Understanding the regulatory landscape in the UK for digital health startups

This week we attended a workshop organised by South East Health Technologies Alliance (SEHTA). SETHA is one of the largest health technology networking organisations in the country and has grown to 1300 members from 20 different countries. The day focused on regulation in digital health specifically around medical devices. Here’s a round-up of the day.

Chris Alderson, Partner at legal firm Hempsons who were hosting the event kicked us off with a whistlestop tour on information governance issues that startups need to be aware of when working with health data. Currently in the UK the regulation covering health data is the Data Protection Act but this will be superseded by the General Data Protection Regulation (GDPR) when it comes in next May. 

Chris recommended that every health startup read the Confidentiality NHS Code of Practice which was written in 2003 and is the main source of the rules governing how data can be used in the NHS. The Code enshrines the Caldicott Principles - a set of guiding principles written by Dame Fiona Caldicott in 1997 (and updated in 2012 and 2016). The seven principles are worth a read and include access to patient identifiable information should be on a strict need-to-know basis (Principle 4). Patient data can only be shared with those in direct care and and for direct care purposes only. Therefore patient data cannot be shared with researchers or app developers without explicit consent. This is how Deepmind and the Royal Free got into trouble recently over their use of patient data.

But even if your startup is not targeting NHS, with the GDPR coming in next year companies will still need to be transparent about how you are using data. So how do you develop digital products in this restrictive environment? Chris recommended that data is anonymised or pseudonymised at source; consider the granularity of the data to mitigate against the risk of accidental re-identification of data if detailed information can be combined with other data sets; the use of controlled environment for usage of detailed anonymised data; and ensuring that you have an excellent levels of security.

Lastly, Chris reminded the audience that with the GDPR the requirements to demonstrate consent will be tightened. His recommendation was not to reply on explicit consent especially as the GDPR Data Protection Bill will introduce a criminal offence of re-identifying data.

Next up was Harriet Unsworth, Senior Technical Analyst at the National Institute for Health and Care Excellence (NICE) which is the body that provides national guidance and advice to improve health and social care. Harriet gave an overview by NICE on their role in digital health assessment. NICE are best known for looking at drugs but they also provide guidance and advice on technologies.

There are currently four routes for digital technologies at NICE that startups should be aware of:

1.    Medtech Innovation Briefings (MIBs) are NICE advice designed to support NHS and social care commissioners and staff who are considering using new medical devices and other medical or diagnostic technologies.

2.    NICE are piloting Healthcare App Briefings (HABs) with the first three pilot HABs expected to published this month.

3.    NICE and NHS England are developing an assessment programme for digitally enabled psychological therapies which will assess the effectiveness of 14 digitally enabled therapies for use within Improving Access to Psychological Therapies (IAPT) programmes.

4. Lastly, NICE can endorse simple digital tools the help in the implementation of NICE guidance.

NICE provide a range of support services to medtech companies. Their Office for Market Access can answer queries and help companies develop their value proposition. They also have a not for profit consultancy service.

Following Harriet was Clive Flashman, Director of Strategy at ORCHA talking about the landscape of regulation and review with mHealth apps. ORCHA are the predominant provider of health and care related App Reviews to the health and care market in the UK. The company was founded by Liz Ashall-Payne in 2015 when she was looking for an app to help her child but didn’t know which one to choose from the app store.

Clive shared some statistics showing the extent of the problem for consumers. There are over 300,000 health and wellness apps in the app stores at present, 4 million downloads per day globally, and 80% of healthcare professionals believe that apps can help people.

However there are challenges. Many apps provide information of varying quality, 50% of health apps have less than 500 downloads so user reviews cannot necessarily be trusted, there is an absence of information around risks and side effects of apps, and most apps have a drop off rate of 64% after one month.

Clive dispelled some common myths about apps. There is not one perfect app for each condition; each person’s needs are different. It’s a myth that apps need to be reviewed only once. ORCHA review each app again after an update. Just having a library of apps will not drive transformation and change; cultural change is also needed. Lastly, every health and care economy has different requirements and will not want the same recommended selection of apps.

ORCHA review 4 levels of apps: wellbeing apps; self management of a condition apps; apps that are part of a professional pathway; and clinician facing apps (which tend to need CE marking). They have a process for shifting, reviewing, rating and publishing their scores.

After coffee and a networking break we were joined by Valerie Field, Head of Devices and Software / Apps at the Medicines & Healthcare products Regulatory Agency (MHRA) who have an overview of when apps become medical devices. Their research has shown that 83% of clinicians use apps for professional purposes such as dose calculation, triage apps, symptom checkers etc.

But when is software a medical device? Valerie said the following tests should be applied: firstly, what does the manufacturer claim is does? Secondly, is this use considered to be a medical purpose? Examples of this are diagnosis, monitoring, treatment or alleviation. If the app is a lifestyle app only, it's not a medical device. Also if the app just transmits data (rather than recommending a clinical decision), it is not a medical device.

Valerie started by explained that all medical devices need to be CE marked. The MHRA do not directly give CE marking. Companies either certify themselves or use a notified body such as the BSI. Class 1 devices are self certified. This is a light touch process. Most apps are Class 1 at present and the company needs to register the device with the relevant competent authority which is the MHRA in the UK. The device can then carry a CE mark. A CE mark is a logo that is placed on medical devices to show that the device is fit for its intended purpose stated and meets legislation relating to safety. It shows the product can be freely marketed anywhere in the European Union. Companies need to register with MHRA which costs £100. They self declare for each device, apply the CE mark and details then appear on the publicly available database.

They have developed a useful interactive Device determination flow chart with guidance to show which standalone software and apps meet the definition of a medical device and therefore require to be CE marked, and those which do not.

Next up was Neelam Patel, COO of MedCity and Rob Turpin, Healthcare Market Development Manager at BSI with advice on how to get evidence to satisfy regulations.

Neelam started by outlining four challenges for early stage companies that they see time and time again at MedCity: understanding the market and the multiple payers and players in it; understanding the demand for the product and quantifying this; understanding where the innovation would fit into the patient and clinician pathway; and lastly, an idea of how are you going to displace what exists already.

She shared an interesting case study of the 11Health journey to demonstrate the complexity of the system. Michael Seres, the founder of 11Health, was the 11th patient in the UK to receive a small bowel transplant. While recovering from the operation he had an idea for a sensor that works with his ostomy pouch to signify when it was full and about to leak. Michael’s technology has CE marking, FDA approval and is now in the NHS apps library but with the right advice and guidance at the start 11Health could have saved time and money as the innovation landscape is complex.

Next Rob talked us through the types of evidence that it’s important for digital health companies to start to gather. They are:

1     Business case:  stakeholder mapping, market intelligence, value proposition
2.    Usability: usability, adherence, technical design
3.    Quality: regulatory compliance, information governance, safety and risk
4.    Outcomes: patient outcomes, health economics, efficacy

He shared the Digital Health Evidence Map that they developed with MedCity, DigitalHealth.London and NIHR NOCRI, to support early-stage and late-stage digital health SMEs to generate evidence for their technologies to support adoption into the NHS. It maps the organisations available to help SMEs provide infrastructure to trial their technology and where to go to get more information.

Last but not least the morning finished with a case study from Tom Muller, Customer Relations Executive at Docobo. Docobo is a company whose aim is to reduce unscheduled admissions to hospital for people with long-term conditions. They have developed two medical devices to help with this. 

The DocoboApp is a Class 1 medical device that is CE marked. They also got ISO 13485:2016 - Quality Management System which is not legally required but expected and also IEC 62304 which defines the life cycle requirements for medical device software. Their Careportal is a Class 2a medical device. They codesigned it with AgeUK and is aimed at the IT illiterate older user. The physical device does a number of things including recording ECG. The Notified Body they used was BSI.

Tom outlined some of the regulation challenges the company have had since their inception in 2001. Achieving the regulatory standards in the first place was the first hurdle; maintaining those standards is an ongoing process that takes a lot time and money; and lastly, regulatory differences between other countries can be difficult eg they are looking at the Chinese market currently.

 However the benefits of getting it right are that it helps sell into the UK healthcare market; it helps sell into international markets; and helps when writing bids for tenders for NHS services by giving credibility eg they won a large £1.4 million telehealth tender on the back of their regulated products.

All in all it was a fantastically informative morning. Thanks to SETHA and Hempsons for organising it.

(Disclaimer: this is our interpretation of the information and advice given at the event. Please do not take this as legal advice.)