Navigating Healthcare Compliance in 2024: Key Developments and Emerging Requirements

As we begin 2024, the healthcare sector is gearing up for a number of new regulatory updates and compliance requirements. In the UK, the medical device sector is set to transition from the EU's CE marking to the UKCA marking, marking a notable change in product certification standards. From April of this year, NHS suppliers will be required to submit their carbon reduction plans as part of the NHS' Net Zero strategy, and those looking to achieve or maintain compliance with the NHS DSPT will now be subject to additional staff training requirements to meet compliance with Version 6 of the framework.

Across the channel, the EU is set to continue developing the "European Health Data Space" while also making strides with its initiative to introduce a 'seal of approval' for digital health and well-being apps, setting standardised benchmarks across member states through its Label2Enable scheme. Meanwhile, Google is adding a new Health App Policy to its app store, requiring developers of health apps to meet additional privacy requirements to get their apps published in the marketplace.

In this blog post, we'll delve into some of the key regulatory updates and new compliance requirements set to impact the healthcare sector and its suppliers this year.

Want a general overview of what's coming up in data protection, information governance and cybersecurity? Take a look at our 2023 Compliance Unwrapped blog.

‍

NHS Carbon Reduction Requirements for Suppliers

With a lofty goal of achieving Net Zero by 2045 and over 60% of its emissions coming from suppliers, from April 2024, the NHS will require all suppliers, regardless of contract size, to meet several carbon reduction requirements as part of the procurement process.

Since publishing its "Delivering a Net Zero NHS" report in 2021, the National Health Service has introduced a number of environmental and carbon reduction requirements - Since 2022, a minimum 10% Net Zero and Social Value weighting has applied to all NHS procurements, and a year later in April 2023, suppliers fulfilling contracts over £5 million per year have been required to publish a Carbon Reduction Plan for their Scope 1 and 2 emissions. 

From April 2024, these carbon reduction requirements will be "proportionately" extended to all new procurements regardless of the contract value. Organisations bidding on procurements over the existing £5 million per year threshold will continue to be required to publish a Carbon Reduction Plan (CRP), while those pursuing contracts below the threshold will need to complete and publish a Net Zero Commitment, highlighting their commitment to achieving net zero by 2050 or earlier. Suppliers who've met the CRP requirements will already comply with the Net Zero Commitment requirements and will not need to do both.

Additionally, the NHS guidance indicates that the CRP requirements will apply to new frameworks run by 'in-scope' organisations, irrespective of the contract value. However, the specifics of which organisations will be in scope have yet to be provided. 

The NHS has provided an in-depth guide of what the new requirements will entail in addition to guidance on how to complete a CRP and a Net Zero Commitment statement, both of which you can find here.

‍

Transition from CE to UKCA Marking: An Updated Timeline

In a recent turn of events, the UK government has recently updated the guidance on the implementation deadline for the UKCA (UK Conformity Assessed) marking for medical devices. While the deadline was initially intended to come into force in 2023, delays in finalising the regulatory framework, coupled with the sudden pressure on medical device manufacturers to comply, led the MHRA to push the implementation deadline to July 2024.

However, the latest government update brings another change to this timeline. This week, the UK government updated the Medical Device Regulations 2022, setting out the intended timescale for the delivery of the UKCA implementation framework - and it's not July 2024. 

Depending on the type of Medical Device, manufacturers will now be able to place their medical devices in Great Britain until as late as June 2030 or until their existing CE certificates expire, whichever occurs first:

• Medical devices compliant with the EU medical devices directive or EU active implantable medical devices directive with a valid CE marking can be placed on the GB market until 30th June 2028 or until certificate expiry, whichever is sooner. 
• Medical devices compliant with the EU medical devices regulation (EU MDR) can be placed on the GB market until 30th June 2030.
• In-vitro medical devices compliant with the in vitro diagnostic medical device regulations (EU IVDR) can be placed on the GB market until 30th June 2023. 
• CE-marked Class I medical devices that are self-declared against the EU MDR requirements can continue to be placed on the GB market until June 2030.

While the UKCA enforcement has been delayed, the government has published several post-market surveillance requirements set to come into force this year. These include enhanced incident reporting from manufacturers to facilitate earlier detection of safety concerns and more stringent obligations for periodic reviews of post-market surveillance data. You can view the updated UKCA Medical Device Framework roadmap here.

‍

Version 6 of the NHS Data Security & Protection Toolkit sets out new training requirements.

The Data Security & Protection Toolkit received its annual update in late 2023, setting out new compliance requirements for all NHS suppliers. 

Version 6 of the NHS DSPT now requires those looking to meet compliance with the framework to ensure that all staff within their organisation have an "appropriate understanding of information governance and cyber security". While these changes allow for greater flexibility in training delivery, the 2023/2024 version of the framework does come with additional evidence requirements, including training needs analysis and evidence of any cyber security and data protection training delivered across the organisation. 

For an in-depth look at exactly what these training requirements entail, take a look at our blog "What's New In Version 6 of the NHS DSPT?"

‍

Naq's automated healthcare compliance platform automatically updates your policies, training and compliance frameworks in line with the latest regulatory changes, ensuring your organisation stays continuously compliant with the frameworks it needs to grow.

From NHS DSPT and DTAC to ISO 27001, ISO 9001, SOC 2 and more, Naq empowers healthcare innovators to revolutionise healthcare while our platform handles compliance. Click here to learn more.

‍

EU looks to introduce new "stamp of approval" for health and wellness apps.

In an effort to set a baseline standard for the quality of health and wellness apps across the region, the EU launched its Label2Enable project in 2020 with the aim of promoting the adoption of the ISO 82304-2 framework. The ISO 82304-2 framework sets out a comprehensive list of requirements and specifications that health apps must meet to be considered high quality, ensuring they are secure, user-friendly, and safe.

The health and wellness app market is rapidly expanding, becoming one of the fastest-growing sectors globally. Several factors contribute to this growth: a surge in health awareness, the advancement of wearable technology, including medical devices like blood glucose monitors, and the unparalleled convenience and accessibility these apps offer. In times of social distancing and increased pressure on healthcare systems, these apps have provided a way to maintain health and wellness remotely and have shown potential to improve healthcare outcomes, offering much-needed relief and efficiency in health services.

However, this burgeoning market faces a challenge: regulation inconsistency. While some health apps fall under medical device regulations, many do not, resulting in wide disparities in quality, ease of use, safety, and data security. This lack of uniformity is a significant concern, especially considering the sensitive nature of the data handled by these apps.

The Label2Enable project aims to bridge this gap. It focuses on aligning health and wellness apps with the ISO 82304-2 standard, which lays out criteria for evaluating an app's user-friendliness, health and safety, data security, robustness, and accessibility. Set to wrap up its initial phase in 2024, a major goal of the project is to establish an EU quality label for health and wellness apps. This label will serve as a benchmark for app quality, helping consumers identify apps that meet high standards of safety and effectiveness.

At Naq, we are proud to contribute to this effort, ensuring that healthcare apps meet a fundamental level of quality, accessibility, safety and security. By supporting and working with the Label2Enable project, we're helping to elevate the standard of digital health solutions across the EU, making them safer and more reliable for the people who use them.

‍

Google to introduce new App Store requirements for health apps.

Staying on the topic of health apps, Google recently announced that it will introduce a new set of requirements for any app that qualifies as a health app or has health-related features and processes healthcare data. 

From May 2023, any app that classifies as a health app with health-related features or processes healthcare data must comply with a new set of requirements, including new privacy and data security policies and meet Google's prominent disclosure requirements. These requirements also apply to apps where health features might not be the primary focus, such as games that use health and activity data to enhance gameplay or offer in-app benefits.

There are also additional requirements for apps built in cooperation with or healthcare organisations, apps involved in human subject research, and those categorised as medical devices or SaMD (Software as a Medical Device). These apps will need to meet several additional requirements, ranging from obtaining explicit consent from research participants to including proof of compliance with relevant medical device regulatory bodies.

These additional requirements are set to come into force from May 2023, and you can read more about them here.

‍

EU set to finalise its European Data Health Space Framework.

This year, the EU is set to finalise its European Data Health Space Regulation, designed to establish a common framework for the sharing and exchange of health data across EU member states. This regulation aims to revolutionise how health data is utilised across the region, offering public and private entities access to valuable health data for research and innovation while empowering individuals to take control of their healthcare data, including greater ease of sharing their electronic health records with healthcare providers.

One of the main goals of the European Data Health Space is to enhance healthcare delivery and foster the innovation of new, life-saving solutions through the optimal use of healthcare data. The regulation emphasises the importance of interoperability, ensuring that healthcare data can be seamlessly shared and utilised across different systems and borders. This interoperability is crucial, particularly for individuals moving between countries, where seamless data transfer can significantly reduce treatment delays and errors.

The regulation also seeks to address the challenges faced in accessing health data for 'secondary use', such as developing new medical products, treatments or conducting research. Obtaining access to relevant healthcare information is often a challenge for smaller innovators and research organisations, hindering the development of healthcare solutions. Organisations wishing to use this data will need to apply for permission from a health data access body, which will set out the permitted uses and purposes of the data. 

Additionally, the data will only be allowed to be used and processed within secure environments provided by the health data access body, and interested organisations must meet compliance with a number of cyber security and data protection requirements, such as the GDPR. The European Data Health Space legislation is an integral component of the EU's broader Data Strategy, which aims to make the EU "a leader in a data-driven society.

‍

Simplify your organisation's healthcare compliance

Navigating the evolving landscape of healthcare compliance is a challenging, daunting task and can often distract innovators and healthcare organisations from their essential work of driving innovation and delivering quality care.

This is why we built Naq. At Naq, we're dedicated to empowering healthcare organisations and innovators to bring their solutions to market and get back to delivering better care by simplifying their compliance with the frameworks required by the healthcare sector. 

From NHS DSPT and DTAC to ISO 27001, ISO 9001, HIPAA, SOC 2 and more, Naq's automated healthcare compliance platform streamlines your organisation's journey to compliance and keeps you that way, automatically updating your policies, training and frameworks in line with regulatory changes. 

Discover why hundreds of healthcare organisations use Naq to meet their healthcare compliance obligations. Click here to learn more.