Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during January and early February 2025 from the United States, United Kingdom, and European Union.
In this issue, we discuss some useful international guidance documents from the International Medical Device Regulators Forum (IMDRF). These include Guiding Principles on Good Machine Learning Practices (GMLP) that build on the principles previously set out by the U.S. Food and Drug Administration (FDA), UK Medicines and Healthcare products Regulatory Agency (MHRA), and Health Canada, and guidance on characterization and risks of medical device software. The continued development of international guidance in this area highlights the importance of coordination between regulatory authorities and standardized guidance for these products. There have also been important developments in ongoing litigation relating to digital technologies, although whether these developments provide clear guidance to manufacturers remains to be seen.
Regulatory Updates
International Medical Device Regulators Forum Publishes Guiding Principles on Good Machine Learning Practices in Medical Device Development. Intended to promote GMLP and foster collaboration, the 10 principles highlight the importance of using representative datasets with separate sets for training and testing, as well as ensuring that the model design is suited to the data and the intended use of the device. Other principles include that the intended use of the device should be clearly defined and aligned with the context in which it will be used. This follows an earlier consultation, set out in our July 2024 Digest, and the principles previously published by the MHRA, FDA, and Health Canada.
IMDRF Publishes Guidance on Characterization Considerations for Medical Device Software and Software-Specific Risk. The guidance is aimed at ensuring clear and accurate characterization of medical device software, including developing the intended use statement. It also sets out a general strategy for characterizing software-specific risks.
MHRA Publishes Guidance Aimed at Manufacturers of Digital Mental Health Technologies. The guidance explains how the intended purpose of a mental health technology can be defined and communicated, and outlines key considerations to understand whether the technology is regulated as a medical device. It also provides guidance on how the appropriate risk classification is determined for a device, emphasizing that where mental health is being assessed, it is likely that this would constitute providing a “direct diagnosis,” which would fall within medical device Class IIa.
International AI Safety Report Published. The report, mandated by 30 countries and encompassing 100 independent expert insights, informed discussions at the AI Action Summit in France, which took place on February 10 and 11, 2025. The report addresses the capabilities of AI, including the associated risks and how to mitigate such risks. It identifies areas where further research is needed, such as how AI models can be designed to behave reliably.
Hamburg Higher Regional Court Agrees That a Modified Version of an App Designed to Review Skin Conditions Is Not a Medical Device. In the August 2024 Digest, we reported that the German court of appeal (OLG Hamburg) handed down a decision that considered the status of a dermatologic telemedicine app under the Medical Devices Regulation, and found that the app was a Class IIa medical device. In a recent decision, the Regional Court has confirmed that a modified version of the app, which removed some of the functionality, is significantly different from the original app and therefore can remain on the market. This continuing litigation has been much criticized and discussed given some arguments that are inconsistent with the legislation and guidance. This latest decision is unlikely to be the last.
Liability Updates
Industry Calls on EU Legislators to Withdraw the AI Liability Directive (AILD) Proposal. The call was made by a coalition of industry associations, including the European Federation of Pharmaceutical Industries and Associations and MedTech Europe, warning that the AILD could create legal uncertainty and regulatory burdens for AI. Originally published by the European Commission in 2022, the AILD proposal has been on hold and is now set to be updated by the EU legislators to align with legislative developments, including the EU AI Act. However, industry argues that the AILD overlaps with existing frameworks (such as the Product Liability Directive, the EU AI Act, and the GDPR), and that the AILD is unnecessary in the current legal landscape.
Privacy and Cybersecurity Updates
Council of the European Union Formally Adopts the European Health Data Space (EHDS) Regulation. The EHDS Regulation sets out rules allowing access to electronic health data across the EU for permitted secondary uses (e.g., research) by any natural or legal person, provided that the access request is approved. The regulation also imposes obligations on health data holders, including medical technology companies, to share specific categories of health data (e.g., personal health data automatically generated through medical devices), and to disclose the data they hold. To facilitate the access and sharing of the health data, HealthData@EU, a cross-border platform for secondary data use, has been established. The EHDS Regulation is expected to become law in March 2025, and will apply gradually, with provisions on secondary use taking effect as of March 2029.
EU Action Plan to Strengthen Cybersecurity in the Health Sector Published. Aimed at improving detection, preparedness, crisis response, and protection from cyber threats in hospitals and health care providers, the action plan builds on existing frameworks such as the NIS2 Directive. Some measures planned for 2025 and 2026 include developing a regulatory mapping tool, a European known exploited vulnerabilities catalogue for medical devices, a framework for cybersecurity maturity assessments, and guidelines on critical cybersecurity practices and procurement in health care. The plan also includes pilot projects to develop best practices for cyber hygiene and security risk assessment, along with an EU-wide early warning subscription service for near-real-time alerts on emerging cyber threats.
IP Updates
Abbott and Dexcom Settle CGM Patent Disputes. In December 2024, Abbott and Dexcom announced they had settled their ongoing global patent disputes regarding continuous glucose monitoring devices. (See our July 2024, September 2024, and January 2025 Digests for further context.)