| Steps to consider | Why is it important? | Guidance type |
|---|---|---|
| Are digital technologies the right solution to your problem? | You need to assess whether digital healthcare technologies or AI are the right solution to the problem you are trying to solve. There may be a simpler solution. | Best practice |
Adopters - All adopters' guidance
List of all the guidance and regulations that apply to adopters of digital technologies in health and social care.
Loading sections...
| Steps to consider | Why is it important? | Guidance type |
|---|---|---|
| Complying with NHS Digital clinical risk management standards | Once you are satisfied with the evidence, if you still want to adopt a digital technology on behalf of the NHS, you need to first meet the safety standards set by NHS Digital. | Required |
| Understanding the evidence for a technology before adopting it | When deciding whether to adopt a digital healthcare technology, you need to review the evidence and make sure you understand it. | Best practice |
| Thinking about whether a medical device will meet your needs | You need to think about whether the medical device is fit for purpose and likely to meet your needs before deciding whether to adopt it. | Best practice |
| Steps to consider | Why is it important? | Guidance type |
|---|---|---|
| Understanding how the Care Quality Commission (CQC) regulates services | If you provide a regulated health or social care activity in England, you are legally required to register with CQC. You need to understand which regulations you must meet and whether an application is required. | Required |
| Complying with Ionising Radiation (Medical Exposure) Regulations (IR(ME)R) | The CQC enforces the Ionising Radiation (Medical Exposure) Regulations (IRMER). If you will be using ionising radiation, you need to understand and comply with these regulations to protect patients from risk of harm. | Required |
| Planning for local validation and integrating a digital technology | It is important to integrate and validate digital healthcare technologies before deploying them in a health or care service. Adopters should plan for this during procurement, in liaison with the developer or vendor. | Best practice |
| Piloting digital technologies in a health or care service | Before deciding whether to adopt a digital healthcare technology, you may need to pilot it in your service. | Best practice |
| General staff-training and product-specific user training | There are 2 levels of training adopters need to consider regarding digital healthcare technologies: general training for all staff so they understand how to implement, use and govern technologies and product-specific user training so they can use specific technologies. | Best practice |
| Steps to consider | Why is it important? | Guidance type |
|---|---|---|
| Understanding post-market surveillance of medical devices | Post-market surveillance of medical devices is the legal responsibility of the developer. But it is important for adopters to understand and support post-market surveillance of medical devices. | Required |
| Monitoring safety and effectiveness of digital technologies | It is important to monitor digital technologies once deployed, as they contain algorithmic systems and models. These models may be affected by changes in the external environment. This can result in ‘model drift’ in which the model’s performance and accuracy reduces over time. | Required |
| Reporting safety issues about medical devices to the MHRA | Adopters should report safety concerns about medical devices to the MHRA via the Yellow Card reporting site. | Best practice |
| Managing changes to medical devices after adoption | Managing changes to medical devices is the legal responsibility of the developer, but adopters support developers in these processes and are required to follow the clinical risk management standard. These help make sure devices stay safe and effective. | Best practice |
| Meeting your public sector equality duties | Public bodies should consider the public sector equality duty when thinking about whether to use digital healthcare technologies. This also applies to any digital healthcare technologies that public bodies are already using or that others are developing or using on their behalf. | Required |
| Planning for managing legacy systems and decommissioning | A legacy system is an outdated or unsupported technology that is still in use. It is important to plan for managing legacy systems and decommissioning before deploying a digital healthcare technology. Adopters should do this planning during procurement, in liaison with the developer or vendor. | Best practice |
| Steps to consider | Why is it important? | Guidance type |
|---|---|---|
| Data regulations for digital technology in health and social care: a guide | An introduction to the data guide for adopters who need to know what legal requirements govern the use of this data. | Required |
| Understanding types of health and care data | Two types of health and care data can be distinguished to help you determine when the relevant legal and regulatory frameworks apply. | Required |
| Understanding laws that regulate the use of health and care data | Learn about the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). | Required |
| Using data during the adopted technology’s lifecycle | When considering adopting digital healthcare technologies, you need to know that data protection legal requirements that will apply at the different stages of the technology's lifecycle. | Required |
| Data considerations related to compatibility testing | Both developers and adopters must make sure that use of data during compatibility testing is done lawfully. | Required |
| Technology adoption: using health and care data | You may need to use personal health and care data during the adoption of the technology. This requires a lawful basis. | Required |
| Complying with the UK GDPR Steps 1 - 7: an introduction | If you are using personal data, you are obliged to protect it and comply with data protection law. | Required |
| Common law duty of confidentiality | The common law duty of confidentiality means that when someone shares confidential information in confidence, you cannot disclose it without some form of legal authority or justification. | Required |
| Data access and re-identification risk intervention | If you share, or provide access to, health and care data with the developers of a digital technology, you will need to consider the identifiability of the data. | Required |
| Understanding the difference between research and non-research activities | How to determine if your activity classifies as research or non-research, and whether you need research approvals. | Required |
| Data Protection agreements and contracts | It is important for adopters to have appropriate data agreements and contracts in place to formalise arrangements around access to and use of health and care data. | Required |
| Using data during deployment and after rollout | Learn how to use or process data during and after deployment of your digital technology. | Required |
| Changing a technology’s purpose | A change in processing purpose has implications for your obligations under data protection law. | Required |
| Steps to consider | Why is it important? | Guidance type |
|---|---|---|
| Cyber security and resilience for health or care services | Requirements and guidance for cyber security and resilience for health and care services | Required |
Other helpful links
-
Glossary
Demystify the complex world of digital health regulation terminology with our glossary.
-
Using this service
Learn how to use this service as a developer or adopter of AI or digital health technologies.