NHSX, the technology and digital unit of the UK’s National Health Service (NHS), recently published its draft Digital Health Technology Standard.
The Standard aims to accelerate how digital health technologies (DHTs) are reviewed, commissioned and scaled for use across the wider health and care system, and provides guidance to support digital health technology developers. The Standard is in draft form at the moment, and NHSX are seeking feedback via a short survey until 22 April (although it’s possible the survey will remain open for longer in light of COVID-19).
The Standard builds on existing guidance already gaining traction in the UK, and there’s some overlap with the UK’s Code of Conduct for Data-Driven Health and Care Technologies. However, it’s still a useful resource for developers trying to navigate the NHS as a potential customer. It signposts the array of guidance and legislation applying to healthcare technology in the UK.
NHSX’s Standard contains 10 core components, which we’ve summarised into 3 main categories:
1. Standards covering Data Driven Technology (DDT)
- DDTs should take into account issues such as transparency, fairness and bias in the data being used.
- DDTs should comply with the Code of Conduct for Data-Driven Health and Care Technologies.
- If research is conducted with medical data, approval needs to be sought from the UK’s Health Research Authority.
2. Standards covering the Development and Design of DHTs
a) Designed to achieve a clear outcome/benefit for users or the system
- Developers must set out a hypothesis for how the DHT will contribute to the provision of better care and/or improved health outcomes.
- Developers must set out clear and defined user needs (i.e. clinical, practical or emotional).
b) Accessible and clinically safe
- DHTs should be easy to understand, and meet relevant requirements such as ISO 9241-210:2019 on the ergonomics of human-system interaction.
- Authorship of source data should be medically valid and up to date, and there should be a plan to ensure that it remains up to date.
- There should be risk mitigation measures where the app could pose a risk to people’s health if used incorrectly.
- DHTs should make the best possible use of open standards and comply with all relevant technical standards.
c) Generate evidence that the product is fit for purpose, and achieves clinical, social, economic or behavioural benefits
- NICE has developed an Evidence Standards Framework which DHTs must comply with, based on evidence for effectiveness standards, evidence for economic impact standards and supporting resources including case studies.
- Post market surveillance must be undertaken and feedback should be risk assessed and acted upon.
3. Standards covering Data Protection, Security and the Regulatory Framework
a) Personal data
- Developers must ensure that their DHTs comply with the UK’s Data Protection Act, which treats health data as special category data.
- DHTs must use data in a way that is proportionate, and must guarantee that data linkage does not give access to patient data to those without a legal right to it.
- With respect to confidential patient data, the user must be able to give ‘informed consent’ to the use of their personal identifiable data.
- The DHT terms and conditions must set out clearly and simply exactly what will happen to user data, who it will be shared with, and in what form it will be stored.
- The DHT must comply with the NHS’s Information Governance requirements.
- Developers must complete the NHS’s Data Security and Protection Toolkit to provide assurance that good data security practice is implemented.
- DHTs must be built and tested in accordance with the OWASP Application Security Verification Standard (ASVS).
- DHTs will need to demonstrate that all security concerns and vulnerabilities are addressed, and explain how this has been done.
c) Regulatory compliance
- If the DHT meets the definition of a medical device, then it must be registered with the Medicines and Healthcare Products Regulatory Agency (MHRA) and have a CE mark.
- If the DHT provides a health or social care service that fits in one of the 14 regulated activities, there is a requirement to register with the Care Quality Commission.