Digital health apps and telemedicine in England and Wales

  1. Digital Health Apps/Software
    1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
    2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.
    3. If your response to Q2 is yes, please state whether it matters if,
    4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
    5. In the context of physicians relying on digital health apps (i.e., standalone software), whether for in-person or telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the developer of the app software, or the producer of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage or injury?
    6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software digital health apps. What are the legal consequences for non-compliance?
    7. Are you aware of any expected future legal developments in your jurisdiction with regard to digital health apps/software?
  2. Telemedicine
    8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
    9. What laws and/or regulations apply to physicians regarding telemedicine?
    10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
    11. Do the standards of care applicable to physicians change in the context of using telemedicine?
    12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
    13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
    14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
    15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?

Digital Health Apps/Software

1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?

1.1 Is it considered a “medical device,” and if so, under what regulations? 

Software in the form of digital health apps may be considered a “medical device.”  

In this post-Brexit period, medical devices placed in the “Great Britain market” (England, Wales and Scotland) are regulated by the Medicines and Medical Devices Act 2021 and the Medical Devices Regulations 2002 (SI 2002/618, as amended) (UK MDR). The new UK Medical Devices Regulations are planned to be brought into force by 1 July 2024, with core aspects of the future regime to apply from 1 July 2025.

Under both current law and the incoming Medical Devices Regulation, software within digital health apps may qualify as a “medical device” if it has an intended purpose that is one or more of the medical purposes specified in the definition, which include, inter alia, diagnosis, treatment, and monitoring of a disease, injury or disability.  

The definition of a medical device includes both standalone software and that which is used in combination with a device that is “intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes.”

The Medicines & Healthcare products Regulatory Agency (MHRA) has published guidance indicating that, where computer programs are composed of multiple “functions/modules”, only the modules which fall within the definition of a medical device need to comply with medical devices requirements.

Therefore, where certain parts of the proposed service qualify as a medical device, this does not necessarily qualify the whole service as a medical device where the modules can be considered distinct. 

If software within a digital health app is considered a medical device, the software would have to conform to strict safety requirements, including (i) performing pre-market conformity assessments; (ii) implementing vigilance and post-market surveillance and monitoring of the device’s safety and efficiency; and (iii) complying with the safety reporting requirements under the medical device vigilance system.

The current medical devices legislation only regulates medical devices that are placed on the market or made available in the Great Britain market. Therefore, a service provided from outside the Great Britain market is arguably not regulated by current medical devices legislation even where it has a medical purpose. However, providing a service with a medical purpose from outside the Great Britain market without complying with medical devices legislation is not without risk: this is a regulatory grey area, and the MHRA is considering possible changes to the definition of “placing on the market” to clarify the requirements that apply when software is provided online to the Great Britain market (see question 7 below).

In this post-Brexit era, different rules apply when placing medical devices on the Northern Ireland market. Under the Northern Ireland Protocol, the Medical Devices Regulations ((EU) 2017/745) (the “EU MDR”) has regulated medical devices in Northern Ireland since 26 May 2021. Similar requirements to those for UK medical devices apply (e.g., conformity assessments and post-market surveillance); however, there are differences as EU law applies. For example, a CE marking will be required before medical devices can be placed in the Northern Ireland market.

1.2 Is it considered a “product” to which civil liability can attach, and if so, under what regulations? 

A digital health app may also be subject to general liability principles. In particular:

  1. it could be considered a defective product under the Consumer Protection Act 1987 (“the CPA”); and 
  2. civil liability could potentially arise under the common law tort of negligence and/or consumer contractual law (where a direct contract with the user exists). 

There exists some debate as to whether non-embedded software (i.e., that has to be downloaded) is a “product” within the scope of the CPA. The CPA is expressed to apply to “goods or electricity” (section 1(2) of the CPA). We are not aware of any UK case law that specifically addresses whether non-embedded software can be “goods” for the purposes of the CPA. However, UK case law on other legislation that is expressed to apply to goods has held that downloaded software is not a “good” for the purposes of that legislation. (See Computer Associates UK Ltd v The Software Incubator Ltd [2018] EWCA Civ 518; the issue was whether supply of downloadable software could be a “sale of goods” for the purposes of the Commercial Agents (Council Directive) Regulations 1993. The Supreme Court referred this question to the Court of Justice of the European Union, which provided a preliminary ruling that software can constitute “goods” (C-410/19). The case was then to go back to the UK Supreme Court for its consideration. However, the appeal has been withdrawn by the parties. Therefore, it is currently unknown whether the UK Supreme Court would follow the ECJ approach.)

The applicable liability principles would need to be considered on a case-by-case basis. 

1.3 If your response to (b) is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)? 

Under section 4 of the CPA, the defences (which are not specific to the healthcare context) to a product liability claim are as follows:

  • the defect is attributable to compliance with any requirement imposed by UK and EU retained law; 
  • the party proceeded against did not at any time supply the product to another or otherwise did not supply the product in the course of business or with a view to profit; 
  • the defect did not exist in the product at the time it was supplied;  
  • the producer could not reasonably have been expected to discover the defect given the state of scientific and technical knowledge at the time; or 
  • the product is a constituent part of a defective end product and the defect is due to either the design of the end product or because the component producer complied with the final producer’s instructions.

Particularly due to the rapidly changing position for the UK, the classification of software in a digital health app and the applicable laws/regulations need to be determined on a case-by-case basis.

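2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/privacy) If yes, please indicate these.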

Data Protection 

If the personal data of users/patients is processed using digital health software, such processing must comply with the data protection laws in force in the UK, in particular with:  

  • The UK General Data Protection Regulation (“GDPR”);
  • The Data Protection Act 2018 (the “DPA”); and
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), to the extent relevant. 

The UK GDPR generally governs the processing of personal data and requires that any processing undertaken is done (amongst other things) lawfully, fairly and in a transparent manner. (See in particular Articles 5(1)(a), 6, 13 & 14 UK GDPR.)  The UK GDPR also imposes further conditions on the processing of “special category data” including health data. (See Article 9 GDPR.) The DPA is a national law which supplements the UK GDPR, and (amongst other things) sets out additional requirements for the processing of special category data. 

PECR sits alongside the DPA and UK GDPR and imposes specific requirements in the context of marketing, cookies, keeping communications secure, and customer privacy.  

Consumer Rights 

The Consumer Rights Directive (2011/83/EC) applies when a person purchases an app relating to lifestyle or wellbeing.  Any data that is transferred via the app is likely to be considered personal data. 

The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (SI 2013/3134) (“CCRs”) implement most of the Consumer Rights Directive. The Consumer Protection (Amendment etc.) (EU Exit) Regulations 2018 amend the CCRs by making various amendments to EU-derived UK consumer protection legislation, including the removal of references to EU legislation. They also include an omission of CCR 3(2) relating to having regard, in the Secretary of State’s periodic reviews, to what is done in other EU Member States to implement the Consumer Rights Directive.

3. If your response to Q2 is yes, please state whether it matters if,

3.1 the users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or

The UK GDPR applies to the processing of personal data in the context of an establishment of a controller/processor in the UK, regardless of whether the processing takes place there. (See Article 3(1) UK GDPR.)

In addition, the UK GDPR applies if a controller/processor is not established in the UK but processes the personal data of data subjects in the EEA or UK when the processing activities relate to the offering of goods/services or monitoring the behaviour of the data subjects so far as that takes place within the UK.  (See Article 3(2) UK GDPR.)

3.2 it is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).

The UK GDPR and DPA do not distinguish between the processing of personal data in a B2B or B2C context and may apply to processing in either context.  

In general, the marketing requirements of PECR will apply in a B2C but not B2B context. There are however exceptions in the case of marketing relating to sole traders and some partnerships to which the PECR marketing requirements will also apply.  (See in particular regulation 22 PECR.) 

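4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?

Data Protection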

To the extent that personal data is processed for location tracking or monitoring real-time information, the UK GDPR applies.  

Location tracking 

PECR contains provisions in relation to the processing of location tracking information. In general, such processing is only permitted in cases in which it is undertaken by a service provider on an anonymous basis or if it is necessary for a value added service (i.e. beyond what would be needed for transmission or billing of a communication) and the user has consented. (Traffic data is subject to separate requirements.) (See in particular regulation 14 PECR.)

Monitoring real-time information 

If the monitoring of real-time information includes the processing of health data then, as explained above, this is classified as special category data under the UK GDPR and subject to additional requirements under the UK GDPR and DPA.  (See Article 9 UK GDPR.) 

Please note that the UK GDPR also imposes specific requirements in respect of automated individual decision-making, including profiling. Such decision-making must not be based on special category data such as health data unless the controller takes suitable measures to safeguard the data subject's rights and freedoms and legitimate interests and either:  

  • the data subject has given their explicit consent to the processing, or 
  • the processing is necessary for reasons of substantial public interest (and has met additional DPA requirements). 

(See in particular Article 21 UK GDPR, section 10 and Part 2 of Schedule 1 DPA.) 

Cookies 

If a digital app were to include analytical, behavioural or marketing cookies, then the use of such cookies requires prior consent by the data subject. Unless an exemption applies, PECR requires the following for the use of cookies: 

  • the provision of "clear and comprehensive" information; and 
  • the consent of website users or subscribers. 

(See in particular regulation 6 PECR.) 

Data Protection Impact Assessment  

On the assumption that the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, the relevant data controller must perform a data protection impact assessment (“DPIA”). If the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller must consult with the UK data protection regulator prior to commencing the relevant processing. (See Articles 35 and 36 UK GDPR.)

5. In the context of physicians relying on digital health apps (i.e., standalone software), whether for in-person or telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the developer of the app software, or the producer of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage or injury?  

We refer you to our response to Question 9 for information regarding the standards to which doctors are held. 

Generally speaking, whether liability would fall on the doctor or the producer depends on where the fault lies. 

If the doctor’s clinical decision was based on defective or faulty software, then the producer may be deemed to be negligent, or the product may be considered defective such that general product liability principles may apply. In those situations, liability would be borne by the producer of the software.  If a claim is brought against the doctor and the doctor is found liable, then the doctor may bring a claim for contribution against the producer. 

If the doctor’s clinical decision itself was not dependent on the accuracy or fault within the software, then the doctor could face a claim in negligence brought against him/her directly.

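6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software digital health apps. What are the legal consequences for non-compliance?

Medical Devices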

If the software contained in digital health apps satisfies the definition of a medical device (such that its intended use is for diagnostic, treatment, prevention, or prognosis purposes), then the manufacturer would need to follow the applicable conformity assessment procedure.  Its technical documentation and quality systems may be required before a Notified Body (designated by the competent authority, the MHRA in the UK) assesses the conformity of a product and issues a certificate of UKCA (UK Conformity Assessed) or CE conformity of the device.  All this is required before a medical device can be allowed to be placed on the market.  The Notified Body can therefore prevent the supply of a medical device by not issuing the necessary certificate of conformity. 

After a medical device has been UKCA/CE marked, via post-marketing obligations overseen by the national competent authority, if an incident is identified with regard to the device, then corrective action may need to be taken.  This may include the recall or withdrawal of a device in order to reduce the risk of serious injury or death. 

The UK government recently put into place legislation extending the acceptance of CE marked medical devices on the Great Britain market, providing that CE marked medical devices may be placed onto the Great Britain market until the sooner of expiry of the certificate or 30 June 2028 (or 30 June 2030 for IVDs), using either the UKCA or CE marking, for those general medical devices compliant with the EU MDD (or EU IVDD for IVDs) or EU AIMDD with a valid declaration and CE marking.  General medical devices that are CE marked and that are compliant with the EU MDR (or IVDs compliant with the EU IVDR) can be placed on the Great Britain market up until 30 June 2030.  

Self-declared CE marked Class I medical devices can be placed on the Great Britain market beyond 30 June 2023 if self-declared against EU MDR requirements (until 30 June 2030), or self-declared against MDD requirements before 26 May 2021 where Notified Body involvement in their assessment is not required, until 30 June 2028 (including up-classified devices and reusable surgical instruments). 

The UKCA marking is not recognised in the EU market and a CE marking will still be needed to place medical devices in the EU market. 

Legal consequences:  

  • Offences against/breaches of the safety regulations of the CPA can result in imprisonment for no longer than 6 months, a fine, or both. (Section 12 of the CPA.)
  • Alternatively, the Secretary of State may impose civil sanctions under Schedule 2, Part 1 of the Medicines and Medical Devices Act 2021 as an alternative to criminal prosecution. 

In addition to potential regulatory liability, a company whose health app caused injury could face potential civil liability claims from injured users. Depending on the exact circumstances, users may be able to claim damages in respect of their injury under: (i) statutory product liability laws; (ii) the tort of negligence; and/or (iii) where the user has a contract directly with the producer of the health app, contract law (either express or implied terms of the contract).   

Data Protection

Under the UK GDPR, the UK Information Commissioner has a number of enforcement powers, including: 

  • to issue an information notice requiring information in order to exercise his functions and conduct investigations; 
  • to issue an enforcement notice requiring a person to take certain steps, or refrain from taking certain steps, which may include an absolute or partial ban on processing; and 
  • to issue an assessment notice allowing him to conduct assessments of compliance with applicable legislation.  

In addition, for breaches of the UK GDPR the Information Commissioner may issue public reprimands and/or impose a fine of up to £17.5 million or 4% of worldwide annual turnover of the preceding financial year, whichever is higher.  For a breach of PECR, the Information Commissioner can also impose a fine of up to £500,000.  (See in particular Article 83 UK GDPR and regulation 31 PECR.) 

The EU MDR and the In Vitro Diagnostic Medical Devices Regulation (Regulation 2017/746) (“EU IVDR”) apply in EU Member States and in Northern Ireland but not the rest of the UK.  

The MHRA closed its consultation on proposed changes to medical device regulation in the UK in November 2021. In June 2022, the government response was published. These changes will be introduced via new regulations which will amend the UK MDR 2002. Of particular relevance are proposed changes which are specific to software as a medical device (SaMD). These include: (a) introducing a definition of “software” which is consistent with the definition found in MEDDEV 2.1/6; (b) modifying the definition of “placing on the market” to clarify when SaMD deployed on websites, app stores and other electronic means accessible in the UK falls within this definition; (c) a new “airlock classification rule” which allows temporary classifications for some SaMD, which will likely involve monitoring and restricting the SaMD as if it were high-risk in the event its risk profile is uncertain; (d) post-market requirements, including the SaMD having a hyperlink to MHRA-endorsed websites to allow for incident reporting; and (e) requiring SaMD manufacturers to meet certain minimum cybersecurity requirements.

Telemedicine

8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?

The General Medical Council (the “GMC”) regulates individual medical practitioners in the UK—not medical services.  Every doctor who wishes to practise medicine in the UK must be registered with the GMC and hold practising rights.  Doctors utilising telemedicine need to be appropriately qualified and regulated and should demonstrate, through the GMC or other means, that they are up to date and fit to practise medicine.

9. What laws and/or regulations apply to physicians regarding telemedicine?

Medical professionals have a duty of care to the patients they treat. The case of Bolam v Friern Hospital Management Committee (1957) 1 WLR 583 established a test to determine if a medical professional has breached their duty of care. It led to the proposition that a doctor’s duty is to exercise skill and care in accordance with the reasonable standards of those practising in the relevant medical field. Therefore, if a responsible body of professional opinion considered the doctor’s care was reasonable, then the doctor would not be in breach of the standard of care. If a doctor did breach the applicable standard of care, and if that breach of duty caused an injury, then the doctor can be liable for damages under the common law tort of negligence.

Fitness to Practise

A doctor must be qualified and fit to practise medicine to maintain registration with the GMC and be allowed to practise medicine.   

All doctors must comply with the “Good Medical Practice” standards set out by the GMC. 

The standards set for doctors by the GMC apply equally to digital and conventional consultations. Clinicians should consider which medium is most appropriate for them and their patient.

In the context of Digital Health/Telemedicine, doctors must consider the clinical risk of not conducting the consultation against any potential risk of using consumer-focused services and apps, such as Skype, WhatsApp, or FaceTime. 

Primary care networks (PCNs) can procure approved videoconferencing software. However, when using telehealth, doctors still need to safeguard confidential patient information in the same way they would with any other consultation. They need to take extra care to ensure that all information is recorded in the appropriate care record (as usual); ensure any personal information stored on the doctor’s own device, or obtained through a video or telephone conversation, is safely transferred to the appropriate health and care record as soon as possible; delete any personal information, including back-up data, from the doctor’s own device; and apply his/her own relevant professional standards, as would normally be done. (See BMA Advice, “Covid-19: video consultations and home working,” 3 June 2020.)

Regarding other telemedicine providers, telemedicine is an area of regulation which is still relatively new and undeveloped in some jurisdictions, and therefore, regulatory oversight will need to be considered on a case by case basis.  Should a provider of telemedicine not register with the relevant regulator when required, they will be operating illegally and sanctions could be imposed. 

England 

Although not a regulator of the individual doctors, the Care Quality Commission (“CQC”) registers telehealth/telemedicine service providers in England for the regulated activity of providing triage and medical advice “remotely” when certain criteria are met. Under Schedule 1(9) of The Health and Social Care Act 2008 (Regulated Activities Regulations) 2014, this is defined as, “Medical advice in cases where immediate action or attention is needed, or triage provided, over the telephone or by electronic mail by a body established for that purpose.” The CQC’s guidance published in May 2022 confirmed that remote advice will qualify as a regulated activity when the following criteria are met:

  • The advice is medical; and 
  • The advice is responsive (i.e., for immediate attention or action); or it constitutes triage (defined in the guidance as “determining the urgency of diseases, disorders or injuries to decide the order of treatment for people and where to treat them”); and 
  • The advice is provided over the telephone or by electronic mail; and 
  • The advice is provided by a body established for that purpose (as opposed to, for example, the occasional provision of advice by a hospital or university on an informal basis).

Wales 

Healthcare Inspectorate Wales (“HIW”) is the independent inspectorate and regulator of healthcare in Wales. Depending on the specific service being offered, it may be that telehealth/telemedicine service providers in Wales could be considered an independent medical agency. This is defined under s.2(5) of the Care Standards Act 2000 as “an undertaking (not being an independent clinic or an independent hospital) which consists of or includes the provision of services by medical practitioners.”  In the HIW publication “Guidance for Applicants” published on 4 December 2019, HIW highlighted that a business is required to register as an independent medical agency where private only medical services are provided regularly by medical practitioners, either individually or on behalf of a company, based in Wales.  This applies even where there is no establishment or physical premises in Wales.  One provided example where HIW registration would be required is for “online private GP services within pharmacies where the online provider company and/or the doctor is based in Wales.” 

Scotland 

Healthcare Improvement Scotland (“HIS”) is responsible for the regulation and inspection of health and social care facilities in Scotland, including both NHS and private facilities.  Under s.10P(1) of the National Health Service (Scotland) Act 1978, “a person who seeks to provide an independent health care service must apply to HIS for registration of the service.” “Health care” is defined under s.10A(2) of the same Act as “services for or in connection with the prevention, diagnosis or treatment of illness provided (a) under the health service; or (b) by persons providing independent health care services”.  Depending on the specific service being offered, it may be that telehealth/telemedicine service providers in Scotland could be considered an independent medical agency.  S.10F(2) of the National Health Service (Scotland) Act 1978 defines an independent medical agency as “an undertaking which is neither an independent clinic nor an undertaking comprised in a hospital and which consists of or includes the provision of services, other than in pursuance of this Act, by a medical practitioner.” 

Northern Ireland 

The Regulation and Quality Improvement Authority (“RQIA”) is the body responsible for inspecting registered health and social care services in Northern Ireland. Depending on the specific service being offered, it may be that telehealth/telemedicine service providers in Northern Ireland could be considered an independent medical agency. Under Article 8(2) of The Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003, an independent medical agency is required to register with the RQIA. Article 2(2) defines an independent medical agency as “an undertaking (not being an independent clinic) which consists of or includes the provision of services by medical practitioners, but if any of the services are provided for the purposes of an independent clinic, or by medical practitioners in pursuance of the Health and Personal Social Services (Northern Ireland) Order 1972, it is not an independent medical agency”. 

E-Commerce 

Post-Brexit, the retained law is the E-Commerce Regulations, amended by the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019.  The most significant impact of the amendments is to the “country of origin” rule such that a UK-established e-commerce operator will no longer be able to benefit from the previous principle allowing an information society service provider to comply with the laws of the country in which it is based.  Instead, it will have to comply with the specific requirements of each jurisdiction in which it is active.  A UK-based provider will therefore need to do the following: 

(i) account for different contracting arrangements/requirements/information provision rules in each EU jurisdiction post-Brexit transition period (as well as complying with UK requirements when selling in the UK); and  

(ii) be mindful of any limitation on offering a telemedicine service which may apply in each jurisdiction where it is active. 

10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?

10.1 What are the requirements?

The General Medical Council, the royal colleges and the professional associations are in the midst of publishing standards of practice, procedures and protocols that will cover the use of telemedicine. (See www.gmc-uk.org/-/media/documents/Regulatory_approaches_to_telemedicine.docx_73978543.docx)

The GMC has published guidance on remote consultations. (See https://www.gmc-uk.org/ethical-guidance/ethical-hub/remote-consultations and also https://www.gmc-uk.org/about/what-we-do-and-why/data-and-research/research-and-insight-archive/regulatory-approaches-to-telemedicine)

Briefly, the doctor needs to consider whether a face-to-face consultation is necessary, or whether remote treatment may be appropriate. If appropriate, then the doctor should obtain the patient’s consent for this method of provision of medical services. If the doctor is not the patient’s usual doctor, then s/he must ask the patient for consent to obtain information and a history from the patient’s GP and to send details of any treatment the doctor has arranged.

Remote consultations via use of telehealth can take place where the patient’s clinical need or treatment request is straightforward; the doctor has access to the patient’s medical records; all the information requested/needed by the patient can be given by telephone, internet, or video-link; the treatment does not require follow-up or monitoring; and the doctor has a safe system in place to prescribe medications if needed.  If these are not met, and/or if the doctor needs to physically examine the patient; the doctor is unsure about the patient’s capacity; the doctor is unable to determine that the patient has all the information the patient wants or needs about treatment options; or the doctor is prescribing injectable cosmetic medications, then the consultation must be in person.   

From October 2021, all GP practices are required to ‘offer and promote’ to their patients (and those acting on their behalf) the following: 

  • an online consultation tool 
  • a video consultation tool 
  • a secure electronic communication method 
  • an online facility to provide and update personal or contact information. 

These requirements are all subject to existing safeguards for vulnerable groups and third-party confidentiality. They are to be in place alongside, rather than as a replacement for, other access and communication methods, for example, telephone and face-to-face contact. [9]
[9] See https://www.england.nhs.uk/gp/investment/gp-contract/digital-requirements-guidance/new-digital-and-online-services-requirements-guidance-for-gp-practices/

Further guidance regarding directly bookable appointments was introduced in October 2022. This sets out requirements for online appointment booking following changes to General Medical Services (GMS), Personal Medical Services (PMS) and Alternative Provider Medical Services (APMS) contractual arrangements that came into effect in England from October 2022. Practices must now ensure that all of their “directly bookable” appointments are made available online, as well as by phone or in-person. [10]
[10] See https://www.england.nhs.uk/publication/directly-bookable-appointments-guidance-for-practices/

10.2 Were there any new (time-limited) regulations regarding the SARS-CoV-2 pandemic?

Telemedicine/telehealth services and technology were already being used before the Covid-19 pandemic. However, the pandemic highlighted the need to urgently reduce the risk of staff exposure, increase the supply of PPE, and minimise high patient volume impacts on healthcare facilities. No new regulations or laws have been introduced. As above, the CQC regulates healthcare institutions in England. Telemedicine providers in England are required to register with the CQC to perform the regulated activity of “transport services, triage and medical advice provided remotely.” [11] The Healthcare Improvement Scotland (HIS), Healthcare Inspectorate Wales (HIW), and the Regulation and Quality Improvement Authority in Northern Ireland (RQIA), the other 3 national regulators, do not have specific telemedicine policies for healthcare providers.

At the start of the Covid-19 global pandemic, during the first lockdown period in the UK, primary care and hospital outpatient departments were instructed by England’s Health Secretary to adopt a “digital first” approach, with all consultations to be done via telemedicine unless there were clinical or practical reasons not to do so. GP practices were advised to move to a “total triage first” model to protect patients and staff from avoidable risks of infection, [12] with a similar approach being taken by Scotland, Wales, and Northern Ireland. However, GP practices must conduct face-to-face consultations where clinically indicated, as discussed in Q10(a).
[12] “How to establish a remote total triage model in general practice using online consultations.”

11. Do the standards of care applicable to physicians change in the context of using telemedicine?

The standards that the GMC sets for doctors apply equally to digital and conventional consultations.

11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.

After the doctor verifies the patient’s identity, the doctor will need to confirm consent for a remote consultation and confirm that the patient is in a private area to speak, explaining limitations of the medium used. 

If a video consultation is used, then the doctor’s practice should use a system that incorporates a robust identity authentication process, allowing the doctor to control communications with the patient. [13]
[13] See https://www.england.nhs.uk/wp-content/uploads/2020/01/online-consultations-implementation-toolkit-v1.1-updated.pdf

Doctors should inform patients that any data/information/photos/etc. sent to the doctor via an app will be added to the patient’s medical record, in order to obtain the patient’s consent to use other media forums for sharing of information.   

The same principles of good clinical practice apply in online consultations as when speaking to a patient by phone or through other non-face-to-face contact. The doctor should see the patient in person if clinically appropriate, confirm the patient’s agreement with management plans, and ensure that GMC requirements for good care are followed.

Data Protection

Under the UK GDPR, a controller is required to meet transparency requirements, including providing data subjects with information on the processing of any personal data they provide (e.g., using a privacy notice).  As explained above, the processing of health data is also subject to additional requirements under the UK GDPR where a specific condition must be satisfied to permit the processing of such data.  (See in particular Articles 9, 13 and 14 UK GDPR.) 

11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?

The use of telemedicine does not particularly increase the risk of liability, per se.  Doctors are held to the same standards as when not using telemedicine and will need to determine if a face-to-face consultation is necessary.  See our response to Question No. 9. 

12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?

In November 2019, a number of bodies (including the four organisations that regulate healthcare providers in each of the countries in the UK and the GMC) published a set of high-level principles for remote consultations and prescribing (the High Level Principles). [14] These state that UK registered healthcare professionals must prioritise patient safety, protect vulnerable patients, ensure patients understand how remote consultations work and that there may be limitations on prescribing, obtain informed consent, undertake an adequate clinical assessment, give patients all the available options, arrange after care, keep notes, and stay up to date with relevant guidance.
[14] https://www.gmc-uk.org/ethical-guidance/learning-materials/remote-prescribing-high-level-principles

In conjunction with the High Level Principles, the GMC has published good practice guidance on prescribing and managing medicines and devices. [15] The standards of good practice apply to all doctors working in all settings. Advice on face-to-face and remote prescribing is integrated throughout the guidance, which aims to ensure that doctors practise safe prescribing. It covers what to consider when repeat prescribing, when prescribing controlled drugs, or where responsibility for a patient is shared between colleagues.
[15] https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/good-practice-in-prescribing-and-managing-medicines-and-devices

The General Pharmaceutical Council (“GPhC”), the regulator for pharmacists, pharmacy technicians, and pharmacies in the UK, has published guidance for pharmacy owners providing pharmacy services at a distance, including on the internet, [16] which sets out further safeguards to help make sure that people can only obtain medicines from online pharmacies that are safe and clinically appropriate for them. Ultimately, the same general standards with which pharmacies would have to comply should also be complied with when prescribed medications are provided to patients remotely. Pharmacies cannot dispense medications without a doctor’s prescription, nor can they fill prescriptions written by a doctor who is not registered with the GMC.
[16] https://www.pharmacyregulation.org/sites/default/files/document/guidance-for-registered-pharmacies-providing-pharmacy-services-at-a-distance-including-on-the-internet-march-2022.pdf

The National Health Service (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013 include a number of specific conditions subject to which distance-selling pharmacies may operate in England. 

GPhC guidance specifically refers to service providers working with non-UK service providers in respect of UK patients and sets out specific minimum obligations on such UK service providers. [17]
[17] https://www.pharmacyregulation.org/sites/default/files/document/guidance-for-registered-pharmacies-providing-pharmacy-services-at-a-distance-including-on-the-internet-march-2022.pdf

13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage? 

Healthcare in the UK is funded primarily by the public healthcare system, the National Health Service (“NHS”). Responsibility for the NHS is a devolved power, meaning that the devolved governments of Scotland, Wales, and Northern Ireland are responsible for the operation of the NHS in those respective countries.  

Telemedicine services can, in principle, be funded by the NHS through a range of different structures depending on the nature of the service and the context in which it is provided (e.g., primary versus secondary care). For example, primary care services provided by way of telemedicine may be commissioned and paid for by a commissioning body under a standard contract for general medical services.

13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine?  

There are no statutory provisions specific to reimbursement/coverage of telemedicine/healthcare mobile apps. However, there are various ways that such a service may be funded by the NHS. For example, as per above, in primary care this could be funded under a contract for general medical services.  Alternatively, a telemedicine service may be indirectly funded by the NHS by an NHS provider, such as a hospital Trust sub-contracting part of its service provision to a provider of this type of service.

13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?

As per above, this will depend on the type of app. For apps used by healthcare professionals, this will likely be the healthcare provider at which they are employed, which will in turn be funded by way of contracts with NHS commissioning bodies. 

There is not yet widespread publicly-funded provision of apps to patients, and in many cases, patients will self-fund or the apps will be used free of charge.  

The launch of the Office for Digital Health should result in progress in this area, with a key strategic aim of the office being to work with strategic partners to improve digital health approval pathways and reimbursement policy.  

14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.

Data protection

Besides the legislation referred to above, there are no other specific data protection laws or regulations relating to telemedicine in the UK.  

To date not all of the relevant healthcare regulators have developed their regulatory frameworks to appropriately capture this type of healthcare provision. As such, we expect regulation in telemedicine to increase as the delivery of these services becomes more commonplace within the provision of healthcare. 

With regard to data protection, the UK Government is in the process of formulating changes to the UK data protection law.  The extent of these changes has not yet been finalised. 

Generally, we anticipate that the scope of regulation of digital healthcare and telemedicine will ultimately widen and incorporate services that are not currently captured by existing regulation. 

Sarah Hanson
Partner
London
Elizabeth-Anne Larsen
Senior Associate
London