AI in UK Healthcare: What NHS Trusts and Private Healthcare Providers Must Do
AI in clinical settings is regulated by MHRA as a medical device, subject to DSPT requirements, UK GDPR, and NHS governance frameworks. Here is the compliance landscape for UK healthcare AI.
Key Takeaways
AI used for clinical decision support — diagnostic assistance, risk stratification, treatment recommendation — is regulated by MHRA as Software as a Medical Device (SaMD) under UK Medical Devices Regulations 2002. UKCA marking is required before deployment in clinical settings.
NHS trusts must complete a Data Security and Protection Toolkit (DSPT) assessment covering AI tools that process patient data. The DSPT requires evidence that AI systems meet NHS data security standards before clinical deployment.
UK GDPR and the common law duty of confidentiality apply to all patient data processed by AI systems. Data Processing Agreements must be in place with AI vendors — NHS trusts are responsible for how AI vendors handle patient data.
Clinicians retain professional and legal responsibility for decisions made with AI assistance. The responsible clinician must understand AI outputs well enough to exercise professional judgement — following AI recommendations without understanding their basis does not satisfy the professional duty of care.
The NHS AI Lab's Evidence Standards Framework for Digital Health Technologies sets out what evidence is expected before AI adoption into NHS clinical pathways. Private providers are not formally bound but the standards represent best practice.
Clinical negligence liability for AI-assisted errors follows existing clinical negligence frameworks. Trusts and clinicians must demonstrate that AI-assisted decisions met the standard of a reasonably competent practitioner.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation."
UK healthcare AI governance — a fragmented regulatory environment
AI in UK healthcare sits at the intersection of multiple regulators with overlapping but distinct jurisdictions. There is no single AI healthcare regulator in the UK. Instead, several bodies have responsibility for different aspects: the Medicines and Healthcare products Regulatory Agency (MHRA) for AI as medical devices; NHS England and the integrated care systems for AI deployment in NHS settings; the Care Quality Commission (CQC) for regulated care providers using AI; the Health Research Authority (HRA) for AI used in healthcare research; the Information Commissioner's Office (ICO) for personal data processing including health data; the General Medical Council (GMC), Nursing and Midwifery Council (NMC), and other professional regulators for clinicians' use of AI; and emerging coordination through the AI and Digital Regulations Service (AIDRS).
MHRA — AI as a medical device
The MHRA is the primary regulator for AI as a Medical Device (AIaMD) and Software as a Medical Device (SaMD). The UK Medical Devices Regulations 2002 (as amended) require AI medical devices to be UKCA marked (or CE marked under the transitional arrangements) before being placed on the UK market. The MHRA has issued guidance on AI medical devices in stages: the Software and AI as a Medical Device Change Programme (running since 2021); updates on the regulation of medical products in light of AI; and detailed guidance on how the AI principles apply to medical AI products.
On 18 December 2025, the MHRA launched a call for evidence to inform the National Commission into the Regulation of AI in Healthcare. The call closed on 2 February 2026 with the Commission's recommendations expected in 2026. The Commission's work is likely to shape any formal legislative framework for AI in UK healthcare.
Non-compliance with the medical devices framework is a criminal offence with unlimited fines. AI medical device manufacturers must: classify the device (Class I, IIa, IIb, or III based on risk); complete conformity assessment; affix UKCA marking; maintain technical documentation; conduct post-market surveillance; and notify the MHRA of serious incidents.
NHS England — AI in NHS settings
NHS England has issued multiple AI-related frameworks. The NHS Long Term Workforce Plan (June 2023, refreshed) addresses AI's role in healthcare workforce planning. The Federated Data Platform and broader NHS AI Lab initiatives shape AI deployment in NHS contexts. NHS England's AI Knowledge Repository and the AI for Healthcare framework provide guidance to NHS trusts deploying AI. Trust-level deployment of AI must satisfy Data Security and Protection Toolkit requirements, NHS England commissioning standards, and where applicable, clinical safety standards (DCB0129/DCB0160 — clinical risk management).
NHS-funded research using AI must satisfy HRA requirements including ethics committee approval where applicable, Confidentiality Advisory Group consideration for use of confidential patient information without consent, and compliance with Caldicott Principles for sharing identifiable patient information.
CQC — registered care providers using AI
The Care Quality Commission inspects regulated providers (hospitals, GP practices, adult social care, community services) against the Fundamental Standards. AI deployed in care settings must satisfy: safe care and treatment (Regulation 12); good governance (Regulation 17); fit and proper persons employed (Regulation 19); duty of candour (Regulation 20). The CQC's single assessment framework includes specific consideration of how providers ensure safety when using digital technologies including AI. AI that produces clinical decisions without appropriate human oversight, or that causes patient harm through error, creates CQC inspection findings and potential enforcement action.
ICO — health data and AI
The ICO has been particularly active on health AI. Health data is special category data under UK GDPR Article 9, requiring explicit consent or another Article 9 lawful basis (typically Article 9(2)(h) — provision of health or social care). Article 22 (now Articles 22A-D following the Data (Use and Access) Act 2025, in force from June 2025) governs solely automated decision-making — particularly relevant where AI affects clinical decisions, eligibility, or treatment.
Data Protection Impact Assessments are required for high-risk AI processing under Article 35. The ICO has published specific guidance on AI auditing, explaining AI decisions, and the application of UK GDPR to AI systems. For NHS organisations, the ICO and the National Data Guardian have issued joint guidance on data sharing for AI development and deployment.
Professional regulators — clinicians' AI use
The General Medical Council, Nursing and Midwifery Council, Health and Care Professions Council, and other professional regulators are increasingly issuing AI-related guidance for registrants. Common themes: clinicians remain accountable for clinical decisions even when AI is used; AI cannot replace clinical judgement for diagnoses or treatment decisions; appropriate training and competency in AI tools is part of professional development; transparency with patients about AI use is expected. The GMC's Good Medical Practice (most recent edition) implicitly covers AI use through its accuracy, accountability, and communication requirements.
The EU AI Act — extraterritorial application
UK healthcare AI providers may also be subject to the EU AI Act if their products are placed on the EU market or used by EU patients. The EU AI Act classifies AI used in healthcare as high-risk where it falls within Annex III categories, with high-risk obligations applying from 2 December 2027 under the Omnibus agreement of 7 May 2026. AI embedded in medical devices regulated under the EU Medical Devices Regulation falls within Annex I, with high-risk obligations from 2 August 2028. UK healthcare AI providers should not assume that UK-only deployment avoids EU AI Act considerations — EU patients accessing UK healthcare services, NHS organisations procuring AI from EU vendors, and clinical research with EU collaborators all create potential EU AI Act touchpoints.
Practical compliance for UK healthcare AI
For AI providers serving UK healthcare: complete medical device classification and MHRA registration where applicable; obtain UKCA marking (or CE marking under transitional arrangements); maintain technical documentation including clinical evaluation; implement post-market surveillance and serious incident reporting; satisfy clinical safety standards (DCB0129/DCB0160) for NHS deployment; ensure UK GDPR compliance including DPIAs and Article 9 lawful basis for health data.
For NHS trusts and registered providers deploying AI: confirm vendor MHRA registration and UKCA marking; complete clinical safety case (DCB0129) for clinical AI; integrate AI deployment into existing clinical governance frameworks; document training, oversight, and incident response for AI use; ensure information governance approval before live deployment; address Caldicott Principles for any patient-identifiable data use; conduct DPIAs for high-risk AI processing.
For clinicians: maintain appropriate competency in AI tools used; document AI's role in clinical decisions in patient records; explain AI use to patients where it materially affects their care; report AI errors or adverse events through both clinical and regulatory routes (MHRA Yellow Card scheme for medical devices, NHS England Learning from Patient Safety Events).