Digital health: ensuring your business is investor-ready

The Covid-19 pandemic has put digital healthcare provision centre stage and with it, the potential for increased M&A activity. Jocelyn Ormond, corporate partner at Ashfords and head of its healthcare, digital health & life sciences sector team, takes a detailed look at the specific areas digital healthcare providers and investors should focus on to make the most of the emerging opportunities

The global response to Covid-19 has created sometimes dizzying new opportunities for the adoption and scaling of digital health solutions, both in local markets and internationally. Many digital health companies are now focusing on expansion into new markets with greater clarity and ambition as to how their products and services can deliver better care and wellbeing or unlock value.

We are seeing a significant uptick in instructions from digital health companies pursuing new funding opportunities or exits, and often requiring preliminary commercial law, data protection, intellectual property and regulatory advice. Despite the sharp fall in global M&A levels in the last quarter (when deal activity was down more than 50% from the same period last year according to data from Refinitiv), and investors’ concerns about transacting without face-to-face engagement with management teams, many owners are still seeing 2020 as a good moment to exit and/or to bring in new financial or strategic investors to take their businesses to another level.

The growth in activity in the digital health space, although hard to measure at this stage, is still clearly evident relative to the rest of the healthcare and life sciences sector and the wider tech sector.

There are, however, numerous legal, regulatory and commercial pitfalls for digital health businesses, and buyers and investors are very focused on carrying out due diligence in these areas. In brief, the areas where these businesses most often come unstuck from a legal perspective are a failure to focus adequately on the following:

Patient/customer data protection compliance

Businesses are already very aware of their need to comply with the EU GDPR (and, in the UK, the Data Protection Act 2018) and in particular the more extensive requirements for so-called ‘special category’ personal data.

Less familiar to most are the requirements for transfers of data outside the European Economic Area, which need to be covered by one of the following: an ‘adequacy decision’ from the European Commission in respect of the territory to which the data are being transferred (i.e. a decision that the legal framework in that territory provides ‘adequate’ protection); ‘appropriate safeguards’ as listed in the GDPR (e.g. a contract incorporating European Commission approved ‘standard contractual clauses’ or ‘SCCs’); or otherwise one of the narrow permitted ‘derogations’ (e.g. valid explicit consent from the individual whose data are being transferred).

Indeed, this is a topical and changing area of law, with challenges by individuals to the legality of certain aspects of international transfers (the ‘Schrems II’ litigation, Case C-311/18, in which a decision is expected in mid-July 2020) and the European Commission, in its recent report of 24 June 2020, specifically highlighting SCCs as requiring further review and modernisation.

Robust cybersecurity measures

Cybersecurity is linked to data protection, but the emphasis here is on the technology rather than compliance. This is an increasingly critical area for all businesses, but particularly sensitive for digital health businesses given their handling of patient and other vulnerable user data and the growing focus on the digital health space from a national security perspective, heightened by the impact of Covid-19. (As an illustration of this, the UK government has formally acquired powers as of 23 June 2020 to intervene in acquisitions which might threaten ‘the need to maintain the capability to combat, and mitigate the effects of, public health emergencies’.)

Human error and lack of training remain, however, arguably greater areas of concern in terms of ensuring patient privacy. The latest data from the Information Commissioner’s Office on reported data security incidents shows that the healthcare sector remains the biggest contributor (16% of all reported incidents), but that cybersecurity incidents accounted for only 14% of all healthcare sector breaches; the remainder were non-cyber incidents such as data sent to the wrong recipient or lost or misfiled records.

Compliance with regulations for medical devices

Some digital health services in England may need to be registered with the Care Quality Commission (CQC).

Depending on their market, they may need to comply with certain NHS Digital standards, especially standard DCB0129, which is designed to assist health IT software providers to evidence the clinical safety of their products. The more difficult question is usually whether software is caught by regulatory frameworks for medical devices, particularly the EU Medical Device Regulation (MDR), which has significantly expanded the definition of ‘medical device’ and brings much stand-alone software within scope. Despite Brexit, all the key elements of MDR are expected to be mirrored in the UK regulatory framework in accordance with the EU’s own implementation timetable for MDR.

The implementation date for certain key provisions of MDR has been delayed until 26 May 2021 as a result of Covid-19, but the lead time for ensuring compliance with MDR is still very challenging for most digital health businesses.

Appropriate allocation of product liability risk

It can be difficult to attribute responsibility for a defect in a digital health solution between the coder, the manufacturer of hardware, the clinician or another stakeholder.

Digital health businesses need to anticipate the potential for product liability or other claims to arise and seek to allocate liability for such claims in their contractual arrangements. Similarly, if safety concerns do arise and corrective actions are needed, it is helpful to have considered the responsibilities of relevant stakeholders both in relation to recall/corrective action plans and the contractual arrangements which underpin them.

Ownership and IP

Digital health companies need to document their ownership of intellectual property (IP) and ensure that third-party IP is not being infringed. They must be able to demonstrate that they own their own intellectual property and that any third-party intellectual property rights are used pursuant to a valid licence. Their contracts with business consultants and third-party developers should therefore contain appropriate assignment provisions.

If they have used third-party software or data, they need to establish what licences may be needed and the extent of any open source acknowledgements or conditions that apply, and then comply with them. Employees’ and consultants’ contracts need to contain well-drafted confidentiality and other restrictive covenants.

Where the retention of key staff is critical to preserving the goodwill and know-how of the business, these staff members also need to be given appropriately aligned incentives.

Appropriate insurance cover

There is a growing sophistication in the types of cover for digital health solutions available in the market. These include products which are competitively priced for SMEs and should be considered by even very early stage digital health businesses. It is important to anticipate the nature and level of cover which may be appropriate, as such cover may not be available on a retrospective basis and a business may therefore continue to be exposed to claims being made in respect of breaches or defects at the time when the business was under-insured.

Clearly, on any transaction, most of the energy of digital health companies, shareholders, investors/acquirers and advisers will be spent on addressing valuation issues, negotiating deal terms and identifying what third-party consents may be required. Such transactions are, however, not infrequently derailed where target businesses are unable to satisfy investors or buyers that their house is in order on the points above.