Every day is a compliance day

Growing pains – Digital Health  

Like any start-up sector, health tech has had its fair share of failures and missteps. But unlike other start-up sectors, health tech is accountable ultimately not to consumers or end-users, but to patients and – often – public funding and institutions. Dr Shailesh Suri, Clinical Risk Consultant at 8foldGovernance, explains, “It is very much part of app culture to just have an idea and release it, but health is highly regulated. It’s about ensuring that all of these considerations are met whilst maintaining the agility and innovation that is so valuable. Many organisations are not aware of the regulations. It’s much better, cheaper and less painful to build these into your practices early on than trying to fix problems later.” More can be found from Dr Suri on his blog.

With huge growth comes heightened scrutiny. Babylon itself has been the subject of a number of negative press articles. Perhaps this is the fate of any unicorn which dares to disrupt not only a sector but a beloved institution like the NHS (and primary care in particular). However, some commentators are urging caution at this time of rapid adoption and behaviour change. “I think it’s really important we look into these things,” GP and researcher Sam Finnikin told Wired recently. “At the minute patients are being experimented on – and not in a good way. I worry about that, and I don’t think we know that these are safe and effective technologies.” Lyndon Johnson suggests that “Digital Health Tech is currently a frontier-land with lots of SMEs striving to provide innovative services and no really big players ruling the market. There is a lack of compliance and governance and that has been identified by the NHS. The NHS is now trying to ensure that existing suppliers have the right governance standards in place and new suppliers will be excluded unless they are compliant. That is why we founded 8foldGovernance, to support these companies and help them get to where they need to be.”

There is a sense that governance and compliance are somehow at odds with agility and entrepreneurialism. Anthony Anandan – director and lead management consultant who has recently joined 8foldGovernance – says, “From an SME perspective, governance and compliance can appear as bureaucracy and can be seen to slow down the process.”

There is already anecdotal evidence that health tech companies require greater awareness of the potential pitfalls that await once they launch into the market. A number of recent health tech initiatives have failed once they have gone live, as noted by online publication Sifted:

“Already, we’re seeing examples of things that didn’t work out. These include the NHS contract with remote consulting tool Attend Anywhere, which has not been renewed. Elsewhere, mobile health company Now Healthcare Group shocked staff when it announced in May that it was to shut up shop following a critical CQC report and the loss of a lucrative contract. In June, a group of North London hospitals axed the use of the Health Help Now app (which was designed to signpost users to relevant local healthcare services) after it failed to meet clinical and governance standards.”

In June 2020, it was reported that the Health Help Now app would be deleted after it was judged “clinically unsafe”. The app had been developed by NHS North West London for use by patients. Announcing the move in a letter to colleagues, NHS North West London stated, “The app has been downloaded to date by just 0.4% of the NW London population, and the CCGs do not have the funding resource to promote it more widely. The lack of clinical assurance presents a risk to patient safety.” At the time, the app had been in use by patients for three years. 

This was not even the first time that the Health Help Now app had met with compliance and governance issues. DigitalHealth.net reports that in October 2017 the app was briefly taken out of service “due to clinical assurance concerns and continued difficulty with the accreditation of health apps.” “The service was restored after the provider was able to demonstrate the app fully complied with the NHS England clinical safety standards for health ICT systems”.

These examples suggest that some UK health tech companies still fail to include governance and compliance as part of their due diligence. This is despite these standards being not only imperative to launch, but needed to continue due to annual compliance audits. Information Governance Consultant at 8foldGovernance Noreen Doyle confirms, “organisations have annual assessments that they need to do. For example, DSP toolkit, Cyber Essentials and others.” Clinical safety is a mandatory requirement but – according to Dr Shailesh Suri at 8foldGovernance – “a lot of these companies don’t even know that a [Clinical Safety Officer] is a requirement and then when they find out they will look for a company like ours who offer the service on an ongoing basis”. 

According to Dr Suri, clinical risk analysis “should be a vital part of the software development lifecycle for healthcare IT systems, in the same way as one would consider software quality, performance and security”. In the UK, this is enshrined in law under the Health and Social Care Act 2012 under DCB 0129. 

Compliance is not just about safety and the law – it is about inclusion. According to Dr Suri, developers often fail to consider the profile of the patient population vis-à-vis the general population: “inclusivity and accessibility are so vital because a higher proportion of patients fall into these categories.”

Cost and accessibility/recruitment may be one reason SMEs don’t access this expertise currently. As Lyndon Johnson explains, “It is tough to get top-flight expertise in these areas if you are an SME; it can be expensive and hard to come by. If you get it wrong, it can be a business killer …. It is important not to wait until you are contracting to be told that you need a Clinical Safety Officer, DPIA, DPO, DSP toolkit etc. I have seen significant deals lost as a result.”

The risks that SMEs run by not covering off compliance are not just commercial – the reputational damage can also be a business killer. Adam Spinks, Governance Expert and co-founder of 8foldGovernance, explains, “People underestimate the reputational damage that can occur if you don’t have your compliance and security arrangements in place, particularly when engaging with clients. Equally though, you shouldn’t underestimate the confidence and assurance you can instil when you are able to speak with confidence about this.”

Neither is compliance a one-off, something to check off an SME’s to-do list. Noreen Doyle at 8foldGovernance speaks of “putting in place a ‘compliance culture’. It doesn’t just happen once – every day is a compliance day.”

This blog is an excerpt from the 8foldGovernance White Paper written by Sussex Innovation. The full whitepaper can be downloaded from our newsletter upon sign up.
