June 4, 2023

Volume XIII, Number 155


Top 5 Legal Issues in Digital Health to Watch for in 2022

The use of digital health to deliver healthcare has seen unprecedented growth over the past few years, with significant acceleration due to the COVID-19 Public Health Emergency (PHE). As patients seek ways to empower themselves and take more control of their health and well-being, this demand is being met by flexible and innovative tools and technologies. The latest health technology advancements in diagnostics, treatment, and ongoing patient management have the potential to improve health and disease outcomes more than ever before. Companies in this industry have also raised a record-setting amount of capital, particularly during the PHE.

Like many other segments that go through rapid growth and innovation, the industry faces a complex and shifting set of laws and regulations. While many temporary waivers and policies during the PHE created an ecosystem allowing companies to flourish, companies in this space should begin to expect heightened scrutiny from various regulators as we turn the page to 2022.

In this article, we highlight some of the key legal considerations that the digital health industry can expect in the coming year from the perspective of: (1) telehealth related laws and regulations, (2) FDA, (3) privacy and cybersecurity, (4) fraud and abuse, and (5) antitrust issues. As companies look ahead to allocate legal and compliance resources and think about risk mitigation strategies, this article showcases those areas where we expect to see further developments or regulator attention this year.


In response to the PHE, the federal and state regulatory landscape swiftly created a makeshift set of temporary waivers, executive orders and regulations to expand access to telehealth services, but left providers and patients uncertain about, among other things, scope of practice issues (e.g., licensure) and reimbursement for these services. With many of these federal and state flexibilities tied to the PHE set to expire, providers offering telehealth services, regardless of the modality or specialty, will need to continue to be aware of and track the status of certain flexibilities implemented in response to the PHE. For example, the Centers for Medicare & Medicaid Services (CMS) released the Calendar Year (CY) 2022 Medicare Physician Fee Schedule (PFS) final rule (Final Rule), which extended or made permanent a number of PHE related changes (e.g., permanently removing geographic originating site restrictions on telehealth services used for purposes of diagnosis, evaluation, or treatment of mental health disorders). Also at the federal level, there is still no guidance on whether the “dormant” Ryan Haight Act, which, absent limited exceptions, prevented the prescription of controlled substances via telehealth without first conducting an in-person examination, will be enforced following the expiration of the PHE.

Likewise, on the state side, there have been a number of actions making permanent changes expanding access to telehealth services. This includes removing restrictions on the delivery of telehealth via certain modalities (e.g., audio-only telephone, e-mail, text message) and addressing insurance parity coverage of telehealth services. While these examples suggest a positive trend towards increased access to telehealth and making telehealth a permanent and critical part of the healthcare delivery system, other states have rolled back certain of the flexibilities implemented in response to the PHE. All of these matters will significantly impact the way providers and patients continue to utilize telehealth services, and will impact scope of practice, mode of practice and reimbursement matters going forward.


Companies developing software medical devices, whether in the wellness or in the therapeutic and diagnostic spaces, should continue to monitor FDA’s developing approaches to regulating digital health. In late 2021, FDA published multiple resources for companies developing medical devices that incorporate software with Artificial Intelligence and Machine Learning (AI/ML) functions. These documents, including “GMLP for Medical Device Development: Guiding Principles” (27 Oct 2021), “List of AI/ML-Enabled Medical Devices” (22 Sep 2021), and FDA Guidance “Content of Premarket Submissions for Device Software Functions” (04 Nov 2021), demonstrate the Agency’s efforts to be transparent with industry on its expectations as it develops a framework for reviewing and approving AI/ML technology. The newly minted FDA Digital Health Center of Excellence promises to foster high-quality digital health and innovative regulatory approaches in 2022 (and the coming years). While the Agency is still developing these approaches, companies seeking clearance or approval of digital health devices with AI/ML should consider engaging FDA in premarket submission meetings to understand the Agency’s expectations for clinical data and software performance data. We also expect the FDA to finalize its draft guidance on Clinical Decision Support (CDS) software before the close of the year. CDS software provides healthcare professionals and patients with intelligently filtered knowledge, coupled with person-specific information, to inform healthcare options. The finalized CDS guidance will provide companies developing CDS with some clarity on whether, and to what extent, their product may be regulated in 2022 and beyond. We also expect FDA to continue to partner with its international counterparts to harmonize the regulation of digital health products.

Privacy and Cybersecurity

HIPAA became somewhat of a social media star during the PHE, with individuals attempting to use the law to protect more than the protected health information within its purview. HHS/OCR offered guidance to help entities share public health information, manage drive-through testing and vaccination sites, and resolve telehealth hurdles. Enforcement in 2022, however, will continue to be focused on entities taking action to prepare for and reduce ransomware and other attacks, including through the performance of risk analyses of electronic infrastructure and ensuring individuals’ access to their information, including interoperability standards.

HIPAA’s stardom has accelerated the appetite for the industry to offer HIPAA compliance as a “best practice,” whether or not any entity falls under HIPAA’s legal jurisdiction. While such practices may be admirable, entities should proceed with caution to ensure actions and representations do not overreach contractual terms or create grounds for unfair and deceptive claims under federal and state laws. HIPAA’s mainstream persona has also helped push the discussion of a federal privacy law, and the states’ impatience with that idea stalling.

Therefore, even where HIPAA may not apply to certain business models, the ever-growing patchwork of state and federal privacy and data security laws creates a confusing sea of requirements. Throughout 2021, the FTC continued to flex its muscles in this space, sending a clear message of its intent to more closely scrutinize companies collecting health information that sit outside HHS/OCR’s reach. Companies are continuing to grapple with the new and broad interpretations in the FTC’s policy statement about the Health Breach Notification Rule released in the Fall of 2021, namely, how to comply with the comments around sharing of “covered information” subject to an individual’s authorization and what will be considered a “breach” under this law. This year, companies will also want to be mindful of the forthcoming “comprehensive” state privacy laws coming into effect in 2023 in Virginia and Colorado and the expansion of California’s existing law. With conflicting exemptions across these state laws for entities that may be regulated by HIPAA, and newly introduced “consent” requirements for the collection of “sensitive” information, digital health companies will likely have steps to take in the coming months to prepare for these laws. Finally, sophisticated cyber threat actors continue to find ways to attack even the most prepared companies, particularly due to the value of health-related information. This reinforces the importance of having cyber insurance – though the market has become increasingly costly for these policies with more detailed diligence from carriers to obtain coverage.

Fraud and Abuse

During the COVID-19 pandemic, the use of digital health tools and solutions has accelerated due to necessity and to temporary waivers and flexibilities granted by HHS in response to the PHE. Enforcement response to this uptick has been mixed. For instance, the HHS Office of Inspector General (“OIG”) issued a policy statement to notify physicians and other practitioners that they will not be subject to administrative sanctions for reducing or waiving any cost sharing obligations incurred for telehealth services furnished consistent with applicable coverage and payment rules during the PHE. However, though OIG recognizes the benefits that digital health technologies have for improving care coordination and health outcomes, it has also announced “significant oversight work” assessing telehealth services during the PHE. Specifically, OIG is currently conducting eight reviews related to the use of telehealth services. Many of the OIG audits focus on compliance with Medicare and Medicaid requirements for documenting and billing home health services - in a sense, traditional billing and coding audits applied to telehealth services.

The government has also pursued fraud and kickback allegations related to telehealth. For instance, in October 2020, DOJ announced Operation Rubber Stamp, a nationwide enforcement action involving criminal charges against 345 defendants across 51 federal districts, including more than 100 doctors, nurses and other licensed medical professionals, mostly related to schemes involving telemedicine. In addition to these criminal charges, the investigation resulted in CMS’ revocation of the Medicare billing privileges of more than 250 additional medical professionals, a record-breaking number of administrative actions. Beyond audit activity related to compliance with coding and documentation rules, providers can expect the government’s continued focused attention on the use of digital health technologies in ways that it believes may result in excess costs to the government and in patient harm.


Digital health companies may find themselves increasingly in the antitrust enforcement cross-hairs, as they are at the center of the two most frequently targeted industries: healthcare and technology. In recent years, the FTC has devoted more resources to investigating and challenging conduct by healthcare providers than any other industry (even tech), and the DOJ has ramped up its efforts in the sector as well. Both agencies have aggressive new leaders in place – FTC Chair Lina Khan and DOJ Assistant Attorney General Jonathan Kanter – who are coordinating on a number of enforcement priorities and who recently characterized corporate concentration as a “crisis” for the American economy. Chief among the agencies’ focus is a growing concern about whether transactions involving upstart digital health companies may be chilling competition. As digital health companies consider transactions, including joint ventures, they should carefully analyze potential antitrust issues, even if those deals do not involve direct competitors.

Looking Ahead

The digital health ecosystem being created by new entrants and healthcare industry incumbents reinventing themselves will continue to evolve from fixed solutions to a more widespread overhaul of the healthcare system. These digital tools and products changing the infrastructure supporting the delivery of healthcare will be matched by increased regulatory scrutiny, as law and policy try to keep pace with technology to ensure patient safety and treatment efficacy.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 32

About this Author


Allison Fulton is a partner in the Life Sciences and FDA team and is based in the firm's Washington, D.C. office. Allison advises life sciences companies, including pharmaceutical, medical device, dietary supplement, food and cosmetic companies, in matters relating to the development, manufacture, and marketing of products regulated by the U.S. FDA.

Areas of Practice

Allison’s areas of focus include assisting U.S. and international companies in complying with current Good Manufacturing Practice (GMP) and the Quality System Regulation (QSR). She regularly advises...


John D. Carroll is a partner in the Antitrust & Competition Practice Group in the Washington, D.C. office.

Areas of Practice

John’s practice focuses on civil and criminal antitrust matters, including mergers & acquisitions, strategic counseling and compliance, and global cartel investigations, where he represents clients before the Department of Justice Antitrust Division, Federal Trade Commission, and international and state antitrust enforcement authorities.

Prior to private practice, John was in the Mergers I Division of the Federal Trade...


Sara Helene Shanti is a partner in the Corporate Practice Group in the firm's Chicago office.

Areas of Practice

Shanti represents healthcare providers and technology companies in matters related to data privacy, healthcare regulatory compliance and mergers and acquisitions. She counsels clients on various data privacy and healthcare technology matters, including artificial intelligence, data security incidents, mobile applications, and telemedicine. Shanti’s experience includes advising clients on transferring data across multinational borders, implementing...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...


Ms. Kraus focuses her practice on representing healthcare entities in regulatory compliance matters. Ms. Kraus advises clients on compliance with federal and state fraud and abuse laws, assists clients in responding to government investigations, and represents clients in False Claims Act litigation. Ms. Kraus also assists clients with regulatory due diligence in transactional matters, and through advocacy with federal and state regulators, and leverages her background in health policy to help clients maximize opportunities in the changing healthcare landscape...