Welcome to the latest installment of Arnold & Porter’s Virtual and Digital Health Digest. This digest covers key virtual and digital health regulatory and public policy developments during March and early April 2025 from the United States, United Kingdom, and European Union.
The biggest change this month is that as of March 25, 2025, the European Health Data Space Regulation (EHDS Regulation) is now in force. This means that, as it is gradually implemented, companies will be able to request access to electronic health data for health care purposes, including for use in scientific research, and may be required to share certain health data that they hold. The implementation of the EHDS Regulation is likely to raise a number of questions, which future European Commission implementing regulations or guidelines may clarify.
Regulatory Updates
European Medicines Agency (EMA) Issues First Qualification Opinion on an AI Tool (AIM-NASH). AIM-NASH is an AI-based machine learning tool designed to assess the severity of inflammatory liver disease (MASH) in liver biopsy scans. It aims to improve the accuracy, repeatability, and reproducibility in MASH disease activity assessments. The EMA’s Committee for Medicinal Products for Human Use (CHMP) concluded that AIM-NASH reduces variability in determining MASH disease activity compared to the current standard and that it can be used in MASH clinical trials. The qualification opinion means that evidence generated by AIM-NASH can be considered scientifically valid by CHMP in future applications for authorization when used as agreed in the opinion.
UK Government Responds to Recommendations on the Regulation of AI as a Medical Device. In November 2022, the Regulatory Horizons Council (RHC) published a report on how the UK can encourage innovation and improve safety in the area of AI as a medical device through changes to the regulatory system. The UK government has now published its response, accepting all 15 of the RHC’s recommendations. The recommendations are grouped by four themes: (1) regulatory capacity and capability, (2) whole product lifecycle, (3) open transparency, patient, and public involvement, and (4) UK leadership and international collaboration.
The UK MHRA Publishes an Update on the AI Airlock Pilot. The AI airlock is a regulatory sandbox aimed at testing and improving the safety of AI-based medical devices (read our June 2024 and October 2024 Digests for more detail). It is being piloted with the projects of four developers, after one developer withdrew. The MHRA reports that the “Simulation Airlock testing” stage has been completed, in which key stakeholders brainstormed solutions to challenges that had been identified. The next steps include drafting outputs based on the insights from the simulations and virtual testing, and the preparation of an AI Airlock program report summarizing the learning points from each project.
Bill to Establish Central AI Authority Reintroduced in the UK. A Private Members’ Bill relating to the regulation of AI has been reintroduced in the House of Lords. The bill was originally introduced in November 2023, as reported in our December 2023 Digest, but failed to progress when the UK parliament was dissolved in May 2024 for the general election. The main purpose of the bill is to establish a central AI authority to act as a dedicated regulatory body for overseeing the regulatory approach to AI. Private Members’ Bills do not often succeed in becoming law, but the reintroduction of this bill will put pressure on the UK government to strengthen regulatory safeguards surrounding AI.
Privacy and Cybersecurity Updates
The European Health Data Space Regulation Is Now Law. On March 5, 2025, Regulation 2025/327, creating the EHDS Regulation, was published in the European Union Official Journal, and came into force on March 25. Under the regulation, companies handling health data must share their health data when requested by a national Health Data Access Body. Companies can also request access to health data for secondary purposes (e.g., scientific research). Requesting access is also possible for non-EU companies, but only when their country is recognized by the European Commission as being compliant with the EHDS Regulation and where it grants equivalent access to EU health data applicants. While already in force, implementation of the EHDS Regulation will be gradual. The European Federation of Pharmaceutical Industries and Associations has issued recommendations to support the implementation. More details on the EHDS Regulation can be found in our March 2025 Advisory.
WHO Issues Health Data Governance Recommendations for EU Policymakers. To enhance interoperability and the adoption of AI in health systems, the World Health Organization urges policymakers in the EU Member States to take four actions: (1) to strengthen national health data governance; (2) to develop robust health data standards for primary and secondary exchange and use; (3) to develop mechanisms to coordinate national data providers to facilitate collection, management, and dissemination of consistent and complete data; and (4) to engage stakeholders in developing health data governance frameworks that support AI implementation.
The UK’s ICO Fines NHS Software Provider £3 Million for Failing to Protect Patients’ Personal Data. The UK Information Commissioner’s Office (ICO) has ruled that Advanced Computer Software Group Ltd broke data protection laws by failing to fully implement security measures prior to a ransomware incident. The company provides IT and software services to the national health service (NHS), which includes the processing of patient personal data. In August 2022, the company was the target of a cyber-attack and the personal information of over 79,000 people was taken. The investigation found various shortcomings. The company agreed to a voluntary settlement of a reduced fine (down from £6 million) after the ICO took into account the company’s proactive cooperation with the authorities.
UK Government Responds to Call for Views on Code of Practice for Software Vendors. In the June 2024 Digest, we reported that the UK government announced and invited views on the voluntary Code of Practice for Software Vendors (the Code). The UK government has now published its response to the call for views. Respondents have confirmed that the Code would be a useful tool to help enhance software security practices and better secure digital supply chains across the UK and the digital economy. The government will make minor edits and publish the final version of the Code in 2025, alongside implementation guidance developed with the National Cyber Security Centre.
Antitrust Updates
The Swedish Competition Authority (SCA) Fines Digital Health Care Providers for Participation in an Online Ad Cartel. On April 3, 2025, the SCA announced that it had fined three digital health care companies a combined SEK 26.5 million (approximately GBP 2.1 million) because they had entered into anticompetitive agreements in 2020 regarding their online advertising practices on Google. Keyword advertising allows businesses to purchase ad space on Google Search. To make an ad visible when users search for a competitor’s brand, companies bid on keywords that correspond to that competitor’s brand name. However, in this case, the companies agreed to refrain from marketing themselves on Google Search to consumers who searched for the other party’s brand name; this meant that consumers did not have the opportunity to see alternatives to the online medical company they had searched for. In its press release, the SCA noted that agreements limiting consumers’ ability to become aware of competing suppliers when searching on the internet are harmful to consumers and competition. Four companies were involved in the agreements: Doktor.Se, Min Doktor, Doktor24, and Kry — competing health care providers offering digital primary care services to individuals in Sweden, including consultations with health care professionals via video calls or chats on their apps. However, Kry was not fined on the basis that it had proactively reported the agreements to the SCA and therefore benefitted from the SCA’s leniency program.
IP Updates
Whoop Triumphs in “Smart Bra” UK Patent Dispute With Prevayl. Deep-tech company Prevayl has a broad patent portfolio for innovations designed to be integrated into a diverse set of wearable products and industries. On February 27, 2025, the UK Intellectual Property Enterprise Court invalidated Prevayl’s patent relating to a “smart bra” with embedded biosignal sensors for lack of inventive step, resulting in the rejection of Prevayl’s patent infringement claim against fitness tracker brand Whoop.
Judge Hacon ruled that placing sensors in a side region rather than an under band was an obvious design choice in light of the prior art and as a result, the patent was invalidated. He added that, had the patent been upheld, he would have reached a finding of indirect infringement in relation to the Whoop Bra and the Whoop 4.0 module.
Judge Hacon remarked in the decision that “simple inventions can be especially vulnerable to hindsight,” highlighting the care that should be taken when drafting patent specifications to show how the problem being solved is not obvious, and reaffirming the importance of genuine innovation in wearable technology.