Digital Health Blog

On October 21, CMS instructed all MACs to lift the hold on claims with dates of service on and after October 1, 2025 for certain services impacted by select expired Medicare legislative provisions, including claims paid under the Medicare Physician Fee Schedule and telehealth claims that CMS can confirm are for behavioral and mental health services. CMS continues to direct MACs to temporarily hold claims for non-behavioral/mental health telehealth services and for acute Hospital Care at Home claims.

The Centers for Medicare & Medicaid Services (CMS) released an updated telehealth Frequently Asked Questions (FAQ) which addresses how the federal government shutdown impacts rendering these services to Medicare beneficiaries. The FAQs address where Medicare beneficiaries need to be to receive telehealth services, which practitioners can furnish these services, whether audio-only visits are allowed, among other questions.

The American Medical Association (AMA) announced the launch of its Center for Digital Health and Artificial Intelligence (AI). The Center will focus on putting physicians in a leadership role to shape policy, digital tools, educate and collaborate with others to build partnerships across the government and healthcare, technology, research sectors.

On September 25, 2025, the Massachusetts Senate unanimously passed the Massachusetts Data Privacy Act (“MDPA”), originally introduced as SB 2608 and now refiled as SB 2619. The bill proposes sweeping reforms to consumer data protection, including bans on the sale of sensitive data (such as biometric, health, and geolocation information), enhanced data privacy rights for minors, and strict limits on data collection practices. The Senate referred the bill to the Massachusetts House of Representatives.

On October 16, Massachusetts joined growing number of states taking legislative action on the use of artificial intelligence in healthcare. SB 2632 sets clear boundaries around AI’s role in behavioral and mental health services, as well as in healthcare decision-making and utilization review. Under SB 2632, artificial intelligence cannot be used to make independent therapeutic decisions in a mental or behavior health setting. All treatment plans and patient interactions involving AI must be reviewed by a licensed professional. The bill also mandates transparency: patients must be informed when AI is used in their care and must provide explicit consent. The legislation further restricts how insurance carriers use AI in utilization review and other administrative functions. Specifically, it prohibits AI from replacing human decision-making or being used in ways that could result in discrimination against insured individuals.

As state legislatures gear up for the 2026 session, more proposals addressing artificial intelligence in healthcare and data privacy issues are likely. These developments reflect growing public and policymaker concern over the ethical, legal, and social implications of emerging technologies. However, states are taking varied approaches to regulation and enforcement, signaling an evolving and diverse policy landscape.

California Governor Newsom has signed Assembly Bill 489 into law, which establishes protections against the misuse of artificial intelligence in health care communications. The new law, which takes effect January 1, 2026, prohibits AI systems from impersonating or misrepresenting themselves as licensed medical professionals.

Sponsored by Assemblymember Rob Bonta and supported by the California Medical Association and SEIU California, AB 489 amends existing consumer protection laws to ensure that generative AI tools cannot use misleading titles, post-nominal letters, or phrases that imply clinical authority. Each violation is enforceable by the relevant licensing board and treated as a separate offense.

The enactment of AB 489 reflects California’s proactive approach to maintaining patient trust and transparency as AI tools increasingly interact with patients. The legislation compels developers to revise user interfaces and marketing language that could mislead users into believing they are receiving care from credentialed providers. Existing California law already mandates that AI-generated patient-facing content include clear disclaimers and offer access to a human contact when clinical information is presented. By extending false advertising and impersonation protections to AI-generated content, California sets a precedent for other states considering similar regulations. AB 489 underscores the importance of ethical boundaries and oversight as AI continues to reshape the health care landscape.

Senator Richard Durbin (D-IL) and Senator Josh Hawley (R-MO) introduced the AI LEAD Act. The legislation classifies all Artificial Intelligence (AI) systems, including those incorporated into health care settings, as products, and permits the Department of Justice, state attorneys general, and individuals to bring claims against developers of large language models (LLMs) under traditional products liability doctrine. If passed, developers of AI systems may face increased claims over design defects and be forced to increase transparency regarding development and deployment of AI tools. The legislation follows from Congressional hearings on AI safety and may inspire similar state legislation as both federal and state policymakers seek to establish a new regulatory framework for artificial intelligence.

The FDA’s Digital Health Center of Excellence is requesting public comment on methods for measuring and evaluating the performance of artificial intelligence-enabled medical devices. This initiative aims to improve regulatory clarity and foster innovation while ensuring safety and effectiveness. Stakeholders—including developers, clinicians, and researchers—are encouraged to share feedback on evaluation frameworks, performance metrics, and uncertainty quantification. Comments are due December 1.

The Office of Science and Technology Policy (OSTP) is seeking public input to identify federal statutes, regulations, and administrative processes that may hinder the development and adoption of AI technologies in the U.S. This Request for Information invites feedback from industry, academia, government entities, and other stakeholders to help shape future regulatory reforms that promote AI innovation. Comments are due October 27.

Government funding has lapsed as of October 1, as well as current telehealth waivers. It is expected that if and when Congress acts on government spending, an extension would be included, but it is not clear when that will occur. CMS released guidance directing Medicare Administrative Contractors (MACs) to implement a temporary claims hold. This standard practice is typically up to 10 business days and prevents the need for reprocessing large volumes of claims should Congress act after the statutory expiration date. Providers can continue to submit claims during this time, but payment will not be made until the hold is lifted. Additionally, CMS reiterated that absent congressional action, many of the statutory limitations that were in place prior to the COVID-19 Public Health Emergency (PHE) will take effect again, and that practitioners may choose to hold claims associated with telehealth services that are not payable by Medicare in the absence of congressional action. CMS noted that clinicians in applicable Medicare Accountable Care Organizations (ACOs) can provide and receive payment for covered telehealth services to certain Medicare beneficiaries without geographic restriction and in the beneficiary’s home. Stay up to date on further information related to government funding and expiring provisions via our website. You can also sign up for our government relations and public policy email newsletter for further updates.

On September 23, 2025, the California Privacy Protection Agency (CPPA) finalized a landmark set of regulations under the California Consumer Privacy Act (CCPA), approved by the Office of Administrative Law.

The new regulations introduce significant obligations for covered businesses using automated decision-making technologies (ADMT), require regular cybersecurity audits, and mandate technical privacy risk assessments. While the CPPA narrowed the scope of earlier proposals to the updated regulations – limiting ADMT provisions to technologies that “substantially replace” human decision-making – the final rules represent an expansion of compliance duties.

The regulations are set to take effect January 1, 2026, with the compliance deadlines phased in based on business type and size.