This isn't breaking news: meeting compliance with various standards and frameworks is critical if you want to sell your digital health solution. Whether you aim to work with the NHS, the private healthcare sector, or internationally, meeting compliance demonstrates that your solutions are safe, secure, and ready to be used within the health sector.
However, navigating these standards can be daunting. In fact, around 50% of innovators either fail to bring their products to market or end up withdrawing them because of the complexities of compliance. Understanding the regulatory bodies involved, the key compliance frameworks, how they interact with one another, and which standards actually apply to your solution is crucial for digital health companies looking to succeed without becoming overwhelmed by regulatory challenges.
In this article, we'll break down some of the key frameworks and standards you need to consider, provide links to in-depth guides, and share practical tips to help you manage compliance more effectively.
Starting with the basics, but by no means something to overlook, the General Data Protection Regulation (GDPR) is a fundamental legal framework for protecting personal data in the EU and UK (UK GDPR). It is a legal requirement for any organisation processing UK or EU personal information, making it relevant beyond digital health. However, digital health organisations face additional responsibilities if they process healthcare data, which is considered special category data under GDPR and UK GDPR.
In essence, any data that, if breached, could significantly impact the freedoms of an individual falls under this category, including healthcare data. GDPR compliance goes far beyond a simple cookie policy. It mandates that organisations implement robust security controls to safeguard this information. Failure to do so can result in fines, although we recognise that fines are less common for smaller organisations. That said, the reputational damage associated with a data breach can be significant, which is why GDPR is the foundation for several other frameworks we'll discuss in this article.
Some GDPR-specific requirements you may have heard of, with in-depth guides on how to handle them:
An in-depth look at the GDPR and its role in NHS DSPT and DTAC
Data Protection Impact Assessments
Cyber Essentials is a UK government-backed scheme designed to help businesses protect themselves from the most common cyber threats. It serves as a foundational framework, particularly beneficial for smaller digital health businesses, by offering a clear, practical guide to implementing basic security controls.
Compliance with Cyber Essentials safeguards sensitive healthcare data and creates a pathway toward more comprehensive standards like ISO 27001. Achieving Cyber Essentials certification is often a prerequisite for bidding on public sector contracts, including within the NHS.
While Cyber Essentials is not explicitly required by the NHS DSPT (at least not yet, we're still waiting to hear more as the Cyber Assessment Framework expands beyond Category One organisations), complying with Cyber Essentials significantly helps in meeting the Data Security and Protection Toolkit (DSPT), as many of the controls overlap.
There are two versions of the Cyber Essentials certification: Cyber Essentials and Cyber Essentials Plus. Most organisations will only need to comply with Cyber Essentials. Still, those handling particularly sensitive information or bidding on high-risk contracts may be required to comply with Cyber Essentials Plus, which includes an independent audit to verify the implementation of security controls outlined in the self-assessment. In both cases, your Cyber Essentials certification must be renewed annually to ensure controls are maintained and updated as your organisation grows.
Dive deeper into the role of Cyber Essentials in healthcare compliance and learn how you can meet the standard with Naq.
The NHS Data Security and Protection Toolkit (DSPT) is a self-assessment tool that organisations must complete to demonstrate compliance with the data security standards required to supply the NHS and access systems like NHSmail. It's a requirement for any business handling NHS data and ensures supply chain compliance across the NHS and its suppliers.
The process involves gathering and submitting evidence for the DSPT's 42 mandatory evidence items through the DSPT portal. The portal then shows whether suppliers have met compliance with the toolkit and their level of compliance, which is one of the following:
"Approaching Standards": The organisation has not yet completed the full requirements but has a development plan to meet all of them.
"Standards Met": The organisation is in full compliance with the toolkit.
"Standards Exceeded": The supplier has exceeded the minimum requirements.
The system also displays when suppliers last met compliance, making it easy to identify any lapses. Suppliers must meet compliance by 30th June each year, and the toolkit is updated annually to reflect developments in security and data protection practices.
From this year, Category One organisations (such as Trusts and ICBs) are required to meet compliance with the new NHS Cyber Assessment Framework. This framework is designed to make the standard more continuous and reflective of the growing security threats faced by the NHS, ultimately building a more resilient supply chain. The DSPT also mandates compliance with GDPR and includes many controls from Cyber Essentials, making adherence to these frameworks especially beneficial.
For most of those reading this article, no changes to the DSPT have been announced yet, but they can't be ruled out. It's essential to stay informed as the NHS evolves its security requirements.
It's important to note that beyond policies, the NHS DSPT may require companies developing digital products to undergo a penetration test, provide staff training, and manage their supply chain effectively, requirements that are often overlooked. For an in-depth look at the standard and how Naq's platform makes achieving, maintaining, and managing your NHS DSPT compliance easier, take a look here.
The NHS Digital Technology Assessment Criteria (DTAC) is a framework used to assess whether a digital health product meets NHS expectations for clinical safety, data protection, technical security, interoperability, and usability. DTAC is a crucial certification for any company looking to sell its digital health solution to the NHS.
Navigating DTAC can be complex, as it spans multiple areas of compliance, including GDPR, Cyber Essentials, and clinical safety standards like DCB 0129. Rather than considering it a standalone standard, you should view DTAC as a framework encompassing several standards, along with additional requirements for accessibility, technical security, and more. This integration of various standards often brings complexity as innovators struggle to understand which parts they've already met.
Adding to the challenge is the fact that there's no centralised system for DTAC evaluation, meaning what counts as a pass for one NHS Trust may not for another, as individual Trusts may have additional requirements. Meeting the DTAC standard is almost always a prerequisite for getting your digital health solution into a pilot. Additionally, you may be required to adjust your DTAC evidence depending on your buyer, the project you're undertaking, and the scope in which your solution will be used.
For this reason, DTAC is not a one-and-done process; your documentation must be updated whenever significant changes to your product or organisation occur.
We've compiled a comprehensive guide on the standard, which you can find here. If you'd prefer to speak to someone, you can also book a no-strings-attached call with our team, who would happily answer your DTAC questions.
DCB 0129 is a clinical risk management standard that governs the management of clinical safety risks in health IT systems used within the NHS and across the broader health and social care sector. The standard requires digital health innovators to build and maintain a robust clinical safety management system to identify, mitigate, and manage the clinical risks associated with their solution. It's important to note that the standard is not limited to patient safety solutions: any solution used by clinicians may need to undergo the DCB 0129 process if its use poses a potential clinical risk.
DCB 0129 ensures that clinical risks related to digital health systems are identified, documented, and managed throughout the product lifecycle. The key here is "product lifecycle"; your DCB 0129 documentation must be updated whenever changes are made to your product. This process ensures that every modification is followed by a risk management process, identifying any new risks or addressing any that emerge as your digital health solution evolves.
Due to the nature of the standard, which requires a deep understanding of health IT systems and risk management practices, your clinical safety documentation must be overseen by a Clinical Safety Officer (CSO). This certified clinician must have undergone the appropriate training in building a clinical risk management system.
While it can be a complex standard, we've created an in-depth guide to help you understand exactly what's required - take a look here.
In addition to our streamlined compliance platform, Naq offers access to a Clinical Safety Officer. Your CSO can even oversee, approve, and sign off on your documentation directly within the platform. Plus, with our built-in Hazard Log, you can continuously identify, manage, and mitigate risks as your solution evolves - no more risky, disconnected spreadsheets.
Interested in learning more? Book a call with our team and get a demo of our clinical safety features.
If your digital health solution provides regulated activities such as remote consultations, diagnostics, or other healthcare services, you may need to be registered with the Care Quality Commission (CQC) in the UK. The CQC is the independent regulator of health and social care services in England, ensuring that services meet standards of safety, effectiveness, caring, responsiveness, and well-led management.
CQC registration is required if your digital health product involves the delivery of care, whether directly to patients or through services that are used by healthcare providers to deliver care. This applies to services like telemedicine platforms, digital diagnostics, or any product that facilitates medical care or treatment.
For businesses developing healthcare solutions, ensuring CQC compliance early in the process can prevent delays in launching your product. For an in-depth guide on CQC registration and to understand whether your service falls under the regulated activities, take a look here.
If the solution you're developing meets the definition of a medical device, you are required to comply with the UK Medical Devices Regulations 2002. These regulations, overseen by the Medicines and Healthcare products Regulatory Agency (MHRA), govern the development, testing, and approval of medical devices used in the UK.
A medical device is defined as any instrument, apparatus, software, or material intended to be used for medical purposes such as diagnosing, preventing, monitoring, or treating disease. Digital health products such as wearable health devices, diagnostic tools, or certain health apps may be classified as medical devices if they fit this definition. If your solution falls under this category, you must meet additional regulatory requirements beyond general digital health standards.
For an in-depth look at how to determine if your product qualifies as a medical device, the NHS Innovation Service has laid out a great guide here. It also provides guidance on the requirements for each classification of medical devices.
ISO 13485 is the globally recognised standard for Quality Management Systems (QMS) specific to medical devices. While it is not mandated, even if your product is classified as a medical device, it is highly recommended, as it is one of the fastest ways to demonstrate your organisation's commitment to quality, patient safety, and continuous improvement, a significant advantage if you're looking to sell your solution in the international market.
Unlike ISO 9001, which isn't industry-bound, ISO 13485 focuses heavily on risk management within medical devices and patient safety. The standard requires organisations to implement a robust quality management system that covers the entire product lifecycle, from design and development to manufacturing and post-market surveillance.
Compliance with ISO 13485 will often ensure you've implemented the best practices and systems needed to make obtaining a UKCA mark or CE marking much easier.
ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). It provides a framework for managing sensitive information and ensuring data security through the implementation of risk management processes and robust security controls. For digital health companies, where protecting patient data and health information is critical, compliance with ISO 27001 is highly recommended.
The standard helps organisations identify and address security risks related to data breaches, cyber threats, and unauthorised access. By implementing an ISO 27001-compliant ISMS, digital health companies can safeguard sensitive data and ensure that the development of their solutions continuously accounts for the risks to information and data.
ISO 27001 certification also provides a competitive edge, particularly when dealing with private and international buyers. While data security is a top priority across healthcare, including the NHS, ISO 27001 makes it easier for private and international buyers to see that you've implemented a robust information management system and built a strong cybersecurity posture.
The demand for this standard is growing; over 50% of digital health innovators we surveyed this year are looking to meet compliance with this standard by 2025. If you've already met compliance with UK GDPR, Cyber Essentials, and NHS DSPT, chances are you've already implemented many of the policies and processes required to build out your ISMS.
Naq customers can easily track this progress through their Naq dashboard, where they can see how the work they've done toward other standards contributes to their broader compliance goals. This makes adding additional standards as you scale, acquire new buyers, or expand internationally, a breeze.
Book a demo with our team to see it in action.
ISO 9001 is the internationally recognised standard for Quality Management Systems (QMS), applicable across a wide range of industries, including digital health. It provides a framework for establishing consistent processes that help organisations deliver high-quality products and services. While ISO 9001 is not specific to healthcare, it is highly beneficial for digital health companies looking to build a strong foundation in quality management and improve operational efficiency.
As mentioned previously, if your solution is classified as a medical device, we recommend opting for ISO 13485. However, that's not to say you can only meet ISO 13485 if you have a medical device. Both frameworks are built on the foundation of ISO 9001, but ISO 9001 allows for greater flexibility. Moreover, if needed, you can add ISO 13485 later, and the transition will be much smoother since you will have already built your QMS foundations.
The standard emphasises a process-oriented approach, helping organisations identify inefficiencies, improve workflows, and ensure that all aspects of their operations, from product development to customer service, are aligned with quality objectives. For digital health solutions, this can mean improving the quality of software development, patient support services, and overall user experience.
ISO 9001 certification also demonstrates your organisation's commitment to continuous improvement and customer satisfaction, which is highly valued by private buyers and international partners. Although ISO 9001 is not always required in the NHS procurement process, many digital health companies find it useful as it helps meet the growing expectations of private healthcare providers who are increasingly looking for quality-assured solutions.
Additional standards may apply to your digital health solution depending on the markets in which you want to operate. For example, if you're targeting the US, you must comply with HIPAA and potentially SOC 2 for security controls. In Europe, there's NEN 7510, the upcoming NIS2 regulations, and frameworks like DiGA in Germany for digital health apps.
Mapping out all the standards you need to comply with, not just now but as your organisation scales and your solution develops, is essential for staying ahead in the healthcare market.
It's important to recognise that many of these standards overlap, so it's crucial to clearly map out your specific regulatory requirements. By doing so, you can identify areas where meeting one standard helps you tick off requirements for others, saving time and resources. For example, aligning with GDPR will also put you on the right track for HIPAA or ISO 27001 compliance.
Another key consideration is that compliance is not a one-and-done task. It must evolve with your organisation, product, and regulatory developments. In digital health, where requirements are consistently changing, compliance needs to be built into your organisation's processes. Early consideration of this will allow you to implement these frameworks from the start, ensuring that your digital health solution develops with compliance in mind.
Managing all of this compliance manually makes the process far more complex than it needs to be. Naq's platform takes the complexity out of managing compliance with all these standards and more. Cut your time to compliance by 70% versus doing it manually while saving thousands in costs. Speak to our team today to see how we can help streamline your compliance journey.