UK Law and Practice Contributed by: Amélie Chollet, Hannah Curtis and David Dennis, CMS
the GPhC regulates pharmacy owners and sets standards for distance-selling pharmacies.

The foregoing bodies are involved because digital healthcare often involves the processing of sensitive data, consumer transactions, and the provision of regulated products and services outside traditional healthcare settings.

3.3 Enforcement

Laws and regulations in digital healthcare are enforced through a combination of pre-market controls, post-market surveillance and direct enforcement actions.

Medical Devices

The MHRA is the regulatory agency with statutory powers to regulate medical devices, including software as medical devices (SaMDs), and to enforce applicable legislation. Enforcement measures range from simple informal or formal compliance requests to more stringent administrative measures (such as issuing product recalls, or restricting or prohibiting the placing or making available of devices on the market). The MHRA also has the power to issue financial penalties.

The MHRA's approach is generally to apply a proportionate response based on the risk for public health. It tends to favour a collaborative approach for technical violations. Escalations are expected if safety risks are identified, or in cases of non-cooperation. Examples where criminal prosecutions can occur would include cases of deliberate violations or cases of serious safety risks.

Data Protection

The ICO has significant enforcement powers, including issuing information and enforcement notices, conducting assessments and imposing fines of up to GBP17.5 million or 4% of global turnover for breaches of the UK GDPR. For breaches of the PECR, fines can reach up to GBP500,000.

CQC

The CQC can use both civil and criminal powers to enforce the fundamental standards of care. For example, the CQC can prosecute providers for breaches of Regulation 12 (safe care) under the HSCA 2008 – a criminal offence if patients suffer avoidable harm. Where standards fall short but are not criminal, the CQC may impose civil remedies: issuing warning notices, imposing additional conditions on a registration, or suspending or even cancelling a provider's registration.

Since 2020 the CQC can also levy fixed penalties (fines) for certain breaches. Notably, the government has urged the CQC to be "tough" on online services – for example, a 2017 statement praised a "tough and comprehensive inspection regime" to uncover failings in digital care and protect patients. In practice, the CQC has inspected and sanctioned several online GP services and pharmacies for safety violations, with some providers being placed in special measures or closed.

ASA (Advertising)

The ASA enforces through its Compliance and Investigations Committees. It can quickly remove or ban ads (especially online) that breach the CAP Code. In 2025, it partnered with the MHRA to issue formal enforcement notices targeting illegal online adverts for prescription medicines.

Stricter Enforcement

Areas involving patient safety, the processing of special category data (such as health data), and the use of digital health apps as medical devices are subject to particularly strict enforcement due to the potential for significant harm.