UK Law and Practice Contributed by: Amélie Chollet, Hannah Curtis and David Dennis, CMS
3.4 Sufficiency of Oversight

The current regulatory framework is comprehensive but continues to evolve in response to the rapid development of digital health technologies. There is recognition that further enhancements and powers may be needed. Gaps have been identified, and it has been proposed that there is a need to update device regulations for software and AI, and to reform data protection law in this area.

Industry groups have urged a more agile, risk-based approach: the ABHI’s 2024 digital health White Paper recommends shifting to a classification system tailored for software/AI devices, streamlining data governance and clarifying liability for digital products.

As regards patient safety, the CQC has itself indicated a need for expanded powers. Currently, it cannot publish a separate rating for “digital-only” providers, although it expects new legislation to grant this in future.

The Regulatory Horizons Council’s 2022 report on AI in healthcare – and the UK government’s March 2025 response accepting either fully, or at least in principle, all of its 15 recommendations – signals plans to boost regulators’ capacity, introduce life cycle monitoring for AI devices, increase transparency and patient involvement, and encourage UK leadership on safe AI.

4. Liability

4.1 Legal Risks of Digital Healthcare

The main legal risks and drawbacks associated with digital healthcare include the following.

Non-Compliance With Regulations

Failure to comply with medical device regulations, data protection laws or consumer protection requirements can result in regulatory action, fines, product recalls or criminal prosecution. Failure to comply with the foregoing can trigger enforcement by the MHRA. Likewise, operating a telemedicine service without proper registration or meeting the required standards can risk CQC action.

Enforcement by Regulatory Authorities

Regulatory authorities have significant powers to enforce compliance, including the ability to prevent products from being marketed, require corrective actions and impose financial penalties. Failing to comply with data protection rules can result in severe penalties from the ICO. Similarly, providers must also comply with advertising and consumer laws – for example, making unsubstantiated medical claims about a health app could violate the CAP Code and result in ASA sanctions.

Liability

Digital health software will generally constitute a “product” under the CPA/CPO 1987 (for defective products) where it is supplied as a distinct commercial offering, though specific application depends on the nature of the software and how defects arise. EU law – specifically the new Product Liability Directive – could change the situation in NI compared to GB. If the Directive is deemed to apply in NI under the Northern Ireland Protocol, there could be a divergence in product liability regimes in NI in the future, including for digital health applications and software.

4.2 Liability Frameworks

Legal exposures are addressed through a combination of statutory and common law mechanisms.