Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Expert Insights: When does health IT cross into healthcare ‘regulated activities’?

  • Published: January 25, 2024
  • Category: Expert Insights

Share this post

Avatar photo
Nick Pavard

Share this post

As product manufacturers and developers of health IT solutions respond to the technological opportunities of this digital healthcare revolution, they may have strayed, or will stray, into one or many of the Care Quality Commission’s 14 ‘regulated activities’. These are detailed in Schedule 1 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.

Any manufacturers and developers of healthcare IT solutions that operate independently of a registered healthcare provider and undertake a regulated activity, will need to be registered with the Care Quality Commission (CQC). However, it’s important to distinguish that it’s the provider of a health IT system that needs to be CQC registered, not the software itself. This is similar to the way individual healthcare professionals are not directly registered with the CQC; rather, it is the organisation they work for that holds the registration.

 

What regulated activities should you be aware of?

In the UK, the health and social care sector is regulated by the CQC. The CQC publishes guidance on what constitutes a regulated activity and it falls into 14 categories. Our experience suggests that manufacturers and developers of health IT systems should be aware of two specific regulated activities: 

 

1. Diagnostic and screening procedures

This regulated activity includes a wide range of procedures related to diagnostics, screening and physiological measurement. Examples of these include:

 

  • Most forms of endoscopy 
  • Taking an intraoral scan 
  • Taking a sample or biopsy
  • Examining a sample 
  • Physiological measurements, including:
    • audio-vestibular
    • vision
    • neurological
    • cardiovascular
    • respiratory
    • gastro-intestinal
    • urinary.
 

There are a large number of exemptions under these, including blood pressure monitoring and pulse oximetry. A vast majority of health-tech is sold to a regulated provider and therefore does not need to be regulated themselves. The CQC acknowledges this: 

 “A healthcare provider that uses AI technology to deliver a regulated activity will be carrying on the regulated activity and will need to be registered with CQC….” 

When a health tech organisation carries out a regulated activity independent of a regulated provider, the organisation will need to be registered as the CQC explains:  

“..in some cases, the technology supplier may use its own technology to deliver a regulated activity, independently of any CQC-registered healthcare provider, and will need to register.”

The CQC also highlights the increasing prevalence of manufacturers and developers of healthcare IT solutions needing to become CQC registered:

“This is becoming common in diagnostics and screening services, where a healthcare provider sends X-ray, CT or MRI images to an AI supplier that then uses its own AI to analyse the images and report the results. If the healthcare provider does not review the results of the analysis independently, then the AI supplier is likely to be carrying on the regulated activity and will need to register.”

It’s the activity that is registered, not what or who carries it out. Therefore, if a manufacturer or developer of a health IT solution bypasses a clinician acting on behalf of a regulated provider, the manufacturer/ developer will, most likely, need to be registered. Again, it’s important to note that it’s the organisation, not the product that needs to be registered. Unlike for example DCB0129 assessments which are an assessment of the product, not the developer.  

 

2. Transport services, triage and medical advice provided remotely

For transport services, triage and medical advice provided remotely, the CQC highlights:

“This regulated activity applies where medical advice is:

 

  • provided remotely, over the telephone or by email, and
  • required in cases that need immediate attention or action, or triage (as opposed to a service where a person submits questions electronically to a provider who responds at a later time, or when a person seeks general health care or lifestyle advice), and
  • provided by a body established for that purpose (as opposed to remote consultation and advice by a GP practice or the occasional provision of remote advice by a body such as a hospital or university on an informal basis).

 

This includes NHS 111 and any other organisation established to provide telephone or internet-based medical advice where immediate action or attention is needed, or that provides triage (see what this means in our glossary of terms).”

As with screening and diagnostics, if the manufacturer or developer is acting independently of a clinician working for a regulated health care provider, and that regulated provider must be registered for the activity the technology delivers, the manufacturer/ developer will need to be registered to carry out the activity. 

Failing to register can ultimately result in unlimited fines or custodial sentences. The CQC have a proven track record of prosecuting healthcare providers who fail to register with them. 

 

What are your options?

If your health technology is operating as a standalone product, independent of any interaction with a clinician from a registered healthcare provider, you have a few options:

 

1.Register with the CQC

This will enable you to keep operating directly with patients. The number of premises held and number of patients managed will determine the cost of registration. You’ll need to consider the ongoing requirements of being a registered healthcare provider, including the need to continually evidence compliance with a wide range of regulations that are assessed by the CQC’s inspection methodology.

 

2. Operate your health technology through a current provider 

This requires you to only sell your product to CQC registered healthcare providers, enabling them to use it under their registration. If you’re selling to the NHS, you will need to meet NHS Digital Technology Assessment Criteria or DTAC. NHS organisations are increasingly building DTAC into their procurement process, recognising their responsibility to undertake due diligence prior to implementation and satisfy the legally mandated requirements of DCB0160.

 

3. Re-align your product to fall outside the need for CQC registration 

Whilst viable, this will most likely affect the commercial validity of your product. After all, you developed the solution to solve a problem, right? And, the problem will still be there! If you are selling to the NHS, the chances are you will still need to complete the DTAC. 

Whichever option you choose, we’re on hand to guide you through the entire process, ensuring you deliver a high-quality product while remaining compliant with all your regulatory requirements. If you choose to register with the CQC, here’s what to expect: 

 

How to become CQC registered

The process of registering with the CQC involves an initial application and the provision of supporting documentation to demonstrate that your organisation is capable of safely conducting the regulated activities. This includes details about your organisation’s structure, activities, and location of operations. 

[Highlight as CTA] We support organisations to compile and present this information, simplifying the entire process and giving you the best chance of succeeding. Get in touch to find out more.

Once registered, the CQC evaluates providers across five domains: Caring, Safe, Well-led, Effective, and Responsive. They assess whether the organisation provides a safe environment for patients and staff, assigning ratings from ‘Outstanding’ to ‘Inadequate’. This involves a review of the organisational culture, governance, policies, staffing, and training. Demonstrating compliance in a remote care setting may be challenging but is achievable with the right approach. Speak to us and learn how we can support you.

 

What next?

If the information above has left you perplexed and maybe unsure about how compliant your IT product is with its CQC regulatory obligations, get in touch for a no-obligation discovery call and I’ll walk through the options with you. Alternatively, check out the FAQs below. 

 

FAQs

 

What are the ‘regulated activities’?

The Health and Social Care Act Regulations 2014 set out the regulated activities. They are summarised on the CQC website and in the quick reference guide.

 

Why do I need to be registered? 

If you are undertaking a regulated activity and are not registered with the CQC, the organisation’s owners or senior managers can face up to 12-months imprisonment and/or an unlimited fine. Cases include a £44k fine to an unregistered provider and an online healthcare provider being fined £13.6K.  

 

How do I become registered?

The registration process can be time-consuming and admin heavy. There are a number of steps you need to follow. The first is to know what you are getting into. Understanding the CQC’s regulations is a must. Next, you’ll need to, as a minimum:

  • Gain a DBS check (must be less than 12 months old)
  • Compile sector-specific supporting documents,  including a wide range of policies and procedures
  • Write a ‘Statement of Purpose’
  • Reference and evidence of financial viability.

Once you have the information above, you’re ready to start the application process. 

 

Once my registration is approved, what next?

You’ll be required to consistently upload evidence of the quality of the service you are providing through the CQC’s portal. This, and any evidence collated from patients and other care providers will determine the frequency and scope of any on site inspections. 

If you would like to discuss any of the above, please book a call with our team. We can make this simple for you and ensure you succeed. 

 

How do I maintain compliance? 

The CQC looks for evidence to support regulatory compliance under 5 domains; Safe, Well-Led, Effective, Responsive and Caring. 34 Quality Statements breakdown what compliance looks like under each of these domains. The regulated activity dictates the type of evidence you’ll need to provide.

Your organisation will need to provide evidence that a range of effective policies and procedures are in place. That service users are listened to,  consulted, and that stakeholders are engaged in the process. 

As specialists in health tech compliance, we’ll support and guide you through any of the above. We work with you to ensure your product is safe, effective and compliant, leaving you to be the innovator. 

For any further help and guidance, simply get in touch.

Other Articles​

Loading...
ROPA

FAQ: What is a Records of Processing Activity (RoPA)?

Read More →

November 24, 2025
Digital Mental Health

Expert Insights: Crisis Signposting in Digital Mental Health

Read More →

July 15, 2025

Navigating the UK’s Health Tech Landscape: Building Foundations for Global Success

Read More →

July 2, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept