
FAQ - Frequently asked questions - Common queries about developing or adopting digital technologies for health and social care

Frequently asked questions and answers to support you when developing or adopting AI and digital technologies in health and social care.

Frequently asked questions about this website

The AI and Digital Regulations Service for health and social care is a collaborative initiative designed to support the development and adoption of AI and digital technologies within the UK health and social care sectors. This service provides a centralised source of regulations, guidance, and resources for individuals and organisations that develop (manufacturers) or plan to use (adopters) AI or digital technologies in healthcare settings. The goal is to facilitate the safe, effective, and value-adding integration of these technologies into health and social care services.

For developers, the service offers guidance and signposting for core regulations throughout the lifecycle of a product. For adopters, it provides resources to make well-informed decisions about purchasing or integrating digital technologies into health and social care environments. The website also highlights advice services for those seeking more specific support related to the regulation or evaluation of digital healthcare technologies.

The service is a joint effort by several UK regulatory and evaluation organisations in health and social care: the Medicines and Healthcare products Regulatory Agency (MHRA), the Care Quality Commission (CQC), the Health Research Authority (HRA), and the National Institute for Health and Care Excellence (NICE). This initiative is part of a broader effort to increase the uptake of innovative digital solutions across health and social care services in the UK.

Register your technology with the NHS Innovation Service. You'll be offered support from a range of organisations, including some of the AI and Digital Regulations Service partners. Read our Get Support page to find out more.

Frequently asked questions about approvals and requirements

If your technology is a medical device, you must obtain the relevant regulatory approvals for the appropriate classification. Read our page on the UK MDR regulations to understand more.

If a clinical investigation is needed before deployment, you may need to notify the MHRA and obtain approvals before the investigations start. For more about clinical investigations see the MHRA’s Flowchart.

The development of a technology may constitute research. Read the getting research approvals section of our data guide and use the HRA's is my study research tool to help you decide.

You must check if the use of your technology constitutes regulated activity. For more information read our page on checking if you need to register with the Care Quality Commission.

If your digital healthcare technology is a medical device, you must comply with medical device regulations. Read our page on determining if a technology is a medical device and the Medicines and Healthcare products Regulatory Agency (MHRA) guidance on medical device software including apps to understand more about how to decide if your technology is a medical device.

If you are unsure whether your technology is a medical device, contact the MHRA for further support: software@mhra.gov.uk

NICE assesses the value of digital healthcare technologies. A NICE approval gives developers the best chance of technology adoption by the health and care system. NICE can help developers build the evidence needed to achieve market access and improve lives. For more information read our page on understanding routes to NICE health technology assessment.

Frequently asked questions about research regulations

If you’re a developer, read our page on getting research approvals, if needed. This gives examples of activities that could be considered research. You should also use the Health Research Authority’s (HRA) is my study research tool to help you decide whether your study is research. If you need further guidance, contact queries@hra.nhs.uk

If you’re an adopter, read our page on determining if your activities are research and understanding the difference between research and non-research activities. You should also use the HRA’s is my study research tool to help you decide whether your study is research. If you need further guidance, contact queries@hra.nhs.uk

If you’re a developer and have established that your study is research, read our page on getting research approvals to consider what approvals you will need.

You should also use the HRA’s do I need NHS REC review tool to help you decide if you need ethical review.

If you do not need approval from a Research Ethics Committee you may still require HRA Approval. To receive identifiable confidential patient and service user information without consent (for projects that are research or non-research), you must submit an application to the Confidentiality Advisory Group. If you need further guidance, contact queries@hra.nhs.uk.

If you’re an adopter, read our page on determining if your activities are research to consider what approvals you will require.

You should also use the HRA’s do I need NHS REC review tool to help you decide if you need ethical review.

If you do not need approval from a REC you may still require HRA Approval. To receive identifiable confidential patient and service user information without consent (for projects that are research or non-research), you must submit an application to the Confidentiality Advisory Group. If you need further guidance, contact queries@hra.nhs.uk.

Frequently asked questions about data considerations

Use our data compliance checklist to consider the legal requirements when using health and care data as a developer of digital healthcare technologies. Each step will give you links to relevant sections of our data guide.

Use our data compliance checklist to consider the legal requirements when using health and care data as an adopter of digital healthcare technologies. Each step will give you links to relevant sections of our data guide.

Frequently asked questions about DTAC

There is a set of baseline criteria for digital health technologies (DHTs) entering the NHS and social care. In England, it is governed by the Digital Technology Assessment Criteria (DTAC).

DTAC is designed to be used by healthcare organisations to assess suppliers at the point of procurement or as part of a due diligence process, to make sure new digital technologies meet minimum baseline standards. For developers, it sets out what is expected for entry into the NHS and social care.

You can download the assessment criteria on the DTAC website. If your innovation uses personal data, then you must comply with the Data Protection Act. This is also covered within DTAC.

This depends on the innovation's situation.

If the innovation falls under any NHS England supported programmes:

  • The DTAC team can centrally assess it.
  • They can provide an in-depth triage process to prepare the innovation for assessment. This can take up to several weeks depending on the innovation's level of preparedness.
  • When ready for assessment the innovation will be passed on to the assessment team. These assessments can currently take up to 6 weeks to complete.
  • The supported NHS England programme should contact the DTAC team on your behalf requesting an assessment.

If the innovation is not eligible for a central assessment:

  • The review or assessment needs to be carried out by the commissioner of your innovation. To support this, the DTAC team could provide a single light-touch triage (usually within 2 weeks) to check documentation.
  • However, the responsibility for review will be the commissioner's.
  • For more information, visit the DTAC webpage.

No, there is a requirement that any innovation should be reviewed for DTAC as part of the contract renewal process. Therefore, you should have an evidence pack available for any NHS organisation that may request it.

All new digital technology should be assessed against DTAC, even if you are piloting or trialling it.

A health IT system is defined as “a product used to provide electronic information for Health and social care purposes”. DCB0129 applies to all health IT systems including medical devices. You are therefore still required to undertake the DCB0129 activities and produce the required clinical safety artefacts to evidence your approach to CRM in the manufacture of the product in compliance with the DCB0129 standard.

With respect to ISO 14971 and the MHRA compliance, you may use such evidence as supporting information for the DTAC purpose. If the product falls within the UK Medical Device Regulations 2002, it is required to be registered with the MHRA. The product must have a valid registration, Declaration of Conformity and, if applicable, certificate of conformity issued by a Notified Body / UK Approved Body.

If your innovation uses or connects to any third-party products, the relevant CRM documentation and conformity certificate are required. The Clinical Safety Case Report scope should encompass a clinical risk assessment of any third-party products on which the innovation is reliant. Such considerations should encompass patient data where the data is obtained from a third-party product.

This is required for any health IT system including any medical device connected to the network.

If the technology does not use NHS Login, then that is acceptable.

However, if you are using NHS numbers to identify patient record data, then you do need to explain how the NHS number is validated, used, and how its security is ensured. This would still be the case if the software allows patient records to be stored. Assurance would be needed by the NHS organisation about how secure the data would be and the integrity of the patient data identification and retrieval processes.

DTAC is a checklist of certifications to demonstrate that standards of quality have been built into digital products and services that are used by the NHS. Think of it like a checklist of certificates that you need in order to drive a car. If you were required to, you should be able to show your driving licence, MOT certificate and insurance certificate. DTAC is the list of certificates that you need in order to pass the basic digital standards as required by an NHS procurement process.

Yes, the below requirements must be maintained. Note that this list is not exhaustive.

  • If the clinical safety officer (CSO) changes
  • If the data protection officer (DPO) changes
  • Any MHRA registration changes
  • Other third-party conformity certification changes
  • ICO registration certification
  • Annual Data Security and Protection Toolkit Assessment status
  • Cyber Essentials Certificate needs to be updated annually
  • External penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities must be renewed every 12 months with moderate to high level risk issues resolved
  • Any changes to the functionality of the innovation (especially for medical devices). For example, processing or controlling of data
