are too complex for even the programmers and developers to understand. If AI fails to perform as expected, it can be very difficult to identify why the failure is occurring.

For the time being, one of the basic tenets for using AI is that it may be used to “inform” decisions but must not be used to “make” or drive decisions. In addition, the FDA has outlined an approach to managing adaptive learning, based on four core principles:

  • establish clear expectations on quality systems and good ML practices;
  • conduct pre-market assessments of SaMD products;
  • engage in routine monitoring of SaMD products to determine when an algorithm change requires FDA review; and
  • embrace transparency and real-world performance monitoring.

AI and ML technologies are subject to the same data privacy regulatory frameworks that apply to all health-related products and services.

Other core concerns relating to the training and implementation of AI often revolve around:

  • appropriateness (the process of deciding how the algorithm should be used in the local context and matching the ML model to the target population);
  • bias (the systematic tendency of a model to favour one demographic group over another); and
  • fairness (understanding the impact of AI on various demographic groups and choosing definitions of fairness that satisfy legal, cultural and ethical requirements).

In December 2022, the HHS OCR issued a bulletin noting the collection of sensitive information via tracking technologies such as AI-driven Google Analytics and Meta Pixel, and stating that it is critical for regulated entities to ensure that PHI is only disclosed as expressly permitted or required by the HIPAA Privacy Rule. This bulletin followed a 2022 regulation proposed by the OCR explicitly prohibiting healthcare providers enrolled in Medicare from discriminating based on race, sex and other protected characteristics through the use of clinical algorithms in decision-making.

State-level regulatory oversight of AI is also happening in places such as California, where the state’s attorney general initiated an ongoing probe into how algorithmic tools are exacerbating racial and ethnic disparities.

Many of the legal issues facing companies operating in the digital healthcare space have been described elsewhere in this document. The following are additional, emerging issues of which such companies should be aware.

  • Increased federal antitrust enforcement – following the lead of President Biden, who launched his administration by singling out anti-competitive activity and consolidation in the US hospital and health systems marketplace as a primary cause of reduced access to healthcare services, particularly in rural communities, the US Department of Justice and FTC have been aggressively pursuing the application of antitrust law to the healthcare sector. As large retailers such as Amazon, Best Buy, CVS and Walgreens expand their service lines, it is likely that such scrutiny will only increase.
  • Uncertainty regarding implementation of the No Surprises Act – in February 2023, HHS announced a temporary halt to reimbursement decisions under the No Surprises Act while it reviewed a court ruling that vacated portions of the implementing regulations and held that independent dispute resolution between providers and payers for reimbursement of out-of-network services unfairly favoured payers.

In its 2021 forum on the Future of Digital Healthcare after COVID-19, the Organisation for Economic Co-operation and Development determined that “the main barriers to building a 21st century healthcare system are not technical, but can be found in the institutions, processes and workflows forged long before the digital era”. Simply put, a digital healthcare system cannot work if it is simply laid on top of aging infrastructure designed to support traditional care delivery.

Understanding that investment in infrastructure is necessary to realise the full transformative potential of digital health, some countries (including Australia and the UK) have committed billions of dollars toward building new – and reinforcing existing – systems and platforms. In the United States, however, a recent study by the American Society of Health Engineers, which examined financial measures that demonstrate how well hospitals are keeping their facilities current, found that facilities are not just out of date – they are degrading at an increasing pace.

Key principles to keep in mind when preparing infrastructure for a future, digital information-dependent healthcare system include maintaining a focus on human-centred design and sustainability and the creation of innovative spaces that enable the integration of innovative technologies. Healthcare companies must invest now in an infrastructure that should not quickly face an inevitable replacement, but should have the capacity to evolve as rapidly as the technologies that support them.

In December 2022, CMS issued a proposed rule that would improve patient and provider access to health information and streamline processes related to prior authorisation for medical items and services. The proposed rule includes requiring implementation of a Health Level 7® (HL7®) Fast Healthcare Interoperability Resources® (FHIR®) standard Application Programming Interface (API) to support electronic prior authorisation. Other policy proposals include:

  • expanding the current Patient Access API to include information about prior authorisation decisions;
  • allowing providers to access their patients’ data by requiring payers to build and maintain a Provider Access FHIR API, to enable data exchange from payers to in-network providers with which the patient has a treatment relationship; and
  • creating longitudinal patient records by requiring payers to exchange patient data using a Payer-to-Payer FHIR API when a patient moves between payers or has concurrent payers.

With respect to cybersecurity, the FTC, FDA, Department of Transportation, Department of Energy, Securities and Exchange Commission, Cybersecurity and Infrastructure Security Agency and other federal agencies are all working on the development of new regulations and enforcement activity. Throughout the past 18 months, nearly every US state has enacted cybersecurity legislation. Although this activity does not target the healthcare industry specifically, the bulk of this new legislation and rulemaking will have an impact on payers, providers and patients.

Another area of focus is the creation of “software bills of materials” that enable companies to quickly and accurately identify and manage all of the various software programs embedded in their increasingly complex computer systems and platforms. This can help vendors and users identify vulnerabilities that arise from multiple layers of software bundling.

Today’s software programs are no longer the product of a lone inventor or programmer, sitting in a cold garret or garage and quietly working away at the product of the century. Rather, technology development often involves far-flung partnerships across multiple borders and time zones. Digital health products often comprise numerous distinct inventions brought together to create a unique product. Technology transfers, outsourcing and joint development agreements, public-private partnerships and more are increasingly creating a complex web of intellectual property right claims and disputes.

Add one more wrinkle to the mix: if an AI program creates an invention, who owns it? In declining to hear an appeal by computer scientist Stephen Thaler challenging the US Patent and Trademark Office’s refusal to issue patents for inventions created by an AI algorithm, the US Supreme Court agreed with the US Court of Appeals for the Federal Circuit in saying “It’s not the AI”. The courts agreed that patent law unambiguously requires inventors to be human beings.

Given the complexities of intellectual property law and ownership, it is impossible to lay out the multiple issues at play in determining ownership of IP rights, including trade marks, copyrights and patents. Companies operating in the digital health space should work closely with experienced legal counsel to identify, protect and license any health-related technologies they develop.

Intellectual property protection confers specific and limited legal rights and safeguards to protect inventors’ investments of time and resources, and stimulate broader economic growth. In the United States, the following forms of IP protection are available, each of which has certain advantages and disadvantages.

  • Patents grant inventors exclusive rights to their inventions and disallow other parties from making, using or selling the patented invention. Filing for a patent requires disclosure of the details of an invention that can add to the growing body of technological know-how and increase scientific knowledge. However, patent application processes are costly, complex and time-consuming, and patents have a limited duration, after which the invention enters the public domain.
  • Copyright protection is granted automatically upon the creation of an original work, and does not require registration (although, in many cases, registering a copyright helps to prevent or minimise potential disputes). Copyright holders have exclusive rights to reproduce, display, market or modify their works. While encouraging creativity and offering economic incentives, copyrights do not extend to ideas, facts or concepts – only the unique expression of these ideas. And while copyright protection generally lasts for the lifetime of the creator (and sometimes beyond that timeframe), the fair-use doctrine does allow others limited use of copyrighted works without permission.
  • Trade marks protect brands, logos and other signs that differentiate products and services, and help companies build or increase their profile and customer loyalty. The trade mark registration process can also be expensive and time-consuming, and trade marks offer only limited protection.
  • Trade secrets can be protected indefinitely, as long as the information remains secret or confidential. Trade secret protection does not require registration and can protect a wide range of formulas, processes, customer and vendor lists, business strategies and more. However, once a trade secret is exposed, it loses its protection. Legal remedies for trade secret misappropriation can be difficult to enforce, and the recovery of damages is often challenging.

Several licensing structures can be applied in the context of digital healthcare that allow for the lawful and controlled use of relevant IP. Such structures include:

  • end-user licence agreements, also known as terms and conditions;
  • data licensing agreements, involving patient health records, research data, etc;
  • software as a service agreements, often used in the context of cloud-based solutions;
  • IP licensing agreements, involving patents, copyrights, trade marks and trade secrets, and defining the rights granted by IP owners to licensees; and
  • supplier and vendor agreements, often used when multiple parties contribute hardware, software or services to the creation of an end product – they frequently include terms covering warranties, licensing, liability and dispute resolution.

According to the World Intellectual Property Organization (WIPO), a self-funding agency of the United Nations, effective IP policies and agreements between universities and research institutions, physician/inventors and private sector digital health technology companies should seek to provide structure, predictability and a beneficial environment in which partners and stakeholders can access and share knowledge, technology and intellectual property. WIPO maintains a database of institutional IP policies that provide examples from different institutions across the globe and help users understand options and alternatives for dealing with IP issues.

Key stakeholders typically include:

  • universities and research institutions;
  • employees of these institutions;
  • inventors’ research groups and departments;
  • graduate and post-graduate students;
  • post-graduate and post-doctoral fellows;
  • visiting researchers;
  • sponsors and industry collaborators;
  • national patent offices;
  • funding agencies;
  • industry representatives; and
  • government representatives.

Every collaboration is unique, and relevant contracts should take into account the specific requirements and goals of all parties involved in the contract. In addition to obtaining legal and expert advice, the following are some best practices when negotiating contracts:

  • define project objectives and scope clearly;
  • determine ownership and rights to the IP developed during the collaboration – among other options, IP may be jointly owned, individually owned, or licensed to one or more parties;
  • allocate collaborators’ contributions and responsibilities, including financial arrangements;
  • establish clear decision-making processes and accountability;
  • take regulatory compliance into account; and
  • identify and address potential challenges, risks, disputes, etc.

Theories of liability arising out of medical decisions based on digital health technologies, including AI, ML, SaMD and data analytics, include the following.

  • Medical malpractice, potentially arising out of a failure to critically evaluate AI recommendations and deviating from the standard of care. Health systems that employ physicians and other practitioners may also be liable for practitioner errors.
  • Other negligence, possibly implicating physicians, health systems, hospitals and medical practices that all play a role in and have some responsibility for the well-being of patients. This could include, for example, making a poor choice of an AI solution because it has been trained on a database and/or population information from a demographic group different from the patient (or patients) receiving care.
  • Products liability, in which poor design, manufacturing defects or failure to warn about potential risks lead to injury. Current case law in this area, with respect to digital health, remains unsettled.

During the COVID-19 pandemic, force majeure became a hot-button topic as businesses across industries were forced to address supply chain disruptions, labour shortages, remote work, cybersecurity threats and other issues that negatively affected organisational performance – including their (and their business partners’) ability to fulfil contract terms.

Depending on the circumstances of the matter, negligence, breach of contract, strict liability, vicarious liability, warranty claims, fraud or misrepresentation and other theories of liability may come to bear in the dispute. Given the unique nature of each matter, it is important to seek effective, experienced counsel in order to identify and pursue effective remedies.

Jones Walker LLP

201 St. Charles Ave
New Orleans
LA 70170-5100
USA

+1 504 582 8000

+1 504 582 8583

ndelahoussaye@joneswalker.com www.joneswalker.com

Trends and Developments



Digital Healthcare in the USA: an Overview

Digital health: lessons learned during the pandemic are paving the way forward

On 11 May 2023, the United States allowed the federal COVID-19 public health emergency (PHE) to expire. A week before that, on 5 May, World Health Organization Director-General Tedros Adhanom Ghebreyesus declared “an end of the public health emergency of international concern”.

Although most agree that COVID-19 is still very much in the picture, the new stance of international and US federal and state officials is a clear signal that many are also ready to treat the disease as a back-burner issue simmering on low boil, and to refocus attention, resources and money on other concerns. Whether or not this is a wise policy is subject to debate: some argue that reduced vigilance will open the door to opportunistic variations of the coronavirus and cause a new or resurgent pandemic. Others insist that we have the tools, knowledge and treatments to limit infections and must now work to address the longer-term economic, educational and other consequences of several years of lockdowns.

With respect to digital health and telemedicine, however, there are encouraging signs that the lessons learned during the pandemic will have a longer shelf life. Digital health solutions played a major role in providing cost-effective, high-quality healthcare to Americans across the country and from all backgrounds. Rural and underserved populations, in particular, benefitted from the loosening of federal and state restrictions on telehealth, physician licensure and other rules that often served as barriers to the delivery of modern healthcare.

In a July 2022 report, members of global consulting firm McKinsey & Company’s Life Sciences Practice noted that “[d]igital technologies have the potential to play a critical role in efforts to improve health equity”. In so doing, they pointed to the fact that investments in global health have contributed to approximately one third of all economic growth in advanced economies throughout the past century. To get to the next level, digital health solutions must be created and implemented that reach previously excluded or under-represented groups, increase access and address unmet needs – all while taking into account such communities’ historical experience with the medical establishment.

Before continuing, it is important to state what is possibly (and hopefully) an obvious point: the goal of digital health – and of any healthcare discipline, for that matter – is to practise good medicine. Every cost-reducing, access-expanding, workflow-streamlining, data-protecting and outcome-improving technology solution must be directed toward this singular objective.

In a sign that things are headed in a positive direction now that the United States has reached the official end of the PHE, numerous federal and state lawmakers and agency officials are engaging in concerted, co-ordinated efforts to make permanent a number of pandemic-related digital health measures that, throughout the past three years, have had demonstrable, positive effects on care delivery and patient outcomes.

Within one week in May 2023, for example, Florida, Montana, Oklahoma and numerous other states either passed, or moved through at least one of their legislative chambers, legislation relating to:

  • pharmacist prescribing authority exceptions;
  • teledentistry treatments for patients in long-term care facilities;
  • the use of audio-only calls for telehealth services;
  • expanded use of telehealth to provide mental health services in schools; and
  • the standardisation of records related to patient consent for treatment and data collection and sharing.

This work is not just the purview of legislators and regulators. To help achieve these and other goals, in January 2022 the American Telemedicine Association (ATA) announced a new affiliated trade organisation, ATA Action. Founding members of ATA Action include such well-known names in healthcare as LifePoint Health, Teladoc Health, HCA Healthcare and Intermountain Healthcare, as well as leading retail brands and other businesses, including Walmart, Philips and Best Buy Health. The organisation is working to support the enactment of state and federal telehealth coverage and appropriate payment policies to secure telehealth access for all Americans.

In this context, the following is a review of some of the key developments in the digital health space throughout the past year, with an eye toward the remainder of 2023 and beyond.

Licensure: growing acceptance of interstate compacts

Prior to the COVID-19 pandemic, most states had strict limitations on the licensing of healthcare professionals to practise telemedicine within their borders. Physicians and non-physician practitioners (including nurses, psychologists and physical therapists) were required to hold licences in the states where their patients resided. In certain states, “relationship requirements” also meant that the provider or someone in the provider’s practice needed to examine the patient in person before initiating telemedicine services.

In early 2020, as the pandemic gained momentum, the Department of Health and Human Services issued a series of bulletins, notifications and FAQs announcing and then clarifying waivers of certain federal Health Insurance Portability and Accountability Act (HIPAA) regulations and Health Information Technology for Economic and Clinical Health (HITECH) Act non-compliance sanctions against covered entities and providers. As a result, state licensing boards, in turn, began to loosen their telemedicine licensing requirements.

With the expiration of federal and state PHEs, industry groups, elected officials and other advocates have strengthened their efforts to officially expand licensure opportunities for providers. For example, the Federation of State Medical Boards supports the Interstate Medical Licensure Compact (IMLC), an agreement among 37 states, the District of Columbia and the Territory of Guam to work together to streamline the licensing process for physicians wishing to practise in multiple states. More than 80% of US physicians are eligible to obtain licensures through the IMLC.

The IMLC is modelled after the Nurse Licensure Compact, which allows holders of a multistate nursing licence to practise in all of the 40 participating jurisdictions. However, a key distinction between the two compacts is that physicians must still pay between USD300 and USD700 for each state licence – a significant financial burden and ongoing expenditure for providers practising telemedicine at the national level.

Other such licensing compacts are also gaining momentum. For example, during the spring of 2023, states such as Missouri, Montana, South Carolina and Texas passed or were actively pursuing legislation that allows participation in compacts covering audiologists, speech pathologists, occupational therapists, mental health counsellors and more.

CMS telehealth codes to continue through 2023

Prior to 2023, major healthcare stakeholders had expressed fears that telehealth services made temporarily available during the pandemic would disappear once the PHE was ended. The US Centers for Medicare and Medicaid Services (CMS) has responded to this concern in several ways, including the following:

  • for 2023, CMS added new Healthcare Common Procedure Coding System (HCPCS) codes to the list of Medicare telehealth services covering prolonged services and chronic pain management and treatment;
  • CMS is retaining more than 40 codes on the Medicare Telehealth Services List until 31 December 2023; and
  • telehealth claims may continue to be billed with a place-of-service indicator that would have been used had the service been billed for an in-person visit.

In so doing, CMS is:

  • implementing the 151-day Medicare telehealth flexibilities that were contained in the 2022 Consolidated Appropriations Act (CAA), including allowing telehealth services to be furnished in any geographic area and in any originating site setting, including the beneficiary’s home;
  • allowing certain services to be furnished on audio-only telecommunications devices; and
  • allowing physical therapists, occupational therapists, speech-language pathologists and audiologists to furnish telehealth services.

The CAA also delays the in-person visit requirements for mental health services furnished via telehealth for a full 152 days after the end of the PHE on 11 May 2023.

While these and other steps are encouraging, the future of telemedicine reimbursement will depend in large part on the ability of providers, insurers and states to continue to convince relevant officials of the ongoing value of digital health services.

Capital is flowing to digital health technologies

Beginning in early 2022, labour shortages, supply chain disruptions, rising inflation, increased interest rates and geopolitical tensions played a significant role in tamping down the US economy. But while no industry is fully recession-proof, the healthcare industry and the digital health technology sector in particular have shown astonishing resilience.

For example, in its twelfth annual Global Healthcare Private Equity and M&A Report, Bain & Company reported that 2022 was the second-best year for healthcare private equity investments, with USD90 billion in disclosed deal value, down somewhat from 2021 but a full USD10 billion above the next-highest year.

Digital healthcare and healthcare IT have seen a significant amount of activity, particularly in areas that can streamline workflows, reshape revenue cycle management, and manage and use life sciences and clinical data. Although traditional M&A activity has not shown a marked uptick, a number of digital health start-ups announced significant capital-raising deals in early 2023, including USD375 million in new funding for Monogram Health, USD203 million for Paradigm, USD300 million for ShiftKey and USD200 million for ShiftMed.

Corporate practice of medicine laws remain a major hurdle

While many of the above-described transactions offer distinct advantages (including expanded geographic reach and market share, greater efficiencies and economies of scale, synergies with current private equity holdings, and access to management expertise), they risk violations of state corporate practice of medicine prohibitions.

Generally speaking, state corporate practice of medicine prohibitions restrict corporations from practising medicine or employing physicians to provide professional medical services. Although these regulations vary significantly across the 33 states that currently have such prohibitions, they are generally designed to prevent the commercialisation of the practice of medicine, avoid conflicts of interest between a corporation’s obligations to its shareholders and physicians’ obligations to their patients, and eliminate any interference with a physician’s medical judgement.

By their very nature, telemedicine and digital health typically transcend jurisdictional boundaries. As a result, compliance with ownership, employment and other obligations in one state may not ensure compliance in another. This diversity of rules and exceptions has the effect of limiting the formation, development and use of telemedicine alternatives for fear of creating legal exposure, particularly when the very entities most likely to have the resources and scale to provide effective telemedicine are often corporations.

Typically, attempts to tighten corporate practice of medicine laws have come from within state legislative bodies, while enforcement of these laws has been the focus of state attorneys general. However, recent court cases – including the American Academy of Emergency Medicine Physician (AAEMP) Group lawsuit filed in December 2022 against Envision Healthcare – may offer a view of things to come. In the suit, AAEMP (backed by the California Medical Association) alleges that Envision is using “shell business structures” in order to circumvent California state corporate practice of medicine regulations and improperly allow it to maintain ownership (or effective control) of emergency department staffing groups. Although still in its early stages, the litigation is worth watching, as it may encourage other private parties to use state corporate practice of medicine laws as a means of winning business disputes.

In any case, until such time as state legislatures take into account new methods for delivering care – and the financial and operational arrangements that support such methods – telemedicine providers and healthcare entities that contract with providers will need to scrutinise their contracts and structures on a state-by-state basis to avoid running up against state corporate practice of medicine prohibitions.

Regulatory scrutiny of telehealth fraud and over-utilisation gains strength

In September 2022, the HHS Office of the Inspector General (HHS-OIG) issued a data brief that identified Medicare provider billing practices that it was concerned posed a high risk to programme integrity. Subsequently, in April 2023, HHS-OIG issued a new toolkit that would enable public and private entities, private health plans, state Medicaid fraud control units and federal healthcare agencies to conduct compliance assessments and self-assessments that could identify potential healthcare programme risks.

In its overview of the toolkit, OIG noted that telehealth services are “now an important part of our healthcare system”, and pointed to the fact that Medicare beneficiaries used 88 times more telehealth services during the first year of the COVID-19 pandemic than in the previous year. The toolkit is designed to provide stakeholders and policymakers with a better understanding of the programme integrity risks associated with telehealth services and to help them develop necessary safeguards and address individual cases of potential fraud, waste and abuse.

The toolkit consists of two components:

  • tools for identifying and analysing telehealth claims data; and
  • a set of seven programme integrity measures that use the gathered data to determine the existence of potential risks.

Coupled with an uptick in law enforcement actions, OIG’s series of initiatives makes it clear that, in some cases, fears of fraud and abuse from a minority of telemedicine practitioners have been realised. That said, despite increased use of telemedicine services, there appears to be no clear evidence that this method of care delivery gives rise to higher rates of fraudulent or inappropriate activity compared to other care delivery methodologies. If anything, the investigations conducted and charges filed throughout the past several years indicate that, when applied, fraud and abuse laws are strong and that payers will – and should – continue to scrutinise programmes regardless of source or focus.

Dobbs decision shines a spotlight on reproductive telehealth

No review of the state of digital health in 2023 in the United States can fail to take note of the widespread impact of the US Supreme Court’s landmark June 2022 ruling in Dobbs v Jackson Women’s Health Organization. In reversing its prior decisions in Roe v Wade and Planned Parenthood of Southeastern Pennsylvania v Casey, the Court stated that the US Constitution does not confer a right to abortion and returned the authority to regulate abortion “to the people and their elected representatives”. In lieu of congressional action at the federal level, the Dobbs decision has essentially created a state-level system of access (or not) to abortion and many other reproductive health services.

In the eyes of many, the decision has also created chaos.

The choice of having or performing an abortion is an extraordinarily complex decision, and few areas of healthcare practice and regulation give rise to as much debate in this country. Although opinions on the subject vary from one extreme to another and include a vast middle ground, there is one point of almost universal consensus: Dobbs has had an unprecedented impact on the ability of individuals to obtain – and physicians and nurses to provide – effective, comprehensive maternal and reproductive healthcare without fear of legal, financial or reputational ruin.

While the purpose of this section is not to take a deep dive into the moral, political and other arguments in favour of or against abortion (or even propose a balanced approach that attempts to resolve the numerous concerns surrounding the issue), it must be noted that telemedicine and digital health solutions are at the centre of many of the discussions, state-level legislative debates and federal regulatory actions occurring today.

In the wake of Dobbs, a number of states quickly passed laws restricting access to abortion or had existing laws against abortion that came into effect immediately following the Supreme Court’s decision. Many of these laws had significant, unintended consequences, particularly for patients needing – and physicians performing – lifesaving medical procedures.

At the same time, many other states have actively expanded access to abortion treatment and enshrined protections into law for in-state and out-of-state individuals providing or seeking medical treatment within their jurisdictions.

For individuals and practitioners caught between conflicting state laws, telehealth solutions are providing a notable option. Since the onset of the COVID-19 pandemic and following the Dobbs decision, there has been a surge in demand for telehealth medical abortion services. According to a December 2022 update by the Guttmacher Institute, medication-based abortions accounted for more than half of all abortions in the United States, and one fifth of these procedures occurred via telehealth.

At the time of writing (spring 2023), US states are split almost evenly when it comes to legal telehealth medication abortions, with two dozen states and the District of Columbia allowing the procedure, and slightly less than half of states either expressly or in effect banning this form of medical treatment.

The courts are also split with regard to the legality of the primary drug used for telehealth medication abortions: mifepristone. In January 2023, among other actions, the US Food & Drug Administration (FDA) lifted restrictions that prevented patients from obtaining medication abortion pills from retail pharmacies in states that do not have bans against medication abortions. In the meantime, lawsuits in Texas and Washington state (seeking to, respectively, reverse FDA approval of mifepristone and force the FDA to make no changes to the availability of the medication) were working their way through the federal district and appellate courts.

On 21 April 2023, the Supreme Court weighed in, blocking the decision of the US Court of Appeals for the Fifth Circuit to allow limited implementation of the Texas court’s earlier decision to fully ban the use of mifepristone. While the Supreme Court’s decision means that the drug will be widely available in those states where abortion is legal for up to ten weeks in a pregnancy, it does little to resolve the ongoing debate regarding abortion and, in particular, the use of telehealth to provide abortion and reproductive services.

Given the current, divided federal government, it is unlikely that abortion-related reproductive health legislation of any sort will be passed anytime soon, leaving millions of patients and practitioners with extremely difficult choices.

Shifting away from the abortion debate, however, states on all sides of the political divide have also begun taking action that would improve maternal care to expectant mothers via telehealth. Georgia, for example, recently enacted SB 106, known as the Healthy Babies Act. As part of an effort to increase state Medicaid benefits for at-risk mothers in underserved rural communities, the legislation creates a three-year pilot programme, beginning in FY 2024, for remote maternal health services through the state’s Department of Community Health.

In New York, progress has been made on legislation (A 3004) that aims to provide funding for regional perinatal care centres and other health providers to launch telehealth applications. These and similar initiatives in other states indicate strong support for the provision of maternal healthcare services via telemedicine.

Patient data privacy and cybersecurity are ongoing concerns

Like all healthcare professionals, telemedicine providers in the United States are subject to HIPAA and the HITECH Act, as well as a range of more recent federal and state data privacy and breach notification laws, such as the California Consumer Privacy Act and the Illinois Biometric Information Privacy Act. Such laws have been established because healthcare data and personally identifiable information are rich targets for hackers and cyber criminals.

According to data provided by the HHS-OIG, in 2022 there were 707 reported healthcare data breaches involving more than 500 records each – down just slightly from 2021’s record-setting 715 reported healthcare data breaches of a similar size, and nearly double the amount reported in 2018. The majority of these 2022 breaches were incurred by healthcare providers (compared to health plans or business associates).

Despite these risks, wider exposure to telemedicine has led to rapid acceptance among patients, providers and insurers – a degree of enthusiasm that should be encouraged while also advocating for more stringent health IT security standards. Providers should ensure that they seek out and retain the services of reputable vendors that provide full interoperability with existing electronic medical record systems, are willing to sign business associate agreements, and provide reliable customer service while maintaining robust data security measures.

Telemedicine providers will also need to establish and document clear guidelines about what types of patient information can be collected and how such data can be disseminated and used to guide care. Patients are in a uniquely vulnerable position when working with providers, particularly those patients whose mental and physical health issues may impair their ability to understand fully or agree to the terms of a telemedicine visit.

Conclusion

Telemedicine has gained wider acceptance among patients, providers, hospitals and insurers. Although the rollback of some pandemic-related waivers is likely to continue, increased pressure on lawmakers and regulators will likely act as a counterweight, encouraging the implementation of laws and policies that will enable digital health services to reach their full potential. To achieve this potential, however, digital health services will need to overcome a number of persistent barriers.

Jones Walker LLP

201 St. Charles Ave
New Orleans
LA 70170-5100
USA

+1 504 582 8000

+1 504 582 8583

ndelahoussaye@joneswalker.com www.joneswalker.com