In Lexology’s Getting the Deal Through: Digital Health 2021 (UK), Latham & Watkins considers the key regulatory and transactional issues faced by market players and practitioners.
The UK has an active digital health market comprising both the private and public sectors. Venture capital funding in the digital health sector has increased significantly in recent years, with the majority of investment appearing to come from private investment firms. However, public financing through IPOs is also on the rise. The COVID-19 pandemic has further heightened the positive and dynamic investment climate for digital health technologies in the UK. In particular, the pandemic has highlighted the need for resilience in healthcare systems, including through digital health solutions. Consequently, the pandemic has significantly accelerated uptake of digital health solutions in the UK and related investment opportunities, as well as challenged structural barriers that previously slowed investment in digital health innovations.
Digital health in the UK is governed by a patchwork of legal regimes, rather than bespoke legislation, and various regulatory and enforcement bodies have jurisdiction over the sector. In the EU, the regulatory framework for medical devices is due to be overhauled with the introduction of two new regulations, applying from 26 May 2021 and 26 May 2022 and governing medical devices and in vitro diagnostic medical devices, respectively. These two new regulations will not form part of UK law following Brexit. However, the Medicines and Healthcare products Regulatory Agency has noted that it is “developing a robust, world-leading regulatory regime for medical devices that prioritises patient safety”, meaning the UK may choose in future either to align with the new EU regulations or to retain regulatory flexibility.
Digital health offerings usually process data concerning health, genetics, or biometrics, which are among the “special categories of personal data” listed in the UK General Data Protection Regulation. Such data can only be processed if, in addition to a lawful basis for the processing, one of a limited number of conditions is met; those conditions are exhaustively set out in law.
In 2020, the trend of ransomware attacks targeting companies holding large amounts of electronic health records or profiles continued. Defending against and responding to a ransomware incident, particularly one with multi-jurisdictional impact, is complex and requires consideration of a number of regulatory areas, including data protection, cybersecurity, law enforcement, industry-specific regulation, and sanctions (in relation to ransom payments).
Companies engaged in the digital health space should bear in mind the concepts of “privacy by design” and “privacy by default”, which are built into the UK data protection regime, as well as the Information Commissioner’s Office’s stated priority on records management in the healthcare space. In practical terms, this means implementing technical and organisational measures that secure data and ensure it is processed in a manner proportionate to the purposes for which it is processed.