Digital healthcare in the United States encompasses a broad range of health-related products, tools and services distributed through technological solutions that improve mental and physical health and well-being. These technologies include the following.

Telehealth and Telemedicine

These are remote healthcare services that connect patients with providers via video, phone or messaging platforms. During the COVID-19 pandemic, telehealth became a cornerstone of healthcare delivery, with Medicare exemptions supporting wider adoption. Following a government shutdown that began on 1 October 2025, Congress passed the Consolidated Appropriations Act, 2026 on 3 February 2026, extending many Medicare telehealth flexibilities through 31 December 2027. Some provisions have been made permanent, such as allowing federally qualified health centres (FQHCs) and rural health clinics (RHCs) to serve as distant site providers for behavioural/mental telehealth services, and permanently removing geographic restrictions for behavioural/mental health telehealth services.

Mobile Health

This includes health-promoting mobile tools, applications and wearables such as continuous glucose monitors, fitness apps, digital virtual assistants, natural language-processing tools and behavioural health apps that support patient monitoring and engagement.

Electronic Patient Records

These are digital systems for storing and accessing patient health information, which facilitate care co-ordination and data sharing between providers. These systems support interoperability and seamless communication across healthcare entities.

Remote Patient Monitoring

This includes connected devices that track patient health metrics outside traditional healthcare settings, including wearables, implantables and ingestible sensors that collect and transmit health data. The Internet of Medical Things (IoMT) enables more personalised care, supports early detection of medical conditions and improves overall patient outcomes.

These various forms differ primarily in their functionality, regulatory oversight and integration with broader healthcare systems. For example, while consumer health apps may not be regulated by the Food and Drug Administration (FDA), Software as a Medical Device (SaMD) must meet the agency’s definition and regulatory requirements.

Digital technology is extensively integrated into healthcare settings across the United States, with varying degrees of adoption based on geographic location, provider type and patient demographics. Key applications include the following.

Clinical Care Delivery

Healthcare providers increasingly rely on telehealth platforms for primary and specialty care. During the COVID-19 pandemic, regulatory changes facilitated broader adoption. Following the government shutdown that lasted from 1 October to 12 November 2025, Congress retroactively reinstated Medicare telehealth waivers through 30 January 2026 via the Continuing Appropriations Act, passed 12 November 2025. Subsequently, the Consolidated Appropriations Act, 2026 extended many telehealth flexibilities through 31 December 2027, with certain provisions made permanent.

Hospital and Health System Operations

Electronic health records, workflow management, staffing software, decision-support systems and administrative tools enhance operational efficiency, disease prevention and community health initiatives.

Consumer Health Management

Wearable devices, health apps and patient portals enable individuals to monitor their health, connect with providers and access their medical information. Insurance companies have developed incentive-based digital health tools, offering premium discounts for healthy behaviours tracked through connected devices.

Preventative Care

Digital health technologies support early detection of health issues and ongoing monitoring of chronic conditions, reducing the burden of “lifestyle-related” illnesses through education and engagement.

Digital healthcare has become increasingly mainstream, accelerated by pandemic-driven adoption and regulatory flexibility. While urban areas typically have greater technology access, efforts to expand high-speed networks and 5G connectivity to rural, low-income and underserved areas in the United States aim to address geographic disparities in digital healthcare access.

Digital healthcare provides numerous advantages to patients, providers and the US healthcare system as a whole.

Improved Patient Experience and Outcomes

Digital healthcare enhances access to services, particularly for rural communities, homebound individuals and underserved populations. Telehealth eliminates transportation barriers and reduces wait times, while remote monitoring enables early intervention for deteriorating conditions. These technologies support personalised care delivery and foster greater patient engagement in health management.

Enhanced Clinical Decision-Making

AI and machine-learning tools assist providers with diagnostics, treatment planning and clinical workflows. These technologies can analyse large datasets to identify patterns, predict disease progression and recommend evidence-based interventions. Clinical decision support systems help reduce medical errors and standardise care protocols.

Operational Efficiency

Digital health solutions streamline administrative tasks, optimise resource allocation and automate routine processes. Electronic health records enable seamless information sharing across care settings, reducing duplication of services and enhancing co-ordination.

Data-Driven Insights

The aggregation and analysis of health data supports population health management, research initiatives and quality improvement efforts. These insights inform public health strategies and healthcare policy decisions.

Cost Impact

Digital healthcare has demonstrated potential for cost reduction through several mechanisms. For example, telehealth services often cost less than in-person visits, reducing overhead expenses. Remote monitoring can prevent costly hospitalisations through early intervention. Automated administrative functions decrease operational costs. Additionally, improved disease management and prevention reduce long-term healthcare expenditures associated with chronic conditions.

While implementation costs can be substantial, the long-term economic benefits of digital healthcare include reduced utilisation of expensive services, improved workforce productivity and more efficient resource allocation across the healthcare system.

In the United States, there is no single or universal definition of digital health or digital healthcare. Federal and state legislation, regulations and enforcement agencies often provide specific definitions that conform to the discrete issues, services, conditions, solutions, tools and technologies addressed in particular legislative or jurisdictional contexts.

Generally speaking, “digital healthcare” is understood as a broad term covering various health-related products, tools and services distributed through technological solutions to improve mental and physical health and overall well-being. These range from consumer health and wellness apps not regulated by the FDA to digital treatments regulated as SaMD.

More specific terms such as “digital medicine” and “digital therapeutics” refer to narrower categories of tools, solutions and processes that actively prevent, diagnose, treat or provide therapeutics to address specific diseases or conditions. These typically include products and services such as office visits, remote consultations, prescription drugs and surgical procedures that require direct involvement of providers and patients.

In contrast, technology solutions supporting healthcare operations, disease prevention, community health, infrastructure and administration that do not directly treat individual conditions generally fall under the broader digital healthcare framework.

Without a universal definition, stakeholders often rely on context-specific understandings within relevant regulatory schemes, industry standards and international frameworks, such as those developed by the International Medical Device Regulators Forum (IMDRF).

The legal framework governing digital healthcare in the United States encompasses multiple federal and state laws and regulations addressing various aspects of technology use in healthcare settings, as follows.

Health information privacy and security:

• the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
• the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH); and
• state-level privacy laws (eg, the California Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Biometric Information Privacy Act in Illinois).

Medical device and software regulation:

• the Federal Food, Drug, and Cosmetic Act (FFDCA);
• the Medical Device Amendments to the FFDCA;
• the 21st Century Cures Act; and
• Section 524B of the FFDCA (added in 2023) addressing cybersecurity of medical devices.

Telehealth and remote care delivery:

• Interstate Medical Licensure Compact legislation;
• the Ryan Haight Online Pharmacy Consumer Protection Act;
• state-level telehealth parity laws; and
• Medicare telehealth provisions under the Consolidated Appropriations Act, 2026 and other federal and state legislation, waivers and exemptions.

AI and machine learning (ML):

• ongoing state-level legislation (in 2025, all 50 states introduced 1,208 AI-related bills, with 145 enacted into law – as of March 2026, 45 states have already introduced 1,561 additional AI-related bills); and
• voluntary AI standards and frameworks developed by federal agencies.

Reimbursement and payment:

• Affordable Care Act provisions supporting preventative healthcare;
• Centers for Medicare & Medicaid Services (CMS) rules on telehealth billing; and
• No Surprises Act provisions affecting digital health billing.

The complex patchwork of regulations creates compliance challenges, particularly for digital health solutions operating across state lines or addressing multiple aspects of healthcare delivery.

Policymakers in the United States employ several strategies to stay current with technological developments in healthcare and ensure appropriate regulation.

Regulatory Sandboxes and Innovation Pathways

The FDA’s Digital Health Center of Excellence provides regulatory advice on digital health policy, cybersecurity and AI/ML applications. The Digital Health Software Precertification Program pilots new approaches to regulate software-based medical devices.

Public-Private Partnerships

Government agencies collaborate with industry leaders and academic institutions to develop standards and best practices.

Stakeholder Engagement

Regulatory agencies conduct public workshops, request comments on proposed rules and establish advisory committees with technology experts to inform policy development.

Flexible Guidance

Agencies issue non-binding guidance documents that can be updated more rapidly than formal regulations, allowing for responsiveness to evolving technologies.

Specialised Expertise

Regulatory bodies have established dedicated divisions focused on digital health technologies, recruiting staff with relevant technical backgrounds.

Legislative Reform

Congress periodically updates healthcare laws to address emerging technologies, as demonstrated by provisions in the 21st Century Cures Act that clarified the FDA’s authority over certain software functions.

Despite these efforts, regulatory frameworks often struggle to keep pace with rapid innovation. The pattern typically follows a reactive cycle: researchers develop new technologies, businesses commercialise these solutions and regulators subsequently attempt to address potential risks and establish guardrails.

Technical standards play a crucial role in digital healthcare, providing frameworks that ensure safety, effectiveness, interoperability and security across technologies. Key aspects include the following.

Interoperability Standards

Standards organisations such as Health Level Seven International (HL7) develop frameworks such as Fast Healthcare Interoperability Resources (FHIR) that enable different systems to exchange data seamlessly. The 2024 CMS Interoperability and Prior Authorization Final Rule requires implementation of FHIR-based APIs to support electronic prior authorisation and data exchange.

Medical Device Standards

The FDA recognises consensus standards developed by organisations such as ASTM International, the Institute of Electrical and Electronics Engineers (IEEE) and the International Organization for Standardization (ISO) that address medical device safety, performance and cybersecurity requirements.

Cybersecurity Frameworks

The National Institute of Standards and Technology (NIST) has published numerous “800 Series” special publications on computer/information security and “1800 Series” cybersecurity practice guides providing comprehensive frameworks for protecting healthcare information systems.

Quality Management Systems

International standards such as ISO 13485 establish requirements for quality management systems in medical device development, including SaMD.

Clinical Decision Support Standards

Organisations develop guidelines for the development, validation and implementation of AI and ML algorithms in healthcare applications.

These technical standards support regulatory compliance, guide industry development, establish minimum performance requirements and promote technological compatibility across healthcare systems. Standards are often incorporated by reference into regulations or used by regulatory bodies to assess whether products meet safety and effectiveness requirements.

Various aspects of digital healthcare are subject to specialised regulatory frameworks.

SaMD

The FDA regulates software intended for medical purposes without being part of hardware medical devices based on risk classification (Class I, II or III). The agency’s Digital Health Center of Excellence provides guidance on SaMD policy, clinical studies and regulatory review. On 6 January 2025, the FDA published draft guidance titled Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations, proposing life cycle considerations and recommendations to support marketing submissions for AI-enabled medical devices. The 21st Century Cures Act excludes certain low-risk software functions from FDA regulation.

Self-Care, Wellness and Fitness IT Products

Consumer health applications and wearables generally fall outside FDA oversight unless they make specific medical claims. However, they must comply with Federal Trade Commission (FTC) rules regarding advertising claims and state-level consumer protection and privacy laws. The My Health, My Data Act in Washington State exemplifies new protections for health-related data collected by non-HIPAA-covered entities.

Cybersecurity and Data Protection

HIPAA and HITECH establish federal standards for protecting health information, requiring covered entities to implement administrative, physical and technical safeguards. On 6 January 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) proposing the first major overhaul of the HIPAA Security Rule since 2003. The proposed rule eliminates the distinction between “required” and “addressable” implementation specifications, making encryption of all electronic protected health information (ePHI) at rest and in transit mandatory, requiring multi-factor authentication (MFA), mandating vulnerability scanning every six months and penetration testing annually, and establishing 72-hour disaster recovery and 24-hour incident notification timelines. The final rule is expected in May 2026, with an estimated 180-day compliance period.

The Consolidated Appropriations Act of 2023 added Section 524B to the FFDCA, requiring medical device manufacturers to include cybersecurity information in pre-market submissions. The HIPAA Breach Notification Rule mandates reporting procedures for data breaches affecting protected health information.

AI and ML

Regulatory oversight is evolving rapidly, with the FDA developing frameworks for managing adaptive ML algorithms based on quality systems, pre-market assessment, monitoring and transparency principles. In December 2024, the FDA issued final guidance on Predetermined Change Control Plans for AI/ML-enabled device software functions, and in January 2025 published draft guidance on life cycle management and marketing submission recommendations. In March 2024, the HHS Office for Civil Rights (OCR) issued guidance on AI-driven tracking technologies, requiring compliance with HIPAA for use of protected health information.

Environmental, Social and Governance (ESG)

Although the current administration is pressuring regulators and businesses to turn away from or minimise ESG efforts, digital health companies continue to face expectations regarding sustainability, equity and ethical governance. While not specifically regulated under healthcare laws, these considerations affect investment decisions, partnerships and reputational standing.

Telehealth

State licensing requirements traditionally limited cross-border practice, but the Interstate Medical Licensure Compact (IMLC) has been adopted by 40 states plus Washington, DC and the Territory of Guam, streamlining multi-state licensing. Michigan’s scheduled withdrawal from the compact, effective 28 March 2026, was averted when Governor Whitmer signed House Bill 5455 on 26 March 2026, ensuring Michigan’s continued participation.

Medicare telehealth coverage expanded dramatically during COVID-19. Following a government shutdown from 1 October to 12 November 2025, Congress passed the Continuing Appropriations Act on 12 November 2025, retroactively reinstating Medicare telehealth waivers through 30 January 2026. Subsequently, the Consolidated Appropriations Act, 2026, passed 3 February 2026, extended many telehealth flexibilities through 31 December 2027, with certain provisions made permanent, including home-based care for behavioural/mental health services and audio-only services for behavioural health. State telehealth parity laws often mandate insurance coverage for virtual visits comparable to in-person services.

These specialised frameworks continue to evolve as technologies advance and new challenges emerge in digital healthcare implementation.

The current legal and regulatory framework for digital healthcare in the United States presents a mixed picture, with significant gaps despite substantial coverage in certain areas.

Areas of Relative Regulatory Sufficiency

These include:

• health information privacy through HIPAA/HITECH (though limited to covered entities);
• traditional medical device regulation through established FDA processes;
• telehealth practice standards through state medical board regulations; and
• reimbursement mechanisms for established telehealth services.

Identified Regulatory Gaps

These include:

• protection of health data collected by non-HIPAA-covered entities (eg, consumer health apps, wearables);
• oversight of AI and ML systems in healthcare;
• regulation of integrated digital health ecosystems spanning multiple regulatory domains;
• cross-border telehealth services that challenge state-based licensure systems; and
• cybersecurity requirements for internet-connected medical devices.

The fragmented nature of healthcare regulation in the United States creates particular challenges for digital health innovations that often operate across traditional boundaries. State-by-state variations in licensure, privacy laws and corporate practice of medicine doctrines further complicate compliance for digital health providers operating nationally.

Additionally, the rapid pace of technological innovation frequently outstrips regulatory frameworks. By the time regulations are developed and implemented, technologies may have evolved significantly, creating an ongoing cycle of regulatory catch-up.

Regulatory bodies have attempted to address these gaps through flexible guidance, enforcement discretion and regulatory sandboxes, though comprehensive legislative solutions remain elusive. Future regulatory development will likely require balancing innovation promotion with appropriate safeguards for patient safety, privacy and equitable access.

Multiple federal agencies share responsibility for regulating digital healthcare in the United States, with each focusing on specific aspects based on their statutory authority.

The Department of Health and Human Services (HHS)

This is the primary federal department responsible for enhancing the health and well-being of Americans and fostering advances in medicine, public health and social services.

The Food and Drug Administration (FDA)

Within the HHS, the FDA administers and enforces the Federal Food, Drug, and Cosmetic Act (FFDCA), which governs medical devices, including SaMD. The FDA’s Digital Health Center of Excellence provides specialised oversight of digital health technologies, focusing on patient safety, product efficacy and cybersecurity.

The Centers for Medicare & Medicaid Services (CMS)

This oversees Medicare, Medicaid, CHIP and Health Insurance Marketplace programmes, establishing coverage and reimbursement policies for digital health services and technologies.

The HHS Office for Civil Rights (OCR)

This enforces HIPAA Privacy, Security and Breach Notification Rules, ensuring that individuals can access and trust the privacy and security of their health information in digital formats. In March 2025, the OCR confirmed that the long-awaited third phase of its HIPAA compliance audits is under way, initially consisting of audits of 50 covered entities and business associates, focusing on risk analysis and risk management requirements.

The Office of the National Coordinator for Health Information Technology (ONC)

This co-ordinates nationwide efforts to implement health information technology and promote the secure electronic exchange of health information.

The Agency for Healthcare Research and Quality

This produces evidence to make healthcare safer and more accessible, and works to ensure that evidence is understood and used.

The Centers for Disease Control and Prevention (CDC)

This provides leadership in disease prevention and public health emergency response, utilising digital health tools for population health monitoring.

These agencies frequently collaborate on digital health initiatives but may sometimes apply differing standards or priorities based on their specific missions. Their collective oversight aims to ensure that digital healthcare technologies are safe, effective and accessible and protect patient privacy while enabling innovation.

Since the beginning of the Trump administration, aggressive efforts have been made to reduce funding and the number of government employees across all federal agencies. Significant layoffs and firings, along with leadership changes, have already had a significant negative effect on the abilities of the above-mentioned agencies to pursue their traditional objectives with respect to the enforcement and application of digital healthcare laws and regulations.

Several non-healthcare regulatory bodies play important roles in overseeing aspects of digital healthcare.

The Federal Trade Commission (FTC)

As the primary consumer protection agency, the FTC regulates health-related product advertising claims, privacy practices of non-HIPAA covered entities and competition in digital health markets. For example, the FTC monitors health apps and devices to ensure that they do not make unsubstantiated medical claims and that developers, manufacturers and retailers follow truth-in-advertising principles.

The Securities and Exchange Commission (SEC)

This oversees publicly traded digital health companies, ensuring accurate disclosure of business operations, risks and financial performance to investors. Digital health start-ups seeking investment must comply with securities regulations.

The Federal Communications Commission (FCC)

This regulates telecommunications aspects of telehealth, including broadband infrastructure essential for remote care delivery. The FCC’s Connected Care Pilot Program supports telehealth for low-income patients and veterans.

The Department of Justice (DOJ)

This enforces antitrust laws in healthcare markets, increasingly scrutinising mergers and acquisitions in digital health. The DOJ also prosecutes criminal violations of HIPAA and fraud in telehealth billing.

State Attorneys General

These enforce state consumer protection, data privacy and antitrust laws that affect digital health companies. State attorneys general are increasingly active in addressing health data privacy concerns, exemplified by Washington State’s My Health, My Data Act.

State Medical and Professional Licensing Boards

These establish and enforce standards for telehealth practice, remote prescribing and professional conduct in virtual care environments. These entities exercise jurisdiction over digital healthcare as many aspects extend beyond traditional healthcare regulation into areas such as consumer protection, telecommunications, securities regulation and professional licensure. Their involvement reflects the increasingly complex regulatory landscape as healthcare adopts digital technologies that intersect with multiple domains of economic and social activity.

Regulatory authorities enforce digital healthcare laws and regulations through various mechanisms, with enforcement intensity varying across domains.

FDA Enforcement

The FDA employs a risk-based approach to enforcement, focusing on products that pose the greatest potential harm to patients. Enforcement actions include warning letters, product recalls, injunctions and civil penalties. The agency has increased scrutiny of SaMD, particularly those making diagnostic or treatment claims without proper authorisation.

HIPAA/Privacy Enforcement

The HHS OCR enforces HIPAA violations through civil monetary penalties and corrective action plans. Common violations include unpermitted use/disclosure of protected health information (PHI), inadequate safeguards and failure to provide patients with access to their information. OCR investigations often follow data breaches affecting 500 or more individuals, which must be reported promptly under the Breach Notification Rule. In 2025, large HIPAA breaches affected approximately 62 million individuals, with at least 642 data breaches affecting 500 or more individuals shown on the OCR breach portal for the year.

FTC Enforcement

The FTC targets deceptive advertising claims and unfair privacy practices in digital health, typically resulting in consent decrees requiring companies to implement comprehensive privacy programmes and undergo regular assessments.

Medicare Fraud Enforcement

The CMS and the HHS Office of Inspector General (OIG) have increased scrutiny of telehealth billing practices. In April 2023, the HHS-OIG issued a toolkit for identifying telehealth fraud and improper payments, focusing on high-risk billing patterns.

State-Level Enforcement

State attorneys general increasingly enforce data privacy laws and consumer protection statutes against digital health companies, particularly concerning sensitive health information collected outside HIPAA’s scope.

Areas subject to stricter enforcement include:

• false or misleading marketing claims about clinical effectiveness;
• inadequate security measures protecting sensitive health data;
• billing fraud in telehealth services;
• unauthorised practice of medicine across state lines; and
• non-compliance with informed consent requirements.

Enforcement intensity has increased as digital health adoption has expanded, with regulators adapting traditional enforcement mechanisms to address novel challenges presented by emerging technologies while attempting to balance innovation promotion with consumer protection.

The current regulatory framework for digital healthcare offers significant strengths as well as limitations in addressing emerging risks.

Current strengths include:

• established pathways for traditional medical device oversight through the FDA;
• a HIPAA framework for protecting health information by covered entities;
• growing expertise within regulatory agencies regarding digital technologies;
• flexible guidance approaches that can adapt more quickly than formal rule-making; and
• public-private collaborations to develop standards and best practices.

Notable limitations include the following:

• regulatory fragmentation across multiple agencies creates co-ordination challenges;
• significant gaps in oversight of health data collected outside HIPAA-covered entities;
• limited resources for enforcement relative to the rapidly expanding digital health sector;
• difficulty in keeping pace with technological innovation, particularly in AI/ML applications; and
• variation in state regulations, creating compliance complexities for national services.

Proposed enhancements include:

• expanded statutory authority to address health information collected by non-covered entities;
• enhanced co-ordination mechanisms between federal and state regulators;
• increased resources for technical expertise within regulatory agencies;
• development of pre-competitive research collaborations to establish validation methodologies; and
• harmonisation of state telehealth and licensure requirements.

Several reform initiatives are under consideration, including:

• federal privacy legislation that would provide comprehensive protection for health data, regardless of the collecting entity;
• expanded FDA oversight frameworks for AI/ML-enabled medical software;
• enhanced cybersecurity requirements for connected medical devices, including the proposed HIPAA Security Rule amendments expected in May 2026; and
• permanent telehealth flexibilities beyond the current temporary provisions extending through 31 December 2027.

The sufficiency of oversight varies significantly across digital healthcare domains. While traditional medical devices have well-established regulatory pathways, newer technologies such as AI diagnostics and consumer health platforms operate in areas where regulatory frameworks are still evolving. Striking the appropriate balance between enabling innovation and ensuring adequate protection remains an ongoing challenge for regulators.

Digital healthcare presents numerous legal risks and challenges across several domains.

Non-compliance with regulations includes:

• HIPAA/HITECH violations resulting from inadequate data security measures, improper disclosure of protected health information or failure to conduct required risk assessments;
• FDA regulatory violations related to marketing unapproved medical devices or making claims exceeding authorised indications;
• licensing infractions when telehealth services cross state lines without appropriate provider licensure;
• corporate practice of medicine violations when technology companies improperly influence clinical decision-making; and
• reimbursement compliance issues, particularly as telehealth billing rules continue to evolve.

Enforcement by regulatory authorities includes:

• investigations by the HHS OCR following data breaches or privacy complaints;
• FDA enforcement actions, including warning letters, product recalls or marketing prohibitions;
• FTC scrutiny of deceptive marketing claims or unfair privacy practices;
• DOJ and HHS-OIG investigations into telehealth fraud and improper billing;
• state attorney general actions enforcing state privacy and consumer protection laws; and
• professional licensing board disciplinary actions against providers.

Liability risks include:

• medical malpractice claims resulting from misdiagnosis or treatment errors in telehealth settings;
• product liability claims for defective digital health technologies that cause patient harm;
• negligence claims related to cybersecurity breaches exposing sensitive patient information;
• contractual liability for service disruptions or performance failures in digital health platforms;
• intellectual property disputes regarding proprietary algorithms or software components;
• class action litigation following data breaches or privacy violations; and
• vicarious liability for health systems when affiliated providers use digital technologies.

The interconnected nature of digital health technologies often creates complex liability scenarios involving multiple parties. For example, a telehealth consultation that results in patient harm might implicate the treating physician, the telehealth platform provider, the health system and potentially the developers of any clinical decision support software used during the encounter.

Additionally, as AI and ML play increasingly prominent roles in clinical decision-making, questions of liability attribution become more complicated. When algorithms influence or drive medical decisions, determining responsibility for adverse outcomes presents novel legal challenges not fully addressed in existing liability frameworks.

The legal exposures associated with digital healthcare are addressed through multiple liability frameworks.

Statutory frameworks include the following:

• HITECH authorises civil monetary penalties for HIPAA violations, with tiered penalty structures based on violation severity and culpability;
• the FFDCA provides for civil and criminal penalties for violations of medical device regulations;
• state data breach notification laws establish requirements for disclosing security incidents and may create private rights of action;
• the False Claims Act imposes significant penalties for fraudulent billing practices, including in telehealth services; and
• state consumer protection statutes frequently provide remedies for deceptive practices in digital health marketing.

Tort liability includes the following:

• medical malpractice claims follow state-specific standards of care, increasingly addressing telemedicine practice;
• product liability frameworks apply to digital health technologies through theories of design defect, manufacturing defect or failure to warn; and
• negligence claims may address breaches of the duty of care in safeguarding health information.

Contractual liability includes the following:

• business associate agreements under HIPAA establish contractual obligations for handling protected health information;
• service-level agreements (SLAs) between healthcare providers and technology vendors define performance expectations and remedies; and
• end user licence agreements and terms of service establish rights and responsibilities for consumers using digital health applications.

Formal redress mechanisms include:

• an OCR complaint process for HIPAA violations;
• an FDA adverse event reporting system for medical device issues;
• FTC complaint procedures for deceptive practices;
• state medical board complaint processes for provider misconduct; and
• alternative dispute resolution provisions in many digital health contracts.

The applicability of these frameworks varies based on the specific digital health application, the parties involved and the nature of the harm. Certain digital health innovations operate in regulatory grey areas where existing liability frameworks must be adapted or extended to address novel circumstances. This creates uncertainty for providers and patients regarding rights, responsibilities and available remedies when issues arise.

Several mechanisms exist to mitigate or defend against liability exposures in digital healthcare.

Regulatory compliance defences include:

• demonstrating adherence to FDA quality system regulations and software development best practices;
• maintaining comprehensive HIPAA compliance programmes with regular risk assessments;
• following state-specific telemedicine practice standards and documentation requirements; and
• implementing appropriate informed consent processes that disclose technology limitations.

Risk-management strategies include:

• robust cybersecurity frameworks with encryption, access controls and incident response plans;
• clear documentation of clinical decision-making, particularly when algorithmic tools are utilised;
• comprehensive testing and validation of software before deployment;
• regular audits and assessments of digital health systems and processes; and
• thorough documentation of provider credentials and licensing across jurisdictions.

Contractual protections include:

• limitation-of-liability clauses in vendor agreements and user terms of service;
• indemnification provisions allocating responsibility among technology partners;
• carefully drafted scope-of-service descriptions that accurately represent capabilities; and
• clear disclaimers regarding technology limitations and appropriate use cases.

Insurance coverage includes:

• specialised cyber liability insurance for data breach incidents;
• technology errors and omissions insurance for software failures;
• professional liability coverage extended to telehealth activities; and
• directors’ and officers’ (D&O) insurance addressing management decisions.

Affirmative defences include:

• statutes of limitations restricting the timeframe for claims;
• contributory negligence or comparative fault when patient actions contribute to harm;
• a learned intermediary doctrine potentially shielding technology vendors when healthcare providers intervene; and
• pre-emption arguments when federal regulations may supersede state requirements.

Successful defence strategies typically combine multiple approaches, emphasising both technical compliance and process excellence. Organisations often develop comprehensive risk management frameworks that integrate legal compliance, technical safeguards and clinical governance to address the multifaceted nature of digital health risks.

The evolving regulatory landscape requires continuous monitoring and adaptation of defence strategies. As new technologies such as AI and ML become more prevalent in healthcare, defence approaches must address novel liability scenarios not fully contemplated in existing frameworks. The proposed HIPAA Security Rule amendments, expected to be finalised in May 2026, will require organisations to implement mandatory encryption, multi-factor authentication and enhanced cybersecurity controls, fundamentally changing compliance requirements and potential defences.

A number of significant developments are reshaping the digital healthcare regulatory landscape.

AI Governance

The rapid advancement of AI in healthcare has prompted increased regulatory attention. The FDA’s 6 January 2025 draft guidance on AI-enabled device software functions proposed various life cycle considerations and recommendations to support marketing submissions for AI-enabled medical devices. Previously, in December 2024, the FDA issued final guidance on Predetermined Change Control Plans for AI/ML-enabled device software functions, allowing manufacturers to implement certain algorithm modifications without new pre-market submissions. In March 2024, the HHS issued updated guidance on AI-driven tracking technologies such as Google Analytics and Meta Pixel, emphasising HIPAA compliance requirements. State-level initiatives, such as California’s investigation into algorithmic discrimination in healthcare, also signal growing scrutiny of AI fairness and transparency.

Expanded Data Privacy Frameworks

Beyond traditional HIPAA protections, comprehensive state privacy laws are increasingly addressing health-related information. Washington State’s My Health, My Data Act exemplifies this trend, establishing consent requirements and private rights of action for health data collected outside HIPAA’s scope. More than three dozen states have enacted or are actively pursuing updated consumer privacy laws.

Telehealth Permanence

As pandemic-era telehealth waivers transition to permanent policies, new regulatory frameworks are emerging. With the passage of the Consolidated Appropriations Act, 2026 on 3 February 2026, extending many Medicare telehealth flexibilities through 31 December 2027, the CMS has made certain Medicare telehealth provisions permanent, including home-based care for behavioural/mental health services, geographic restriction removal for behavioural health services and audio-only services for behavioural health. This phased approach creates both opportunities and compliance challenges as organisations adapt to evolving reimbursement requirements.

Digital Therapeutics Classification

Regulatory agencies are developing frameworks to address prescription digital therapeutics (PDTs) – software-based interventions that prevent, manage or treat medical conditions. These novel products challenge traditional regulatory categories, prompting discussions about appropriate oversight mechanisms and reimbursement pathways.

Cybersecurity Requirements

On 6 January 2025, the HHS OCR published a Notice of Proposed Rulemaking proposing comprehensive updates to the HIPAA Security Rule. As noted previously, the proposed rule eliminates the distinction between “required” and “addressable” implementation specifications, thereby:

• making encryption of all ePHI at rest and in transit mandatory;
• requiring multi-factor authentication for all access to ePHI;
• mandating vulnerability scanning every six months and penetration testing annually;
• establishing 72-hour disaster recovery and 24-hour incident notification timelines; and
• requiring annual compliance audits.

The final rule was expected in May 2026, with an estimated 180-day compliance period. This marks a shift towards more explicit regulatory attention to security vulnerabilities in connected health technologies. The Consolidated Appropriations Act of 2023 amended the FFDCA to require cybersecurity information in pre-market submissions for “cyber devices”.

Non-Traditional Healthcare Entrants

The entrance of major retailers and technology companies into healthcare delivery raises questions about corporate practice of medicine restrictions, data privacy protections and regulatory oversight. Companies such as Amazon, CVS and Walgreens are expanding primary care, pharmacy and telehealth services, challenging traditional healthcare models.

Interoperability Mandates

The CMS Interoperability and Prior Authorization Final Rule, issued in January 2024, requires implementation of FHIR-based APIs to streamline health information exchange. These requirements represent significant regulatory efforts to address fragmentation in health information systems.

These emerging issues reflect the increasing complexity of digital healthcare regulation as technologies evolve and cross traditional boundaries between healthcare, consumer products and information services.

Several significant legislative and regulatory reforms are reshaping the digital healthcare landscape, driven by policy objectives including expanded access, enhanced privacy protections, improved interoperability and appropriate oversight of emerging technologies.

Telehealth expansion initiatives include the following, some of which have also been discussed previously:

• the Consolidated Appropriations Act, 2026, passed 3 February 2026, extended certain Medicare telehealth flexibilities through 31 December 2027, providing temporary continuity while permanent policies are developed;
• the proposed Telehealth Modernization Act (re-introduced in September 2025) aims to permanently remove geographic restrictions for Medicare telehealth services; and
• state-level legislation continues to expand participation in interstate licensure compacts.

Privacy and data protection includes the following:

• the FTC’s final Health Breach Notification Rule, which became effective in July 2024, clarifies requirements for non-HIPAA covered entities handling health information; and
• state comprehensive privacy laws continue to proliferate, with growing attention to sensitive health data categories.

Interoperability advancement includes the following:

• the CMS Interoperability and Prior Authorization Final Rule of January 2024 establishes requirements for FHIR-based APIs to improve data exchange and streamline prior authorisation processes, many of whose requirements are entering into effect in 2026; and
• the Trusted Exchange Framework and Common Agreement (TEFCA) implementation continues to advance nationwide health information-exchange capabilities – as of early 2026, according to the HHS, TEFCA has facilitated the exchange of nearly 500 million health records.

AI governance includes (or, in some cases, does not include) the following:

• Executive Order 14110 on Safe, Secure, and Trustworthy Artificial Intelligence, which included provisions specifically addressing AI use in healthcare, was rescinded by President Trump within hours of his 6 January 2026 inauguration;
• the FDA’s 6 January 2025 draft guidance on AI-enabled device software functions proposed various life cycle considerations and recommendations to support marketing submissions for AI-enabled medical devices; and
• the proposed federal Algorithmic Accountability Act, which was referred to the House Committee on Energy and Commerce in September 2025, would require impact assessments for automated decision systems, including those used in healthcare.

Cybersecurity enhancement includes the following:

• implementation of FFDCA Section 524B establishes cybersecurity requirements for medical device pre-market submissions; and
• the proposed HIPAA Security Rule amendments, with a final rule expected in May 2026, would mandate encryption of all ePHI, require multi-factor authentication, establish vulnerability scanning and penetration testing requirements and reduce breach notification timelines.

These reforms collectively seek to balance innovation promotion with appropriate safeguards for patient safety, privacy and equity. Policy drivers include:

• pandemic-era lessons regarding healthcare access;
• growing recognition of digital health’s potential to address healthcare disparities;
• concerns about health data monetisation; and
• the need for appropriate oversight of increasingly sophisticated healthcare technologies.

The reform landscape reflects an evolving understanding that digital healthcare requires regulatory frameworks that can accommodate rapid technological change while maintaining fundamental protections for patients and healthcare systems.