Aims and objectives:
- Understand what ORCHA does and how it can help your organisation.
- Be able to define key elements of regulation as they apply to digital health tools being used on a commissioned basis within a Healthcare organisation.
- Know who to contact should you need further support and guidance.
The rapid pace of innovation in digital health brings with it significant legal and regulatory policy challenges. ORCHA (Organisation for the Review and Care of Health Apps) carries out independent reviews and accreditations of healthcare apps, is commissioned by NHSEI and NHS Transformation Directorate, and supports innovators through their regulatory journey. ORCHA’s Digital Health Formularies allow health and care professionals to select the best digital health solution and accurately recommend it to a patient, with the toolkits, training and governance needed for risk management.
Information provided by ORCHA
Regulatory requirements
The Regulatory landscape can be very confusing for Digital Health providers as ‘old’ regulations and standards are being ‘adapted’ to meet the very different scenarios that these solutions throw up. Healthcare Regulators globally are wrestling with how to provide a suitable regulatory regime for these innovative products and services.
ORCHA assesses the compliance of Digital Health Technologies (DHTs) by focusing on four principal domains. This helps providers of healthcare to clearly understand their responsibilities, and helps developers of DHTs to understand the regulation that applies to their products and the certification required to satisfy various deployment scenarios.
The majority of these elements are a requirement of the Digital Health Technology Assessment (DTAC) framework, outlined by NHSE Transformation Directorate. Overall compliance is a function of their complexity and intended use. For example, an administrative app such as a rota system will have a differing level of necessary compliance compared to a Digital Therapeutic App such as a regulated insulin management app.
Additional support is available at ICS level and via the Academic Health Science Health Network (AHSN) or local Commissioning Support Unit.
ORCHA provides online learning resources through their ‘Digital Health Academy’, available free to all HCPs through the ORCHA Landing Page and the Health Education England Learning Portal.
Data protection & privacy
Requirements ensure that data protection and privacy are ‘by design’ and that the rights of individuals are protected. The following requirements apply to most digital health technology products; however, there may be some products that do not process any NHS held patient data or any identifiable data.
General Data Protection Regulations (GDPR) & Information Commissioner’s Office (ICO) Registration
Conformity is mandatory for all developers collecting any personal data, who will have to demonstrate compliance with user rights and the legal basis for the uses of data under GDPR. This is done through a well written and transparent Privacy Policy. Many DHTs will additionally collect sensitive information and so need to be registered with the ICO.
Data Protection Impact Assessment (DPIA)
A DPIA is a process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of a developer’s accountability obligations under the UK GDPR and, when done properly, helps developers to assess and demonstrate how they comply with all of their data protection obligations. This will need to be signed by a commissioning body; however, a validated template will be the output of DTAC certification.
Data Protection Officer (DPO)
DHTs that process sensitive information are required to name a DPO and register with the Information Commissioner’s Office; this can be checked online, and evidence of exemption will need to be provided. DPO details need to be provided, including their suitability and how they are involved in the processes and systems covered by the DPIA. This is covered in the DTAC.
NHS Digital Data Security and Protection Toolkit (DSPT)
DSPT completion is required by all organisations that have access to NHS patient information, to provide assurances that the proper measures are in place to ensure that this information is kept safe and secure. It covers similar ground to the GDPR, Cyber Essentials Plus and ISO 27001. Developers need to complete the annual online self-assessment tool to measure their performance against the National Data Guardian’s 10 data security standards.
Technical Security, Stability & Interoperability
DHTs must meet industry best practice security standards and demonstrate that they are stable enough to be used in a healthcare setting. Evidence of this is required from external testing, with details relating to the specific technology and not generally to the developer organisation.
Cyber Essentials
A valid Cyber Essentials certificate is mandatory for any product used within the NHS; this ensures that the developer has appropriate processes in place to guard against the most common cyber threats.
Security Testing
In order to comply with the DTAC criteria, products must have had recent penetration (PEN) testing undertaken. The testing confirms that the DHT is not vulnerable to security threats by benchmarking against the OWASP Top 10 security risks and an appropriate CVSS vulnerability score. In addition, the developer should document that a code security review process has taken place.
Interoperability
Regulatory requirements are based on the level of integration with other devices and systems. For example, connected devices should conform to ISO 11073 (Personal Health Data (PHD) Standards) and integration with health records must utilise recognised standards for authentication and data exchange such as FHIR, OAuth 2.0 and TLS 1.2.
Professional assurance and clinical safety
It is essential that a developer ensures that their DHT has the appropriate Medical Device classification if required. For DHTs to be used within health systems, developers should ensure they are not subject to additional regulation and have appropriate risk management procedures assessed. It is of note that DCB0160 Clinical Risk Management for the deployment and use of Health IT Systems should be adhered to by commissioning organisations, which will require the early involvement, development and sign off by an organisation’s Clinical Safety Officer.
Medical Device Registration
Not all products will require registration under the Medical Device Regulations to ensure safety and quality – this depends on the functionality and ranges from Class I to Class III. Products that do must display a UKCA / CE mark and provide details of their registration for DTAC certification.
Registration Requirements
Some DHTs form part of additional health service provision e.g. telehealth consultations. In this case, those services should consider if they require registration e.g. Care Quality Commission or General Pharmaceutical Council.
Safety, Risk Management & Clinical Safety Officer (CSO)
For any DHT being used in a clinical environment, its use and the potential impact on patient safety need to be carefully considered. A clinical risk management plan as outlined in DCB0129 will need to be in place (complemented by the commissioning organisation producing a formal risk assessment under DCB0160). These documents will provide up to date Clinical Safety Documentation, in the form of a Hazard Log, a Clinical Safety Case Report and a Clinical Risk Management System. In addition, a developer will appoint a Clinical Safety Officer (CSO) with appropriate skills to demonstrate this compliance – for DTAC this includes relevant training through NHS Digital.
User experience
The NHS have developed service standards which a DTAC assessment will evaluate. There are international accessibility standards that developers can use to ensure that a wide range of people can access and use web-based and mobile technologies which are assessed as part of baseline reviews of technology.
Web Content Accessibility Guidance (WCAG)
Compliance with WCAG is a requirement of any DHT being used by public bodies in the UK. A WCAG 2.1 standard of AA is required to ensure that everyone can use a web or mobile based service.
NHS Service Standards
A DTAC assessment will, in addition, award a Usability score to a DHT. This reflects the process of design, development and continuing improvement of a product. From understanding users and demonstrating that the solution is designed to solve whole problems of users, the standard focuses on the benefits case of a technology and that a multidisciplinary team are involved. Other points are obtained by detailing customer support and service reliability.
Useful Links
- NHS Learning Hub – https://learninghub.nhs.uk/Catalogue/ORCHA
- ORCHA Academy https://orcha-academy.com/
Data Protection & Privacy
- ICO – https://ico.org.uk/
- Data Security and Protection Toolkit – https://www.dsptoolkit.nhs.uk/
- Data Protection Impact Assessment (DPIA) template
Technical Security
- About Cyber Essentials – https://www.ncsc.gov.uk/cyberessentials/overview
- Penetration Testing – https://www.ncsc.gov.uk/guidance/penetration-testing
Professional Assurance & Clinical Safety
- Clinical Safety Team – NHS Digital – https://digital.nhs.uk/services/clinical-safety
- Clinical Risk Management Training – NHS Digital – https://digital.nhs.uk/services/clinical-safety/clinical-risk-management-training
- Evidence standards framework – NICE – https://www.nice.org.uk/about/what-we-do/our-programmes/evidence-standards-framework-for-digital-health-technologies
User Experience