Whether your company is new to the digital health space, or enhancing its existing digital health offering in response to COVID-19, here are our top 5 legal issues to bear in mind as you embark on your journey.
COVID-19 is accelerating the adoption of digital health solutions by hospitals and medical institutions around the world. Companies are innovating at lightning speed to adapt to new needs: patients are being treated remotely through mobile doctor apps, symptom-checking bots are triaging patients and providing tailored advice, and new remote consultation and tracking solutions are hitting the market fast.
There has never been a more urgent need to help strained healthcare systems and patients. But even in the current climate, regulators are emphasising the need to balance innovation and safety.
Top 5 legal issues to have on your radar
1. Medical Device Regulation
If your digital health solution has a medical purpose, there’s a risk it will be regulated as a medical device in the EU. There are exceptions to this, but companies should conduct an assessment to determine whether this is the case and the classification of any potential medical device.
EU medical device regulation is in a state of transition and comprises the outgoing Directive 93/42 on medical devices (MDD) and the incoming Regulation 2017/745 on medical devices (MDR). The MDR will only fully replace its predecessor, the MDD, on 26 May 2020 (although at the time of writing, the EU Commission has proposed an extension of the transition period until 26 May 2021, to allow manufacturers to focus on COVID-19 responses). During the transition period, devices can be placed on the market under the current MDD, or the new MDR, and the two regimes operate in parallel. The UK’s Medicines and Healthcare products Regulatory Agency (MHRA) is firmly focussed on prioritising any tools in the fight against COVID-19, so any digital health tool aimed at helping in this is likely to receive priority attention in reviews and approval procedures. In some circumstances, the MHRA may authorise manufacturers to supply a non-CE marked device in the interest of protecting public health.
2. The hurdles in using patient data: data privacy, medical confidentiality and cybersecurity
In the EU, organisations using patient data will need to assess whether they act as processor or controller, and comply with corresponding obligations under the GDPR. There can be difficult GDPR questions to grapple with, such as consents, security measures, and restrictions on transfers of data. The UK’s Information Commissioner’s Office has issued guidance during the pandemic, emphasising that data protection doesn’t stop organisations from sharing information quickly or adapting the way they work – data protection is about being proportionate.
But the GDPR is only one part of the jigsaw puzzle when using patient data. In the UK, you may need to factor in the common law duty of confidentiality between doctors and patients – this restricts sharing of data by healthcare professionals. There’s also the National Data Guardian’s Data Security Standards and the UK National Health Service (NHS)’s detailed information governance requirements. It’s important to see GDPR compliance as one aspect (albeit a highly important one) of your organisation’s approach to patient data in the UK.
3. Registration requirements for regulated activities?
There’s no telemedicine-specific legislation in the UK, and this has created a more digital health-friendly environment than some other jurisdictions. However, your organisation may still need to register certain regulated activities with the UK’s Care Quality Commission (CQC), such as triage and medical advice provided remotely. The registration process involves a detailed application process, an assessment by the CQC and a CQC inspection. Providers of regulated services are also expected to comply with ‘fundamental standards’ and guidance on issues such as mental capacity of patients and verification of patient identity. The CQC has announced that it will be stopping routine inspections during the pandemic, to focus on its primary objective to support providers to keep people safe.
4. Liability
We advise digital health providers to consider and mitigate several potential avenues for liability claims, including:
- strict liability under the Consumer Protection Act 1987 which implements the EU Product Liability Directive;
- fault-based liability for negligence, including medical negligence claims;
- contractual liability, depending on the contracts entered into; and
- exposure to liability under the MDD and MDR.
There is a relatively high, and ever increasing, appetite for medical negligence actions in the UK.
5. Market access and reimbursement
The NHS is by far the largest customer of healthcare products and services in the UK. However, the NHS can be a difficult customer to get to grips with – processes are decentralised, complex and may sometimes vary between NHS trusts. We advise providers of digital health solutions on public procurement laws in the UK and the complexities of contracting with NHS bodies, including the monetary thresholds for contracts which may necessitate public tenders by hospitals, potential commercial models of supply, and reimbursement.
There is new guidance making it easier for commissioners to adopt digital healthcare technologies, and for innovators to facilitate this. The UK’s National Institute for Health and Care Excellence (NICE) has produced an evidence standards framework for digital health technologies, addressing effectiveness standards and economic impact standards. The UK has also produced a ‘Code of conduct for data-driven health and care technology‘, setting out the UK government’s expectations from those developing, deploying and using data-driven technologies into the NHS. Like the MHRA, NICE is prioritising the fight against COVID-19, so any digital health solutions in this space are likely to be prioritised by NICE in their review and approval procedures.
