With telehealth surging around the globe due to the COVID-19 pandemic, the UK National Health Service has released guidance that provides a set of good practice principles for third-party partners to follow.
Telehealth is not a term widely used outside of the healthcare sector. However, it is increasingly a feature of healthcare services regularly accessed by patients. Telehealth is defined differently by regulators in different jurisdictions and there is no single agreed legal definition in the United Kingdom. In broad terms, telehealth encompasses any healthcare service provided remotely, typically through information and communication technology.
Two key drivers of health and social care policy over the last decade have been an increased focus on patient convenience and growing budgetary pressures. The COVID-19 pandemic has resulted in acute capacity challenges and the requirement to reduce face-to-face contact. Each of these factors has contributed to an increased focus on telehealth.
The size and scope of the United Kingdom’s universal healthcare provider, the National Health Service (NHS), make the United Kingdom’s healthcare sector almost unique in comparison to its global peers. The NHS provides universal, nondiscriminatory healthcare to all citizens that is free at the point of use. While many countries have made significant advances in adopting telehealth services, the United Kingdom’s telehealth provision prior to the COVID-19 pandemic was comparatively underdeveloped.
However, during the peak of the crisis, the UK Secretary of State for Health Matt Hancock declared that NHS general practitioners (GPs) should see patients remotely by default. This precipitated a significant leap in the number of virtual GP appointments from 25% to 71%.
Such eye-catching statistics are not restricted to virtual GP appointments; similar statistics can be seen across many NHS services during the COVID-19 pandemic. Registrations to use the NHS app increased by 111% from February to March 2020. Use of the nonemergency online advice site, NHS 111 online, for the period of June to November 2020 was up 257% compared to the same period in the previous year.
The shift toward an increased focus on telehealth predates the pandemic, as demonstrated by the creation of NHSX in 2019, a technology-focused department with a remit to lead the world’s largest digital and social care transformation program. However, the pandemic appears to have crystalized policymakers’ appreciation of the efficiencies and opportunities that telehealth presents.
Mindful of the challenges presented by the growing provision of digitally enabled care, the NHS published guidance in January 2021 to update the Code of Conduct for Data-Driven Health and Care Technologies. The guidance provides a set of good practice principles (the Principles) that third-party partners should follow. The Principles set out the standards the NHS will use to assess any telehealth innovation. While the Principles are just guidance at this stage, they offer a useful insight into the standards policymakers are seeking to apply in this area. Given the extent of NHS control over healthcare provision in the United Kingdom, any technology provider that is seeking to impact the UK healthcare sector would be well advised to take heed of the Principles.
Regulation in healthcare is understandably vital to maintain patient safety. While most laws and regulations are appropriate for the provision of traditional healthcare services, many jurisdictions have yet to update their regulatory regime to accommodate telehealth delivery.
The scope of the legislative and regulatory challenge is vast. Remotely conducting examinations and issuing prescriptions risks incorrect diagnosis and treatment. Running alongside this key therapeutic concern, there are significant technology-specific hurdles; for example, in respect of the reliability of equipment and storage or transfer of patient data. As telehealth continues to evolve, so will the challenge of applying existing regulations to the new technology.
At present, UK laws and regulations do not specifically address telehealth.
The Care Quality Commission (CQC) is the regulator for healthcare providers in England (with Northern Ireland, Scotland, and Wales each having its own regulator). The CQC requires all service providers to register in order to provide remote medical advice. Providers must satisfy the CQC that the care and treatment they provide will meet the requirements of the Health and Social Care Act 2008 and associated regulations. This means digital providers of medical advice are regulated by the same regime as nondigital providers.
In addition to the regulation of healthcare providers, each medical practitioner is regulated by a health and social care regulator. These regulatory bodies regulate individual professions (e.g., the General Dental Council and General Pharmaceutical Council) regardless of whether the professional is in private practice or works for the NHS. These regulators have sought to issue guidance to their professional groups. For example, the General Medical Council has issued guidance on remote consultations following the outbreak of COVID-19 and the General Pharmaceutical Council has issued guidance on the provision of online pharmacy services.
The expansion of telehealth presents challenges for regulators, notably the CQC. One example, which has received significant press coverage, is the prescribing of medication online. As patients move away from the traditional face-to-face GP setting, the CQC has sought to ensure the traditional standards of quality and safety are imposed on online providers. This has seen the CQC use its power as a regulator to suspend the licences of providers failing to adhere to its standards. Healthcare regulators are not alone in seeing the internet pose such challenges. Regulating online services and content is an issue for regulators and governments across the world and across sectors. While online prescriptions are a key current concern in the health sector, this will likely be just one of many challenges that the growth of telehealth poses to UK regulators in the coming years.
Regulatory treatment of the software and other equipment used in telehealth is complex. Some software may be considered to be a medical device. The definition of a medical device includes standalone software and specifies that when software is used in combination with a device that is “intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes” it will be considered a medical device.
For example, software intended to enhance images from X-ray or ultrasound will likely be considered a medical device. However, software that functions purely as a patient management system or a records storage system will not be considered a medical device. A substantial gray area exists between these two extremes. For example, we understand that telecare alarm systems (devices that alert family or healthcare professionals that a user is in discomfort or need of assistance) are unlikely to be considered medical devices; however, some specific telehealth systems or products used with such systems may well come within the remit of medical device regulations. This is a complex and evolving area.
In 2018, the General Data Protection Regulation (GDPR) introduced new data protection laws across the European Union. The GDPR plays an important role in regulating telehealth services as it places limits on the lawful processing of an individual’s personal data. In other sectors, organizations typically rely on individual consent as a lawful basis to process data. However, the Information Commissioner’s Office (ICO) advises that consent will not always be appropriate or necessary for data protection purposes in the healthcare sector (providers of telehealth services and healthcare more broadly can often rely on exceptions that apply to official authorities and health or social care systems).
As digital technology plays an ever-increasing role in day-to-day life, awareness and scrutiny of personal data protections will continue to grow. The uptake and acceptance of telehealth will inevitably be linked to patient confidence in the security and application of their data. A joint Lancet and Financial Times Commission (the Commission) was established in October 2019 with the aim of producing recommendations for the future governance of telehealth. The Commission aims to consider how best to balance the potential for considerable scientific benefits derived from data sharing with individuals’ rights to privacy. The Commission aims to conclude its consultation of sector stakeholders and experts in December 2021.
The ICO confirmed that GDPR rules will effectively be retained in UK law after Brexit as the provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period as the UK GDPR. It should be noted that the United Kingdom’s independence from the European Union will give it the right to amend relevant legislation, and any future amendments could have significant implications for how providers handle patient data. However, because of the United Kingdom’s new “third country” status, the European Union will require that equivalent privacy laws are maintained in order for data to be transferred freely between the European Union and the United Kingdom. The importance of transferring data with the European Union makes it extremely unlikely that the United Kingdom will significantly diverge from the current GDPR requirements.
As an increasing reliance is placed on telehealth for the United Kingdom’s healthcare provision, the absence of wide-ranging and specific professional standards, procedures, and protocols for telehealth is likely to become an increasingly pertinent issue. As demonstrated by some US and Canadian jurisdictions, specific standards are being imposed on telehealth services. Restricting the scope of remote prescriptions is a common example. Even prior to COVID-19, Germany passed legislation in the form of the Digital Healthcare Act, which sought to address the country’s future healthcare provision through digitalization and innovation. By legislating to ensure meaningful changes to its digital health tools, such as fast-tracking regulatory approvals, Germany’s approach has been heralded as a model for other nations.
However, as each nation adopts new regulations and laws to accommodate telehealth, the absence of a coherent global framework has been highlighted as a threat to the progress of healthcare innovation. In many cases, digital technology could be developed but is hindered by the lack of international coherence on issues such as data, funding, access, and oversight.
As the current COVID-19 crisis subsides, technological advances continue, and telehealth embeds further in the United Kingdom’s healthcare system, it is possible that further specific regulations, either locally or as part of a coordinated international approach, may be considered a logical step.
Telehealth is a highly regulated field and legal issues can vary across payers, across states, and even across countries. Morgan Lewis provides companies around the world with integrated legal guidance related to telehealth and digital health technologies. Our lawyers work seamlessly together to advise and represent telehealth provider networks, hospitals and healthcare providers, digital health, life sciences and technology companies, employers, investors, and other telehealth stakeholders.