The regulatory landscape for AI in UK healthcare

Healthcare AI in the UK sits at the intersection of medical device regulation (MHRA), data protection (UK GDPR, common law duty of confidentiality, NHS data security requirements), clinical governance and professional responsibility, and NHS procurement governance. Understanding which framework applies to which AI system is the starting point for building a defensible governance framework.

MHRA regulation of AI as a medical device

The MHRA regulates Software as a Medical Device (SaMD) under the UK Medical Devices Regulations 2002, as amended post-Brexit. AI that is intended for diagnosis, prevention, monitoring, prediction, treatment, or alleviation of disease is likely to be regulated as a medical device. Most AI diagnostic and decision support tools fall into Class IIa or IIb, requiring notified body involvement. UKCA marking is required before placing the device on the UK market. Healthcare organisations should verify that clinical AI vendors hold appropriate UKCA marking before deployment.

NHS data security requirements

NHS organisations must complete annual Data Security and Protection Toolkit (DSPT) assessments covering AI tools that process patient data. The key DSPT requirements for AI are: evidence that data security has been assessed; confirmation that Data Processing Agreements are in place with AI vendors; and demonstration that patient data is handled in accordance with National Data Guardian standards. Access to NHS patient data for AI training and development is separately governed by NHS England's data access frameworks.

Clinical responsibility and professional obligations

The GMC, NMC, and Royal Colleges are clear that clinicians retain professional responsibility for decisions made with AI assistance. AI is an assistive tool — the responsible clinician must understand AI outputs well enough to evaluate them. Before deploying AI in a clinical pathway, trusts should ensure: clinicians receive adequate training on the tool's capabilities, limitations, and failure modes; a clinical lead is responsible for oversight; ongoing performance monitoring is in place; and AI-related clinical concerns have a clear reporting pathway.