Open call for evidence

Summary - Information on how AI is used in Health and the Current Regulatory Frameworks

Published 18 December 2025

This section contains information which may be helpful background when considering your responses to this Call for Evidence. It contains technical information for people familiar with medical device regulation. We have also produced a summary of this information with less technical language, which can be found in the next section.

How AI is being used in healthcare

Healthcare artificial intelligence (AI) covers a large range of products, used in a broad range of contexts, with the level of risk and the sources of assurance varying across them.

Starting outside formal healthcare services, a recent survey estimated that just under 1 in 10 people use large language model (LLM)-based chatbots as the source of information they ‘most often’ use for health and care purposes. Health and wellbeing apps have provided citizens with AI-generated analyses of health data from personal devices for many more years.

Moving into administrative uses in formal care settings, some health providers are using automated systems with conversational interfaces to invite patients to screening appointments and schedule appointments via messaging. 

Ambient Voice Technologies (AVTs) are used to summarise consultations. AI-enabled AVTs can record and summarise consultations, reducing the amount of note-taking that health professionals need to do. A newer class of patient assistant services has been emerging, providing patients with their own record of a conversation and advice based on it.

Other AI health technologies may be useful in screening (for example, in detection of cancer), in diagnosis, in supporting treatment decisions and in helping deliver therapies. Some AI technologies have relatively ‘narrow’ tasks (for example, screening for one condition) and others have broader applications (for example those that are based on newer forms of AI such as large language models). Additionally, AI can now be designed to coordinate multiple specialist AI systems to undertake more complex tasks (known as ‘agentic AI’).

The existing regulatory framework

Device regulation

Regulation provides the most formal source of assurance for AI in healthcare. Processes are designed to ensure products placed on the market meet the performance and safety requirements as claimed by the manufacturer and required by the regulations. When regulations are effectively implemented, they should give healthcare professionals and patients confidence the product is safe and effective. Products are medical devices when they meet the definition of a medical device as set out in the Medical Devices Regulations 2002. AI and other forms of software which have a medical purpose and fall within the definition will currently qualify as medical devices.

Pre-market assessment

The Medical Devices Regulations 2002 define classes of risk for medical devices (including software and AI), and the requirements against them. For low-risk devices, manufacturers must self-declare conformity with the requirements of the regulations. For medium-risk and high-risk medical devices, assessment processes apply scrutiny to a product and manufacturer to ensure it meets the relevant regulatory requirements. In Great Britain, Approved Bodies carry out independent assessment of conformity of medium and high-risk medical devices, reviewing for example the clinical evidence and risk management, manufacturing and quality systems, and labelling and instructions for use. Once this is complete, the manufacturer must register the device with the MHRA before placing it on the Great Britain market. Due to its unique access to both the UK Internal Market and EU Single Market, Northern Ireland follows EU regulations for medical devices, and a CE certificate and marking are required.

Data privacy and security

When accessing, using and managing patient data, all parties involved need to ensure this data is used in a secure way, which does not compromise the safety of the patient. The process for doing this is set out in several pieces of legislation.

This includes the:

  • Public Records Act 1958, which sets out the responsibilities placed on officials when they access data
  • Freedom of Information Act 2000, which outlines how the public can access data held by public institutions
  • Health and Social Care Act 2008, which requires healthcare providers to maintain safe, accurate and complete patient records
  • Data Protection Act 2018, which sets out how personal information can be processed
  • Data Use and Access Act 2025, which introduces changes to GDPR, specifically around the use of data for scientific purposes

When looking to access data, all parties should work together to complete a data sharing agreement and a data protection impact assessment to ensure there are clear, agreed responsibilities between parties and mitigations are in place to ensure patient data is not compromised or accessed in an unlawful way.

Post-market surveillance and vigilance

The manufacturer is required to conduct post-market surveillance (PMS) of their medical device, assessing the device’s safety and performance in the market.

In June 2025, the MHRA introduced new regulations covering requirements for post-market surveillance in Great Britain. The regulations reinforced existing requirements and introduced new requirements for manufacturers of medical devices to:

  • Have a post-market surveillance system in place
  • Produce a post-market surveillance plan and undertake PMS in accordance with the plan
  • Report serious incidents to MHRA
  • Investigate serious incidents and report to MHRA on the conclusions
  • Undertake preventative and corrective actions as required
  • Undertake field safety corrective actions and issue field safety notices to affected customers
  • Conduct trend reporting of significant increases in incidents that do not require reporting
  • Produce a post-market surveillance safety report or periodic safety update report against the PMS plan depending on the device risk class
  • Meet documentation and information provision requirements to support the processes

Software and AI as a Medical Device Change Programme

The MHRA published the Software and AI as a Medical Device Change Programme in 2023. The Change Programme aims to provide a regulatory framework that provides a high degree of protection for patients and public, but also makes sure that the UK is recognised globally as a home of responsible innovation for medical device software looking towards a global market.