There is a clear drive to digitise health and social care services; however, providers’ digital transformation varies enormously. No matter where suppliers are on their journey, all regulated providers must assure themselves and the CQC that they are safely introducing technology into their service. Guidance on how to do this is hidden in plain sight – this blog discusses what guidance is available, what it means and how it may impact an organisation’s CQC rating.
The Problem
The Department of Health and Social Care (DHSC) recently extended its target date of migrating 80% of providers onto digital social care records by March 2024 until March 20251, with an additional £25 million pounds of funding. Extending the deadline aligns the target with a wider DHSC ambition – most health and social care services will have digital foundations in place, including electronic records, by March 20252. But why is the extension needed?
A recent literature review on the complications of digitising healthcare concluded that the main barriers are related to:
- Usability and technical issues
- User attitudes and perceptions
- Infrastructure challenges.
Ignoring these barriers when introducing tech into health and social care is proven to reduce the chances of successful integration of new technology into clinical workflows and effective outcomes as a result.
The NHS was the first to recognise the need to support deploying organisations in procuring and implementing technology safely. With a wide range of products on the market and the drive to digitise, understanding what a good-quality health IT system looks like can add to the complexities of implementing and adopting potentially transformative technologies..
The Introduction of DTAC
The Digital Technology Assessment Criteria (DTAC) was introduced by NHSX in 2021 to bring together national health and social care compliance standards for health technology deployment in the UK. Due to the surge in digital technology adoption caused by the COVID-19 pandemic, coupled with limited awareness among suppliers and NHS providers about essential regulatory requirements, prompted the development of DTAC. The DTAC establishes common expectations that health and care organisations should consider when procuring and deploying health and care technology.
While designed as a national compliance baseline, DTAC’s purpose extends beyond standardising expectations. It also serves as a framework to guide companies through the complex landscape of regulations and compliance requirements necessary for collaborating with health and social care providers.
By asking suppliers to complete a DTAC, organisations can be assured of product safety and compliance with legal requirements, which is crucial for successfully implementing digital technology in any health and care environment.
What is DTAC?
DTAC comprises of 5 key elements that health and social care organisations should review when procuring IT systems:
Clinical Safety (DCB0129): assessed to ensure that baseline clinical safety measures such as a Clinical Risk Management System, Clinical Safety Report and Hazard Log, Clinical Safety Officer (CSO) and MHRA compliance (where applicable) are in place
Data Protection: assessed to ensure that data protection and privacy is ‘by design’ and the rights of individuals are protected, including registration with the Information Commissioner’s Office (ICO), appointing a named Data Protection Officer (DPO), completing the NHS Data Security and Protection Toolkit (DSPT) and developing a high quality a Data Protection Impact Assessment (DPIA)
Technical Assurance: assessed to ensure that products are secure and stable, including Cyber Essentials certification, External Penetration Testing, Multi-Factor Authentication (MFA) and logging, reporting and load testing
- Interoperability: assessed to ensure that data is communicated accurately and quickly whilst staying safe and secure.
- Usability and Accessibility: Products are allocated a conformity rating after being benchmarked against good practice and the NHS service standard.
Full details are available on the NHS website.
Is the DTAC mandatory?
Yes – in a roundabout way. The DTAC itself is a collection of other standards and should form the backbone of procurement processes for Health IT Systems. For example:
- A clinical safety assessment is covered under the DCB information standards. These are broken down into DCB0129 (for the manufacturer) and DCB0160 (for the deploying organisation), which is mandated under section 250 of the Health and Social Care Act 2012.
- The General Data Protection Regulation (GDPR) for most part requires technology companies to register with the Information Commissioner’s Office (ICO), appointment a Data Protection Officer (DPO) and the complete a Data Protection Impact Assessment (DPIA) as part of implementation to identify and mitigate potential risks to individuals privacy rights. These are mandated requirements included in the UK Data Protection Act 2018.
Therefore, is the DTAC mandated? No. However, some of the parts are covered by other mandated standards that predate the establishment of the DTAC.
A DTAC provides an audit trail which top management can utilise to provide assurance to the CQC that a comprehensive review process has been undertaken when procuring new technology. It may also be the case that the CQC asks for evidence of this assurance for service critical technologies such as Digital Care Record systems. As the number of innovative health technology systems on the market increases, the CQC is likely to request more aspects of a DTAC, as previously discussed in this blog.
The CQC’s position on Digitisation
The Single Assessment Framework details how the CQC will look for evidence to support the Quality Statements that underpin their Key Questions. Although DTAC is not mentioned in the Single Assessment Framework, parts are highlighted within the best practice references. Elements of a DTAC are also mentioned in a wide variety of literature that the CQC has published, co-produced or referenced, including:
- NHS England’s What Good Looks Like Success measure 3
- CQC’s Sandboxing on Digital Triage Solutions
- CQC’s Machine Learning in Diagnostic and Screening Services
- The CQC’s involvement in creating the AI and Digital Regulations Service.
Those looking to achieve the best scores against the quality statements should consider what the CQC recognises as best practice. Each Quality Statement has a number of prompts on what may be considered when looking at the quality of evidence available.
Those looking for more detail on this should examine the key prompts under each quality statement relating to “Is the service safe?” and “Is the service well-led?” There is clear reference to driving improvement through technology, the digitisation of records and the use of business data in service improvement – a clear demonstration the CQC is looking for evidence of in the introduction of technology to assist in the delivery of care. They also specifically mention the safe use of data, the security of systems and the interoperability of systems. All required assessments as part of a DTAC.
Technology and the CQC’s new methodology
Good technology solutions that have been correctly implemented provide efficiency savings and organisational intelligence—paper-based systems can not provide these. The new inspection methodology will require more frequent sharing of evidence to provide assurance to the CQC that service users are safe. Digital systems and good governance processes will more effectively supply the CQC with this evidence, while paper-based solutions will be onerous.
Health organisations resisting technological advances should know resistance to innovation will not be seen as best practice. For those needing greater guidance, the AI and Digital Regulations Service provides guidance across the regulatory, evaluation and data governance pathways – enabling the safe implementation of tech.
Health organisations implementing tech and not aligning themselves to DTAC, including the clinical safety standards, need to be aware that, at best, they are not aligning with CQC best practices and may well not be satisfying their legally mandated activities.
For organisations that deem individual tech outside the scope of a DCB0160 it is worth recording that decision in case of external scrutiny – aligning the decision process to the applicability guidance. But that tech will still need a form of risk assessment as part of the broader organisation’s governance process. And just because an organisation deems a DCB0160 not to be applicable, it does not mitigate the need to do other elements of a DTAC as part of due diligence activities.
My Experiences
When done well, a DTAC can metaphorically cast light into areas of organisational darkness. For example, as part of a DCB0160 assessment, evidence from wider organisational practice will be necessary, enabling fresh scrutiny and the ability to alter practice. Assessments of Information Governance can highlight opportunities to tighten data access and sharing requests, whilst Accessibility assessments can often educate teams as to the requirements set out under Web Content Accessibility Guidelines 2.2
Organisations with a robust process for technology implementation will likely have a robust process for change management, including good consultation and dissemination of information with patients and staff. Immediately being able to present evidence of DTACs being done builds a picture of the organisation’s culture, governance, and leadership.
On the flip side, what does the lack of a DTAC or suitable compliance information from suppliers suggest?
When organisations are unable to produce information that aligns with the DTAC framework, what they are effectively saying to the CQC is:
- We haven’t properly assessed the technology before we introduced it.
- We have not followed legally mandated requirements for all health and social care providers.
- We do not have an organisational understanding of our requirements for the use of technology.
The CQC’s follow-up step is to explore the impact of this. If patients suffered as a result of the failure, ignoring the most critical issue – that not having a proactive approach to risk management has resulted in service users coming to harm when they should have been cared for – it will be reflected in the inspection report and could lead to further enforcement measures. What is more, it will lead to other questions:
- What else aren’t they doing?
- What else don’t they know?
- What else haven’t they got the resources to do safely?
Too often, I have been on inspections where all appears well until one line of evidence gathering opens up a rabbit warren of issues that demonstrate organisation-wide gaps.
Health and Care organisations are expected to digitise. The benefits of this are well documented. However, in doing so, organisations must pay attention to their legally mandated obligations. Failure to do so can lead to negative scrutiny by external agencies such as the CQC and, worse, can harm service users.
References
We’re the experts that have your back.
Let us help you find a route from from where you are, to where you need to go. We’re here to help.