Lost in the maze of Health IT Standards and Regulations?

The world of health IT and app compliance can be an impenetrable and, at times, almost mystical field. The Information Governance Toolkit, Medical Device Directive and SCCI 0129/0160 standards are three very different beasts. And depending on precisely what your solution does, the various frameworks may or may not apply for a given product.

For start-up manufacturers and experienced developers alike, the myriad of health IT standards and regulations can be overwhelming. What’s more, get it wrong and it’s not just sales that could be affected…you might well end up committing a criminal offence. Safehand are specialists in health IT assurance. In addition to professional consultancy, they provide some free, straightforward tools to help you along the way. In this article, they summarise the standards and regulation in three of the most important areas.

Medical Device Directive

The EU Medical Device Directive or MDD is the big daddy of regulation in this sector. Fail to comply with this one and the Medicines and Healthcare products Regulatory Agency (MHRA) have the powers to introduce you to the concept of the dawn raid. The MDD is woven into the UK’s Consumer Protection Act and if your application falls within scope of the Directive, you may be facing some serious regulatory overheads. And make no mistake, waivers, warnings and other limitations of liability rarely cut the mustard with the MHRA.

Products which comply with the MDD proudly display a CE Mark, a legal and public declaration by the manufacturer that the requirements of the directive have been met. But this badge of honour must be earned through a combination of careful evidence gathering, validation and formal assurance.

Medical Devices are classified into four categories: I, IIa, IIb and III, depending on the risk they present to the patient. Class I devices are at the lower end of the risk spectrum and compliance can be achieved through self-certification. One can, in theory, submit a simple form to the MHRA and for less than £100 receive approval to affix the CE Mark to a Class I device. But remember that to do so without completing the underlying assurance work (which can be substantial) is a criminal offence. In practice, getting at least some expert help is essential.

For other classes of Medical Devices, the manufacturer can expect audits and inspections by organisations called Notified Bodies. These sentries of the regulatory world put manufacturers through their paces and demand proof that devices are safe, clinically effective and appropriately risk managed. And of course, this must all be paid for by the device manufacturer, ultimately raising development costs.

But here’s the interesting catch, not all health IT products need to conform with the Medical Device Directive at all. On the surface, the MDD tells us that if a product is for the diagnosis, prevention, monitoring, treatment or alleviation of disease, handicap or injury or for the control of conception then it needs to be CE Marked. But that’s just the start of the story. Other guidance from the MHRA and steering groups clarifies that if a health IT system is only for the purposes of storing and retrieving information then the MDD doesn’t apply. And let’s face it, that’s just what most health IT systems do; they allow one user to enter information and another (or the same user at a different time) to bring it back.

It’s this quirk of MDD exemption which means that most health IT systems and apps we see in everyday practice are not CE Marked. But, if your system goes further than storage and retrieval, the regulatory position quickly changes. If a system makes a clinical decision, takes a measurement, performs a calculation, employs a clinical algorithm, makes a diagnosis or raises an alarm then it’s likely that it needs to conform.

At Safehand, they’ve constructed a useful decision tree to help you decide whether your application might need to comply. You can access the tool by registering for their Members Area: www.safehand.co.uk/members.

SCCI 0129 and SCCI 0160

Just because your product isn’t a Medical Device doesn’t mean you can throw caution to the wind and forget about safe design. In 2012, NHS Digital issued their SCCI 0129 and 0160 standards to fill an assurance gap which was becoming increasingly visible. There are plenty of health IT solutions which could cause very real harm even though they are not Medical Devices. Electronic Medical Records systems, Patient Administration Systems, Result Management solutions, etc. all have the potential to adversely affect care delivery if they were to provide misleading information or become unavailable. SCCI 0129/0160 fill this void.

These standards are mandatory for suppliers and NHS organisations and, increasingly, it’s just not possible for credible health IT vendors to do business with the NHS without implementing them. The appearance of bodies like NHS Choices, ORCHA and Our Mobile Health which review and endorse health apps are also driving the SCCI 0129/0160 conformance agenda. Providing health services with safe tools is in everyone’s interest and the prospect of defending a legal challenge in court without compliance is an unenviable position.

SCCI 0129/0160 are similar to the risk management requirements of the Medical Device Directive, but other facets of the CE Marking process, such as clinical evaluation, are not required in this lower risk arena. Nevertheless, there is no lack of rigour called for here, and the need to formally appoint a Clinical Safety Officer underlines the need for at least one clinical individual to put their neck on the line. Interestingly, the SCCI 0160 element dictates that the healthcare organisation needs to play their part in operating the system safely, something which is conceptually less clear with Medical Devices.

But once again not every health IT system needs to comply with SCCI 0129/0160. If your product deals with data at the population level or the purely administrative functions of a health service like Estates or HR then you might not need to comply.

Safehand has developed a decision tree and detailed FAQs to help suppliers in this area too. Again, these can be accessed for free through www.safehand.co.uk/members.

Information Governance Toolkit

Whilst SCCI 0129/0160 primarily deal with a system’s potential to cause harm to individuals, Information Governance sets out to deal with the security and privacy of data. It’s essential that BOTH these areas are considered by all suppliers.

The security of personal and clinical data is governed by a number of disparate UK/EU laws and NHS policies. Some time ago, the Department of Health acknowledged that even figuring out which of these applied to health IT suppliers was a mind-bending task. What was needed was a simple tool to bring together all the requirements in one place and to facilitate a self-assessment by a supplier. This essentially became the Information Governance Toolkit or IGTK which is available at https://www.igt.hscic.gov.uk.

The Department of Health states that “IG Toolkit assessments must be completed and published by all bodies that process the personal confidential data of citizens who access health and adult social care services.” This pretty much means that any software organisation involved in the management of personal, social or clinical health data needs to provide a submission using the tool. This might seem an onerous and administrative overhead but comply here and you’ll conform with most of the relevant Information Governance rules in the UK.

The toolkit sets out a number of requirements and asks users to score themselves from one to three for each element. Suppliers are expected to demonstrate that those who handle data understand their privacy and security obligations, that practical measures have been implemented to control access to data and that policies are in place to govern how data is transported and looked after.

In practice, organisations are expected to achieve at least level two compliance in each area and demonstrate continual improvement and vigilance. The overall result is publicly available on the IGTK website so it’s worth putting in some thought before you make the submission. Without help, constructing the policies and templates from scratch is time-consuming so you might want to work with a partner to simplify the task.


Standards and regulation in health IT are complex and with so much at stake it pays to tackle compliance from a position of knowledge. Working with an experienced partner such as Safehand not only gives you the confidence to go to market on the front-foot but also allows you to reach this position without diverting resources from other business-critical functions.

But whether you choose to benefit from the experience of others or to go it alone, make sure you operate in the health IT industry with your eyes wide open. Above all else, avoid the temptation to ignore compliance in the hope that it will simply go away. Embrace it, and leverage the assurance it brings to drive the quality of your product.

For more information about assuring health IT visit www.safehand.co.uk or contact contactus@safehand.co.uk

This article was written by Adrian Stavert-Dobson, a doctor, safety consultant, blogger and published author on the subject of managing clinical risk in health IT. He is the Managing Partner of Safehand Consulting.

ORCHA nominated in 101 Tech Startup Rising Stars List


We are delighted to announce that we were chosen from over 300 nominations from across the UK for BusinessCloud’s 101 Tech Startup Rising Stars List, sponsored by UKFast.

Everyone selected was invited to attend a prestigious half-day conference at UKFast’s Manchester campus on Wednesday 7th June from 2pm, where there were a number of inspirational startups and the brains behind successful, self-made companies talked about how to accelerate business growth.

Startup 101 was a chance to hear those lessons from UKFast’s CEO Lawrence Jones, and a range of successful businesspeople who made the leap from startup to business star.

Topics included:

  • Goal setting
  • Hiring the right people
  • Marketing to the right audience
  • Make the most of your infrastructure to boost your productivity
  • Investment: how to stand out from the crowd


A Guide to Apps for the Public and Professionals


Healthier Lancashire and South Cumbria, including Lancashire County Council and Blackburn with Darwen Borough Council have partnered with us to offer a validated selection of health and care apps for the public and professionals.

Since there are an estimated 170,000 apps in health and care, it is impossible for members of the public or care professionals to know which are safe and valuable to use and recommend without an independent assessment. To this end, we carry out a rigorous 118-point review process and present the results in clear, searchable web content with rankings.

Dr Amanda Thornton, Clinical Director of Lancashire Care Foundation Trust and a digital champion comments:

‘We’re excited to be working with ORCHA to give citizens and clinicians more confidence in considering what health apps are out there to look after themselves. Clinicians can know what risks and value are attached to these apps and recommend ones if, say, their patient wants to eat well, exercise more or manage their diabetes. We will be building particular apps into our pathways, for example, people waiting for a rheumatology appointment might be recommended a pain management app, so that when they come to the clinic they’ve started thinking about managing their pain. They can share the information with the clinician and collaboratively consider the history of the previous months and decide on the best outcomes and support plan.’

We make the results of our reviews public on our website, but the advantages to the NHS and councils in partnering with us are:

  • Clinicians and care professionals can log in and issue a recommendation to their patient/client that generates a personalised link for downloading the app by text message or email.
  • The person can then read about and download the app, and will soon be able to leave feedback about it.
  • Dashboard management information is available about numbers of recommendations, click-throughs, etc.
  • The site can be ‘white-labelled’ with the local public sector organisations’ branding.

For more details on our partner site, please visit https://lancashire.orcha.co.uk


Read the full briefing: “Effective use of national information sources

Welcome to ORCHA, Clive Flashman!


ORCHA are delighted to introduce and welcome Clive Flashman who is joining ORCHA as Director of Strategy.


Clive comes to the team with a strong background and interest in digital transformation in health and care. Clive was one of the leading innovators of Knowledge Management in the UK at the start of the dotcom boom, and published in a range of journals at the time. He then re-entered the NHS where he set up a national Knowledge System for patient safety, facilitated a WHO committee, chaired a global HL7 Special Interest Group and sat on the NHS Information Standards Board and NHS National Knowledge Service.

He is a member of the eHealth & TeleMedicine Council for the Royal Society of Medicine, and has lectured and mentored at a number of Universities. Clive has worked as one of a small team of global healthcare specialists within CSC where he was tasked with thinking about how CSC can best position itself to deliver the solutions that the healthcare markets around the world.

We feel very lucky to be able to welcome Clive to the team and we know he will help our mission to “promote better health apps for better outcomes”

Get in touch with Clive at clive.flashman@orcha.co.uk or on LinkedIn

Thousands sign up for new health app comparison site


Thousands of people in Lancashire and South Cumbria have used a new health and care app comparison site since its launch at the start of the year.

ORCHA (the Organisation for the Review of Care and Health Applications) carries out independent and impartial reviews of health and care-related apps – making it easy to find and compare the best apps for particular health needs.

More than 3,000 local patients and approximately 50 GPs have been using the platform since its launch in January, while health organisations in Lancashire and South Cumbria – the Lancashire and Bay Partners – are working closely with NHS-backed ORCHA.

Liz Ashall-Payne, CEO of ORCHA, said: “This has been a tremendously encouraging launch and the platform will now be rolled out in Essex, Liverpool, and nationally with Right at Home, a care provider, and will be tested in parts of America over the next few months. If more people can use the best health apps and better manage their health, we are one step towards the goal of connecting proven technology to the health care system.”

There are now more than 172,000 mobile apps that claim to improve health and wellbeing, self-monitor, manage treatments and help develop prevention strategies, and 4 million health apps are downloaded every day. As most apps are either free or very low cost, and with more smartphones in the UK than there are people, most people can access mobile apps.

But the quality of health apps available to the public varies, with some offering no medical benefit, or presenting risks to the user.

Dr Amanda Thornton, Clinical Director for Lancashire Care Foundation Trust and a digital champion, said:


“ORCHA is a hugely exciting development for the people of Lancashire and South Cumbria as well as the clinicians who support them. Health and care apps can offer a huge benefit to patients, really empowering them to manage and improve their health. However, there is a huge choice out there, so ORCHA really helps people to understand which are the best and most trustworthy.”


Declan Hadley, Digital Lead for Lancashire and South Cumbria Change Programme, said:


“This will help us to bring true digital health innovation to Lancashire and South Cumbria. It is also one of the many exciting projects we have lined up as part of our Digital Roadmap.”

Digital health solutions are emerging as a key element in the future strategies of the NHS and many comparable healthcare systems. The opportunities offered by health and care apps, and other tech such as associated wearable devices, are seen as a major way of helping to balance the demands that are being placed on existing healthcare services.

However, neither of the common platforms, Google Play or the App Store, offers any information on the quality of mobile apps. Using these platforms to find and compare apps can be a confusing process.
