Digital Health Policy Mythbusters: Separating Fact from Fiction in a Rapidly Evolving Landscape

The digital health space is booming, bringing incredible innovation and expanding access to care. Yet, navigating the intricate web of policies and regulations governing this dynamic field can feel like a constant game of whack-a-mole. Misinformation abounds, leading to confusion, compliance risks, and missed opportunities.

Disclaimer: This blog post provides general information and should not be construed as legal or regulatory advice. Consult with qualified legal and compliance professionals for guidance specific to your situation.

In this edition of Digital Health Policy Mythbusters, we're tackling three common misconceptions that digital health delivery professionals encounter. Get ready to bust some myths, dive into the facts, and arm yourself with the knowledge you need to thrive in this ever-changing environment.

Let's dive in!

Myth 1: All Telehealth Regulations Reverted to Pre-Pandemic Rules When the Public Health Emergency Ended.

The Myth: Many in healthcare assumed that the end of the COVID-19 Public Health Emergency (PHE), which concluded in the U.S. on May 11, 2023, automatically signaled a complete return to the restrictive telehealth rules that existed before 2020. The idea was that temporary waivers were gone, and suddenly patients would again need to be in rural areas or specific healthcare facilities to receive remote care, and reimbursement would dry up.

The Nuance (Why it's a Myth): While the end of the PHE did indeed trigger the expiration of some temporary flexibilities, it by no means caused a full-scale rollback. The pandemic fundamentally shifted perceptions of telehealth's value and feasibility. This led to significant legislative and regulatory action at both the federal and state levels, extending, modifying, and, in some cases, making permanent many of the telehealth flexibilities initially introduced as temporary measures (CMS, 2025a; CMS, 2025b; Health Law Advisor, 2025; Manatt, 2025). The landscape today, in May 2025, is a complex hybrid, far more permissive than the pre-2020 era, though still subject to change.

"Busted!" Fact: The notion that all telehealth regulations reverted is simply untrue. Federal action, notably through appropriations acts passed by Congress, has repeatedly extended key Medicare telehealth flexibilities well beyond the PHE's end date. As of May 2025, many critical waivers remain in effect, primarily extended through September 30, 2025, by the Full-Year Continuing Appropriations and Extensions Act, 2025 (CMS, 2025a; CMS, 2025b; Health Law Advisor, 2025). State legislatures have also been active, codifying many temporary telehealth provisions into permanent state law or extending them through specific dates (National Law Review, 2024; Manatt, 2025). The trend is clear: many states have made, or are working towards making, expanded telehealth access a permanent fixture (National Law Review, 2024).

Supporting Details & Policy Context:

  • Federal Extensions (via Appropriations Acts): Crucially, Medicare beneficiaries can still receive telehealth services from any geographic location, including their homes, through September 30, 2025. The requirement for patients to be at an "originating site" in a rural area remains waived until this date (CMS, 2025a; CMS, 2025b; Health Law Advisor, 2025). The list of eligible distant site practitioners who can bill Medicare for telehealth has also been expanded and extended, including professions like physical therapists, occupational therapists, and speech-language pathologists, through the same date (CMS, 2025a; CMS, 2025b; AOTA, 2025).

  • FQHCs and RHCs: Federally Qualified Health Centers (FQHCs) and Rural Health Clinics (RHCs) can continue to serve as distant sites for telehealth services, a flexibility extended until September 30, 2025 (CMS, 2025a; CMS, 2025b).

  • Audio-Only Telehealth: While the long-term policy around audio-only services remains debated, the ability to use two-way, real-time audio-only communication for many telehealth services is extended through September 30, 2025 (CMS, 2025a; CMS, 2025b). CMS's Calendar Year (CY) 2025 Physician Fee Schedule (PFS) final rule did make the use of audio-only permanent for mental health services when the patient is in their home and under specific conditions for other services (CMS, 2025b).

  • Behavioral Health Nuances: An important specific extension relates to behavioral and mental health services via telehealth. The requirement for an in-person visit within six months of an initial telehealth visit and annually thereafter has been delayed until October 1, 2025 (CMS, 2025a; CMS, 2025b; Health Law Advisor, 2025).

  • Permanent Changes: Beyond extensions, CMS has also codified some changes permanently in recent final rules. For instance, the ability for teaching physicians to have a virtual presence for certain Medicare telehealth services and the suspension of frequency limits on subsequent inpatient and nursing facility visits via telehealth have been extended through December 31, 2025 (CMS, 2025b).

  • State-Level Parity and Access: Parallel to federal actions, numerous states have enacted laws requiring commercial payers to cover telehealth services (coverage parity) and, in some cases, reimburse them at the same rates as in-person services (payment parity) (National Law Review, 2024; Manatt, 2025). These state laws vary significantly in scope, duration, and specific requirements. For example, New Jersey extended payment parity until July 1, 2026, while an amendment in Illinois significantly limits physical therapists' ability to provide telehealth (National Law Review, 2024). Keeping track of individual state legislation is essential for providers operating across state lines.

Potential Confusion: The staggered nature of extensions (many federal waivers end September 30, 2025, while others end December 31, 2025, and state laws vary) and the ongoing discussions about which flexibilities will become permanent create understandable complexity (CMS, 2025a; Health Law Advisor, 2025). Digital health providers must actively monitor federal legislative developments (especially regarding appropriations bills that could extend waivers again) and state-level policy changes to understand the specific rules that apply to their services and patient populations. The "telehealth cliff" is not a single event tied to the PHE's end, but rather a series of potential deadlines that require proactive monitoring.

Myth 2: Patient Data Privacy in Digital Health is Fully Secured by Current Laws, Primarily HIPAA.

The Myth: A widespread belief is that the Health Insurance Portability and Accountability Act (HIPAA) is the ultimate shield for all patient health data privacy and security in the digital age. If a company handles health data, surely HIPAA covers it entirely, right? This myth suggests that relying on HIPAA is sufficient to protect sensitive information collected by the vast array of digital health tools, from wellness apps and wearables to remote monitoring devices and AI diagnostics.

The Nuance (Why it's a Myth): While HIPAA is undeniably the bedrock of health data privacy in the U.S., its scope is specifically limited. HIPAA primarily applies to "Covered Entities" (healthcare providers, health plans, and healthcare clearinghouses) and their "Business Associates" (third parties performing functions on behalf of covered entities that involve protected health information, or PHI) (Stanford Law School, 2025; MDPI, 2024). This leaves a significant portion of the digital health ecosystem operating outside of direct HIPAA regulation.

"Busted!" Fact: HIPAA does not cover all health data. Many direct-to-consumer digital health technologies, such as fitness trackers, wellness apps not connected to a healthcare provider, and some direct-to-consumer genetic testing services, collect vast amounts of sensitive health-related information but are often not considered Covered Entities or Business Associates under HIPAA (Stanford Law School, 2025; MDPI, 2024). This means the data they collect, while health-related, may not be classified as Protected Health Information (PHI) under HIPAA and is therefore not subject to HIPAA's stringent privacy and security rules.

Supporting Details & Legal Context:

  • HIPAA's Limited Scope: HIPAA's framework was established before the explosion of mobile health apps and wearable technology. Its focus on traditional healthcare relationships leaves a regulatory gap for consumer-generated health data collected outside of these specific contexts (Stanford Law School, 2025; MDPI, 2024). While a health app used by a HIPAA-covered provider might fall under HIPAA via a Business Associate Agreement, the same app used directly by a consumer might not.

  • The FTC's Role and the Health Breach Notification Rule (HBNR): Recognizing this gap, the Federal Trade Commission (FTC) has stepped in. The FTC regulates unfair or deceptive practices under the FTC Act, and more specifically, its Health Breach Notification Rule (HBNR) applies to vendors of personal health records (PHRs) and related entities not covered by HIPAA (FTC, 2025a; FTC, 2025b). The HBNR requires these entities to notify individuals, the FTC, and in some cases, the media, following a breach of unsecured PHR identifiable health information. Crucially, amendments finalized in July 2024 clarified that the HBNR applies to health apps, connected devices, and similar technologies that collect or use consumers' health information (FTC, 2025b). This provides a layer of protection outside of HIPAA, but the HBNR is primarily focused on breach notification, not the comprehensive privacy and security safeguards required by HIPAA.

  • Emerging State Privacy Laws: A significant trend in 2024 and 2025 is the passage of state-level comprehensive privacy laws (Paul Hastings LLP, 2025; White & Case, 2025). While not health-specific in their entirety, many of these laws, like those in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and others, include definitions of sensitive data that encompass health information (White & Case, 2025). Some states, like Washington with its My Health My Data Act, have even passed laws specifically targeting the collection, sharing, and sale of consumer health data that falls outside of HIPAA, imposing strict consent requirements and restrictions on data brokering (Paul Hastings LLP, 2025). These state laws create a complex patchwork of additional privacy obligations for digital health companies.

  • Data Use Beyond Treatment: Data collected by non-HIPAA-covered entities can potentially be used or sold for purposes beyond individual healthcare, such as targeted advertising, research (often de-identified, but re-identification risks exist), or even underwriting by entities not subject to HIPAA (MDPI, 2024). Consumers often agree to these uses through lengthy terms of service and privacy policies that may not be fully understood.

Potential Confusion: The term "health data" is broad, but "Protected Health Information (PHI)" under HIPAA has a specific legal definition tied to Covered Entities and Business Associates. This distinction is key. Digital health companies must assess whether they function as Covered Entities or Business Associates, and regardless, understand their obligations under the FTC Act, the HBNR, and applicable state privacy laws, which are increasingly regulating consumer health data regardless of HIPAA status (Stanford Law School, 2025). Relying solely on HIPAA compliance is insufficient in today's digital health landscape.

Myth 3: AI Adoption in Healthcare is a Regulatory "Wild West."

The Myth: Given the rapid pace of innovation in artificial intelligence (AI) and machine learning (ML) and their burgeoning applications in healthcare (from diagnostic image analysis and drug discovery to predictive analytics and administrative automation), there's a perception that the regulatory framework hasn't caught up. This leads some to believe that deploying AI tools in healthcare is largely unregulated, a "free-for-all" where developers and providers face minimal oversight.

The Nuance (Why it's a Myth): While the regulatory landscape for AI in healthcare is indeed evolving and presents unique challenges, it is far from a vacuum. Existing legal and regulatory frameworks apply, and key regulatory bodies are actively developing and implementing specific guidance for AI/ML technologies used in healthcare (FDA, 2025; King & Spalding, 2025; NCSL, 2025; Credo AI Company Blog, 2025).

"Busted!" Fact: AI/ML tools used in healthcare are subject to regulation, particularly when they function as medical devices. The Food and Drug Administration (FDA) regulates AI/ML software that meets the definition of a medical device (FDA, 2025; King & Spalding, 2025). Furthermore, existing laws concerning data privacy (like HIPAA and state laws), patient safety, and professional liability all apply to the use of AI in clinical settings (ArentFox Schiff, 2025; Holland & Knight, 2025; NCSL, 2025; Credo AI Company Blog, 2025). Regulatory scrutiny is increasing, not absent.

Supporting Details & Regulatory Context:

  • FDA Regulation of AI/ML as Medical Devices: The FDA has been actively engaged in establishing a regulatory pathway for AI/ML-based medical devices. Software that uses AI/ML algorithms for purposes such as diagnosis, treatment recommendations, or analyzing medical images often falls under the FDA's purview as Software as a Medical Device (SaMD) (FDA, 2025; King & Spalding, 2025). The FDA is moving towards a "Total Product Lifecycle" approach for regulating AI/ML, recognizing that these algorithms can learn and change over time.

  • Key FDA Guidance (as of May 2025): In January 2025, the FDA released important Draft Guidance on Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations (FDA, 2025; King & Spalding, 2025). This guidance provides comprehensive recommendations for the design, development, validation, and ongoing performance monitoring of AI/ML-based medical devices throughout their lifecycle. It addresses crucial aspects like managing algorithmic changes ("predetermined change control plans"), addressing bias, and ensuring transparency. This draft guidance, along with finalized guidance on predetermined change control plans, demonstrates the FDA's proactive approach to regulating these technologies.

  • Applicability of Existing Laws: Any AI system that accesses, uses, or stores patient data must comply with applicable privacy regulations, including HIPAA (if used by a Covered Entity or Business Associate) and increasingly, state-level privacy laws (ArentFox Schiff, 2025; Holland & Knight, 2025; NCSL, 2025). Furthermore, standard medical device regulations regarding quality systems, adverse event reporting, and cybersecurity also apply to AI/ML medical devices.

  • Liability and Accountability: The use of AI in clinical decision-making raises complex questions about liability in cases of errors or adverse outcomes (ArentFox Schiff, 2025; Holland & Knight, 2025). Legal scholars and professional bodies are actively debating how existing medical malpractice frameworks apply when an AI algorithm contributes to patient harm. Discussions center on who is liable in that situation: the AI developer, the healthcare provider using the tool, the institution, or some combination of them. While specific case law is still developing, it's understood that deploying AI in healthcare introduces new considerations for professional responsibility and accountability (ArentFox Schiff, 2025).

  • State-Level AI Regulation: Beyond the FDA's focus on medical devices, states are also beginning to enact broader AI regulations that can impact healthcare (NCSL, 2025; Credo AI Company Blog, 2025). In 2025, legislation in states like California and Texas is addressing issues like the use of AI in health insurance utilization review (aiming to prevent AI from being the sole basis for denying care) and requiring disclaimers when generative AI is used in patient communications (NCSL, 2025; Credo AI Company Blog, 2025). These state efforts highlight a growing focus on the ethical and practical implications of AI across various sectors, including healthcare.

Potential Confusion: The rapid pace of AI development can make it feel like regulation is lagging. Additionally, not all AI used in healthcare is regulated as a medical device (e.g., AI used solely for administrative tasks or internal research might not be). However, any AI tool that impacts clinical care, handles patient data, or influences decisions with health implications is subject to significant existing and emerging regulatory scrutiny and legal considerations (ArentFox Schiff, 2025; Holland & Knight, 2025; FDA, 2025). Companies developing or deploying AI in healthcare must engage proactively with regulatory bodies and legal counsel to ensure compliance and manage risks.

Staying Ahead in a Dynamic Landscape

The digital health policy landscape is a living, breathing entity, constantly reshaped by technological advancement, legislative action, and regulatory guidance. The myths we've busted today highlight the critical need for accurate, up-to-date information.

For digital health delivery professionals, staying informed is not just about compliance; it's about building trust with patients, mitigating legal and financial risks, and effectively leveraging technology to improve health outcomes. Don't rely on outdated assumptions or hallway whispers. Engage with official sources like CMS, the FDA, the FTC, and your state legislatures. Consult with legal and compliance experts who specialize in digital health.

By separating fact from fiction, we can collectively navigate this complex terrain and ensure that the promise of digital health is realized safely, equitably, and effectively.

References

AOTA. (2025, March 18). Congress enacts six-month Medicare telehealth waiver extension for OT. https://www.aota.org/advocacy/advocacy-news/2025/congress-enacts-telehealth-waiver-extension

ArentFox Schiff. (2025, February 20). Top Legal Challenges for the Health Care Industry in 2025. https://www.afslaw.com/perspectives/health-care-counsel-blog/top-legal-challenges-the-health-care-industry-2025

CMS. (2025a, April 9). Telehealth FAQ Calendar Year 2025. https://www.cms.gov/files/document/telehealth-faq-04-09-25.pdf

CMS. (2025b, April). MLN901705 - Telehealth & Remote Patient Monitoring. https://www.cms.gov/files/document/mln901705-telehealth-remote-patient-monitoring.pdf

Credo AI Company Blog. (2025, March 22). Key AI Regulations in 2025: What Enterprises Need to Know. https://www.credo.ai/blog/key-ai-regulations-in-2025-what-enterprises-need-to-know

FDA. (2025, January 6). FDA Issues Comprehensive Draft Guidance for Developers of Artificial Intelligence-Enabled Medical Devices. https://www.fda.gov/news-events/press-announcements/fda-issues-comprehensive-draft-guidance-developers-artificial-intelligence-enabled-medical-devices

FTC. (2025a). Health Privacy. https://www.ftc.gov/business-guidance/privacy-security/health-privacy

FTC. (2025b, January 24). Complying with FTC's Health Breach Notification Rule. https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0

Health Law Advisor. (2025, March 25). Telehealth Cliff Averted, for Now (but September Is Six Months Away). https://www.healthlawadvisor.com/telehealth-cliff-averted-for-now-but-september-is-six-months-away

Holland & Knight. (2025, March 14). Top Ten 2025: Medical Malpractice in the Age of AI. https://www.hklaw.com/en/insights/media-entities/2025/03/top-ten-2025-medical-malpractice-in-the-age-of-ai

King & Spalding. (2025, January 10). FDA Releases Draft Guidance on Submission Recommendations for AI-Enabled Device Software Functions. https://www.kslaw.com/news-and-insights/fda-releases-draft-guidance-on-submission-recommendations-for-ai-enabled-device-software-functions

Manatt. (2025, January 28). Manatt Telehealth Policy Tracker: Tracking Ongoing Federal and State Telehealth Policy Changes. https://www.manatt.com/insights/white-papers/2025/manatt-telehealth-policy-tracker-tracking-ongoing-federal-and-state-telehealth-policy-changes

MDPI. (2024, June 19). "Whispers from the Wrist": Wearable Health Monitoring Devices and Privacy Regulations in the U.S.: The Loopholes, the Challenges, and the Opportunities. Healthcare, 8(2), 26. https://www.mdpi.com/2410-387X/8/2/26

NCSL (National Conference of State Legislatures). (2025, March 22). Artificial Intelligence 2025 Legislation. https://www.ncsl.org/technology-and-communication/artificial-intelligence-2025-legislation

National Law Review. (2024, December 18). Telehealth Trends State Legislative Updates and Actions. https://natlawreview.com/article/trending-telehealth-december-18-2024-january-6-2025

Paul Hastings LLP. (2025, March 27). US Privacy Update: Where Things Stand at the Start of Q2 2025. https://www.paulhastings.com/insights/ph-privacy/us-privacy-update-where-things-stand-at-the-start-of-q2-2025

Stanford Law School. (2025, February 26). Digital Diagnosis: Health Data Privacy in the U.S. https://law.stanford.edu/2025/02/26/digital-diagnosis-health-data-privacy-in-the-u-s/

White & Case. (2025, January 21). 2025 State Privacy Laws: What Businesses Need to Know for Compliance. https://www.whitecase.com/insight-alert/2025-state-privacy-laws-what-businesses-need-know-compliance