Digital healthcare in the United States encompasses a broad range of health-related products, tools and services distributed through technological solutions that improve mental and physical health and well-being. These technologies include the following.

Telehealth and Telemedicine

These are remote healthcare services that connect patients with providers via video, phone or messaging platforms. During the COVID-19 pandemic, telehealth became a cornerstone of healthcare delivery, with Medicare exemptions supporting wider adoption. Some of these changes have been made permanent, such as allowing federally qualified health centres (FQHCs) and rural health clinics (RHCs) to serve as distant site providers for behavioural/mental telehealth services.

Mobile Health

This includes health-promoting mobile tools, applications and wearables such as continuous glucose monitors, fitness apps, digital virtual assistants, natural language-processing tools, and behavioural health apps that support patient monitoring and engagement.

Electronic Patient Records

These are digital systems for storing and accessing patient health information, which facilitate care co-ordination and data sharing between providers. These systems support interoperability and seamless communication across healthcare entities.

Remote Patient Monitoring

This includes connected devices that track patient health metrics outside traditional healthcare settings, including wearables, implantables and ingestible sensors that collect and transmit health data. The Internet of Medical Things (IoMT) enables more personalised care, supports early detection of medical conditions, and improves overall patient outcomes.

These various forms differ primarily in their functionality, regulatory oversight and integration with broader healthcare systems. For example, while consumer health apps may not be regulated by the Food and Drug Administration (FDA), software as a medical device (SaMD) must meet the agency’s definition and regulatory requirements.

Digital technology is extensively integrated into healthcare settings across the United States, with varying degrees of adoption based on geographic location, provider type and patient demographics. Key applications include the following.

Clinical Care Delivery

Healthcare providers increasingly rely on telehealth platforms for primary and specialty care. During the COVID-19 pandemic, regulatory changes facilitated broader adoption, with many exemptions now permanent or extended through 30 September 2025, including geographic restrictions removal and allowing audio-only services for certain conditions.

Hospital and Health System Operations

Electronic health records, workflow management, staffing software, decision-support systems and administrative tools enhance operational efficiency, disease prevention and community health initiatives.

Consumer Health Management

Wearable devices, health apps and patient portals enable individuals to monitor their health, connect with providers and access their medical information. Insurance companies have developed incentive-based digital health tools, offering premium discounts for healthy behaviours tracked through connected devices.

Preventative Care

Digital health technologies support early detection of health issues and ongoing monitoring of chronic conditions, reducing the burden of “lifestyle-related” illnesses through education and engagement.

Digital healthcare has become increasingly mainstream, accelerated by pandemic-driven adoption and regulatory flexibility. While urban areas typically have greater technology access, efforts to expand high-speed networks and 5G connectivity to rural, low-income and underserved areas in the United States aim to address geographic disparities in digital healthcare access.

Digital healthcare provides numerous advantages to patients, providers and the US healthcare system as a whole.

Improved Patient Experience and Outcomes

Digital healthcare enhances access to services, particularly for rural communities, homebound individuals and underserved populations. Telehealth eliminates transportation barriers and reduces wait times, while remote monitoring enables early intervention for deteriorating conditions. These technologies support personalised care delivery and foster greater patient engagement in health management.

Enhanced Clinical Decision-Making

AI and machine-learning tools assist providers with diagnostics, treatment planning and clinical workflows. These technologies can analyse large datasets to identify patterns, predict disease progression and recommend evidence-based interventions. Clinical decision support systems help reduce medical errors and standardise care protocols.

Operational Efficiency

Digital health solutions streamline administrative tasks, optimise resource allocation and automate routine processes. Electronic health records enable seamless information sharing across care settings, reducing duplication of services and enhancing co-ordination.

Data-Driven Insights

The aggregation and analysis of health data supports population health management, research initiatives and quality improvement efforts. These insights inform public health strategies and healthcare policy decisions.

Cost Impact

Digital healthcare has demonstrated potential for cost reduction through several mechanisms. For example, telehealth services often cost less than in-person visits, reducing overhead expenses. Remote monitoring can prevent costly hospitalisations through early intervention. Automated administrative functions decrease operational costs. Additionally, improved disease management and prevention reduce long-term healthcare expenditures associated with chronic conditions.

While implementation costs can be substantial, the long-term economic benefits of digital healthcare include reduced utilisation of expensive services, improved workforce productivity, and more efficient resource allocation across the healthcare system.

In the United States, there is no single or universal definition of digital health or digital healthcare. Federal and state legislation, regulations and enforcement agencies often provide specific definitions that conform to the discrete issues, services, conditions, solutions, tools and technologies addressed in particular legislative or jurisdictional contexts.

Generally speaking, “digital healthcare” is understood as a broad term covering various health-related products, tools and services distributed through technological solutions to improve mental and physical health and overall well-being. These range from consumer health and wellness apps not regulated by the FDA to digital treatments regulated as software as a medical device (SaMD).

More specific terms such as “digital medicine” and “digital therapeutics” refer to narrower categories of tools, solutions and processes that actively prevent, diagnose, treat or provide therapeutics to address specific diseases or conditions. These typically include products and services such as office visits, remote consultations, prescription drugs and surgical procedures that require direct involvement of providers and patients.

In contrast, technology solutions supporting healthcare operations, disease prevention, community health, infrastructure and administration that do not directly treat individual conditions generally fall under the broader digital healthcare framework.

Without a universal definition, stakeholders often rely on context-specific understandings within relevant regulatory schemes, industry standards and international frameworks, such as those developed by the International Medical Device Regulators Forum (IMDRF).

Key Regulatory Framework

The legal framework governing digital healthcare in the United States encompasses multiple federal and state laws and regulations addressing various aspects of technology use in healthcare settings, as follows.

Health information privacy and security:

• the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
• the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH); and
• state-level privacy laws (eg, the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and the Biometric Information Privacy Act in Illinois).

Medical device and software regulation:

• the Federal Food, Drug, and Cosmetic Act (FFDCA);
• the Medical Device Amendments to the FFDCA;
• the 21st Century Cures Act; and
• Section 524B of the FFDCA (added in 2023) addressing cybersecurity of medical devices.

Telehealth and remote care delivery:

• Interstate Medical Licensure Compact legislation;
• the Ryan Haight Online Pharmacy Consumer Protection Act;
• state-level telehealth parity laws; and
• Medicare telehealth provisions under the Consolidated Appropriations Act and other federal and state legislation, waivers and exemptions.

AI and machine learning (ML):

• ongoing state-level legislation (in 2025, to date, at least 45 states have introduced more than 550 AI bills); and
• voluntary AI standards and frameworks developed by federal agencies.

Reimbursement and payment

• Affordable Care Act provisions supporting preventative healthcare;
• Centers for Medicare & Medicaid Services (CMS) rules on telehealth billing; and
• No Surprises Act provisions affecting digital health billing.

The complex patchwork of regulations creates compliance challenges, particularly for digital health solutions operating across state lines or addressing multiple aspects of healthcare delivery.

Policymakers in the United States employ several strategies to stay current with technological developments in healthcare and ensure appropriate regulation.

Regulatory Sandboxes and Innovation Pathways

The FDA’s Digital Health Center of Excellence provides regulatory advice on digital health policy, cybersecurity and AI/ML applications. The Digital Health Software Precertification Program pilots new approaches to regulate software-based medical devices.

Public-Private Partnerships

Government agencies collaborate with industry leaders and academic institutions to develop standards and best practices. For example, in 2023 the Biden administration secured voluntary commitments from major healthcare providers and payors regarding responsible AI use.

Stakeholder Engagement

Regulatory agencies conduct public workshops, request comments on proposed rules, and establish advisory committees with technology experts to inform policy development.

Flexible Guidance

Agencies issue non-binding guidance documents that can be updated more rapidly than formal regulations, allowing for responsiveness to evolving technologies.

Specialised Expertise

Regulatory bodies have established dedicated divisions focused on digital health technologies, recruiting staff with relevant technical backgrounds.

Legislative Reform

Congress periodically updates healthcare laws to address emerging technologies, as demonstrated by provisions in the 21st Century Cures Act that clarified the FDA’s authority over certain software functions.

Despite these efforts, regulatory frameworks often struggle to keep pace with rapid innovation. The pattern typically follows a reactive cycle: researchers develop new technologies, businesses commercialise these solutions, and regulators subsequently attempt to address potential risks and establish guardrails.

Technical standards play a crucial role in digital healthcare, providing frameworks that ensure safety, effectiveness, interoperability and security across technologies. Key aspects include the following.

Interoperability Standards

Standards organisations such as Health Level Seven International (HL7) develop frameworks such as Fast Healthcare Interoperability Resources (FHIR) that enable different systems to exchange data seamlessly. The 2024 CMS Interoperability and Prior Authorization Final Rule requires implementation of FHIR-based APIs to support electronic prior authorisation and data exchange.

Medical Device Standards

The FDA recognises consensus standards developed by organisations such as ASTM International, the Institute of Electrical and Electronics Engineers (IEEE) and the International Organization for Standardization (ISO) that address medical device safety, performance and cybersecurity requirements.

Cybersecurity Frameworks

The National Institute of Standards and Technology (NIST) has published numerous “800 Series” special publications on computer/information security and “1800 Series” cybersecurity practice guides providing comprehensive frameworks for protecting healthcare information systems.

Quality Management Systems

International standards such as ISO 13485 establish requirements for quality management systems in medical device development, including software as a medical device (SaMD).

Clinical Decision Support Standards

Organisations develop guidelines for the development, validation and implementation of AI and ML algorithms in healthcare applications.

These technical standards support regulatory compliance, guide industry development, establish minimum performance requirements and promote technological compatibility across healthcare systems. Standards are often incorporated by reference into regulations or used by regulatory bodies to assess whether products meet safety and effectiveness requirements.

Various aspects of digital healthcare are subject to specialised regulatory frameworks.

Software as a Medical Device (SaMD)

The FDA regulates software intended for medical purposes without being part of hardware medical devices based on risk classification (Class I, II or III). The agency’s Digital Health Center of Excellence provides guidance on SaMD policy, clinical studies and regulatory review. The 21st Century Cures Act excludes certain low-risk software functions from FDA regulation.

Self-Care, Wellness and Fitness IT Products

Consumer health applications and wearables generally fall outside FDA oversight unless they make specific medical claims. However, they must comply with Federal Trade Commission (FTC) rules regarding advertising claims and state-level consumer protection and privacy laws. The My Health, My Data Act in Washington State exemplifies new protections for health-related data collected by non-HIPAA-covered entities.

Cybersecurity and Data Protection

HIPAA and the HITECH Act establish federal standards for protecting health information, requiring covered entities to implement administrative, physical and technical safeguards. The Consolidated Appropriations Act of 2023 added Section 524B to the FFDCA, requiring medical device manufacturers to include cybersecurity information in pre-market submissions. The HIPAA Breach Notification Rule mandates reporting procedures for data breaches affecting protected health information.

AI and ML

Regulatory oversight is evolving rapidly, with the FDA developing frameworks for managing adaptive ML algorithms based on quality systems, pre-market assessment, monitoring and transparency principles. In March 2024, the HHS Office for Civil Rights (OCR) issued guidance on AI-driven tracking technologies, requiring compliance with HIPAA for use of protected health information.

Environmental, Social and Governance (ESG)

Although the current administration is pressuring regulators and businesses to turn away from or minimise ESG efforts, digital health companies continue to face expectations regarding sustainability, equity and ethical governance. While not specifically regulated under healthcare laws, these considerations affect investment decisions, partnerships and reputational standing.

Telehealth

State licensing requirements traditionally limited cross-border practice, but the Interstate Medical Licensure Compact (adopted by a majority of US states) has streamlined multi-state licensing. Medicare telehealth coverage expanded dramatically during COVID-19, with some provisions being made permanent while others remain temporary through September 2025. State telehealth parity laws often mandate insurance coverage for virtual visits comparable to in-person services.

These specialised frameworks continue to evolve as technologies advance and new challenges emerge in digital healthcare implementation.

The current legal and regulatory framework for digital healthcare in the United States presents a mixed picture, with significant gaps, despite substantial coverage in certain areas.

Areas of Relative Regulatory Sufficiency

These include:

• health information privacy through HIPAA/HITECH (though limited to covered entities);
• traditional medical device regulation through established FDA processes;
• telehealth practice standards through state medical board regulations; and
• reimbursement mechanisms for established telehealth services.

Identified Regulatory Gaps

These include:

• protection of health data collected by non-HIPAA-covered entities (eg, consumer health apps, wearables);
• oversight of AI and ML systems in healthcare;
• regulation of integrated digital health ecosystems spanning multiple regulatory domains;
• cross-border telehealth services that challenge state-based licensure systems; and
• cybersecurity requirements for internet-connected medical devices.

The fragmented nature of healthcare regulation in the United States creates particular challenges for digital health innovations that often operate across traditional boundaries. State-by-state variations in licensure, privacy laws and corporate practice of medicine doctrines further complicate compliance for digital health providers operating nationally.

Additionally, the rapid pace of technological innovation frequently outstrips regulatory frameworks. By the time regulations are developed and implemented, technologies may have evolved significantly, creating an ongoing cycle of regulatory catch-up.

Regulatory bodies have attempted to address these gaps through flexible guidance, enforcement discretion and regulatory sandboxes, though comprehensive legislative solutions remain elusive. Future regulatory development will likely require balancing innovation promotion with appropriate safeguards for patient safety, privacy and equitable access.

Several federal agencies share responsibility for regulating digital healthcare in the United States, with each focusing on specific aspects based on their statutory authority.

The Department of Health and Human Services (HHS)

This is the primary federal department responsible for enhancing the health and well-being of Americans and fostering advances in medicine, public health and social services.

The Food and Drug Administration (FDA)

Within the HHS, the FDA administers and enforces the Federal Food, Drug, and Cosmetic Act (FFDCA), which governs medical devices, including software as a medical device (SaMD). The FDA’s Digital Health Center of Excellence provides specialised oversight of digital health technologies, focusing on patient safety, product efficacy and cybersecurity.

The Centers for Medicare & Medicaid Services (CMS)

This oversees Medicare, Medicaid, CHIP and Health Insurance Marketplace programmes, establishing coverage and reimbursement policies for digital health services and technologies.

The HHS Office for Civil Rights (OCR)

This enforces HIPAA Privacy, Security and Breach Notification Rules, ensuring that individuals can access and trust the privacy and security of their health information in digital formats.

The Office of the National Coordinator for Health Information Technology (ONC)

This co-ordinates nationwide efforts to implement health information technology and promote the secure electronic exchange of health information.

The Agency for Healthcare Research and Quality

This produces evidence to make healthcare safer and more accessible, and works to ensure that evidence is understood and used.

The Centers for Disease Control and Prevention (CDC)

This provides leadership in disease prevention and public health emergency response, utilising digital health tools for population health monitoring.

These agencies frequently collaborate on digital health initiatives but may sometimes apply differing standards or priorities based on their specific missions. Their collective oversight aims to ensure that digital healthcare technologies are safe, effective and accessible, and protect patient privacy while enabling innovation.

Several non-healthcare regulatory bodies play important roles in overseeing aspects of digital healthcare.

The Federal Trade Commission (FTC)

As the primary consumer protection agency, the FTC regulates health-related product advertising claims, privacy practices of non-HIPAA covered entities, and competition in digital health markets. For example, the FTC monitors health apps and devices to ensure that they do not make unsubstantiated medical claims and that developers, manufacturers and retailers follow truth-in-advertising principles.

The Securities and Exchange Commission (SEC)

This oversees publicly traded digital health companies, ensuring accurate disclosure of business operations, risks and financial performance to investors. Digital health start-ups seeking investment must comply with securities regulations.

The Federal Communications Commission (FCC)

This regulates telecommunications aspects of telehealth, including broadband infrastructure essential for remote care delivery. The FCC’s Connected Care Pilot Program supports telehealth for low-income patients and veterans.

The Department of Justice (DOJ)

This enforces antitrust laws in healthcare markets, increasingly scrutinising mergers and acquisitions in digital health. The DOJ also prosecutes criminal violations of HIPAA and fraud in telehealth billing.

State Attorneys General

These enforce state consumer protection, data privacy and antitrust laws that affect digital health companies. State attorneys general are increasingly active in addressing health data privacy concerns, exemplified by Washington State’s My Health, My Data Act.

State Medical and Professional Licensing Boards

These establish and enforce standards for telehealth practice, remote prescribing and professional conduct in virtual care environments.

These entities exercise jurisdiction over digital healthcare because many aspects extend beyond traditional healthcare regulation into areas such as consumer protection, telecommunications, securities regulation and professional licensure. Their involvement reflects the increasingly complex regulatory landscape as healthcare adopts digital technologies that intersect with multiple domains of economic and social activity.

Regulatory authorities enforce digital healthcare laws and regulations through various mechanisms, with enforcement intensity varying across domains.

FDA Enforcement

The FDA employs a risk-based approach to enforcement, focusing on products that pose the greatest potential harm to patients. Enforcement actions include warning letters, product recalls, injunctions and civil penalties. The agency has increased scrutiny of software as a medical device (SaMD), particularly those making diagnostic or treatment claims without proper authorisation.

HIPAA/Privacy Enforcement

The HHS OCR enforces HIPAA violations through civil monetary penalties and corrective action plans. Common violations include unpermitted use/disclosure of protected health information (PHI), inadequate safeguards and failure to provide patient access to their information. OCR investigations often follow data breaches affecting 500 or more individuals, which must be reported promptly under the Breach Notification Rule.

FTC Enforcement

The FTC targets deceptive advertising claims and unfair privacy practices in digital health, typically resulting in consent decrees requiring companies to implement comprehensive privacy programmes and undergo regular assessments.

Medicare Fraud Enforcement

The CMS and the HHS Office of Inspector General (OIG) have increased scrutiny of telehealth billing practices. In April 2023, HHS-OIG issued a toolkit for identifying telehealth fraud and improper payments, focusing on high-risk billing patterns.

State-Level Enforcement

State attorneys general increasingly enforce data privacy laws and consumer protection statutes against digital health companies, particularly concerning sensitive health information collected outside HIPAA’s scope.

Areas subject to stricter enforcement include:

• false or misleading marketing claims about clinical effectiveness;
• inadequate security measures protecting sensitive health data;
• billing fraud in telehealth services;
• unauthorised practice of medicine across state lines; and
• non-compliance with informed consent requirements.

Enforcement intensity has increased as digital health adoption has expanded, with regulators adapting traditional enforcement mechanisms to address novel challenges presented by emerging technologies while attempting to balance innovation promotion with consumer protection.

The current regulatory framework for digital healthcare offers significant strengths as well as limitations in addressing emerging risks.

Current strengths include:

• established pathways for traditional medical device oversight through the FDA;
• a HIPAA framework for protecting health information by covered entities;
• growing expertise within regulatory agencies regarding digital technologies;
• flexible guidance approaches that can adapt more quickly than formal rule-making; and
• public-private collaborations to develop standards and best practices.

Notable limitations include the following:

• regulatory fragmentation across multiple agencies creates co-ordination challenges;
• significant gaps in oversight of health data collected outside HIPAA-covered entities;
• limited resources for enforcement relative to the rapidly expanding digital health sector;
• difficulty in keeping pace with technological innovation, particularly in AI/ML applications; and
• variation in state regulations, creating compliance complexities for national services.

Proposed enhancements include:

• expanded statutory authority to address health information collected by non-covered entities;
• enhanced co-ordination mechanisms between federal and state regulators;
• increased resources for technical expertise within regulatory agencies;
• development of pre-competitive research collaborations to establish validation methodologies; and
• harmonisation of state telehealth and licensure requirements.

Several reform initiatives are under consideration, including:

• federal privacy legislation that would provide comprehensive protection for health data, regardless of the collecting entity;
• expanded FDA oversight frameworks for AI/ML-enabled medical software;
• enhanced cybersecurity requirements for connected medical devices; and
• permanent telehealth flexibilities beyond the current temporary provisions.

The sufficiency of oversight varies significantly across digital healthcare domains. While traditional medical devices have well-established regulatory pathways, newer technologies such as AI diagnostics and consumer health platforms operate in areas where regulatory frameworks are still evolving. Striking the appropriate balance between enabling innovation and ensuring adequate protection remains an ongoing challenge for regulators.

Digital healthcare presents numerous legal risks and challenges across several domains.

Non-compliance with regulations includes:

• HIPAA/HITECH violations resulting from inadequate data security measures, improper disclosure of protected health information, or failure to conduct required risk assessments;
• FDA regulatory violations related to marketing unapproved medical devices or making claims exceeding authorised indications;
• licensing infractions when telehealth services cross state lines without appropriate provider licensure;
• corporate practice of medicine violations when technology companies improperly influence clinical decision-making; and
• reimbursement compliance issues, particularly as telehealth billing rules continue to evolve.

Enforcement by regulatory authorities includes:

• investigations by the HHS OCR following data breaches or privacy complaints;
• FDA enforcement actions, including warning letters, product recalls, or marketing prohibitions;
• FTC scrutiny of deceptive marketing claims or unfair privacy practices;
• DOJ and HHS-OIG investigations into telehealth fraud and improper billing;
• state attorney general actions enforcing state privacy and consumer protection laws; and
• professional licensing board disciplinary actions against providers.

Liability risks include:

• medical malpractice claims resulting from misdiagnosis or treatment errors in telehealth settings;
• product liability claims for defective digital health technologies that cause patient harm;
• negligence claims related to cybersecurity breaches exposing sensitive patient information;
• contractual liability for service disruptions or performance failures in digital health platforms;
• intellectual property disputes regarding proprietary algorithms or software components;
• class action litigation following data breaches or privacy violations; and
• vicarious liability for health systems when affiliated providers use digital technologies.

The interconnected nature of digital health technologies often creates complex liability scenarios involving multiple parties. For example, a telehealth consultation that results in patient harm might implicate the treating physician, the telehealth platform provider, the health system, and potentially the developers of any clinical decision support software used during the encounter.

Additionally, as AI and ML play increasingly prominent roles in clinical decision-making, questions of liability attribution become more complicated. When algorithms influence or drive medical decisions, determining responsibility for adverse outcomes presents novel legal challenges not fully addressed in existing liability frameworks.

The legal exposures associated with digital healthcare are addressed through multiple liability frameworks.

Statutory frameworks include the following:

• the HITECH Act authorises civil monetary penalties for HIPAA violations, with tiered penalty structures based on violation severity and culpability;
• the Federal Food, Drug, and Cosmetic Act provides for civil and criminal penalties for violations of medical device regulations;
• state data breach notification laws establish requirements for disclosing security incidents and may create private rights of action;
• the False Claims Act imposes significant penalties for fraudulent billing practices, including in telehealth services; and
• state consumer protection statutes frequently provide remedies for deceptive practices in digital health marketing.

Tort liability includes the following:

• medical malpractice claims follow state-specific standards of care, increasingly addressing telemedicine practice;
• product liability frameworks apply to digital health technologies through theories of design defect, manufacturing defect or failure to warn; and
• negligence claims may address breaches of the duty of care in safeguarding health information.

Contractual liability includes the following:

• business associate agreements under HIPAA establish contractual obligations for handling protected health information;
• service-level agreements (SLAs) between healthcare providers and technology vendors define performance expectations and remedies; and
• end user licence agreements and terms of service establish rights and responsibilities for consumers using digital health applications.

Formal redress mechanisms include:

• an OCR complaint process for HIPAA violations;
• an FDA adverse event reporting system for medical device issues;
• FTC complaint procedures for deceptive practices;
• state medical board complaint processes for provider misconduct; and
• alternative dispute resolution provisions in many digital health contracts.

The applicability of these frameworks varies based on the specific digital health application, the parties involved and the nature of the harm. Certain digital health innovations operate in regulatory gray areas where existing liability frameworks must be adapted or extended to address novel circumstances. This creates uncertainty for providers and patients regarding rights, responsibilities and available remedies when issues arise.

Several mechanisms exist to mitigate or defend against liability exposures in digital healthcare.

Regulatory compliance defences include:

• demonstrating adherence to FDA quality system regulations and software development best practices;
• maintaining comprehensive HIPAA compliance programmes with regular risk assessments;
• following state-specific telemedicine practice standards and documentation requirements; and
• implementing appropriate informed consent processes that disclose technology limitations.

Risk-management strategies include:

• robust cybersecurity frameworks with encryption, access controls and incident response plans;
• clear documentation of clinical decision-making, particularly when algorithmic tools are utilised;
• comprehensive testing and validation of software before deployment;
• regular audits and assessments of digital health systems and processes; and
• thorough documentation of provider credentials and licensing across jurisdictions.

Contractual protections include:

• limitation-of-liability clauses in vendor agreements and user terms of service;
• indemnification provisions allocating responsibility among technology partners;
• carefully drafted scope-of-service descriptions that accurately represent capabilities; and
• clear disclaimers regarding technology limitations and appropriate use cases.

Insurance coverage includes:

• specialised cyber liability insurance for data breach incidents;
• technology errors and omissions insurance for software failures;
• professional liability coverage extended to telehealth activities; and
• directors and officers (D&O) insurance addressing management decisions.

Affirmative defences include:

• statutes of limitations restricting the timeframe for claims;
• contributory negligence or comparative fault when patient actions contribute to harm;
• a learned intermediary doctrine potentially shielding technology vendors when healthcare providers intervene; and
• pre-emption arguments when federal regulations may supersede state requirements.

Successful defence strategies typically combine multiple approaches, emphasising both technical compliance and process excellence. Organisations often develop comprehensive risk management frameworks that integrate legal compliance, technical safeguards and clinical governance to address the multifaceted nature of digital health risks.

The evolving regulatory landscape requires continuous monitoring and adaptation of defence strategies. As new technologies such as AI and ML become more prevalent in healthcare, defence approaches must address novel liability scenarios not fully contemplated in existing frameworks.

Several significant developments are reshaping the digital healthcare regulatory landscape.

AI Governance

The rapid advancement of AI in healthcare has prompted increased regulatory attention. In March 2024, the HHS issued updated guidance on AI-driven tracking technologies such as Google Analytics and Meta Pixel, emphasising HIPAA compliance requirements. State-level initiatives, such as California’s investigation into algorithmic discrimination in healthcare, signal growing scrutiny of AI fairness and transparency.

Expanded Data Privacy Frameworks

Beyond traditional HIPAA protections, comprehensive state privacy laws are increasingly addressing health-related information. Washington State’s My Health, My Data Act exemplifies this trend, establishing consent requirements and private rights of action for health data collected outside HIPAA’s scope. More than a dozen states have enacted consumer privacy laws, with almost two dozen considering similar legislation.

Telehealth Permanence

As pandemic-era telehealth waivers transition to permanent policies, new regulatory frameworks are emerging. CMS has made certain Medicare telehealth provisions permanent, while others remain temporary through September 2025. This phased approach creates both opportunities and compliance challenges as organisations adapt to evolving reimbursement requirements.

Digital Therapeutics Classification

Regulatory agencies are developing frameworks to address prescription digital therapeutics (PDTs) – software-based interventions that prevent, manage or treat medical conditions. These novel products challenge traditional regulatory categories, prompting discussions about appropriate oversight mechanisms and reimbursement pathways.

Cybersecurity Requirements

The Consolidated Appropriations Act of 2023 amended the FFDCA to require cybersecurity information in pre-market submissions for “cyber devices”. This marks a shift towards more explicit regulatory attention to security vulnerabilities in connected health technologies.

Non-Traditional Healthcare Entrants

The entrance of major retailers and technology companies into healthcare delivery raises questions about corporate practice of medicine restrictions, data privacy protections and regulatory oversight. Companies such as Amazon, CVS and Walgreens are expanding primary care, pharmacy and telehealth services, challenging traditional healthcare models.

Interoperability Mandates

The CMS Interoperability and Prior Authorization Final Rule, issued in January 2024, requires implementation of FHIR-based APIs to streamline health information exchange. These requirements represent significant regulatory efforts to address fragmentation in health information systems.

These emerging issues reflect the increasing complexity of digital healthcare regulation as technologies evolve and cross traditional boundaries between healthcare, consumer products and information services.

Several significant legislative and regulatory reforms are reshaping the digital healthcare landscape, driven by policy objectives including expanded access, enhanced privacy protections, improved interoperability and appropriate oversight of emerging technologies.

Telehealth expansion initiatives include the following:

• recent federal guidance has extended certain Medicare telehealth flexibilities through September 2025, providing temporary continuity while permanent policies are developed;
• the proposed Telehealth Modernization Act aims to permanently remove geographic restrictions for Medicare telehealth services; and
• state-level legislation continues to expand participation in interstate licensure compacts, with dozens of states passing legislation in 2024 covering various health professions.

Privacy and data protection includes the following:

• the American Data Privacy and Protection Act, while currently stalled in Congress, represents ongoing efforts to establish a national privacy framework that would address health data outside HIPAA’s scope;
• the FTC’s final Health Breach Notification Rule, which became effective in July 2024, clarifies requirements for non-HIPAA covered entities handling health information; and
• state comprehensive privacy laws continue to proliferate, with growing attention to sensitive health data categories.

Interoperability advancement includes the following:

• the CMS Interoperability and Prior Authorization Final Rule of January 2024 establishes requirements for FHIR-based APIs to improve data exchange and streamline prior authorisation processes; and
• the Trusted Exchange Framework and Common Agreement (TEFCA) implementation continues to advance nationwide health information-exchange capabilities.

AI governance includes the following:

• Executive Order 14110 on Safe, Secure, and Trustworthy Artificial Intelligence includes provisions specifically addressing AI use in healthcare;
• in January 2025, the FDA published the Draft Guidance: Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations – this draft guidance proposes both life cycle considerations and specific recommendations to support marketing submissions for AI-enabled medical devices; and
• the proposed federal Algorithmic Accountability Act would require impact assessments for automated decision systems, including those used in healthcare.

Cybersecurity enhancement includes the following:

• implementation of FFDCA Section 524B establishes cybersecurity requirements for medical device pre-market submissions; and
• the proposed federal Healthcare Cybersecurity Act aims to improve collaboration between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA).

These reforms collectively seek to balance innovation promotion with appropriate safeguards for patient safety, privacy and equity. Policy drivers include:

• pandemic-era lessons regarding healthcare access;
• growing recognition of digital health’s potential to address healthcare disparities;
• concerns about health data monetisation; and
• the need for appropriate oversight of increasingly sophisticated healthcare technologies.

The reform landscape reflects an evolving understanding that digital healthcare requires regulatory frameworks that can accommodate rapid technological change while maintaining fundamental protections for patients and healthcare systems.