Vital Signs: Digital Health Law Update | Spring 2025

INTRODUCTION

Note From the Editors 

Welcome to Vital Signs, a curated compilation of the latest legal and regulatory developments in digital health. Thank you to our Jones Day contributors who are committed to bringing you a one-stop resource on notable digital health updates.

INDUSTRY INSIGHTS

Trump's First 100 Days in Digital Health: Seismic Shifts or More of the Same?
 

By Tyler Loveall, Rachel Fleischer, and Sean Swinford

As is the case across many industries, entities and thought leaders in the health care space continue to grapple with the rate of change at the federal level under the new presidential administration. Yet, given seemingly increased bipartisan support for digital health, federal actions relating to digital health have tended to signal a continuation of some of the prior administration's policies. However, it remains unclear how such policies will be put into action.

For example, many of the newly introduced leaders at the Department of Health and Human Services ("HHS") have voiced support for the continued and increased incorporation of digital health technologies, such as artificial intelligence ("AI") or telemedicine, into the health care industry. Dr. Mehmet Oz, appointed as administrator of the Centers for Medicare & Medicaid Services ("CMS"), advocated for the use of AI and telemedicine during his Senate confirmation hearing and subsequent CMS events. Similarly, during their confirmation hearings, HHS Secretary Robert F. Kennedy, Jr., stated that President Trump aims to address rural health care through the use of AI and telemedicine, and Food and Drug Administration ("FDA") Commissioner Dr. Marty Makary discussed the use of AI to assist FDA staff in reviewing drug and device applications.

Though the messaging has been clear, the industry eagerly awaits information regarding how agencies will operationalize such policy. For instance, upon taking office, Trump issued an executive order titled "Removing Barriers to American Leadership in Artificial Intelligence" and rescinded a prior AI-related executive order issued under the Biden administration. Further, in April, the administration issued memoranda to the heads of federal agencies, in part discussing the acceleration of federal use of AI. It remains to be seen how such federal agencies will integrate digital health in practice. 

Similarly, under the Biden administration in December 2024, the HHS Office for Civil Rights proposed significant modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Security Rule, reportedly aimed to strengthen cybersecurity for electronic protected health information, or ePHI. Apart from certain required technical safeguards (e.g., encryption, multifactor authentication, anti-malware protection), key proposed changes also include the addition of technology asset inventories and network maps of information systems, introduction of specific implementation requirements for risk analyses, and removal of the distinction between "addressable" and "required" implementation specifications. The Trump administration's position on the proposed rule remains unknown. 

As another example, under the Biden administration in December 2024, the Department of Justice ("DOJ") issued a final rule prohibiting or restricting various "bulk" data transactions involving certain countries, including China (and Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The rule covers transactions with foreign entities that are 50% or more owned (directly or indirectly) by, are organized under the laws of, or have a principal place of business in, a listed country. The rule prohibits transactions involving data brokerage of certain sensitive personal data, including personal health data. 

The rule was implemented under the Biden administration, but the Trump administration continues to advance it. In April 2025, DOJ published several documents, including an Implementation and Enforcement Policy effective for the first 90 days of implementation, a Compliance Guide, and Frequently Asked Questions. The policy indicates that DOJ will not prioritize civil enforcement until July 8, 2025, and that certain due diligence obligations are delayed until October 6, 2025. However, none of the materials indicate any intent to lessen or change the policies imposed by the Biden administration.

It is increasingly important to stay abreast of the federal changes relating to digital health. The new administration's emphasis on digital health integration and deregulation could create significant opportunities for growth in the space, but health care entities should also balance government announcements with careful substantive analysis of the law. Moreover, if trends change and federal scrutiny rolls back, health care entities may expect increased action at the state level. 

United States Developments 

FEDERAL

Executive Order Targets Prescription Drug Prices and Calls for Direct-to-Consumer Sales 

On May 12, 2025, President Trump signed an Executive Order titled "Delivering Most-Favored-Nation Prescription Drug Pricing to American Patients." "Most-Favored-Nation" pricing policies aim to tie drug prices in the United States to prices in certain foreign markets. The order requires HHS to communicate most-favored-nation pricing targets to pharmaceutical manufacturers within 30 days. Thereafter, the order, among other things, calls for HHS to propose rulemaking on most-favored-nation pricing and consider opening up drug importation under the Food, Drug, and Cosmetic Act. Most interestingly, for digital health providers, the order directs HHS to facilitate direct-to-consumer purchasing programs for manufacturers that sell their products to American patients at the most-favored-nation price. Though the order's effects are yet to be felt, digital health providers should monitor both the price consequences and the opportunities presented by the order.

A New Regulatory Framework for AI/ML at FDA?  

In January 2025, President Donald Trump signed an Executive Order on "Initial Rescissions of Harmful Executive Orders and Actions," which rescinded the former administration's Executive Order 14110 on "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence." The decision to rescind the former order may affect several FDA guidance documents and other resources that cite Executive Order 14110, including the guidance on "Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence-Enabled Device Software Functions," discussed below. The administration also rolled back previous efforts at identifying and measuring potential bias in the use of AI and machine learning ("ML"), taking down an FDA website devoted to the topic before receiving a court order to restore the website in February 2025.

Overall, the new administration seems generally receptive to the use of AI/ML. During his confirmation hearing in January 2025, HHS Secretary Robert F. Kennedy, Jr. expressed his support for using AI and telemedicine to support struggling rural hospitals and expand access to quality care, citing advanced AI nurses capable of diagnosing as effectively as human doctors. At his own confirmation hearing in March 2025, FDA Commissioner Dr. Marty Makary advocated for AI to assist—though not replace—staff in reviewing drug and device applications and in post-approval data monitoring to prevent adverse events, in addition to exploring the potential for AI to predict toxicities and improve drug safety. 

FDA Issues Final PCCP Guidance for AI-Enabled Devices 

In December 2024, FDA released its final guidance outlining the framework for predetermined change control plans ("PCCPs") in marketing submissions for AI-enabled device software functions ("AI-DSFs"). PCCPs allow manufacturers to proactively specify and seek premarket authorization for planned modifications to AI-DSFs, such as updates to algorithms or performance improvements, without the need for a new marketing submission for each change. 

The final guidance clarifies that PCCPs must include a detailed description of planned modifications, a modification protocol outlining verification and validation activities, and an impact assessment addressing benefits, risks, and mitigation strategies. Manufacturers are required to implement changes in accordance with their quality systems, and any significant deviation from an authorized PCCP may necessitate a new marketing submission to ensure continued device safety and effectiveness. For additional details, see here.

FDA Issues Two Draft Guidances on the Use of AI in Medical Product Development 

Earlier this year, FDA issued two draft guidance documents relating to the use of AI to support development and marketing of medical devices and drugs.

In the first draft guidance titled "Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations," FDA provides comprehensive recommendations for the development, lifecycle management, and marketing submissions of AI-enabled medical devices. The guidance emphasizes a total product lifecycle approach, encouraging manufacturers to integrate risk management, transparency, and bias mitigation strategies from the earliest stages of device design through post-market performance monitoring and decommissioning. Key recommendations include detailed documentation of device description, user interface, risk assessment, data management, model development, validation, and cybersecurity measures. The guidance highlights the importance of robust performance validation, including subgroup analyses, to ensure equitable device performance across diverse patient populations. The guidance also calls for proactive post-market monitoring to identify and address risks related to potential performance changes once deployed in the real-world environment, given that such technology is highly sensitive to changes in data inputs. 

In the second draft guidance titled "Considerations for the Use of Artificial Intelligence To Support Regulatory Decision-Making for Drug and Biological Products," FDA aims to support sponsors and stakeholders in establishing the credibility of AI models used to generate information or data for regulatory decision-making regarding drug safety, effectiveness, and quality. Recognizing the rapidly evolving role of AI across the drug product lifecycle, including non-clinical, clinical, post-marketing, and manufacturing phases, the guidance introduces a risk-based credibility assessment framework designed to help sponsors systematically plan, gather, and document evidence that demonstrates the trustworthiness of the AI model output based on a particular context of use (i.e., the specific role and scope of the AI model used to address a question of interest). The draft guidance emphasizes the importance of early and ongoing engagement with FDA to align on expectations for credibility assessment activities, particularly for high-risk applications where AI model outputs may have significant impact on patient safety or product quality. Sponsors are encouraged to provide detailed documentation on model development, data management, evaluation methods, and lifecycle maintenance, so that AI models remain fit for use as new data and deployment environments emerge. 

Healthy Technology Act of 2025

In January 2025, Representative David Schweikert (R-AZ) introduced the Healthy Technology Act of 2025 (H.R. 238), a bill that would amend the Federal Food, Drug, and Cosmetic Act to permit AI/ML technologies to prescribe medications under specific conditions. The proposed legislation would allow AI/ML to qualify as practitioners eligible to prescribe drugs if they are approved, cleared, or authorized by FDA and if the state in which the AI/ML operates authorizes such use. The bill aims to utilize AI/ML to reduce errors, improve safety, enhance efficiency, and alleviate physician burnout by automating routine tasks.

The bill has sparked debate among stakeholders. Proponents highlight AI/ML's potential to deliver more personalized treatment plans and streamline health care delivery, while critics voice concerns about the erosion of human clinical judgment, data privacy risks, liability in the event of AI/ML errors, and the potential for bias or fraud.

Re-envisioning R&D for Medical Technologies 

In December 2024, FDA's Center for Devices and Radiological Health launched the Idea Lab as a cornerstone of its Home as a Health Care Hub initiative, aiming to reimagine how medical technologies can be seamlessly integrated into home environments. With a particular focus on diabetes management, the Idea Lab leverages immersive tools such as a virtual reality prototype, which allows users to experience the daily challenges faced by individuals living with diabetes in affordable housing. This virtual environment, developed from insights of patients, caregivers, providers, and experts, offers a realistic perspective on the barriers to effective home-based care and highlights opportunities for innovation in device design, usability, and integration. By providing access to resources and virtual experiences, the Idea Lab aims to encourage the development of novel home-use medical devices and the adaptation of existing technologies to better meet patient needs. 

DEA Reviews Comments on Special Registration Proposal, Delays Effective Dates of Telemedicine Controlled Substance Prescribing Final Rules 

In the final days of the Biden administration, the Drug Enforcement Administration ("DEA") released three key regulations concerning the prescription of controlled substances via telemedicine, including a long-anticipated proposed rule on "Special Registrations for Telemedicine." This rule would create a special registration system, as required by previous legislation, allowing health care providers to prescribe controlled substances through telemedicine under the specific categories of: Telemedicine Prescribing Registration (for Schedule III-V drugs), Advanced Telemedicine Prescribing Registration (for Schedule II-V drugs), and Telemedicine Platform Registration (for certain online platforms). 

Additionally, the DEA and HHS issued two final rules: One exempts Department of Veterans Affairs practitioners from special registration requirements, and the other allows authorized practitioners to prescribe an initial six-month supply (split among several prescriptions covering a total of six calendar months) of buprenorphine for opioid use disorder via telemedicine, including audio-only encounters, after reviewing state prescription drug monitoring program data. Although these final rules were set to take effect in February 2025, their implementation has been delayed until at least December 31, 2025. In the meantime, temporary telemedicine prescribing flexibilities remain in place, ensuring that practitioners can continue to prescribe controlled substances via telemedicine under exceptions similar to those used during the COVID-19 public health emergency. 

DOJ Secures Settlement Related to Alleged Improper Billing for Telehealth Services Provided for At-Home Patients

On April 2, 2025, DOJ announced a $152,382.70 settlement with a medical practice based in West Virginia for alleged violations of the False Claims Act ("FCA") occurring at the height of the COVID-19 pandemic in 2020 and 2021. DOJ alleged that the medical practice regularly billed using improper coding for telehealth visits while the patient was at home, in violation of federal law, which specifies that a facility fee is not payable when the patient's originating site is their home.

DOJ Maintains Its Enforcement Focus on Telehealth Schemes Involving Durable Medical Equipment 

DOJ continues to criminally prosecute individuals for their participation in allegedly fraudulent schemes involving medically unnecessary durable medical equipment ("DME"). 

On January 16, 2025, an Iowa nurse practitioner and physician entered into civil settlements, in the amounts of $150,000 and $14,325.96 respectively, to resolve allegations under the FCA that they billed for telehealth visits and discussions that never occurred and signed thousands of orders for medically unnecessary DME, such as orthotic braces. The government alleged that both providers signed orders after listening to "recorded cold calls" asking beneficiaries about common aches and pains, some of whom later complained of receiving braces they did not want or use. 

On February 20, 2025, a Kansas man pleaded guilty to conspiracy to commit health care fraud for owning, controlling, and operating DMERx, an internet-based platform that generated false and fraudulent doctors' orders for orthotic braces and pain creams, among other items. The individual and his co-conspirators admitted to connecting pharmacies, DME suppliers, and marketers with telemedicine companies that accepted illegal kickbacks and bribes in exchange for fraudulent doctors' orders which were transmitted through the DMERx platform.  

On February 28, 2025, a Florida man was convicted by a federal jury for his role in a DME kickback scheme. As alleged, the scheme involved purchasing lists of Medicare patients and paying telemarketers to convince patients to purchase orthotic braces. The man and his co-conspirators then paid telemedicine doctors to sign prefilled prescriptions which were sold to suppliers who subsequently billed Medicare and other insurers hundreds of millions of dollars for the braces.

USAO for the Western District of Kentucky Cracks Down on Overbilling for Medicare Telehealth Time 

A Connecticut health care company, doing business in 17 states, agreed to pay $358,514.00 to resolve allegations that the company submitted claims for sessions that were shorter than reported and supported these claims with false time records. These allegations were brought to light through a whistleblower lawsuit filed in federal court in Kentucky. 

Concerns Regarding the Use of AI in Coding and Insurance Claim Reviews 

AI's increased prevalence in the health care industry has created questions and concerns about the misuse of AI, including through the use of algorithms to inappropriately deny claims. CMS has issued regulations over the past two years relating to the use of AI by health insurers, including Medicare Advantage plans, which may create new avenues for FCA liability.

Although President Trump's January 23, 2025, AI executive order mainly focuses on removing barriers that inhibit AI growth, DOJ and whistleblowers can be expected to monitor at least for traditional concerns that AI is resulting in over-billing. For example, in November 2024, a health system entered into a $23 million settlement to resolve claims that it violated the FCA when an automated coding system improperly assigned CPT codes to emergency department claims, resulting in overpayment for services by federal health care programs.  

STATE

Flurry of States Introduce Personal Privacy Protections 

Throughout the first quarter of 2025, numerous states, including Georgia, Illinois, and Pennsylvania, introduced legislation with potential consequences for non-HIPAA entities processing health data. While these privacy bills largely exclude HIPAA-covered protected health information, they may still regulate consumer health data processed by non-HIPAA-covered entities. In this regard, states have seen an increased focus on banning the sale or sharing of precise geolocation data. Such data, while not obviously health-related, could reveal information about consumers' health through inferences (for example, if a consumer visits a reproductive health center). 

For example, Georgia's SB 111 and Pennsylvania's HB 78 are both consumer personal data privacy acts pending in the House. Both bills would regulate the processing of sensitive data, which includes information related to mental or physical health diagnoses and sexual orientation, genetic or biometric data, and precise geolocation data. Similarly, Illinois' SB 52, which would create the state's Privacy Rights Act, is pending in the Senate. This bill has a broad definition of personal data which includes biometric information, internet activity information including browsing and search history, geolocation data, and inferences drawn from any other personal data. Sensitive personal data includes a consumer's precise geolocation and personal information collected and analyzed concerning a consumer's health, sex life, or sexual orientation.  

Other states which introduced consumer data privacy-related bills include: Alabama, Arkansas, Hawaii, Maine, Massachusetts, Mississippi, Montana, New Mexico, New York, North Carolina, Oklahoma, South Carolina, Texas, Vermont, Washington, West Virginia, and Wisconsin. While some of these bills have already failed, states continue to introduce new data privacy legislation. Other states have amended existing legislation to include health data. Minnesota, for example, introduced an amendment to the Minnesota Consumer Privacy Act which would make consumer health data a form of sensitive data, subject to additional health data protections. Iowa, similarly, has proposed an amendment to its Consumer Data Protection Act to expand the definition of sensitive data to include health data. 

Proposed New York Bill Tightens Regulations for Entities in Health Care Space  

New York has proposed its New York Health Information Privacy Act, SB 929, which would expand health information privacy protections beyond the traditional health care settings, entities, and requirements. Indeed, as proposed, SB 929 would be more onerous than comparable state privacy laws, such as in California and Washington.  

For example, SB 929 applies broadly to entities that control the processing of regulated health information ("RHI"), without consumer thresholds and with more expansive location requirements, capturing both New York residents and individuals physically present in New York at the time of processing. Notably, there are no carve-outs in this definition for HIPAA-covered entities. Requirements include opt-in consents prior to processing of RHI that is not "strictly necessary" to an enumerated processing purpose and onerous contractual assurances with service providers (e.g., duty of confidentiality, retention and deletion standards, and further contractual assurances with downstream service providers). SB 929 would be enforced by the state attorney general, with power to impose various penalties including injunctions and monetary civil penalties.

Pending AI Legislation Relating to Transparency of Interactions With Chatbots  

Various states have introduced legislation focusing on the use of AI in chatbots and "companions" in the health space. For example, New York AB 3265 and A06545 would, respectively, establish an AI Bill of Rights, requiring certain opt-out rights and notices to New York residents when interacting with GenAI, and prohibit chatbots from providing any medical or psychological advice and require explicit notices about interactions with chatbots.

Virginia and Texas Comprehensive AI Legislation—Vetoed and Amended 

Significant updates to proposed comprehensive state AI laws have occurred. For example, on March 24, 2025, Virginia Governor Glenn Youngkin vetoed the High-Risk Artificial Intelligence Developer and Deployer Act, which had previously passed the state legislature. The bill aimed to require companies that develop and deploy "high-risk" AI systems—including those used in critical areas like health care—to implement safeguards against algorithmic discrimination. In vetoing the bill, Governor Youngkin expressed concerns that the bill would serve as an impediment to innovation, stating the bill's "rigid framework fail[ed] to account for the rapidly evolving and fast-moving nature of the AI industry[.]"  

Further, recent proposed amendments to the Texas Responsible AI Governance Act significantly narrow its potential application. While the original bill as introduced was far more comprehensive than Colorado and Virginia comprehensive AI legislation, the amendments would generally limit application to government entities and intentional discrimination.

Global Developments 

EUROPE

European Union

European Commission Launches New Biotech and Biomanufacturing Hub

On January 30, 2025, the European Commission (the "Commission") launched the Biotech and Biomanufacturing Hub (the "Hub") to support certain companies in bringing innovative products to the EU market. The Hub is a webpage that provides tools and resources to companies to promote success in the biotech and biomanufacturing sector. Among other things, the Hub includes an overview with essential regulations and requirements, key research and technology infrastructures, tools to scale up a biotech or biomanufacturing business, and finance and funding resources.

European Commission Presents Action Plan to Protect the Health Sector From Cyberattacks

On January 15, 2025, the Commission presented the "European action plan on the cybersecurity of hospitals and healthcare providers" ("Action Plan"), a deliverable of the Political Guidelines of the 2024-2029 Commission mandate. The Action Plan aims to level up and strengthen the cybersecurity and resilience of Europe's hospitals and health care providers, and focuses on improving threat detection, preparedness, and crisis response. It will accomplish this by providing tailored guidance, tools, services, and training to hospitals and health care providers.

European Commission Sets Out a Roadmap for Standardization of Organ-on-Chip Technology 

On January 13, 2025, the Commission announced the roadmap for standardization of organ-on-chip ("OoC") technology. OoC is an integration of biotechnology with micro-fluidic chips and sensors to build miniaturized versions of human organs, such as the lung, heart, or liver. These devices contain living human cells that replicate the functioning of real organs, allowing researchers to study how diseases affect human tissues and to develop novel therapies. This marks an important step toward personalized medicine and animal-free testing. 

Regulation on Health Technology Assessment Becomes Applicable 

On January 12, 2025, the Regulation on Health Technology Assessment ("HTA") became applicable. HTA is a scientific, evidence-based process that aims to inform the creation of safe and effective health policies by summarizing information about the medical, social, economic, and ethical issues related to the use of a health technology. The HTA regulation creates an EU framework for the assessment of health technologies, such as medicines and medical devices, by fostering collaboration and coordination between EU Member States. Among other things, this framework aims to help national authorities make more timely and informed decisions on the pricing and reimbursement of health technologies, to streamline the procedure for health technology developers, and to improve access to innovative products for patients. 

European Clinical Trials Information System Launches New Clinical Trial Map 

On March 3, 2025, a new clinical trial map became accessible from the public website of the Clinical Trials Information System ("CTIS"). The map is designed to provide patients and health care professionals with easy access to comprehensive, real-time information about clinical trials conducted in their area, increasing access to clinical research in the EU.

Clinical Trials Regulation Becomes Fully Applicable 

As of January 31, 2025, all clinical trials in the EU, including ongoing trials that were approved under the previous legal framework, the Clinical Trials Directive, will be governed by the Clinical Trials Regulation ("CTR"). This marks the end of a three-year transition period. A key aspect of the CTR is the CTIS, the single-entry point for sponsors and regulators for the submission and assessment of applications for clinical trials in the EU. Ongoing trials that were not moved to the new system may be subject to corrective measures.

European Shortages Monitoring Platform Becomes Fully Operational  

On January 29, 2025, the European Shortages Monitoring Platform ("ESMP") became operational with its full scope of functionalities. The ESMP enables marketing authorization holders ("MAHs") and national competent authorities ("NCAs") to directly report information on supply, demand, and availability of nationally and centrally authorized medicines during crises and preparedness actions. On February 2, 2025, the use of the ESMP became mandatory for MAHs and NCAs. 

Electronic Product Information Pilot Report  

On December 16, 2024, the European Medicines Agency ("EMA") published the report of a pilot exploring the creation and testing of electronic product information ("ePI") with respect to human medicines. The pilot found that the EU regulatory system is generally prepared for the introduction of ePI and can move toward ePI's phased implementation in regulatory procedures, though it recognized the need for more development, including additional functionalities and integration with current IT systems.  

Regulation on the European Health Data Space Published 

On March 5, 2025, the Regulation on the European Health Data Space ("EHDS") was published in the Official Journal. The EHDS aims to provide a comprehensive framework for access to and use of electronic health data across EU Member States. Among other things, the EHDS aims to give citizens better control over their personal health data and enable seamless access to their medical records across the EU (i.e., primary use). Furthermore, the EHDS aims to strengthen the reuse of health data in anonymized or pseudonymized form for research, innovation, public health, and policymaking (i.e., secondary use). The EHDS regulation entered into force on March 26, 2025, and will become applicable in different phases according to data types and use cases.

European Court of Justice Clarifies "Advertising of Medicinal Products" 

On February 27, 2025, the European Court of Justice ("ECJ") further clarified the concept of "advertising of medicinal products" for an online pharmacy. In the EU, the intended purpose is the decisive factor to distinguish advertising from mere information. In this case, the ECJ clarified that information which seeks to influence the customer's choice of pharmacy rather than choice of a medicinal product does not fall within the concept of "advertising of medicinal products" under the applicable EU framework. In that regard, the court indicated a distinction between advertising campaigns limited to prescription-only medicinal products and messages that also relate to non-prescription medicinal products. Advertisement campaigns that promote the prescription or consumption of unspecified prescription-only medicinal products concern the choice of the pharmacy, and therefore do not fall within the concept of advertising. To the contrary, advertising campaigns that do not solely concern prescription-only medicinal products could be considered advertising.

European Commission Proposes Critical Medicines Act 

On March 11, 2025, the Commission proposed regulations to improve the availability of critical medicines in the EU. The proposal aims to protect human health by incentivizing supply chain diversification and boosting pharmaceutical manufacturing in the EU, as seen through a corresponding press release and Q&A document.

European Commission Opens Public Consultation on the EU Life Sciences Strategy 

On March 20, 2025, the Commission opened the "Call for Evidence" on the EU Life Sciences Strategy. The aim of the Life Sciences Strategy is, among other things, to boost competitiveness and prosperity and to accelerate "green" and digital transitions. 

Belgium 

New Belgian Federal Government Sets Out Pharmaceutical Policies 

On February 12, 2025, the new Belgian Federal Government published the government agreement defining, among other things, the pharmaceutical policies for the coming years. The agreement also discusses regulatory changes to expand hospitalization at home. 

Temporary Suspension of Reimbursement for Telephone Consultations in Belgium 

The Belgian National Institute for Health and Disability Insurance decided to temporarily suspend the reimbursement of telephone consultations as of February 15, 2025. Several Belgian general practitioners have already announced their discontent with this decision.

Belgian Public Health Minister Presents Policy Declaration 

On March 13, 2025, the policy declaration of the Belgian Federal Minister of Social Affairs and Public Health was published. Among other things, the minister aims to focus on digitalizing health care and on improving access, control, and sharing of health data. 

France

The French CNIL Authorizes EMA Processing of French Data but Voices Concerns 

In two deliberations dated January 13, 2025, and February 13, 2025, the French Data Protection Authority ("CNIL") granted the EMA authorization to process data from the French National Health Data System ("SNDS") for studies on the use of medicine and vaccines in France. The authorization request was part of the EU-wide research project "Darwin EU," which aims to leverage real-world health data to strengthen public health surveillance and inform health policy decisions. Under the proposed framework, the EMA is set to serve as the data controller, while the Health Data Hub will act as the data processor responsible for extracting data from the SNDS. 

Despite granting the authorization, the CNIL reiterated serious concerns regarding the Health Data Hub's use of a foreign cloud provider. The CNIL specifically warned of the risk that foreign authorities could access French patients' personal data. The CNIL also emphasized that, once the implementing decree for the French SREN law is published, the Health Data Hub will be required to use a provider that ensures protection against unauthorized access from third-party countries. With the current authorization being limited to three years, its renewal will depend on compliance with these new legal obligations.

The French CNIL Publishes Draft Recommendation for Ensuring Compliance and Security of Electronic Patient Records 

On March 20, 2025, the CNIL published a draft recommendation aimed at ensuring the compliance and security of "Electronic Patient Records" (Dossier Patient Informatisé). The draft recommendation comes in response to a sharp increase in personal data breaches in the health care sector, with data breach notifications rising from 16 in 2018 to 196 in 2024, alongside several high-profile incidents involving mass data exfiltration and system-wide cyberattacks. The recommendation primarily addresses data controllers (i.e., health care institutions), but also invites subcontractors and health care-related software providers to align their products and services with these requirements. The draft recommendation consolidates and updates the CNIL's expectations regarding both organizational and technical safeguards for electronic patient records, in light of evolving threats and regulatory standards. Among the key measures proposed are strong authentication methods (including mandatory multifactor authentication for all internal and external access by January 2026), granular and regularly reviewed access rights, encryption requirements, and separation of administrative and health data. Special attention is given to the contractual and operational oversight of subcontractors, particularly regarding certified health data hosting requirements. Beyond the public consultation, the draft recommendation will likely be subject to more updates in the future, particularly to address forthcoming EHDS obligations.

Netherlands

Interim Report on EHDS Implementation in the Netherlands 

On March 7, 2025, an interim report on EHDS implementation was released. The EHDS aims to improve cross-border health data exchange while ensuring patients' control over their information. The report highlights key challenges, including data security, interoperability, and health care provider adoption. Recommendations include establishing a national digital health authority for EHDS oversight and accelerating standardization of electronic health records and privacy safeguards for secondary data use in research. In Q2, more information on the next steps of the EHDS implementation is expected. 

Implementation of the Data Processing by Partnerships Act in Health Care 

On March 1, 2025, the Data Processing by Partnerships Act (Wet gegevensverwerking door samenwerkingsverbanden) took effect, impacting how Dutch health care and security partnerships process personal data. The law aims to enhance collaboration between health care providers, law enforcement, and municipalities while ensuring strict data protection measures. Key health care-related partnerships affected include Care and Safety Houses (Zorg- en Veiligheidshuizen), which handle complex cases involving mental health, youth crime, and domestic violence. These centers will gain clearer legal grounds to exchange data for risk assessment and intervention in an effort to improve patient safety and care coordination. The law mandates privacy audits, data quality assessments, and independent oversight. A Legitimacy Advisory Committee will monitor compliance, ensuring that data processing remains lawful and does not lead to discrimination.

Lawyer Spotlight 

Laura Koman

Laura Koman (Washington, Health Care & Life Sciences) is a leading advisor for health care and life sciences companies on complex regulatory and compliance matters, with a focus on emerging areas in digital health and clinical research. She counsels a range of clients, from large health systems and national provider organizations to early-stage companies, in navigating multijurisdictional and interdisciplinary issues concerning digital health, corporate structuring, clinical trials, and artificial intelligence. Laura also regularly advises clients on health care fraud and abuse issues under the federal Anti-Kickback Statute and the Stark Law, particularly in the context of digital health and value-based care models, and structures health care transactions and service arrangements. Laura regularly presents at both health care and life sciences-focused industry events.

Ed Reines

Ed Reines (Silicon Valley, Intellectual Property) is a decorated trial and appellate lawyer with deep experience representing clients in the life sciences, biotechnology, and high-technology sectors, particularly in competitor disputes involving health care innovations. He has secured significant victories in high-stakes patent and false advertising litigation related to genetic technologies, diagnostic tests, and prenatal genetic testing methods, as well as cases involving microfluidic technologies critical to health care advancements. Ed's leadership roles in key legal organizations, including as past president of the Federal Circuit Bar Association and chair of the N.D. Cal Patent Rules Committee, reflect his influence on patent litigation practices that impact the health care industry nationwide. In addition to his litigation practice, Ed teaches patent litigation at UC Berkeley Law School, further contributing to the development of legal expertise in health care and life sciences.

Sage Revell

Sage Revell (London, Health Care & Life Sciences, Corporate, Technology) is a recognized leader in advising life sciences and technology companies on complex national and cross-border transactions, including on mergers and acquisitions, venture capital, private equity, and corporate reorganizations. She counsels emerging-growth companies and their investors throughout all stages of development, including through exit. Sage's experience includes advising clients on investments and strategic initiatives in clinical research, diagnostics, therapeutics, genomics, fertility and patient management platforms, health technology leveraging artificial intelligence for cancer detection, pharmaceutical development for women's health, and clinical-stage biotech innovations. Sage was recognized as one of the Top 25 Biotechnology and Life Sciences Attorneys of 2024 by Attorney Intel, and she frequently speaks on women's health, wellness, and technology-driven advancements in health care.

Recent and Upcoming Speaking Engagements

  • Jessica Tierney, 2025 FDLI Annual Conference, AI Policy and the New Administration: Implications for FDA-Regulated Industries, May 2025
  • Laura Koman, 2025 FDLI Annual Conference, Clinical Trials: Potential Impacts of MAHA and Related Policies, May 2025
  • Colleen Heisey, 2025 FDLI Annual Conference, AI Trends in Medical Devices: Global Developments, FDA Policies, and Software as a Medical Device, May 2025 

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.