Key Contact: Sean McElligott – Partner | Anne bateman – Partner

From wearable heart monitors to a live-in robot that answers your medical questions, AI is transforming healthcare, before our eyes. The health technology industry has witnessed enormous growth over the past five years – in the United States, the industry was worth about $8 billion in 2016 but has grown to an estimated $44 billion in 2022.

A rise in chronic illnesses, an ageing population, and a shortage in medical personnel is the perfect storm that AI is helping to manage.

This rapid growth has inevitably been followed by regulation leaving regulators grappling with complex issues to ensure that AI-enabled devices, apps, and other digital tools used in healthcare (as well as all other industries) are safe, effective, and get the job done.

Medical AI is already subject to stringent controls, including the General Data Protection Regulation (GDPR) and the Medical Devices Regulation (MDR). Any personal data processed by an AI system must be processed in a manner consistent with the GDPR, with health information classified as a “special category of data” requiring higher levels of protection. In addition to this, the recently proposed European Health Data Space Regulation (EHDS) strengthens these protections by establishing requirements for data storage with electronic health record systems and setting guidelines for third-party use of health data.

Providers of AI will also have to contend with proposed new legislation, the Artificial Intelligence Act (AIA). Recognising the risks AI may pose, the AIA requires heightened cybersecurity, recordkeeping, and risk management for what is classified as “high-risk” systems with a safety component.

When drafting the AIA, the European Commission adopted a risk-based approach to ensure that their definition of AI would have the necessary flexibility. Currently, the AIA defines an ‘artificial intelligence system’ as “software that is developed with one or more techniques and approaches listed in Annex I and can, for a given set of human-define objectives, generate outputs, such as content, predictions, recommendations, or decisions influencing the environments they interact with”. Annex I prescribes three methods of processing that could result in a piece of software being classified as artificial intelligence:

• Machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning;
• Logic and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems; and
• Statistical approaches, Bayesian estimation, search and optimization methods.

This definition of AI is extremely broad, which is understandable in the light of the rapidly evolving ecosystem. While complying with the relevant legislation, products are frequently marketed as wellness products rather than medical devices (which fulfil a specific medical purpose) in order to avoid the strictures of the MDR. However, applying the above broad definition of AI, could a high-end smartwatch, for example, or some other home healthcare products, fall within the scope of the AIA?

It is important to bear in mind that the AIA’s impact is not limited to manufacturers within the EU and the current proposal would subject all those who sell AI systems within the EU to the legislation. Failing to follow these regulations could result in a fine of up to €30 million or 6 percent of the company’s turnover (whichever is higher) – it is worth noting that this fine exceeds the highest penalties imposable under GDPR.

The legislation in the area remains in a state of flux and the current draft of the AIA will change – the current text has amassed thousands of potential amendments from each political group within the European Parliament. Members of the European Parliament are expected to debate amendments to the AIA in the coming months.  However, it is certain that changes are coming in this arena and although still some way off, businesses would be wise to stay abreast of developments in the area – as with GDPR, it is possible that the proposed legislative regime may have a ripple-effect across the Atlantic.

For further information in relation to this article please contact partner Sean McElligott or partner Anne Bateman.