First Read for Health Tech Founders: Navigating UK Regulations
By Benedikt von Thüngen, Alex Merwin and Anna Boden
If you're a first-time founder, introducing tech innovation into the UK’s health system is an intimidating experience. However, you can successfully deploy clinically validated innovations while managing costs with the right advice and approach.
First, we must acknowledge that a single article can only partially chart this complex landscape. Instead, consider this an introductory guide – providing a mental model of the regulatory process and agencies. We also highlight advisors and thought leaders who can help you.
The regulation landscape is changing rapidly: if your product impacts or influences clinical decision-making, it needs to be regulated as a medical device. This ensures that your product is safe and works as intended, so it can only be a good thing (and is not meant to scare you off!). Many previously unregulated tools must adhere to stringent regulations and produce lots of evidence. Generating and summarising this evidence can be difficult and time-consuming, so this article gives you an overview of what regulatory steps you should consider immediately. If you lean into regulatory compliance, you’ll be miles ahead of your competitors and reduce time to clinical value. Put another way, would you be comfortable if an unsafe or untested algorithm influenced your medical treatment?
There are two main pathways first-time founders should consider. First, the regulatory pathway, which ensures your product is safe and effective. Second, the health economics pathway, which establishes to the NHS that there is real value for money in deploying your solution. You must demonstrate that your product cuts costs or even releases cash across the health system.
1. The Regulatory Essentials
The MHRA (UK), EMA (EU) and FDA (US)
These are your primary regulators. The MHRA / EMA / FDA are the gatekeepers, ensuring your solution is safe and effective. They’re not the bad guys; they’re your assurance that what you bring to market helps patients. Starting from their perspective is crucial. The MHRA decides whether it wants to model its regulatory process on the European Medicines Agency (EMA) or the US Food and Drug Administration (FDA). We believe the EMA is more stringent and has higher evidence standards and thresholds, and you should benchmark your new medical device here. The FDA is increasingly accepting European evidence, and regulatory standards generally converge toward the most stringent, for example, GDPR standards. Also, by adhering to more stringent requirements, you are building credibility with your future customers (e.g., hospitals and insurance providers), who are naturally very sceptical and slow adopters of innovation due to the high-stakes nature of healthcare.
Key Questions for Founders:
Have I reviewed the MHRA's or EMA’s latest guidelines?
Does my product/solution influence clinical decision-making? If yes, it will be classified as a Class II Medical Device.
How does my product align with their safety and efficacy standards?
Notified Bodies
Notified Bodies are like regulatory guides, helping you navigate the standards required for market approval. They are essential for obtaining necessary certifications, like the CE mark or the UK-specific UKCA mark. The US has a slightly different approach here.
Notified Bodies are often the most significant bottleneck to getting your product regulated, with wait times for the first meeting between six and twelve months (due to capacity shortages) and approval timelines of 12-18 months. Therefore, the sooner you engage with them, the better, even if you feel unprepared. More than 50% of MedTech companies fail or run out of cash because of the long timelines to obtain regulatory approval. Therefore, ensure that engaging a Notified Body is an early priority. If you are developing Software as a Medical Device (SaMD), several innovative Notified Bodies, such as Scarlet, can accelerate these timelines. With all of them, spend time building a solid relationship and understanding their requirements.
Key Questions for Founders:
Which Notified Body is the best fit for my product?
How do I prepare for the certification process?
ISO – the International Organization for Standardization
Developing your medical device in a safe and compliant manner is critical. The medical device graveyard is littered with companies that have built great medical devices with impressive results. However, they had to re-do everything because they could not demonstrate that it was built safely and competently! Your best friends are ISO 13485 and ISO 14971, the gold standards for Health Tech credibility and safety. They signal to the regulator (and customers!) that you’re serious about quality. Don’t overlook them. Embracing these standards from the start will save you loads of pain in the long run. We also recommend embedding their terminology and how you think about risk and quality into your product development culture from day one. This will save you a ton of time later in the process. Good engineering culture considers this naturally (think about sprint planning, proper documentation, retrospectives, risk registers, etc). However, how you document and your team's language are essential to setting a compliance-friendly culture from day 1.
Key Questions for Founders:
How can I integrate ISO standards into my product development process?
How can ISO certification directly benefit my customers?
What are the key meetings, documentation and terminology I need to use?
2. Health Technology Assessment: Health Economics & Proving Your Worth
National Institute for Health and Care Excellence (NICE) Evidence Standard Framework (ESF)
Most healthcare systems, including the NHS, will only adopt your innovation if it demonstrates value for money, which is where NICE comes into play. NICE doesn't regulate; it evaluates cost-effectiveness. Adhering to its standards maximises your chances of passing Health Technology Assessments (HTAs) – a critical step to gaining adoption. NICE’s Evidence Standards Framework (ESF) is a helpful starting point; you can work backwards from their template to develop your evidence-generation strategy.
Any HTA looks for robust evidence that your product is either more effective (e.g., better than the gold standard) or cheaper. The home run is, of course, if you can demonstrate both.
Key Questions for Founders:
How does my product provide value for money, according to the ESF?
What evidence must I collect to prove my product's effectiveness and efficiency?
Information Security - DTAC and DSPT
Digital Technology Assessment Criteria for Health and Social Care (DTAC) and the Data Security & Protection Toolkit (DSPT)
There are many standards to adhere to, but the key ones (in our eyes) are DTAC and DSPT. DTAC is your yardstick for measuring the effectiveness and safety of your digital health tool within the NHS. The DSPT, a part of DTAC, focuses on how well you manage and protect data – a non-negotiable in today’s landscape. Trust is slowly gained and quickly lost, especially when working with sensitive data, and DTAC and DSPT are there to help you. ISO 27001 will soon be on your radar and will ultimately be required. However, it is a mountain of work. It is good, though, to familiarise yourself with the standard at a high level when designing your systems so that you are not inadvertently creating too much compliance & InfoSec debt.
Key Questions for Founders:
Are my product’s features compatible with DTAC standards?
What measures have I taken to ensure data security and compliance with DSPT?
3. Navigating the Maze: Your Action Plan
Start by embedding compliance, regulatory, and InfoSec considerations into your design process. It’s not just about building something great; it’s about building something compliant you can bring to market. Involve experts who understand the nuances of these frameworks and can guide your development process accordingly. Also, be curious and learn about the standards yourself.
Remember, your journey doesn’t end with obtaining regulatory approval or NHS adoption. It’s a continuous process of adapting to evolving standards and maintaining the trust of regulatory bodies and the end-users – patients and healthcare professionals. Also, as regulation typically only moves in one direction, focus on the highest standards and maintain compliance with them. Ultimately, effective compliance requires attention and energy. Embed compliance into your culture, and you won’t regret it - we promise you!
In conclusion, while the path to health innovation might seem tangled with regulatory red tape and bureaucracy, it’s far from impassable. Remember that agencies, notified bodies, and published standards are there to help you - we all share the goal of reducing time to clinical value. With the proper understanding and approach, you can navigate the maze, emerge victorious, and meaningfully contribute to improving healthcare.
Founder & CEO at AUMI AI
9mo
Thanks, Alex; it's an excellent overview. You mentioned that getting the CE mark requires more evidence than the FDA. Could you share some thoughts or links for a deeper discussion of the topic? Although I only have experience with imaging AI products, it seems that the FDA is significantly ahead of the EMA. They developed a very detailed set of guidance documents with a good understanding of the technology; they do require clinical investigation rather than just a literature review, etc.
AI futurist and Innovation Lead | Avid learner, competitive and QSIR led | Conduit between health tech and frontline clinical
9mo
Chris Fernandes
Head of Legal and Operations at KHP Ventures | ECVC lawyer
9mo
Good read Alex Merwin and Benedikt von Thüngen - presumably a lot of transferable principles for new AI regs too!
Health | Innovation | Insights | Enterprise | Finance | Policy
9mo
Alex Merwin I completely agree! It's refreshing to see a shift in perspective where compliance isn't viewed as a burden, but rather a springboard for responsible innovation in healthcare.
Co-founder CEO at Resony - Digital therapeutics | Top 100 Asians in Tech | Mental health innovator & Speaker | Oxford MBA
9mo
This is a good first read but I would add 2 improvements from my perspective as a founder who navigated the regulations mentioned. First, check if your product classifies as a medical device using simple tools such as a flow chart or Reg Metrics. Second, adjust the soft signalling that NHS only adopts NICE approved innovations. NICE assessment is undoubtedly a high bar to prove value for money but is still guidance. This is especially visible in Digital health where NHS bodies procure tools to suit their needs even if the tool is not yet NICE-recommended.