US Export Plan - Sector Report - HealthTech & Digital Health
This is one of 8 sector reports that outline the background research and analysis prepared in support of the US Export Plan and identify the key opportunities in the USA for Scottish companies in this sector.
Trade, policy and regulation considerations
US HealthTech and digital health companies operate within a relatively complex regulatory framework that balances innovation with patient safety, data protection, and equitable access. At the federal level, many of the key requirements come from the FDA (Food and Drug Administration) and from HIPAA (Health Insurance Portability and Accountability Act), among others, while state-level rules on privacy, telehealth licensure and reimbursement vary significantly. Understanding and navigating this landscape is essential for companies seeking to scale HealthTech solutions in the US.
Several federal bodies regulate the public health and safety space. The Department of Health and Human Services (HHS) oversees public health and safety through a range of agencies and programmes. Key divisions include the FDA, the Centers for Medicare & Medicaid Services (CMS), the Office of Inspector General (OIG), and the Office for Civil Rights (OCR), which enforces HIPAA, among others.
FDA & Medical Devices: The FDA is the primary federal authority responsible for enforcing the Federal Food, Drug, and Cosmetic Act, which governs the regulation of medical devices, drugs, dietary supplements, cosmetics, and food products introduced into interstate commerce. This includes oversight of Software as a Medical Device (SaMD). Within the FDA, the Digital Health Center of Excellence, housed in the Center for Devices and Radiological Health (CDRH), coordinates digital health initiatives across the FDA and assists in the evaluation and review of emerging digital health products.[25]
The pathway for a medical device from initial concept to market launch, including FDA authorisation, can take up to 15 years. The FDA has categorised distinct generic device types and organised them into 16 medical specialty groups known as panels. Each device type is placed into one of three regulatory classes (Class I, II or III), determined by the level of oversight required to ensure its safety and effectiveness.[26] Higher-class devices typically require clinical data to demonstrate safety and effectiveness, and the supporting studies may take 2-7 years. Once that data has been gathered, companies submit the appropriate premarket filing: a 510(k) Premarket Notification (resulting in clearance), a De Novo request (for novel low- to moderate-risk devices), or a Premarket Approval (PMA) application (for most Class III devices). FDA review of the submission can then take several months to over a year. Establishing compliance with the FDA Quality System Regulation (QSR; being replaced by the Quality Management System Regulation, which incorporates ISO 13485, from February 2026) and related ISO standards typically takes 6 months to 2 years. Devices may only enter the market once these systems are fully implemented, so the route from idea to market can be lengthy.[27]
Data protection and privacy regulation in the US can be a significant issue for some companies in the sector. Scottish companies need to consider both UK GDPR (and EU GDPR where EU data subjects are involved) and US-specific regulations such as HIPAA. HIPAA applies to covered entities (providers, health plans and clearinghouses) and to their business associates, which is the role a Scottish supplier will usually occupy, typically under a Business Associate Agreement (BAA). The HIPAA Security Rule requires administrative, physical and technical safeguards for electronic Protected Health Information (PHI), including access controls, audit controls, integrity and transmission security (with encryption as an addressable specification), and security incident procedures, while the Breach Notification Rule requires breaches to be reported to HHS and affected individuals.[28] There are also emerging HHS rules and guidance around the use of AI in healthcare.[29]
For digital health providers, telemedicine platforms, and mobile apps, HIPAA compliance demands comprehensive security controls, and companies need to work closely with their suppliers, especially cloud service providers, to ensure compliance; in practice this means having a BAA in place with each supplier that will store or process PHI and confirming which controls the supplier implements and which remain the company's responsibility.[30] Strong controls in this area will also give assurance to clients such as healthcare providers.
The Federal Trade Commission (FTC) also plays a regulatory role in digital health through the Health Breach Notification Rule (HBNR). This rule requires vendors of personal health records and related entities to notify affected consumers and the FTC (and, for larger breaches, the media) in the event of a breach of unsecured personal health information. It applies to health apps and services that fall outside the scope of HIPAA, so a consumer-facing app that is not a HIPAA business associate is still subject to breach notification obligations.
US Health Product Patents and Trademarks: Health products imported into the US should be protected by appropriate patents and trademarks. Scottish companies must navigate US intellectual property law and register and enforce their rights across jurisdictions.[31] Patents and trademarks are primarily governed at the federal level, with limited state-level elements. Patents are granted under Title 35 of the US Code and processed by the US Patent and Trademark Office (USPTO).[32] All inventions, whether medical devices, software, or digital health platforms, must meet the federal criteria of novelty, non-obviousness, utility, and subject-matter eligibility. For digital health, additional eligibility challenges apply, especially for software and diagnostic methods.[33]
State-level regulations
Each US state sets its own rules for telehealth, including provider licensing, consent requirements, and prescribing. Provider licensure is a state matter: there is no federal medical licence, and compacts such as the Interstate Medical Licensure Compact only streamline the process of obtaining licences in participating states rather than replacing state licensure.
Most states regulate Medicaid and/or private insurers to require that telehealth services be covered, and in many cases reimbursed, at levels comparable to in-person care. For example, 41 states passed significant telehealth legislation in 2024, often addressing parity and remote patient monitoring. Some states, like Arizona, have service parity laws requiring insurers to cover live video, store-and-forward, and audio-only telehealth.
Several states have created protections that go beyond HIPAA, covering data from health apps, wearable trackers, and online platforms. For example, Washington’s My Health My Data Act applies privacy protections to a wide range of health-related consumer data, regardless of provider type.[34]
Overall, product regulation (FDA) and baseline health-data privacy (HIPAA) are set at the federal level, while telehealth licensure, reimbursement and consumer health-data privacy vary from state to state. Some exports to the US may also need to account for individual states' sustainability priorities or specialised regulations, such as those relating to women's health. As a result, some companies may opt to avoid certain states altogether due to concerns around data rights, monitoring requirements, or other regulatory sensitivities.
Contact
Email: William.Gray@gov.scot