Patient safety and the regulation of AI in healthcare

Summary

In this blog, Patient Safety Learning highlights the key issues included in its response to the Medicines and Healthcare products Regulatory Agency’s (MHRA) call for evidence on the regulation of artificial intelligence (AI) in healthcare.

Content

At Patient Safety Learning we recognise the potential of the use of AI to improve patient care and outcomes. However, we believe it is vital that patient safety considerations are hardwired into the implementation of these solutions.

One of the key ambitions of the UK Government, set out in its 10 Year Health Plan, is to “make the NHS the most AI-enabled care system in the world”.[1] In support of this goal, in September 2025 the MHRA announced the creation of a new National Commission into the Regulation of AI in Healthcare.[2]

The Commission’s purpose is to advise the MHRA on improving its regulatory framework and to “accelerate safe access to AI in healthcare and across the NHS”.[3] To inform its work, in January the MHRA launched a call for evidence on the regulation of AI in healthcare. Below we summarise the key points included in our response to this.

Improving the regulatory framework

The NHS should adopt a systems approach to patient safety with this at the heart of the initial procurement, design and configuration of new technological solutions provided by AI. This approach should also be reflected in the framework for regulating these technologies.

Existing regulations are designed around traditional medical devices, which range from surgical instruments to diagnostic scanners. We believe these regulations need a significant update to respond effectively to the growing use of AI in healthcare and the adaptive nature of this technology. In our response to the call for evidence, we have highlighted several areas which we think should be considered when updating this.

Developing and testing AI

In our response, we stated that there should be a single “front door” regulating AI as a medical device. By this, we mean there should be a standardised process for regulating these technologies, in terms of guidance, requirements and approval processes. This should bring together the MHRA, NHS England and the National Institute of Health and Care Excellence (NICE).

We also have suggested that there should be an expansion of targeted sandboxes and testbeds, so AI developers can generate real world evidence with NHS data and workflows, under MHRA oversight. A sandbox is a controlled environment where AI can be developed, tested and experimented with safely, without affecting real individuals or sensitive data.

The outcomes of these tests could subsequently be linked to clinical safety cases that manufacturers and healthcare providers have to complete. A clinical safety case is a current regulatory requirement for digital solutions. It sets out, with supporting evidence, an argument that a digital system is safe for use in healthcare.

How regulation interacts with professional competency

While an AI tool may be safe when properly implemented and used by a well-trained healthcare professional, it could be potentially dangerous if such training and support is absent. As such technologies are increasingly used, ensuring staff have adequate levels of digital literacy will be vital. Without this, an overreliance on automated systems and algorithms could create new patient safety risks.

Ensuring inequalities are not embedded in new systems

Data accuracy, completeness and representativeness is key to ensuring safe AI systems in health and care. As we increase the use of AI health technologies, it is important we avoid reproducing historic biases, particularly relating to groups with protected characteristics. Steps should be taken to ensure the data used to train and develop AI models reflects this.

Cybersecurity

Cyber attacks present a significant risk to patient safety; one which will only grow with the increased digitalisation of health services. In our response to this call for evidence, as also noted in our response to the 10 Year Health Plan last year, we set out the need for a greater focus on cybersecurity in the regulatory framework.[4]

Patient engagement

In our response, we posed the question of how patients and families will be informed and engaged in the use of AI. The public needs to be confident that they can trust their healthcare providers to use AI safely and there needs to be mechanisms that inform and support this. There also needs to be consideration on how the public will be guided on their own use of AI if they directly access information and guidance and not via regulated health and care professionals.

AI that is not a medical device

When considering the future regulation of AI in healthcare, a yet unresolved issue we highlighted in our response concerns how technologies that do not meet the specific requirements to qualify as a medical device will be regulated. There may be new tools used in healthcare settings that could have a significant impact on patients’ safety, experience and outcomes but are not covered by the existing definitions. Who regulates these?

Monitoring AI health technologies in use

The call for evidence asked for views on how regulation should approach the post-market surveillance of AI health technologies. Post-market surveillance refers to requirements on manufacturers of medical devices to monitor their products once they are being used by healthcare providers.

In our response, we suggested that a different approach to this may be needed when it comes to AI, because these technologies have significant scope to evolve and change over time. For example, an AI system may initially work well in a single site but subsequently fail when rolled out in a more complex health and care setting. Or it may, over time, change in terms of its capabilities, role and risk profile as it processes more data, significantly changing the way it operates. Further to this, there may be a need to reassess AI tools when they undergo significant version upgrades or model changes.

Therefore, new regulation needs to carefully consider the level of ongoing evaluation that will be required to account for these systems evolving and changing over time. This may be for significantly longer than for other medical devices and change at significant pace.

We also noted the need to consider oversight of AI as part of the ongoing review of the existing clinical assurance standards and processes in the NHS: DCB0129 and DCB160.[5] These standards provide essential requirements for manufacturers of health IT systems and healthcare providers in assessing and managing clinical risks to ensure the safety of digital solutions in the NHS.

We highlighted various issues around the importance of ongoing monitoring and sharing learning during post-market surveillance, including:

• The importance of having in place sustained and transparent feedback loops between developers, regulators and care providers.
• The need to encourage continuous monitoring to be standard practice. Automated dashboards and audits should be employed to detect safety issues and initiate regulatory review where needed.
• The value of having effective means of sharing information about patient safety incidents and risks between providers and manufacturers. This should be supported and aided by regulators.
• Considering how the patient voice is incorporated into post-market surveillance and how patients’ experiences inform this.

Shared responsibility for delivering safer care

In our response, we set out that we believe everyone involved in healthcare – national bodies, individual providers, healthcare professionals, industry and patients – has a role in ensuring patient safety. Responsibility for the safety of such systems should be shared over the full life cycle of an AI health technology.

In its final question, the call for evidence asked about where liability would lie in the case of where an adverse patient outcome involved an AI tool. There is currently significant ambiguity around this, and few legal test cases. It is also potentially complex, tying into the previous point we mentioned earlier about the boundary between appropriate training and support and professional accountability and regulation.

This is an area where we think national leadership is required to establish these boundaries, from the Department of Health and Social Care and MHRA. In our view, there should be collaborative working to convene key stakeholders to provide clarity and guidance in this area, including NHS Resolution, professional regulators such as the General Medical Council, and system regulators such as the Care Quality Commission.

This is a matter that should be considered UK wide, as the issues relate equally to England, Northern Ireland, Scotland and Wales, and should be informed by discussions in European and internationally.

References

1. Department of Health and Social Care. 10 Year Health Plan for England: fit for the future, 3 July 2025.
2. MHRA. National Commission into the Regulation of AI in Healthcare. Last accessed 2 February 2026.
3. MHRA. New Commission to help accelerate NHS use of AI. 26 September 2025.
4. Patient Safety Learning. 10 Year Health Plan: Patient Safety Learning’s Response, 14 August 2025.
5. NHS England. Review of digital clinical safety standards: DSC0129 and DCB0160. Last accessed 2 February 2026.

Related reading

• Artificial intelligence and patient safety in healthcare: Insights and recommendations from HETT 2025 roundtable (10 November 2025)
• Clive Flashman. Copilot has arrived in the NHS — But no one told us how to fly it! 25 November 2025
• Patient safety and the role of AI in a cautiously optimistic future: A blog by Ian Fearnley. 19 August 2025.
• Professional regulation and patient safety systems: parallel planets or partners in improvement? (5 November 2025)