Digital Health Blog
Legal & Policy Insight to Empower the Evolution of Health Care
CMS Announces Medicare App Library
The Centers for Medicare & Medicaid Services (CMS) recently announced the development of the Medicare App Library as part of its Health Technology Ecosystem initiative. The library will provide a centralized directory through which Medicare beneficiaries can access patient-facing digital health tools that integrate with CMS Aligned Networks.
CMS stated that participating apps will be grouped into three categories: applications designed to eliminate manual check-in processes, conversational artificial intelligence assistants, and diabetes and obesity management tools. To be included, apps must sign CMS’s interoperability pledge and meet specified participation requirements, including implementing identity verification through ID.me or CLEAR, enabling connectivity to CMS Aligned Networks, and completing an evaluation by the Digital Medicine Society or the CARIN Alliance prior to CMS review. CMS also indicated that participants in the Advancing Chronic Care with Effective, Scalable Solutions (ACCESS) Model that join the Health Technology Ecosystem will be identified in the library with a special designation. The announcement reflects CMS’s continued emphasis on voluntary participation, interoperability, and consumer-facing digital tools within Medicare.
Congress Working on Kids’ Online Safety Legislation with AI Implications
The House Energy and Commerce Committee advanced a broad package of children’s online safety bills, including the Kids Internet and Digital Safety (KIDS) Act (H.R. 7757) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0, H.R. 6291), which now heads to the House floor. While the debate largely centered on privacy and platform accountability, several provisions touch directly on artificial intelligence, including mandatory disclosure when AI chatbots interact with minors and new studies on how social media algorithms impact mental health.
The House package, driven by Republicans, drew criticism from Democrats who argued it weakens key protections found in bipartisan Senate counterparts of these bills. Notably, the House bill omits “duty of care” language that would require tech and AI-enabled platforms to design products with children’s safety in mind.
Meanwhile, the Senate unanimously passed its COPPA 2.0 (S. 836), which expands data protections to teens under 17 and restricts how companies—including those deploying AI-driven personalization and advertising tools—can use minors’ data.
Overall, both chambers are moving toward tighter regulation of platforms and AI technologies that interact with young users, though the House and Senate currently diverge on how strong those protections should be.
Senate Committee Passes Cybersecurity Bill
On February 26, the Senate Health, Education, Labor and Pensions (HELP) Committee passed the Health Care Cybersecurity and Resiliency Act (S. 3315) by a vote of 22-1. This legislation would establish new minimum cybersecurity standards for HIPAA‑regulated entities—including multifactor authentication, data encryption, penetration testing, and regular security audits—while strengthening federal coordination through HHS and CISA and requiring a comprehensive cybersecurity incident response plan. It also updates breach reporting rules, mandates publication of corrective actions after incidents, and designates the Administration for Strategic Preparedness and Response (ASPR) as the Sector Risk Management Agency for healthcare. This bipartisan bill has been of interest since recent cybersecurity threats have crippled parts of the health care industry.
Congress Extends Key Telehealth and Digital Health Programs in Funding Bill
On February 3, Congress averted a government shutdown, in particular providing funding for the Department of Health and Human Services (HHS), which included digital health provisions and extensions of expired programs. The final funding bill included:
- a two-year extension of the telehealth waivers (through December 31, 2027),
- a delay of the in-person visit requirement for mental health services via telehealth for three years (through January 1, 2028),
- an allowance for telehealth cardiopulmonary rehabilitation services through January 1, 2028,
- a five-year extension of the Hospital at Home program (through September 30, 2030), along with a requirement that the hospital-at-home study be shared with Congress, and
- a three-year extension of the virtual diabetes prevention program (through December 31, 2029).
In addition to the extensions, the funding bill included provisions requiring providers to use a telehealth modifier beginning January 1, 2027, and requiring HHS to issue guidance on delivering telehealth services to individuals with limited English proficiency in one year.
Notably, Congress also included a provision requiring an assessment and report to Congress on wearable medical devices in 18 months. The report on wearables includes a review of the potential for such devices to accurately prescribe treatments, an examination of artificial intelligence to augment such capabilities, and policy options to enhance the benefits while mitigating challenges.
ASTP/ONC Announces Nationwide Behavioral Health Interoperability Pilots
ASTP/ONC announced on February 2, 2026, the selection of nine nationwide pilot programs aimed at improving the interoperable exchange of behavioral health data. Launched in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), the pilots will test real-world implementation of the USCDI+ Behavioral Health dataset and the FHIR Behavioral Health Profiles Implementation Guide in varied behavioral health settings. A central focus of the pilots is addressing persistent barriers to behavioral health data sharing, including patient consent and heightened confidentiality requirements, while supporting more integrated behavioral and physical health care workflows.
The pilots will run through the end of 2026, with results expected to inform future updates to federal interoperability standards, implementation guidance, and ONC policy initiatives, including development of a Behavioral Health Information Resource anticipated in 2027. For providers, health IT developers, and health information exchanges, the initiative underscores continued federal emphasis on expanding electronic health information exchange for behavioral health while balancing privacy protections. As behavioral health interoperability remains a priority across multiple federal agencies, these pilots may signal the direction of future regulatory and enforcement activity in this area.
Draft USCDI v7 and Standards Bulletin 2026-1 Open for Comment
ASTP/ONC has released Draft USCDI v7 for public comment, proposing 30 new data elements aimed at advancing interoperable health data exchange and improving the usability of health IT. The proposed additions span adverse health and safety events, care coordination and patient context, and clinical care, signaling continued federal emphasis on more actionable data sharing to support care coordination. The accompanying Standards Bulletin 2026-1 provides important context on how these proposed elements fit within ONC’s broader standards strategy and highlights key changes stakeholders should review closely. The public comment period is open through April 13, 2026. Draft USCDI v7 and the Standards Bulletin are available here and here.
ASTP/ONC Seeks Input on Diagnostic Imaging Interoperability
ASTP/ONC has also issued a new Request for Information focused on diagnostic imaging interoperability standards and certification, reflecting the growing centrality of imaging to patient care and clinical decision-making. The RFI seeks feedback on how standards and ONC Health IT Certification Program criteria can better support access to and exchange of diagnostic images as part of electronic health information, with the goal of improving care coordination, reducing costs, and accelerating diagnosis and treatment. Comments will be due March 16, 2026. The RFI is available in the Federal Register.
OpenAI and Anthropic Launch Health-Focused Versions of Consumer LLMs
Leading artificial intelligence companies OpenAI and Anthropic have both unveiled major health care initiatives, marking a significant push by foundational model makers into the medical sector. OpenAI announced two products: ChatGPT Health, a consumer-facing platform that allows users to upload medical records and connect health and wellness apps for personalized insights, and OpenAI for Healthcare, an enterprise suite designed to help health care providers with administrative tasks like prior authorization and coding. Anthropic followed with Claude for Healthcare, which blends enterprise and consumer tools in a unified platform offering HIPAA-ready infrastructure for handling protected health information. Both companies are targeting patients, providers, and researchers with AI tools that promise to reduce administrative burden, improve care coordination, and help individuals better understand their medical information.
However, the creation of these patient-centric tools has raised significant concerns among consumer privacy advocates and health care professionals. Medical information entered by patients into these kinds of tools often falls outside of HIPAA’s protections since the tool is not functioning as a covered entity under the federal health privacy framework. That said, the FTC’s health breach notification regulations and state consumer health data privacy laws may still be implicated (e.g., Washington’s My Health My Data Act). Additionally, critics highlight the risk of AI hallucinations producing inaccurate medical information, potential data breaches, and the possibility that de-identified health records could be re-identified when combined with other datasets.
While OpenAI and Anthropic have indicated that the tools are designed with privacy protections and have committed not to use personal health data for training future models, the regulatory landscape impacting these initiatives remains unclear. State and federal laws do not yet adequately address the unique challenges posed by AI systems processing vast amounts of medical data in real time, requirements for disclaimers in patient communications, and clear instructions for reaching human health care providers. Both companies acknowledge their systems can make mistakes and emphasize that qualified health care professionals must review AI-generated content before clinical decisions are made. California Assemblywoman Mia Bonta, sponsor of the recently enacted AB489, a law that prohibits AI systems from functioning as licensed healthcare professionals and restricts marketing language that suggests clinical expertise, responded to these announcements by emphasizing that these tools warrant increased scrutiny around consumer protection and highlight the importance of compliance with emerging regulations.
Utah Launches Nation’s First State-Approved AI Prescription Refill Program
Utah has partnered with Doctronic to become the first state to approve artificial intelligence for prescription refills, marking a significant development in health care innovation and in the use of regulatory sandboxes to foster technological advancement while maintaining patient safety through controlled testing environments. This project allows patients to interact with an AI agent to renew routine prescriptions for chronic conditions, covering approximately 190 commonly prescribed medications, including blood pressure drugs, diabetes medications, and thyroid treatments. The program includes human oversight mechanisms, with physicians reviewing the first 250 AI-generated prescriptions in each drug class before full automation proceeds. The AI agent also includes multiple safeguards such as identity verification, contraindication screening, and automatic escalation to human clinicians when uncertainties arise. State officials will track clinical safety protocols, patient satisfaction, medication adherence, and cost impacts. Controlled substances and high-risk medications are excluded from the pilot project.
This project may catalyze broader adoption of regulatory sandboxes for high-stakes AI applications across the country, balancing innovation with accountability. States such as Texas, Arizona, and Delaware have already created their sandbox frameworks, and legislation is being introduced in others for consideration in the 2026 legislative sessions. In September 2025, Senator Ted Cruz introduced the SANDBOX Act, which would create a federal regulatory sandbox program allowing AI developers to obtain temporary waivers from federal regulations for up to ten years to test and deploy AI technologies.
DEA Issues Fourth Extension of Telemedicine Flexibilities for Prescribing Controlled Medications through 2026
The DEA, in coordination with HHS, issued another temporary extension of the COVID-19 era telemedicine flexibilities. The fourth temporary extension allows DEA-registered practitioners to prescribe Schedule II-V controlled substances remotely without a prior in-person evaluation through December 31, 2026, avoiding a potential disruption to telehealth-based care while permanent rules are finalized. Under the extension, clinicians may continue prescribing controlled substances via telemedicine (subject to applicable federal and state laws), as the DEA continues work on long-term regulations, including a proposed special registration framework. Additional details are available in the DEA’s official announcement here, HHS’s related press materials here, and HHS’s overview of controlled substance prescribing via telehealth here.