Continuous innovation in digital health means there is also a continuous need for increased regulation
CREDIT: This is an edited version of an article that originally appeared on Digital Health
Product lifecycles in digital health technologies are characterised by an agile process where the product is updated at frequent and regular intervals, sometimes multiple times a week. Artificial intelligence (AI), as an extreme case, takes product iteration to a new level, where ‘updates’ potentially occur continuously and without human intervention. Continuous innovation in response to changing user demands, new data inputs, operating environments or the need to respond quickly to security vulnerabilities or adverse events drives further rapid updates at a much higher frequency than ‘traditional’ medical devices experience.
The regulatory system needs to align to the pace of change in technologies, and the process of initial and ongoing approval and post market surveillance may need to differ from regulatory systems traditionally applied to health technologies.
Software as a medical device
At nearly 200 pages, the consultation on the UKCA mark is a large document, running through 17 chapters, 83 sections and hundreds of questions. I will, however, focus on Chapter 10, which deals with Software as a Medical Device (SaMD). There are several promising proposals outlined in the document, not least of which is the adoption of a risk classification system based on that of the International Medical Device Regulators Forum. Regulatory alignment between international jurisdictions can support British businesses to export, and enhance the ability of the health system to adopt international best practice and the attraction of inward investment. So, it is a fine balancing act that the new regulations will need to achieve between alignment with key regulatory systems (such as FDA and EU CE mark) and taking the opportunity to create new regulations that take advantage of the new found freedoms post-Brexit to forge a different path.
One way to achieve this fine balance is to look, not at deviation in our regulation from international norms, but instead the process for implementation, making them as seamless, agile and transparent as possible. At the same time as launching the consultation the MHRA also made two other announcements; firstly, the launch of a work programme on AI and, secondly, the announcement of guiding principles for good machine learning. The fact that the latter announcement was made in conjunction with FDA and Health Canada is a clear indication of the more international approach to thinking in this area.
Whilst the work programme stated, ‘It is anticipated that much of the reform required to meet these objectives will be in the form of clarificatory guidance, standards, or processes, rather than secondary legislation’, the greater use of tools other than legislation provides the opportunity for the system to respond in a much more agile way to technological changes, and is a positive direction of travel for UK industry.
Inconsistencies in data
How data can be managed and processed is a cornerstone of digital health – and there is potential change in the offing for the UK GDPR with the current DCMS consultation. Again, the exit from the European Union brings about the possibility of amending our legislation, but again it is another fine balancing act. Whilst few would argue that UK data legislation is not without its issues, the current implementation of UK GDPR has helped ensure we have an adequacy agreement with the EU, allowing sharing of data across European borders for research and clinical trials, amongst other things.
One of the key issues is that there are two, intersecting, regulatory regimes governing the use of health data which are inconsistent with one another but, nevertheless, overlap; firstly, there is the traditional healthcare regulatory framework, which includes the common law duty of confidentiality and the regulation of medical devices. Secondly, there are the legal concepts which appear in data protection legislation like the UK GDPR – which employs concepts like data controllers and data processors – that have been developed and cultivated totally outside the healthcare context, and fit uneasily in the healthcare environment. An example of this is anonymised data where there are very different thresholds for anonymisation between the GDPR and the common law duty of confidentiality. This disconnect has been highlighted as one possible reason why the NHS can be overly cautious regarding data sharing.
Clear guidance on data sharing
Another area where the two regimes can cause issues, and one that is highlighted in the consultation, is the basis for data sharing. We would recommend that government issue clear guidance on the legal bases for processing and transparency under the GDPR, including outlining how the various GDPR legal bases for processing align with use cases that are fundamental to the development of data-driven innovation in the life sciences. Streamlined data governance can ensure that data will flow seamlessly and securely across the health and care environment; this would be of benefit to all those involved in the system.
A modern regulatory methodology will support faster patient access, improve safety and position the UK as an attractive investment and launch market. Regulation has as an important role to play in demonstrating to the public, and to users, the trustworthiness of the system in order to build confidence in the use of data, software and devices as part of health and care delivery.
Be the first to comment