As the healthtech market continues to grow, so too does the range of legal issues that suppliers need to consider to successfully commercialise their products. We look at four key issues in this article: attracting funding and investment, developing a regulatory strategy, managing your data governance, and contracting and collaborating with others.
The article is of broad application to medical devices but with a particular focus on software and health apps.
Investments and transactions to fund development of your medical device
One of the most important, if not the most important, requirements for your business will be funding. Initially, funding may come from friends and family, and then potentially a seed raise. But after that you are likely to need more significant investment from angels or other funders. Whether you are a small start-up, owner-managed business or a relatively mature business, understanding the range of different options for funding is important.
Broadly, fundraising can be split into two categories: debt and equity. Debt involves the granting of some manner of credit facility to the company, which is then repaid over time with interest. Equity is the sale of shares in the company for cash. There is no ‘one size fits all’ approach to corporate finance, and it is important to understand what options are available to you, and how those options will help your business to grow.
When raising any kind of capital, funders will want comfort on a number of points, most notably:
- Good governance – funders will want to know that the company is being run in a way that ensures compliance with various legislation affecting companies, ensuring that adequate records are kept and consideration paid to legal, regulatory and commercial obligations, as well as providing an audit trail for decision making processes and accounting.
- Strong management team – one of the first sets of questions funders will ask is about the management team. These are the people that will be driving the business toward its goals, and should be sufficiently experienced to effectively manage the business.
- Business plan – a fundamental question when fundraising is ‘where will the money go?’ A strong and well researched and prepared business plan will show how funds being raised will be used to advance the business in furtherance of its aims, and will provide funders with comfort that funds will not be mismanaged or misallocated, and that the business will grow in a way which enables funders to realise their investment.
- Suitability – not all sources of funding will be suitable for all businesses; asset financing would not be suitable for a professional services business, while a start-up business will likely not be at the stage of its life where an IPO would be suitable. A corporate finance adviser will be able to work with you to assess what financing route will work best. This may include work to put in place certain measures, or remedy others, to make the business more appealing to investors.
- Compliance – funders will want to know that you have all necessary regulatory consents and registrations for your software-based medical device, including from the MHRA or, if you do not have them yet, that a process is in place to obtain them. They will also want to know that you own, or have control of, all intellectual property needed to develop the business.
Corporate solicitors can also assist by conducting a ‘legal audit’, which will go through the same due diligence process that will be undertaken by funders in order to highlight any areas where improvements can be made.
Debt finance is available in a number of forms, which may include: loans; rotating credit facilities; asset financing; invoice financing; and others. Whilst banks are a common source of debt financing, they are not the only funders of this nature, and other financial services providers may be a better fit for your business. In most circumstances, funders will expect the company to provide some form of security to guarantee the company’s obligations to repay the debt. In some circumstances, directors may also be asked to give a personal guarantee.
Equity can be further separated into private and public equity.
Private equity is an agreement between the company and private individuals or, more commonly, private equity houses whereby the private equity investor invests money in the business in exchange for shares in the capital of the company. Where a PE house invests, they will want the company and its shareholders to adopt new articles of association and enter into a shareholders’ agreement, in order to manage the corporate structure of the company. They will also appoint at least one investor director to the board, who will have input to board meetings. How private equity works in brief is that investors help to facilitate the growth of a business, and therefore its value, such that they may then exit the business by selling the shares that they hold at a profit.
Public equity is the trading of shares on a market operated by a stock exchange. In the UK, the London Stock Exchange operates its main market list, AIM (formerly Alternative Investment Market) and ISDX. UK companies may also list on overseas exchanges, such as New York or Tokyo. Public equity has potentially unlimited fundraising capabilities from retail and institutional investors across the world. The downside is that the process of listing shares for sale on an exchange is lengthy, expensive and likely only suitable for mid to large corporates. In addition, public companies are subject to far more scrutiny than private companies. In the first instance, the company would need to complete an initial public offering (IPO), being the first time that shares are made available for sale on the exchange. Subsequent fundraises would be pursuant to a ‘placing’ of additional securities for sale.
The regulatory framework for medical devices
It is perhaps understandable that many people are unaware that stand-alone software used in a healthcare setting may constitute a medical device, an in vitro diagnostic (IVD) medical device, or an accessory. If it does qualify as such a device, it is an offence to sell or supply it unless it conforms with the applicable legal standards.
The classification criteria which are used to determine when stand-alone software attracts regulatory requirements are not, however, straightforward. This is further complicated by the upheaval that we have seen in medical device regulation as a result of Brexit and the adoption of a new Medical Device Regulation in the EU. The recent Medicines and Medical Devices Act 2021 allows the UK to amend and develop new regulations for medicines, devices and clinical trials, but as things stand at the time of writing, the applicable legislation for devices in Great Britain remains the 2002 Medical Regulations (the position being more nuanced in Northern Ireland).
So when does software become a medical device?
Medical devices are defined in the UK Medical Devices Regulations as being:
“…any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnosis or therapeutic purposes or both and necessary for its proper application, which –
(a) is intended by the manufacturer to be used for human beings for the purpose of—
(i) diagnosis, prevention, monitoring, treatment or alleviation of disease,
(ii) diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
(iii) investigation, replacement or modification of the anatomy or of a physiological process, or
(iv) control of conception; and
(b) does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, even if it is assisted in its function by such means.”
It follows from this definition that, while the regulations specifically include software within their scope, it is also necessary to consider the intended use and purpose of the software to determine whether or not it constitutes a medical device.
Stand-alone software must have a ‘medical purpose’ to qualify as a device. This necessitates looking at the purpose of the software itself: the test does not include software which is incorporated into an existing medical device. For example, built-in software which controls a CT scanner will be treated as a part of that device, not as stand-alone software requiring its own classification. However, software which interprets CT scan results to aid diagnosis may well be a medical device.
When considering use and purpose in the context of classification, it may also be helpful to consider the function of the software and the action it performs on data. For example, software that merely stores electronic patient records is unlikely to be categorised as a medical device, but if it incorporates modules which provide additional analysis that contribute to diagnosis or therapy (for example, a patient medication module), then this may be classified as a medical device.
Similarly, the purpose of the software itself must be medical, not just applied in a medical context. For example, a clinical information system which records and stores data relating to patient identification and clinical observations will not usually be considered a medical device in itself: however, if it incorporates a functionality which provides additional diagnostic or therapeutic information then it may qualify as a device.
This distinction between medical and non-medical purposes can be nuanced, depending on the circumstances. An example given by the Medicines and Healthcare products Regulatory Agency (MHRA) is the use of an application which uses an accelerometer in order to detect falls in epileptic patients. This is likely to be regulated as a medical device because its purpose is medical, whereas the use of the same application to alert a carer when an elderly person gets up out of bed in the social care context would not be regulated as a medical device.
A further consideration is whether the software is used for the benefit of individual patients or for a cohort. Stand-alone software which is used to interpret or evaluate data relating to the medical care provided to an individual may be a medical device, whereas software used to analyse population data or to create generic treatment plans will not be.
The MHRA has published useful guidance on the regulation of health apps, suggesting that there are a number of key words which are likely to contribute to the MHRA determining a health app is a medical device, including: amplify, analysis, interpret, alarms, calculates, controls, converts, detects, diagnose, measures, and monitors. These of course reflect the provisions of the medical device regulations discussed above, and many of the same questions discussed above will arise in relation to classification.
In September 2021, the MHRA published a consultation on the future regulation of medical devices in the UK. The overall aims of the process are to develop a future regulatory regime for medical devices which enables:
- Improved patient and public safety;
- Greater transparency of regulatory decision making and device information;
- Close alignment with international best practice; and
- More flexible, responsive and proportionate regulation of medical devices.
The document sets out a range of notable and novel proposals, including new access pathways to support innovations, and a new regulatory framework for software and AI as medical devices.
Although still proposals, the level of specificity in the consultation document suggests the proposals are already at an advanced stage of development. They are therefore a useful and important guide for companies looking to develop products in the UK.
Chapter 10 is of particular note to software developers. The consultation document recognises that software and AI as devices have grown in market share and complexity. At times, this has resulted in a regulatory lag, so regulations need to be revised to protect patients and support innovation. A new definition of ‘software’ as “a set of instructions that processes input data and creates output data” is proposed, together with wider proposals, including:
- New requirements for persons selling SaMD at a distance via electronic means (eg via websites and app stores) through modification of the definition of ‘placing on the market’;
- Measures to ensure pre-market scrutiny to check safety, quality and performance of SaMD;
- Introducing minimum requirements relating to cybersecurity; and
- Defining specific requirements for AIaMD.
The consultation closed on 25 November 2021 and the MHRA aim to publish their response in April 2022 with a view to new regulations coming into force on 1 July 2023 (to align with the date for CE mark transition).
In addition to the requirements of the MHRA, it is also important to understand the other regulatory requirements which can apply when selling to the NHS. These include NHSX’s Digital Technology Assessment Criteria for Health and Social Care, NICE’s Evidence Standard Framework and the NHS Information Governance Toolkit.
Using personal data in your medical device
Where your software based medical device is driven by personal data, there are legal requirements that often have real practical and technological implications - such as user verification, interface design, and the technical functionality and security of your products, tools, mobile apps and websites.
It is best to have a proper understanding of these requirements and bake them into your product from the outset, rather than try to make changes further down the line. The latter can trouble investors and customers about the maturity of your product, generate concerns amongst customers and end users about requests being made to change how their data is used, and potentially even require renegotiations with your customers.
- Privacy by design - your product must incorporate features that facilitate - rather than complicate - the ability of your organisation and your customers to achieve and demonstrate compliance with data protection, and of end users to exercise rights over their data. The use of mobile apps and privacy dashboards makes this more immediate and accessible for end users while also increasing efficiency in managing consents, privacy notices, marketing and opt ins/outs. Providing individuals with easy ways to exercise their rights and more granular control over how their data is used can help you do new and exciting things with data (e.g. research, product development and AI) without undermining confidence in the confidentiality of data used for your product's core functionality.
- Controllers and processors - whether or not you are a controller or processor (or both for different aspects of processing) will have a substantial impact on the responsibility and control you have over the data. Signing a standard data processing agreement with little thought to what it says is likely to seriously restrict your use of data. Which processors you use, and where in the world data will be hosted, will also have an impact on the complexity of your data protection compliance.
- NHS policies and procedures - if being marketed to NHS customers, your app should interface with NHS systems, meet NHS information standards and facilitate NHS-specific policies, such as the national opt-out.
- Accessibility - if deployed within the public sector, your app and website must meet accessibility standards.
Collaborations to develop your medical device
It is very likely that the development of your software based medical device will involve collaboration with other individuals or businesses. There are certain key issues to be aware of when entering into collaborations.
At the outset, this may be collaboration with your business partners/investors or third parties providing a particular contribution such as a software developer. It is important to recognise these collaborations for what they are – a vital means of moving your product forward but also a risk in terms of disclosure of confidential information and intellectual property.
To protect against this risk you should have a standard form Non-Disclosure Agreement (NDA) that you can require your collaborators to enter into. Other agreements may be needed at this stage, including for example consultancy agreements and/or Heads of Terms, but the NDA is a key early stage protection.
As your innovation, product or service develops you are likely to need more comprehensive contractual arrangements with your collaborators. For example, many start-ups will secure some form of grant funding from the likes of Innovate UK and will need to ensure that the terms of the funding are passed on to collaborators.
This may lead to putting in place a Collaboration Agreement, for example involving your business, a university and a hospital trust with whom you are collaborating. This agreement will document each party’s contributions and access to funding, as well as other key terms such as in relation to protection and exploitation of intellectual property. If you are involved in clinical trials or research studies, the collaboration may take the form of one of a range of model agreements available for this purpose.
It is important to put in place the right agreements at the right time. You may not need to devote significant time and resource to legal arrangements early on, but as your business develops your contractual arrangements will become increasingly important. They will provide certainty for your business, for example about ownership of your vital intellectual property, and this is certainly something investors will want to see.
This article is an updated version of one previously published on 29 April 2021.