With the Medicines and Healthcare products Regulatory Agency (MHRA) about to close a consultation on how medical devices will be regulated across the in the future, there has been lots of debate about what the future regulatory landscape will look like within the digital health space. Andrew Davies, digital health lead at the Association of British HealthTech Industries (ABHI), takes a deeper look at these consultations and looks at what they signal.

Product lifecycles in Digital Health Technologies are characterised by an agile process where the product is updated at frequent and regular intervals, sometimes multiple times a week. Artificial Intelligence (AI), as an extreme case, takes product iteration to a new level, where ‘updates’ potentially occur continuously and without human intervention. Continuous innovation in response to changing user demands, new data inputs, operating environments or the need to respond quickly to security vulnerabilities or adverse events drives further rapid updates at a much higher frequency than “traditional” medical devices experience.

The regulatory system needs to align to the pace of change in technologies and the process of initial and ongoing approval and post market surveillance may need to differ from traditional regulatory systems applied to health technologies.

Software as a medical device

At nearly 200 pages, the consultation on the UKCA mark is a large document, running through 17 chapters, 83 sections and 100s of questions. I will, however, focus on chapter 10, which deals with Software as a Medical Device (SaMD). There are a number of promising proposals outlined in the document, not least of which is the adoption of a risk classification system based on that of the International Medical Device Regulators Forum. Regulatory alignment between international jurisdictions can support British businesses to export, the ability of the health system to adopt international best practice and the attraction of inward investment. So, it is a fine balancing act that the new regulations will need to achieve between alignment with key regulatory systems (such as FDA and EU CE mark) and taking the opportunity to create new regulations that take advantage of the new found freedoms post-Brexit to forge a different path.

One way to achieve this fine balance is to look not at deviation in our regulation from international norms, but instead the process for implementation, making them as seamless, agile and transparent as possible. At the same time as launching the consultation the MHRA also made two other announcements; firstly the launch of a work programme on AI and secondly the announcement of guiding principles for good machine learning. The fact that the latter announcement was made in conjunction with FDA and Health Canada is a clear indication of the more international approach to thinking in this area. Whilst the work programme stated: “It is anticipated that much of the reform required to meet these objectives will be in the form of clarificatory guidance, standards, or processes rather than secondary legislation.” The greater use of tools other than legislation provides the opportunity for the system to responds in a much more agile way to technological changes and is a positive direction of travel for UK industry.

Inconsistent data

How data can be managed and processed is a cornerstone of digital health and there is potential change in the offing for the UK GDPR with the current DCMS consultation. Again, the exit from the European Union brings about the possibility of amending our legislation, but again it is a fine balancing act. Whilst few would argue that UK data legislation is not without its issues, the current implementation of UK GDPR has helped ensure we have an adequacy agreement with the EU, allowing sharing of data across European borders for research and clinical trials (amongst other things).

One of the key issues is that there are two intersecting regulatory regimes governing the use of health data that are inconsistent with one another, but nevertheless overlap: firstly, there is the traditional healthcare regulatory framework, which includes the common law duty of confidentiality and the regulation of medical devices. Secondly, there are the legal concepts which appear in data protection legislation like the UK GDPR that employs concepts like data controllers and data processors which have been developed and cultivated totally outside the healthcare context and fit uneasily in the healthcare environment. An example of this is anonymised data where there are very different thresholds for anonymisation between the GDPR and the common law duty of confidentiality. This disconnect has been highlighted as one possible reason why the NHS can be overly cautious regarding data sharing.

Clear guidance on data sharing

Another area where the two regimes can cause issues, and one that is highlighted in the consultation, is the basis for data sharing. We would recommend that government issue clear guidance on the legal bases for processing and transparency under the GDPR, including outlining how various GDPR legal basis for processing align with use cases that are fundamental to the development of data-driven innovation in the life sciences.

Streamlined data governance can ensure that data will flow seamlessly and securely across the health and care environment. This is of benefit to all those involved in the system.

A modern regulatory methodology will support faster patient access, improve safety and position the UK as an attractive investment and launch market. Regulation has as an important role to play in demonstrating to the public, and to users, the trustworthiness of the system to build confidence in the use of data, software and devices as part of health and care delivery.

You can find more detail on this contained within the ABHI White Paper: Digital Health Regulatory Concepts.

We have only touched on some of the aspects around data and I look forward to a deeper dive into the subject next time round.