- Digital Health Apps/Software
- 1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
- 1.1 Is it considered a “medical device,” and if so, under what regulations?
- 1.2 Is it considered a “product” to which civil liability can attach, and if so, under what regulations?
- 1.3 If your response to (b) is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?
- 2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy)
- If yes, please indicate these.
- Data Protection
- NHS Technology Adoption and Procurement Standards
- Consumer Rights
- AI in Northern Ireland
- Equality Legislation
- 3. If your response to Q2 is yes, please state whether it matters if,
- 3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or
- Equality Legislation
- 3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
- Equality Legislation
- 4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
- Data Protection
- Location tracking
- Monitoring real-time information
- Cookies
- Data Protection Impact Assessment
- 5. In the context of physicians relying on digital health apps (i.e., standalone software), whether for in-person or telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the developer of the app software, or the producer of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage or injury?
- 6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software digital health apps. What are the legal consequences for non-compliance?
- Medical Devices
- Data Protection
- Equality Legislation
- 7. Are you aware of any expected future legal developments in your jurisdiction with regard to digital health apps/software?
- Northern Ireland
- Telemedicine
- 8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
- 9. What laws and/or regulations apply to physicians regarding telemedicine?
- Fitness to Practise
- E-Commerce
- 10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
- What are the requirements?
- 11. Do the standards of care applicable to physicians change in the context of using telemedicine?
- 11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.
- 11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?
- 12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
- 13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
- 13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine?
- 13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?
- 14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
- Data protection
- Equality Legislation
- 15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?
Digital Health Apps/Software
1. How is the software within digital health apps classified in your jurisdiction, and what regulation(s) apply?
1.1 Is it considered a “medical device,” and if so, under what regulations?
Software in the form of digital health apps may be considered a “medical device.”
In this post-Brexit period, medical devices placed in the “Great Britain market” (England, Wales and Scotland) are regulated by the Medicines and Medical Devices Act 2021 (enabling reform of medical devices and (human) medicines) and the Medical Devices Regulations 2002 (SI 2002/618, as amended) (“GB MDR”).
The Medicines & Healthcare products Regulatory Agency (“MHRA”) published a revised Roadmap to implementation in December 2024, which sets out the intended timescales for delivery of the future core regulations; 1 the first major reform legislation arising out of this relates to post-market surveillance. 1.1 Core aspects of the new GB Medical Devices Regulations applied from 16 June 2025, with transitional arrangements available for certain products placed on the market before that date. Further reforms are expected.
Software within digital health apps may qualify as a “medical device” if it has an intended purpose that is one or more of the medical purposes specified in the definition, which include, inter alia, diagnosis, treatment, and monitoring of a disease, injury or disability.
The definition of a medical device includes both standalone software and that which is used in combination with a device that is “intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes.” 1.2, 1.3
The MHRA published guidance that indicates that where computer programs are composed of multiple “functions/modules,” only the modules which fall within the definition of a medical device need to comply with medical devices requirements.
Therefore, where certain parts of the proposed service qualify as a medical device, this does not necessarily qualify the whole service as a medical device where the modules can be considered distinct. 1.4
If software within a digital health app is considered a medical device, the software would have to conform to strict safety requirements, including (i) performing pre-market conformity assessments; (ii) implementing vigilance and post-market surveillance and monitoring of the device’s safety and efficiency; and (iii) complying with the safety reporting requirements under the medical device vigilance system.
The current medical devices legislation only regulates medical devices that are placed on the market or made available in the Great Britain market. Therefore, a service provided from outside the Great Britain market is arguably not regulated by current medical devices legislation even where it has a medical purpose. However, providing a service with a medical purpose from outside the Great Britain market without complying with medical devices legislation is not without risk: this is a regulatory grey area, and the MHRA is considering possible changes to the definition of “placing on the market” to clarify the requirements that apply when software is provided online to the Great Britain market (see question 7 below).
Post-Brexit, different rules apply when placing medical devices on the Northern Ireland market. Under the Northern Ireland Protocol, the Medical Devices Regulations ((EU) 2017/745) (the “EU MDR”) and In Vitro Diagnostic Medical Device Regulation (2017/746) (“the EU IVDR”) regulate medical devices in Northern Ireland. 1.5 Similar requirements to UK medical devices apply (e.g., conformity assessments and post-market surveillance); however, there are differences as EU law applies. For example, a CE marking will be required before medical devices can be placed in the Northern Ireland market.
The new Post-Market Surveillance (“PMS”) Regulations (effective from 16 June 2025 in GB only) clarify that all medical devices, including Software as a Medical Device (“SaMD”) are subject to new, more stringent, PMS requirements when placed on the market or put into service in GB. 1.6 1.7 Therefore, these regulations will directly affect digital health apps on the market in GB if they are classified as medical devices. If a digital health app is deemed a medical device, the manufacturer will be required to establish a robust post-market surveillance system. This includes tracking how the app functions after deployment, identifying any incidents or defects, and reporting them to the MHRA. For example, if a digital health app used for diagnosing a disease malfunctions and provides incorrect information, the manufacturer will be legally required to report this to the MHRA as part of the new PMS framework. Apps that rely on AI or machine learning will also have more stringent requirements around the continuous monitoring of these systems, ensuring that any algorithmic flaws or safety concerns are tracked.
The MHRA published the Government Response on 10 July 2025 following its consultation on Common Specification requirements for in vitro diagnostic (IVD) devices which closed on 14 June 2024. 1.8 The response confirmed that these Common Specifications will be incorporated into the UK Medical Devices Regulations 2002, become a condition of post-market performance follow-up (“PMPF”) plans, and replace the Coronavirus Test Device Approval (“CTDA”) process. These changes are due to be implemented through a new statutory instrument expected in 2026, with interim measures in place for certain COVID-19 tests that already meet the Common Specifications.
1.2 Is it considered a “product” to which civil liability can attach, and if so, under what regulations?
General liability principles may also apply to a digital health app. In particular:
- it could be considered a defective product under the Consumer Protection Act 1987 (“the CPA”); and
- civil liability could potentially arise under the common law tort of negligence and/or consumer contractual law (where a direct contract with the user exists).
There exists some debate as to whether non-embedded software (i.e., that has to be downloaded) is a “product” within the scope of the CPA. The CPA is expressed to apply to “goods or electricity”. 2 We are not aware of any UK case law that specifically addresses whether non-embedded software can be “goods” for the purposes of the CPA. However, UK case law on other legislation that is expressed to apply to goods has held that downloaded software is not a “good” for the purposes of that legislation. 2.1
The applicable liability principles would need to be considered on a case-by-case basis.
1.3 If your response to (b) is yes, please state whether there are any exclusions/exemptions applicable with regard to liability, and/or whether those are applicable only under certain circumstances (e.g., for in-hospital use)?
Under section 4 of the CPA, the defences (which are not specific to the healthcare context) to a product liability claim are as follows:
- the defect is attributable to compliance with any requirement imposed by UK and EU retained law;
- the party proceeded against did not at any time supply the product to another or otherwise did not supply the product in the course of business or with a view to profit;
- the defect did not exist in the product at the time it was supplied;
- the producer could not reasonably have been expected to discover the defect given the state of scientific and technical knowledge at the time; or
- the product is a constituent part of a defective end product and the defect is due to either the design of the end product or because the component producer complied with the final producer’s instructions.
Particularly due to the rapidly changing position for the UK, the classification of software in a digital health app and the applicable laws/regulations need to be determined on a case-by-case basis.
2. Are there any other legal regimes that may govern digital health software? (e.g. data protection/ privacy)
If yes, please indicate these.
Data Protection
If the personal data of users/patients is processed using digital health software, such processing must comply with the data protection laws in force in the UK, in particular with:
- The UK General Data Protection Regulation (“GDPR”);
- The Data Protection Act 2018 (“DPA”);
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), to the extent relevant; and
- Data (Use and Access) Act 2025 (“DUA Act”).
The UK GDPR generally governs the processing of personal data and requires that any processing undertaken is done (amongst other things) lawfully, fairly and in a transparent manner. (See in particular Articles 5(1)(a), 6, 13 & 14 UK GDPR.) The UK GDPR also imposes further conditions on the processing of “special category data” including health data. (See Article 9 GDPR.) The DPA is a national law which supplements the UK GDPR, and (amongst other things) sets out additional requirements for the processing of special category data.
PECR sits alongside the DPA and UK GDPR and imposes specific requirements in the context of marketing, cookies, keeping communications secure, and customer privacy.
The DUA Act, enacted 19 June 2025, now forms part of the UK’s data protection framework and is directly relevant to digital health software. The DUA Act is intended to enhance the UK’s digital strategy by unlocking the use of data to support public services and economic growth. It aligns enforcement powers under the PECR with those of the UK GDPR, thereby increasing potential fines for breaches relating to electronic communications and cybersecurity.
For digital health apps, the DUA Act clarifies lawful bases for processing personal and health data, broadens the scope of legitimate interests, and simplifies consent mechanisms. It also introduces greater flexibility for AI-driven features, particularly around automated decision-making, while strengthening enforcement of data protection rules in areas such as marketing and cookies.
NHS Technology Adoption and Procurement Standards
In addition to MHRA regulatory approval, digital health software must comply with NHS-specific frameworks that are crucial for successful market entry. NHS England’s technology standards require products to meet the Digital Technology Assessment Criteria (DTAC), which covers clinical safety (including DCB 0129 and DCB 0160 standards), data security, interoperability, and user-centred design. The UK government has announced plans for an “Innovator Passport” for MedTech by 2026, intended to streamline procurement and reduce repetitive local assessments. This will complement the expansion of the Rules Based Pathway, which will mandate NHS funding for certain technologies following a positive NICE technology appraisal.
Furthermore, NHS procurement processes increasingly demand evidence of compliance with information governance standards and the ability to integrate with existing NHS digital systems. These requirements are separate from MHRA regulation and present additional commercial challenges that manufacturers must address to achieve market access in the UK.
Consumer Rights
The Consumer Rights Directive (2011/83/EC) applies when a person purchases an app relating to lifestyle or wellbeing. Any data that is transferred via the app is likely to be considered personal data.
The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (SI 2013/3134) (“CCRs”) implement most of the Consumer Rights Directive. The Consumer Protection (Amendment etc.) (EU Exit) Regulations 2018 amend the CCRs by making various amendments to EU-derived UK consumer protection legislation, including the removal of references to EU legislation. They also include an omission of CCR 3(2) relating to having regard, in the Secretary of State’s periodic reviews, to what is done in other EU Member States to implement The Consumer Rights Directive.
The Digital Markets, Competition and Consumers Act 2024 (“DMCC”) was enacted in May 2024, introducing significant reforms. Chapter 2 of the DMCC imposes new requirements on businesses offering subscription-based services, such as clear pre-contract information, straightforward cancellation methods, and additional cooling-off periods. Schedule 20 of the DMCC also introduces offences related to fake reviews. Therefore, these provisions aim to enhance consumer protection and are particularly relevant for digital health services offering subscription models or relying on user reviews. Digital health app providers should review and, if necessary, update their business practices to comply with the provisions of the DMCC.
AI in Northern Ireland
The EU AI Act (2024/1689) applies to AI systems deployed or provided in NI and in the EU. Therefore, if a medical device placed on the NI market contains software or an AI system as defined by the EU AI Act, then it must comply with obligations (depending on the AI’s risk classification) under the EU AI Act, as well as UK regulatory obligations.
Equality Legislation
The Equality Act 2010 (“EqA”) prohibits various forms of discrimination, harassment and victimisation in the context of the provision of goods and services (see s.29 EqA). If a healthcare or social care organisation provides any goods, facilities or services to the public or a section of the public, it must make sure it complies with its duties under the EqA. The UK government has identified in particular the potential for racial, ethnic and other factors to lead to unfair biases in the design and use of medical devices (see Equity in Medical Devices: Independent Review 3 ).
The EqA also includes an anticipatory obligation to make “reasonable adjustments” to ensure disabled people can access services. Specifically in the context of digital apps and software, the Web Content Accessibility Guidelines (“WCAG 2”), an internationally-recognised standard for website accessibility, is generally accepted as a best practice website accessibility standard in the UK. 3.1 Further, digital services produced by or for public sector bodies in the UK must meet the internationally recognised ‘AA’ standard of accessibility under the WCAG 2.2 (see Government guidance on Making your service accessible 3.2 and NHS Digital Accessibility Standards 3.3 ).
3. If your response to Q2 is yes, please state whether it matters if,
3.1 The users are residents using it within their jurisdiction and/or using it outside their jurisdiction; and/or
The UK GDPR applies to the processing of personal data in the context of an establishment of a controller/processor in the UK, regardless of whether the processing takes place there. (See Article 3(1) UK GDPR.)
In addition, the UK GDPR applies if a controller/processor is not established in the UK but processes the personal data of data subjects in the EEA or UK when the processing activities relate to the offering of goods/services or monitoring the behaviour of the data subjects so far as that takes place within the UK. (See Article 3(2) UK GDPR.)
Equality Legislation
The EqA does not limit the scope of the services and public functions provisions to activities which take place in Great Britain. Whether or not an act which takes place outside Great Britain is covered by the EqA will be determined by the court, which will consider whether there is a sufficiently close connection with the UK.
The EqA also has specific provisions that apply where services, goods or facilities are provided or advertised through a website, in which case the person doing so will be an information society service provider (ISSP). If an ISSP is established in Great Britain, then the provisions of the EqA apply where the services are accessed via that site from Great Britain or any other EEA member state. If the ISSP is established outside Great Britain, then the provisions do not apply.
3.2 It is a “B2B” (business to business) rather than “B2C” (business to end consumer) service. In each case, please summarise any implications (if applicable).
The UK GDPR and DPA do not distinguish between the processing of personal data in a B2B or B2C context and may apply to processing in either context.
In general, the marketing requirements of PECR will apply in a B2C but not B2B context. There are however exceptions in the case of marketing relating to sole traders and some partnerships to which the PECR marketing requirements will also apply. (See in particular regulation 22 PECR.)
The DMCC primarily targets B2C transactions, focusing on enhancing consumer protection in areas such as transparency, subscription services, and marketing practices. However, certain provisions of the DMCC may have some B2B relevance, particularly around ensuring fair competition and preventing anti-competitive practices in digital markets.
Equality Legislation
Under the EqA, a "person" can include a corporate body, such that a company may pursue a complaint against another company, for example where discriminatory decisions are made in connection with the supply of a service. However, the alleged discrimination must be linked to the protected characteristic of an individual or individuals, for example that corporation’s workforce or associated communities.
4. Do any particular features, such as location tracking, or monitoring real-time information, trigger any additional consent requirement, regulatory approval, and/or other restrictions beyond the general ones applicable to Q1/Q2?
Data Protection
To the extent that personal data is processed for location tracking or monitoring real-time information, the UK GDPR applies.
Location tracking
PECR contains provisions in relation to the processing of location tracking information. In general, such processing is only permitted in cases in which it is undertaken by a services provider on an anonymous basis or if it is necessary for a value added service (i.e. beyond what would be needed for transmission or billing of a communication) and the user has consented. (Traffic data is subject to separate requirements.) (See in particular regulation 14 PECR.)
Monitoring real-time information
If the monitoring of real-time information includes the processing of health data then, as explained above, this is classified as special category data under the UK GDPR and subject to additional requirements under the UK GDPR and DPA. (See Article 9 UK GDPR.)
Please note that the UK GDPR also imposes specific requirements in respect of automated individual decision-making, including profiling. Such decision-making must not be based on special category data such as health data unless the controller takes suitable measures to safeguard the data subject's rights and freedoms and legitimate interests and either:
- the data subject has given their explicit consent to the processing, or
- the processing is necessary for reasons of substantial public interest (and has met additional DPA requirements).
(See in particular Article 21 UK GDPR, section 10 and Part 2 of Schedule 1 DPA.)
The DUA Act offers more flexibility for the use of AI-driven real-time monitoring but still mandates that explicit consent from the data subject is required (i.e., from patients in the context of digital health apps). It also clarifies the conditions under which legitimate interests may be used for processing sensitive health data, provided adequate safeguards are in place.
The DMCC introduces consumer protection provisions, requiring businesses to be more transparent with consumers about how their real-time data is used.
Cookies
If a digital app were to include analytical, behavioural or marketing cookies, then the use of such cookies requires prior consent by the data subject. Unless an exemption applies, PECR requires the following for the use of cookies:
- the provision of "clear and comprehensive" information; and
- the consent of website users or subscribers.
(See in particular regulation 6 PECR.)
The DUA Act relaxes consent requirements for non-intrusive cookies, particularly those used for analytics, website appearance, and emergency assistance. The DUA Act introduces targeted exceptions to existing consent rules while preserving transparency and opt-out rights, with the aim of reducing consent fatigue and enabling smoother data collection for service improvements. It also broadens enforcement to cover not only those who place cookies but also those who instigate the storage of data, such as website publishers.
Data Protection Impact Assessment
On the assumption that the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, the relevant data controller must perform a data protection impact assessment (“DPIA”). If the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller must consult with the UK data protection regulator prior to commencing the relevant processing. (See Articles 35 and 36 UK GDPR.)
The DUA Act requires that panels of individuals be established to consider codes of practice in the context of impact assessments. 3.4
5. In the context of physicians relying on digital health apps (i.e., standalone software), whether for in-person or telemedicine consultations, are there circumstances where the physicians’ liability can be limited or transferred to the developer of the app software, or the producer of the final product/app itself, when a fault or inaccuracy with the software (rather than the physicians’ error) occurs, leading to damage or injury?
We refer you to our response to Question 9 for information regarding the standards to which doctors are held.
Generally speaking, whether liability would fall on the doctor or the producer depends on where the fault lies.
If the doctor’s clinical decision was based on defective or faulty software, then the producer may be deemed to be negligent, or the product may be considered defective such that general product liability principles may apply. In those situations, liability would be borne by the producer of the software. If a claim is brought against the doctor and the doctor is found liable, then the doctor may bring a claim for contribution against the producer.
If the doctor’s clinical decision itself was not dependent on the accuracy or fault within the software, then the doctor could face a claim in negligence brought against him/her directly.
6. Please describe the enforcement mechanism for compliance with regard to the regulations discussed in Q1, Q2, and/or Q4 in your jurisdiction with regard to the software digital health apps. What are the legal consequences for non-compliance?
Medical Devices
If the software contained in digital health apps satisfies the definition of a medical device (such that its intended use is for diagnostic, treatment, prevention, or prognosis purposes), then the manufacturer would need to follow the applicable conformity assessment procedure. Its technical documentation and quality systems may be required before a Notified Body (designated by the competent authority, the MHRA in the UK) assesses the conformity of a product and issues a certificate of UKCA (UK Conformity Assessed) or CE conformity of the device. All this is required before a medical device can be allowed to be placed on the market. The Notified Body can therefore prevent the supply of a medical device by not issuing the necessary certificate of conformity.
After a medical device has been UKCA/CE marked, via post-marketing obligations overseen by the national competent authority, if an incident is identified with regard to the device, then corrective action may need to be taken. This may include the recall or withdrawal of a device in order to reduce the risk of serious injury or death.
The UK government recently put into place legislation extending the acceptance of CE marked medical devices on the Great Britain market, providing that CE marked medical devices may be placed onto the Great Britain market until the sooner of expiry of the certificate or 30 June 2028 (or 30 June 2030 for IVDs), using either the UKCA or CE marking, for those general medical devices compliant with the EU MDD (or EU IVDD for IVDs) or EU AIMDD with a valid declaration and CE marking. General medical devices that are CE marked and that are compliant with the EU MDR (or IVDs compliant with the EU IVDR) can be placed on the Great Britain market up until 30 June 2030.
Self-declared CE marked Class I medical devices can be placed on the Great Britain market beyond 30 June 2023 if self-declared against EU MDR requirements (until 30 June 2030), or self-declared against MDD requirements before 26 May 2021 where Notified Body involvement in their assessment is not required, until 30 June 2028 (including up-classified devices and reusable surgical instruments).
The UKCA marking is not recognised in the EU market and a CE marking will still be needed to place medical devices in the EU market. UK approved bodies can conduct conformity assessments for UKCA markings only, not CE markings. 3.5
A brief summary of the key requirements for placing a medical device on the Northern Ireland market is as follows: 3.6
The EU MDR and IVDR have applied in Northern Ireland since 26 May 2021 and 26 May 2022, respectively. CE marking is required for the Northern Ireland market. If a UK notified body conducts the mandatory third-party conformity assessment, then the UKNI indication will also be required (in addition to CE marking). Certain medical devices (e.g., IVDs) placed on the Northern Ireland market need to be registered with the MHRA, as do all custom-made devices (within 28 days of being made available on the market). GB-based manufacturers must appoint an EU or Northern Ireland-based Authorised Representative when placing medical devices on the Northern Ireland market.
Legal consequences:
- Offences against/breaches of the safety regulations of the CPA can result in imprisonment for no longer than 6 months, a fine, or both. 4
- Alternatively, the Secretary of State may impose civil sanctions under Schedule 2, Part 1 of the Medicines and Medical Devices Act 2021 as an alternative to criminal prosecution.
- The Secretary of State (in practice, the MHRA) has a duty to enforce the UK MDR, and may exercise investigatory powers (see Schedule 5 of Consumer Rights Act 2015). A breach of an MMD Act enforcement notice or of the UK MDR is an offence and may be punishable by up to 6 months’ imprisonment and/or a fine.
The DUA Act introduces new responsibilities for the UK Information Commissioner, including ensuring enhanced protections for children’s personal data, overseeing the use of web crawlers, and developing new statutory codes of practice. The DUA Act also strengthens data subjects’ rights in relation to AI-driven decision-making, giving individuals the ability to request explanations and details of the appeal process for decisions made wholly or partly through automated processing.
In addition to potential regulatory liability, a company whose health app caused injury could face potential civil liability claims from injured users. Depending on the exact circumstances, users may be able to claim damages in respect of their injury under: (i) statutory product liability laws; (ii) the tort of negligence; and/or (iii) where the user has a contract directly with the producer of the health app, contract law (either express or implied terms of the contract).
The MHRA is currently developing a legal framework for AI as a Medical Device, which will directly affect AI-based digital health apps. Key areas include adaptivity, explainability, transparency, and assurance of safety. These priorities are being embedded through its ongoing Software and AI as a Medical Device Change Programme, 4.1 which encompasses pre-market and post-market reforms and builds on guiding principles for Good Machine Learning Practice (“GMLP”) and predetermined change control plans (“PCCPs”). Additionally, MHRA’s AI Airlock regulatory sandbox 4.2 allows innovators to test AIaMD products under regulator oversight.
Once formal guidance and regulatory updates are rolled out, failure to meet these evolving standards may result in non-conformity with medical device regulations and potentially market withdrawal or enforcement action. 4.3
Data Protection
Under the UK GDPR, the UK Information Commissioner has a number of enforcement powers, including:
- to issue an information notice requiring information in order to exercise his functions and conduct investigations;
- to issue an enforcement notice requiring a person to take certain steps, or refrain from taking certain steps, which may include an absolute or partial ban on processing; and
- to issue an assessment notice allowing him to conduct assessments of compliance with applicable legislation.
In addition, for breaches of the UK GDPR the Information Commissioner may issue public reprimands and/or impose a fine of up to £17.5 million or 4% of worldwide annual turnover of the preceding financial year, whichever is higher. For a breach of PECR, the Information Commissioner can also impose a fine of up to £500,000. (See in particular Article 83 UK GDPR and regulation 31 PECR.)
Equality Legislation
Service users (including corporate entities as noted at 3.2 above) can bring a claim to enforce their rights under the EqA. The Equalities and Human Rights Commission (“EHRC”) also has enforcement powers where it considers that a person is likely to breach their obligations under the EqA. Financial remedies in such cases are usually low and limited to awards for injury to feelings (in the absence of any other identifiable loss suffered by the service user). However, the court can also grant an injunction to prevent the defendant from doing or repeating the unlawful act, or to compel them to take certain steps; for example, to prevent a discriminatory advert from being published 4.4 or to require a services provider to make adjustments to its premises. The court can also make a declaration of the rights and responsibilities of the parties, which may then be referred to by other potential claimants experiencing the same issues with the goods/service.
7. Are you aware of any expected future legal developments in your jurisdiction with regard to digital health apps/software?
The EU MDR and the EU IVDR apply in EU Member States and in Northern Ireland but not the rest of the UK.
The MHRA closed its consultation on proposed changes to medical device regulation in the UK in November 2021. In June 2022, the government response was published. 5 These changes will be introduced via new regulations which will amend the UK MDR 2002. Of particular relevance are proposed changes which are specific to software as a medical device (SaMD). These include: (a) introducing a definition of “software” which is consistent with the definition found in MEDDEV 2.1/6; (b) modifying the definition of “placing on the market” to clarify when SaMD deployed on websites, app stores and other electronic means accessible in the UK falls within this definition; (c) a new “airlock classification rule” which allows temporary classifications for some SaMD, which will likely involve monitoring and restricting the SaMD as if it were high-risk in the event its risk profile is uncertain; (d) post-market requirements, including the SaMD having a hyperlink to MHRA-endorsed websites to allow for incident reporting; and (e) requiring SaMD manufacturers to meet certain minimum cybersecurity requirements.
A consultation that concluded on 5 January 2025 resulted in the Government Response published on 26 February 2025, addressing four EU-derived regulations under the UK Medical Devices Regulations (regulations 4H, 4J, 4K and 4L). 5.1 The Government confirmed plans to remove the revocation date (26 May 2025) of these four pieces of assimilated law to avoid disruption to the regulatory framework. However, this is considered a stop-gap measure, pending a more permanent reform via the “Pre-Market” Regulations, expected to come into force in 2026.
In parallel, the MHRA’s Regulatory Roadmap outlines new measures to support safe access to medical technology, including AI and diagnostics. The roadmap details a phased programme of statutory instruments designed to enhance patient safety while facilitating access to innovative medical technologies. The first of these, covering Post-Market Surveillance, came into effect in June 2025, with further instruments scheduled through 2025 and 2026. 5.2
A central element of the MHRA’s Roadmap is the forthcoming Pre-Market regulations, which are intended to bring UK requirements up to date with technological advances and encourage greater international alignment. These regulations will introduce Unique Device Identifiers (“UDI”) and implant cards for patients, expand requirements for custom-made devices, revise the classification of several device types (including IVDs), and align core safety and performance requirements more closely with those in the EU. The government has confirmed that the draft statutory instrument will be published on the WTO website during 2025, with the regulations expected to come into force in 2026. 5.3 A recent development includes the UK’s plan to implement an international reliance framework that will allow manufacturers to leverage approvals from a small number of trusted regulators from other countries (USA, Australia, and Canada), for streamlined GB market access of medical technologies. International regulatory reliance is expected to be covered in the Pre-Market statutory instrument, projected for 2026. 5.4 The UK also announced further consultations in 2025 regarding an indefinite recognition of CE marked medical devices.
Northern Ireland
Because the new EU Product Liability Directive (EU) 2024/2853 (“the new PLD”) falls within the EU rules that continue to apply in Northern Ireland in accordance with Article 5(4) of The Protocol on Ireland/Northern Ireland, the new PLD must be implemented in Northern Ireland by 9 December 2026. One of the key amendments to the existing Product Liability Directive is the expanded definition of “product.” Under the new PLD, the definition of “product” explicitly includes software and AI Systems as defined by the EU AI Act, meaning that manufacturers could be held strictly liable for damage caused by defective digital health apps. The new PLD will apply to products placed on the market, or put into service, in Northern Ireland from 9 December 2026.
Telemedicine
8. How are physicians regulated in your jurisdiction (i.e., who is their Regulator; e.g., the General Medical Council in the UK)?
The General Medical Council (the “GMC”) regulates individual medical practitioners in the UK—not medical services. Every doctor who wishes to practise medicine in the UK must be registered with the GMC and hold practising rights. Doctors utilising telemedicine need to be appropriately qualified and regulated and should demonstrate, through the GMC or other means, that they are up to date and fit to practise medicine.
From 13 December 2024, the GMC also began regulating physician associates (“PAs”) and anaesthesia associates (“AAs”). 5.5 This regulation aims to strengthen patient safety and public trust in these professions by ensuring they meet the required standards of education and training and can be held accountable if serious concerns are raised. 5.6 From December 2026, PAs and AAs will be required to register with the GMC to practise in the UK. 5.7
9. What laws and/or regulations apply to physicians regarding telemedicine?
Medical professionals have a duty of care to the patients they treat. The case of Bolam v Friern Hospital Management Committee (1957) 1 WLR 583 established a test to determine if a medical professional has breached their duty of care. It led to the proposition that a doctor’s duty is to exercise skill and care in accordance with the reasonable standards of those practising in the relevant medical field. Therefore, if a responsible body of professional opinion considered the doctor’s care was reasonable, then the doctor would not be in breach of the standard of care. If a doctor did breach the applicable standard of care, and if that breach of duty caused an injury, then the doctor can be liable for damages under the common law tort of negligence.
Fitness to Practise
A doctor must be qualified and fit to practise medicine to maintain registration with the GMC and be allowed to practise medicine.
All doctors must comply with the “Good Medical Practice” standards set out by the GMC.
The standards that the GMC sets for doctors apply equally to digital and conventional consultations. Clinicians should consider which medium is most appropriate for them and their patient.
In the context of Digital Health/Telemedicine, doctors must consider the clinical risk of not conducting the consultation against any potential risk of using consumer-focused services and apps, such as Skype, WhatsApp, or FaceTime.
Primary care networks (PCNs) can procure approved videoconferencing software. However, when using telehealth, doctors still need to safeguard confidential patient information in the same way they would with any other consultation. 5.8 They need to take extra care to ensure that all information is recorded in the appropriate care record (as usual); ensure any personal information stored on the doctor’s own device, or obtained through a video or telephone conversation, is safely transferred to the appropriate health and care record as soon as possible; delete any personal information, including back-up data, from the doctor’s own device; and apply his/her own relevant professional standards, as would normally be done. 6
Regarding other telemedicine providers, telemedicine is an area of regulation which is still relatively new and undeveloped in some jurisdictions, and therefore, regulatory oversight will need to be considered on a case by case basis. Should a provider of telemedicine not register with the relevant regulator when required, they will be operating illegally and sanctions could be imposed.
England
Although not a regulator of the individual doctors, the Care Quality Commission (“CQC”) registers telehealth/telemedicine service providers in England for the regulated activity of providing triage and medical advice “remotely” when certain criteria are met. Under Schedule 1(9)(2) of The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, this is defined as, “Medical advice in cases where immediate action or attention is needed, or triage provided, over the telephone or by electronic mail by a body established for that purpose.” The CQC’s updated guidance published in 2025 confirmed that remote advice will qualify as a regulated activity when the following criteria are met:
- The advice is medical; and
- The advice is responsive (i.e., for immediate attention or action); or it constitutes triage (defined in the guidance as “determining the urgency of diseases, disorders or injuries to decide the order of treatment for people and where to treat them”); and
- The advice is provided over the telephone or by electronic mail; and
- The advice is provided by a body established for that purpose (as opposed to, for example, the occasional provision of advice by a hospital or university on an informal basis).
From late 2023, the CQC implemented a Single Assessment Framework (“Framework”) to evaluate providers, local authorities, and integrated care systems. This Framework aims to streamline the regulatory process and ensure consistent quality and safety standards across all healthcare providers. The Framework applies to all types of service, including care providers, local authorities, and integrated care systems. 6.1
The six evidence categories that the CQC uses as part of the new Framework are:
- People’s Experiences – This category focuses on how people experience the care provided firsthand.
- Feedback from Staff & Leaders – Evidence from this category includes evaluations and insights from those who deliver and oversee the provided care.
- Observations of Care – This includes direct observations of care practices and interactions within the service itself.
- Feedback from Partners – Here the CQC will gather perspectives from other organisations and entities who are involved in delivering care.
- Processes – Here the systems and procedures in place to deliver care are assessed.
- Outcomes of Care – As part of this evidence category, the CQC assesses the results and impacts of the provided care.
The updated Area Special Educational Needs and Disabilities (“SEND”) inspections framework (April 2024) outlines how Ofsted and the CQC now jointly assess local area partnerships’ arrangements for children and young people with SEND in England. These inspections evaluate how effectively health, education, and care services collaborate, including integrated care boards, to support outcomes and compliance with duties under legislation like the Children and Families Act 2014. 6.2
In April 2025, the CQC, in collaboration with Ofsted and His Majesty’s Inspectorate of Prisons (HMIP), updated the joint inspection framework for Secure Training Centres (STCs) in England. While primarily focused on the care of young people in STCs, this framework underscores the CQC's commitment to collaborative regulation across various healthcare settings. 6.3
Wales
Healthcare Inspectorate Wales (“HIW”) is the independent inspectorate and regulator of healthcare in Wales. Depending on the specific service being offered, it may be that telehealth/telemedicine service providers in Wales could be considered an independent medical agency. This is defined under s.2(5) of the Care Standards Act 2000 as “an undertaking (not being an independent clinic or an independent hospital) which consists of or includes the provision of services by medical practitioners.” In the HIW publication “Guidance for Applicants” published on 4 December 2019 (updated in 2025), HIW highlighted that a business is required to register as an independent medical agency where private only medical services are provided regularly by medical practitioners, either individually or on behalf of a company, based in Wales. This applies even where there is no establishment or physical premises in Wales. One provided example where HIW registration would be required is for “online private GP services within pharmacies where the online provider company and/or the doctor is based in Wales.”
Scotland
Healthcare Improvement Scotland (“HIS”) is responsible for the regulation and inspection of health and social care facilities in Scotland, including both NHS and private facilities. Under s.10P(1) of the National Health Service (Scotland) Act 1978, “a person who seeks to provide an independent health care service must apply to HIS for registration of the service.” “Health care” is defined under s.10A(2) of the same Act as “services for or in connection with the prevention, diagnosis or treatment of illness provided (a) under the health service; or (b) by persons providing independent health care services.” Depending on the specific service being offered, it may be that telehealth/telemedicine service providers in Scotland could be considered an independent medical agency. S.10F(2) of the National Health Service (Scotland) Act 1978 defines an independent medical agency as “an undertaking which consists of or includes the provision of services, other than in pursuance of this Act by (a) a medical practitioner; (b) a dental practitioner; (c) a dental care professional; (d) a registered nurse; (e) a registered midwife; (f) a registered pharmacist; or (g) a registered pharmacy technician.”
Northern Ireland
The Regulation and Quality Improvement Authority (“RQIA”) is the body responsible for inspecting registered health and social care services in Northern Ireland. Depending on the specific service being offered, it may be that telehealth/telemedicine service providers in Northern Ireland could be considered an independent medical agency. Under Article 8(2) of The Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003, an independent medical agency is required to register with the RQIA. Article 2(2) defines an independent medical agency as “an undertaking (not being an independent clinic) which consists of or includes the provision of services by medical practitioners, but if any of the services are provided for the purposes of an independent clinic, or by medical practitioners in pursuance of the Health and Personal Social Services (Northern Ireland) Order 1972, it is not an independent medical agency”.
E-Commerce
Post-Brexit, the retained law is the E-Commerce Regulations, amended by the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019. The most significant impact of the amendments is to the “country of origin” rule such that a UK-established e-commerce operator will no longer be able to benefit from the previous principle allowing an information society service provider to comply with the laws of the country in which it is based. Instead, it will have to comply with the specific requirements of each jurisdiction in which it is active. A UK-based provider will therefore need to do the following:
(i) account for different contracting arrangements/requirements/information provision rules in each EU jurisdiction post-Brexit transition period (as well as complying with UK requirements when selling in the UK); and
(ii) be mindful of any limitation on offering a telemedicine service which may apply in each jurisdiction where it is active.
10. Does the law in your jurisdiction regulate under what circumstances physicians can use telemedicine in order to treat patients?
What are the requirements?
The General Medical Council, the royal colleges and the professional associations are in the midst of publishing standards of practice, procedures and protocols that will cover the use of telemedicine. 7
The GMC has published guidance on remote consultations. 8 Briefly, the doctor needs to consider whether a face-to-face consultation is necessary, or whether remote treatment may be appropriate. 9 If appropriate, then the doctor should obtain the patient’s consent for this method of provision of medical services. If the doctor is not the patient’s usual doctor, then s/he must ask the patient for consent to obtain information and a history from the patient’s GP and to send details of any treatment the doctor has arranged.
Remote consultations via use of telehealth can take place where the patient’s clinical need or treatment request is straightforward; the doctor has access to the patient’s medical records; all the information requested/needed by the patient can be given by telephone, internet, or video-link; the treatment does not require follow-up or monitoring; and the doctor has a safe system in place to prescribe medications if needed. If these are not met, and/or if the doctor needs to physically examine the patient; the doctor is unsure about the patient’s capacity; the doctor is unable to determine that the patient has all the information the patient wants or needs about treatment options; or the doctor is prescribing injectable cosmetic medications, then the consultation must be in person.
From October 2021, all GP practices are required to ‘offer and promote’ to their patients (and those acting on their behalf) the following:
- an online consultation tool
- a video consultation tool
- a secure electronic communication method
- an online facility to provide and update personal or contact information.
These requirements are all subject to existing safeguards for vulnerable groups and third-party confidentiality. They are to be in place alongside, rather than as a replacement for, other access and communication methods, for example, telephone and face to face contact. 10
Further guidance regarding directly bookable appointments was introduced in October 2022. This sets out requirements for online appointment booking following changes to General Medical Services (“GMS”), Personal Medical Services (“PMS”) and Alternative Provider Medical Services (“APMS”) contractual arrangements that came into effect in England from October 2022. Practices must now ensure that all of their “directly bookable” appointments are made available online, as well as by phone or in-person. 11
11. Do the standards of care applicable to physicians change in the context of using telemedicine?
The standards that the GMC sets for doctors apply equally to digital and conventional consultations.
This was reinforced in the GMC’s January 2024 update to its Good Medical Practice guidance, which includes specific considerations for remote consultations. Doctors are expected to provide “safe and effective clinical care, whether delivered face to face or through remote consultations via telephone, video link, or other online services.” 12
11.1 Are there legal requirements for physicians to give disclaimers or other types of notices to patients (as part of the consent process) before using telemedicine? If so, please indicate these.
After the doctor verifies the patient’s identity, the doctor will need to confirm consent for a remote consultation and confirm that the patient is in a private area to speak, explaining limitations of the medium used.
If a video consultation is used, then the doctor’s practice should use a system that incorporates a robust identity authentication process, allowing the doctor to control communications with the patient. 13
Doctors should inform patients that any data/information/photos/etc. sent to the doctor via an app will be added to the patient’s medical record, in order to obtain the patient’s consent to use other media forums for sharing of information.
The same principles of good clinical practice apply in online consultations as when speaking to a patient by phone or through other non-face-to-face contact. The doctor should see the patient in person if clinically appropriate, should confirm the patient’s agreement with management plans, and should ensure that GMC requirements for good care are followed.
Data Protection
Under the UK GDPR, a controller is required to meet transparency requirements, including providing data subjects with information on the processing of any personal data they provide (e.g., using a privacy notice). As explained above, the processing of health data is also subject to additional requirements under the UK GDPR where a specific condition must be satisfied to permit the processing of such data. (See in particular Articles 9, 13 and 14 UK GDPR.)
11.2 Does the use of telemedicine increase the risk of liability (e.g., if a physician is asked to certify someone’s fitness to engage in a particular employment and does so virtually versus an in-person consultation)?
The use of telemedicine does not particularly increase the risk of liability, per se. Doctors are held to the same standards as when not using telemedicine and will need to determine if a face-to-face consultation is necessary. See our response to Question No. 9.
12. Are there any restrictions on the type of medicine that can be prescribed through telemedicine?
In November 2019, a number of bodies (including the four organisations that regulate healthcare providers in each of the countries in the UK and the GMC) published a set of high-level principles for remote consultations and prescribing (the High Level Principles). 14 These state that UK registered healthcare professionals must prioritise patient safety, protect vulnerable patients, ensure patients understand how remote consultations work and that there may be limitations on prescribing, obtain informed consent, undertake an adequate clinical assessment, give patients all the available options, arrange after care, keep notes, and stay up to date with relevant guidance.
In conjunction with the High Level Principles, the GMC has published good practice guidance on prescribing and managing medicines and devices. 15 The standards of good practice apply to all doctors working in all settings. Advice on face-to-face and remote prescribing is integrated throughout the guidance, which aims to ensure that doctors practise safe prescribing. It includes considerations that apply when repeat prescribing, prescribing controlled drugs, or where responsibility for a patient is shared between colleagues.
The General Pharmaceutical Council (“GPhC”), the regulator for pharmacists, pharmacy technicians, and pharmacies in the UK, most recently published guidance in February 2025 16 for pharmacy owners providing pharmacy services at a distance, including on the internet, 16.1 which sets out further safeguards to help make sure that people can only obtain medicines from online pharmacies that are safe and clinically appropriate for them. Ultimately, the same general standards with which pharmacies would have to comply should also be complied with when prescribed medications are provided to patients remotely. Pharmacies cannot dispense medications without a doctor’s prescription, nor can they fill prescriptions written by a doctor who is not registered with the GMC.
On 4 February 2025, the GPhC published guidance for registered pharmacies providing services at a distance, including the online space. 16.2 This guidance incorporates feedback from a public consultation held in late 2024, and it introduces additional safeguards to enhance the safety and effectiveness of remote pharmacy services. The guidance applies to various remote services, including mail-order and internet pharmacy services, and emphasises the importance of risk assessments and appropriate consultation methods.
Notably, GPhC’s guidance tightens regulations for online pharmacies prescribing certain medications. Pharmacies must now independently verify a patient's weight, height, and body mass index before prescribing these medications. Online questionnaires or phone calls are no longer sufficient for this verification. 16.3
Moreover, the GPhC's updated guidance emphasises that, for high-risk medicines, prescribers cannot rely solely on information provided through online questionnaires. They must independently verify patient information through methods such as video consultations, accessing clinical records, or contacting the patient's GP or regular prescriber. 16.4
The National Health Service (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013 include a number of specific conditions subject to which distance-selling pharmacies may operate in England.
GPhC guidance specifically refers to service providers working with non-UK service providers in respect of UK patients and sets out specific minimum obligations on such UK service providers. 17
As of March 2024, all GP surgeries in England were expected to have transitioned to digital phone lines to improve patient access and streamline appointment bookings. 17.1 Backed by a £240 million investment, more than 1,000 practices had already signed up to switch from analogue to modern digital systems, designed to make it easier for patients to receive care when needed. While this was the government’s goal, the status of every individual practice cannot be confirmed, so the statement reflects expected, rather than verified, completion.
13. Are telemedicine services reimbursable under the state’s medical insurance / subsidy / coverage?
Healthcare in the UK is funded primarily by the public healthcare system, the National Health Service (“NHS”). Responsibility for the NHS is a devolved power, meaning that the devolved governments of Scotland, Wales, and Northern Ireland are responsible for the operation of the NHS in those respective countries.
Telemedicine services can be reimbursed or funded by the NHS, and NHS England continues to develop digital infrastructure and service models to expand access to digital-first and remote care.
13.1 If so, are there any special provisions about the reimbursement/coverage of costs regarding the use of mobile apps that can combine digital health and telemedicine?
There are no statutory provisions specific to reimbursement/coverage of telemedicine/healthcare mobile apps. However, services may be commissioned or subcontracted through standard NHS contractual frameworks (e.g., via General Medical Services (GMS) contracts in primary care or NHS Trust procurement in secondary care).
Newer developments that may affect the coverage of costs in digital health and telemedicine include:
- NHS Digital Health Technology Standards Framework: The NHS is working with the National Institute for Health and Care Excellence (“NICE”) to build a framework which will support approval pathways for mobile apps and digital tools. 18
- NHS Digital Primary Care programme: Updated guidance encourages the use of approved digital tools and apps that support patient access, online triage, and video consultations. These tools may be eligible for NHS funding through primary care contracts, subject to local commissioning decisions. 19
- NHS App integrations: Many telemedicine apps that meet security and interoperability requirements are now integrated with the NHS App. These integrations may receive central funding from NHS England for use across GP practices and NHS Trusts, enhancing accessibility and patient engagement. 20
Additionally, the government's commitment to digital transformation includes a £10 billion investment to modernise NHS infrastructure, with a focus on integrating digital tools and technologies into routine care. This investment is expected to further support the adoption and reimbursement of digital health solutions across the NHS. 21
13.2 And further, if yes, who is covering the costs for apps that are mostly used by healthcare professionals and by patients?
As of 2025, NHS Trusts, GP practices, and Integrated Care Boards (“ICB”) typically cover the costs of digital health tools through NHS budgets. These tools must meet the Digital Technology Assessment Criteria (“DTAC”) and procurement guidelines to be eligible for funding. 22
While some patient-facing digital tools and telehealth services are free, either via the NHS App, or embedded in NHS online services, many advanced or third-party apps remain self-funded by patients unless explicitly commissioned. 23
Some apps are now funded through NHS innovation grants or pilot schemes (especially those supporting long-term conditions, remote monitoring, and preventive care). 24
Some recent initiatives on reimbursement of digital health solutions include:
- NHS Digital Tools Funding 2024/25: ICBs have been allocated £48 million to fund capabilities related to Digital Pathways and demand and capacity tools, supporting the integration of digital solutions into care pathways. 25
- Digital Health Partnership Award: This award assists NHS organisations in England to bid for funding to accelerate the adoption of digital health technologies, particularly those supporting patients with long-term conditions. 26
- Digital Inclusion Innovation Fund: A £9.5 million fund supporting innovative interventions to build the evidence base on effective digital inclusion, ensuring equitable access to digital health tools. 27
14. Are there specific data protection regulations covering telemedicine (outside the context of using a digital health app) in your jurisdiction? If so, please summarise what they are.
Data protection
Besides the legislation referred to above, there are no other specific data protection laws or regulations relating to telemedicine in the UK.
Equality Legislation
Although not related to data protection, the obligations under equality legislation referred to above equally apply to telephone services. The EHRC guidance for users of healthcare and social care services refers specifically to telephone services and gives examples of potential reasonable adjustments, including for example availability of a textphone to accept calls from people with a hearing impairment. 28
15. Are you aware of any future legal developments in your jurisdiction with regard to telemedicine?
To date, not all of the relevant healthcare regulators have developed their regulatory frameworks to appropriately capture this type of healthcare provision. As such, we expect regulation in telemedicine to increase as the delivery of these services becomes more commonplace within the provision of healthcare.
With regard to data protection, Schedule 15 of the newly enacted DUA Act amended Part 9 of the Health and Social Care Act 2012 by making provision about information standards for health and adult social care in England. The Secretary of State is empowered to publish information standards that now explicitly include standards relating to information technology (IT) and IT services used in connection with health and adult social care in England, and has the power to add further safeguards. Compliance can be monitored by the Secretary of State or a designated body, and action can be taken where standards are not met.
The practical impact for telemedicine is that telemedicine providers must comply with IT standards that are now possibly stricter and ensure that their systems are accredited and compliant with these new information standards. The information standards implement systems that facilitate secure data sharing with other health care and social care providers, supporting integrated care and continuity of information. The effect will be to facilitate greater interoperability and data security across the sector.
The Care Quality Commission (CQC) continues to expand its oversight of online healthcare providers, with particular attention to safety, quality of care, and the growing use of AI‑driven diagnostic tools. Alongside this, the UK Government has consulted on proposed changes to the CQC’s regulatory framework, reflecting a wider policy direction to adapt oversight to new models of healthcare delivery. In parallel, the MHRA is progressing reforms to the Medical Devices Regulations 2002, which will have implications for digital health technologies, including software and apps used in telehealth.
Generally, we anticipate that the scope of regulation of digital healthcare and telemedicine will ultimately widen and incorporate services that are not currently captured by existing regulation, particularly in relation to remote monitoring, AI-assisted care, and cross-border provision of services. There is also increasing regulatory focus on advertising and consumer protection (notably under the Digital Markets, Competition and Consumers Act), which will affect how telemedicine providers promote their services and make medical claims online.