
💻 Understanding UK HealthTech Regulations

A whistle-stop tour of the important standards any HealthTech clinician needs to know.
Published on April 25, 2025

Today, we are going to talk more about a topic that every HealthTech clinician should be aware of - HealthTech regulations and compliance.

Thrilling! We know. 😏

Why is it important to know the basics of this?

Simple, because regulations and compliance are crucial for:

  1. Product development planning
  2. Go-to-market strategy
  3. Clinical safety

If you operate in the HealthTech space but are unaware of the compulsory steps founders need to navigate - you are liable to trip up where it matters.

It also helps you separate companies taking the safe and responsible approach from those looking to take shortcuts.

So, let us have an overview of how we approach this.

Now the first point to realise is that not all HealthTech companies are the same.

And therefore not every single company needs to adhere to every single standard.

I will outline the most important standards and when they are applicable below.

📊 Data Protection

Starting off with something incredibly basic.

If a HealthTech company operates in the UK/EU and collects, collates or processes ANY form of personal data about people in the UK/EU, it MUST comply with GDPR (in the UK, the UK GDPR together with the Data Protection Act 2018; in the EU, the EU GDPR).

This is the one standard virtually every company will have to meet, and the fines for non-compliance are HEFTY: up to £17.5 million or 4% of global annual turnover under the UK GDPR, and up to €20 million or 4% under the EU GDPR.

But going into another layer here,

If a company touches sensitive personal health data (which most HealthTech companies will), GDPR treats that as "special category" data and two further obligations kick in: a Data Protection Impact Assessment (DPIA) must be completed before any processing that is likely to be high-risk (which large-scale processing of health data is), and where large-scale processing of such data is a core activity, a Data Protection Officer (DPO) must be appointed.

These are added layers of accountability within the GDPR itself, not separate standards.

In the UK, you will also need to register with the Information Commissioner’s Office (ICO) and pay the annual data protection fee.

Going into yet another layer,

If a company wants to work WITHIN the NHS and will touch NHS patient data, it will need to complete the Data Security and Protection Toolkit (DSPT), an annual self-assessment against the National Data Guardian’s data security standards, before it can do so.

If the company is direct to consumer or operating in the private sector, this is not needed.

🦺 Clinical Safety

When it comes to the safety of HealthTech products within the NHS, there are two LEGALLY required standards: DCB 0129 and DCB 0160.

DCB 0129 applies to the manufacturers of health IT systems, whereas DCB 0160 applies to the healthcare organisations deploying them.

These standards are published by NHS England (formerly NHS Digital) and compliance is mandatory under section 250 of the Health and Social Care Act 2012.

The interesting thing about DCB 0129 is that it requires a CLINICAL SAFETY OFFICER to own the work (the hazard log and the clinical safety case report) - and this has to be someone who holds an active clinical registration and has completed the clinical risk management training that NHS England requires.

(They can be nurses, pharmacists, doctors, physiotherapists etc. - but they must still be actively registered with their professional body.)

🦿 Medical Device Regulations

Now this is perhaps the most important consideration right from the start.

Whenever you approach an early stage HealthTech startup, you should try to understand whether their product constitutes a medical device or software as a medical device (SaMD).

What exactly is a medical device and SaMD?

The reference point is the definition from the IMDRF (International Medical Device Regulators Forum), which sets the tone for the rest of the world: software as a medical device is "software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device".

That is a VERY broad scope - which means founders may inadvertently be building a medical device without realising it.

From here, companies need to work out which risk classification their device falls under - Class I, IIa, IIb or III under the UK Medical Devices Regulations 2002 and the EU MDR - by applying the classification rules set out in those regulations.

In short, the higher your classification, the more intense your evidence requirements are.

Class I medical devices are self-declared and do not require Notified Body (EU) or Approved Body (UK) review - so many companies will try to claim (rightly or wrongly) that they are a Class I device.

But that "loophole" is closing: in the EU, Rule 11 of the MDR already pushes most software that informs diagnostic or treatment decisions into Class IIa or higher, and the UK is reforming its regulations in the same direction - so I would exercise a healthy amount of scepticism and care.

Why does this matter?

If your product is a medical device, you need a CE mark (for the EU) or a UKCA mark (for Great Britain) to be able to sell it in those markets; Great Britain currently still accepts CE-marked devices under transitional arrangements, and Northern Ireland follows the EU rules.

If you market or sell a medical device WITHOUT a CE/UKCA mark - you will get into very serious trouble VERY quickly.

Besides that, remember that going through medical device regulation under the MHRA (the UK’s regulator) is an EXPENSIVE and LENGTHY process.

This is something an early stage startup has to consider very carefully before embarking on it, as it can cost up to £2-3 million to complete.

Medical Device Regulation is a MASSIVE TOPIC to cover, so we will leave this here for the moment. (More on this in the future)

👨‍⚕️ Clinical Governance

If you deliver health and social care services in England, you need CQC registration.

If a HealthTech company provides a regulated activity, it will need to register with the CQC.

This is very important to note where there is a service element to a HealthTech offering. Often the activity it falls under is “Treatment of disease, disorder or injury” - meaning companies that deploy clinicians alongside their digital products or pharmaceuticals.

Please note that this is a LEGAL requirement: carrying on a regulated activity without registration is a criminal offence, and there are hefty fines for companies that do.

💻 Cyber Security

In the UK, there is a standard called Cyber Essentials that is not healthcare specific. It is backed by the NCSC and covers five basic technical controls: firewalls, secure configuration, security update management, user access control and malware protection.

Many public-sector contracts in the UK, and in particular central government contracts that involve handling personal data, require Cyber Essentials before a supplier is eligible to bid for the tender.

Cyber Essentials is mainly a self-assessment questionnaire, whereas the higher level, Cyber Essentials Plus, is more expensive but adds a hands-on technical audit by an independent assessor (including vulnerability scans and checks of a sample of your devices) to verify that the controls are actually in place.

Going one level deeper.

There is also an international standard called ISO 27001, which is quite popular and which certifies that a company runs an information security management system (ISMS) - that it has taken information security seriously and to a high level.

It is a step above Cyber Essentials Plus, BUT UK companies looking to work with the NHS will still need Cyber Essentials nonetheless.

🫰 Finally, the NHS DTAC

The Digital Technology Assessment Criteria (DTAC) is essentially the infinity gauntlet that pulls together all the standards above.

The DTAC is designed to be used by healthcare organisations to assess suppliers at the point of procurement or as part of a due diligence process, to make sure digital technologies meet the NHS’s minimum baseline standards.

UK HealthTech companies will need to fill in the DTAC form and present it to the NHS organisation they are hoping to work with or sell to, to demonstrate that they have all their ducks in a row.

Besides the standards above (clinical safety, data protection and technical security), it also assesses the interoperability and the usability and accessibility of a product.

So there you have it!

This is a quick whistle-stop tour of all the important standards; the poster below brings everything together in one summary. Hope this helps!
