In Lexology’s Getting the Deal Through: Digital Health 2021 (UK), Latham & Watkins considers the key regulatory and transactional issues faced by market players and practitioners.
The UK has an active digital health market comprising both the private and public sectors. Venture capital funding in the digital health sector has increased significantly in recent years, with the majority of investment appearing to come from private investment firms. However, public financing through IPOs is also on the rise. The COVID-19 pandemic has further heightened the positive and dynamic investment climate for digital health technologies in the UK. In particular, the pandemic has highlighted the need for resilience in healthcare systems, including through digital health solutions. As a result, the pandemic has significantly accelerated uptake of digital health solutions in the UK and related investment opportunities, as well as challenging structural barriers that had previously slowed investment in digital health innovations.
Digital health in the UK is currently governed by a patchwork of different legal regimes, rather than bespoke legislation, while various regulatory and enforcement bodies have jurisdiction over the digital health sector.
On 26 May 2021, the EU overhauled its regulatory framework for medical devices with the introduction of a new regulation governing medical devices. A further EU regulation governing in vitro diagnostics (IVDs) is due to come into force on 26 May 2022 (with specific transitional periods depending on the type of IVD). These two new regulations do not form part of UK law following Brexit.
On 16 September 2021, the Medicines and Healthcare products Regulatory Agency (MHRA) launched a 10-week consultation on the future regulation of medical devices in the United Kingdom, with the aim of creating a “bold new regulatory regime” effective from July 2023. The consultation, which closed on 25 November 2021, aims to amend the Medical Devices Regulations 2002 with a view to creating new access pathways to support innovation, creating an innovative framework for regulating software and artificial intelligence (AI) as medical devices, reforming IVD regulation, and fostering sustainability through the reuse and re-manufacture of medical devices. The consultation covers 15 key areas, including the scope of the regulations, classification of medical devices, economic operators, registration and unique device identifiers, conformity assessment, clinical studies, IVDs, software, and routes to market. For the most part, the proposed changes in many of these areas align with the new EU regime, although there are some notable divergences, in particular with respect to routes to market. For more information on the consultation, see this Latham Client Alert.
In parallel with the consultation, the MHRA has published a set of 11 work packages detailing the UK’s proposals to provide a regulatory framework for software and AI medical devices. The MHRA plans to deliver key elements of each work package from Autumn 2021 until Summer 2023. These proposed reforms, most importantly regarding software and AI as a medical device, will be of particular interest for companies offering digital health solutions in the UK.
On 22 September 2021, the UK government’s Department for Digital, Culture, Media & Sport (DCMS) announced its long-awaited National AI Strategy, which sets out the government’s 10-year plan to make the UK a “global AI superpower”. The strategy focuses on three core pillars: (i) investing in the long-term needs of the AI ecosystem, (ii) ensuring that AI benefits all sectors and regions of the UK, and (iii) governing AI effectively.
Digital health offerings will usually process data concerning health, genetic data, or biometric data, which are among a list of “special categories of personal data” under the UK General Data Protection Regulation. Such data can only be processed if one of a limited number of conditions is met, which are exhaustively set out in law.
Companies engaged in the digital health space should bear in mind the concepts of “privacy by design” and “privacy by default”, which are built into the UK data protection regime, as well as the Information Commissioner’s Office’s (ICO) stated priority on records management in the healthcare space. In practical terms, this means implementing technical and organisational measures that secure data and ensure that data is processed in a manner commensurate with the purposes for its processing.
In 2020 and 2021, we saw a continuation of the trend of ransomware and other cybersecurity attacks targeting companies with large amounts of electronic health records or profiles. Defending against and responding to a ransomware incident, particularly one with multi-jurisdictional impact, is complex and requires consideration of a number of regulatory areas, including data protection, cybersecurity, law enforcement, industry-specific regulation, and sanctions (in relation to ransom payments).
On 10 September 2021, DCMS launched a consultation on reform of the UK data protection regime, proposing a number of divergences from the EU GDPR, including reducing compliance burdens, reducing barriers to data flows, and reducing barriers to innovation by making it easier to use, share, and reuse data for research and development purposes.
This year will likely bring more clarity as the nascent regulatory framework for digital health continues to develop. Companies and investors in the digital health sector will need to keep pace with the fast-moving regulations and guidance, particularly in the area of AI, as well as potential further divergences between the UK and the EU.