[co-author: Arushi Pandya]*
The metaverse has been described as the “next frontier” and the “new era” of healthcare. Although still a loosely defined and relatively broad term, the “metaverse” generally refers to a shared virtual environment accessed by individuals via the Internet. Individuals generally enter the metaverse through the following four technologies: virtual reality, augmented reality, mixed reality and extended reality.
As the metaverse market continues to grow, with some estimates potentially approaching $800 billion in 2024 (or a $300 billion increase from 2020 estimates), technology leaders in various industries, including healthcare, have begun to expand their presence in this new platform. The metaverse has numerous potential applications for healthcare, ranging from virtual immersive therapy experiences to digitally evaluating drug interactions. These advancements, present challenges and raise novel questions as to how the current healthcare and life sciences legal regime would apply to the metaverse.
Data Privacy and Security
Underlying the metaverse is a potential massive collection of user data. As users “exist” in the metaverse as avatars performing activities, various types of data, including some that may be deemed “personal” or “sensitive” (by law), may be generated.
Developers and other players in the metaverse offering health-related products and services will face an ever-growing patchwork of state and federal privacy and data security laws. Among other laws, this might include state biometric privacy laws, state “comprehensive laws” (California, and forthcoming in Colorado, Connecticut, Virginia and Utah), and considerations under unfair and deceptive practice laws at the state and federal level. The FTC’s increasing interest in health information that sits outside of HHS/OCR’s reach is likely to only expand in light of health-related metaverse use cases. However, traditional healthcare players, subject to the Health Insurance Portability and Accountability Act (“HIPAA”), may also find themselves innovating in this space (and grappling with how to stand up a HIPAA compliance program in the metaverse). In addition, companies may struggle with how to implement specific technical controls and robust data security programs (required under certain state and federal laws) in this evolving infrastructure.
Another significant concern in today’s digital health ecosystem is interoperability issues. Achieving interoperability, which is the ability of two or more systems to exchange health information and use the information once it is received, is already difficult amongst existing technology platforms and networks. Information is often inconsistent across different sources and protocols for sending, receiving and managing information vary between health systems. The introduction of the metaverse will likely exacerbate these interoperability issues.
Medical Device Regulations
Medical devices are regulated by the Food and Drug Administration (“FDA”) and many of the applications and technologies used to deliver or access healthcare in the metaverse may be classified as a medical device. For example, smart glasses and other forms of VR headsets can visualize a clinic in which a physician virtually evaluates the avatar of a patient.
In response to the growth of the metaverse and digital health generally, the FDA has been working to expand its guidance in the area. Four of the 2022 proposed draft guidance topics address software and clinical decision software as well as encompass other medical devices that incorporate AI, machine learning, or “smart” devices.
The agency has been especially active in the area of extended reality. The Medical Extended Reality Program in the FDA’s Center for Devices and Radiological Health has been formed to address regulatory science gaps and challenges in the area. The FDA has also hosted public workshops to discuss evaluation techniques for hardware, standards development, and assessment challenges for applications of extended reality in medicine.
The healthcare system in the United States is governed by an expansive network of state and federal laws, including the aforementioned HIPAA regulations. As the delivery of healthcare in the metaverse grows, the impact and application of these laws is uncertain.
Many types of healthcare services, ranging from mental health therapy to a dermatology appointment, have the potential to be offered through the metaverse. Which regulations are implicated will depend upon how those services are rendered, as well as how those services are funded and paid. For example, services that are billed to Medicaid or Medicare must comply with regulations that may not apply to services that are paid for in cash. Some technology platforms are in development to accept payment via cryptocurrency for health services provided in the metaverse. The way in which the current regulatory and payor systems would mesh with cryptocurrency payments is a gray area, especially as the movement towards cryptocurrency emphasizes deregulation and decentralization.
Some healthcare services may implicate certain healthcare fraud and abuse laws, such as the Stark law or the federal Anti-Kickback Statute, as well as the equivalent versions at the state level. For example, if an entity leases space or equipment to or from a physician and bills Medicare for services rendered or referred by the physician, the lease agreement must meet certain requirements, including the requirement that the space or equipment must not exceed what is reasonable for legitimate business purpose. The novelty of the metaverse raises the issue as to what constitutes a commercially reasonable amount of space in the metaverse. These laws have the potential to limit or regulate healthcare delivery in the metaverse, but their exact application is still unclear.
How healthcare providers are licensed in the metaverse is also an open question. Licensure and its enforcement can also occur at the state level. It remains to be seen how states licensure laws would translate to the metaverse and to what extent, if at all, states will impose or create licensure-related laws in the metaverse.
The interplay between healthcare delivery in the metaverse and healthcare laws creates even more questions when considered from a global perspective. The metaverse removes many of the geographic boundaries that can restrict the provision of healthcare services in daily life, and different countries vary immensely in their legal structure, especially with respect to their health laws. Innovators in the digital health metaverse face an exciting opportunity to redefine the patient experience from diagnostics, to treatment, and ongoing patient management. However, developing and maintaining patient trust in the context of a confusing sea of legal requirements will be critical to long-term success.
*Arushi Pandya is a law clerk in the Firm’s Dallas office.
 “Metaverse may be $800 billion market, next tech platform,” Bloomberg Intelligence (Dec. 1, 2021).
 “The Path to Interoperability,” The Office of the National Coordinator for Health Information Technology (Sept. 2013).
 Medical devices are defined by the FDA as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including any component, part, or accessory, which is (A) recognized in the official National Formulary, or the United States Pharmacopeia, or any supplement to them, (B) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or (C) intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. 21 U.S. Code § 321(h).