So, you’d like to launch healthcare software or apps that link with the NHS, either for direct use in the NHS or for a solution which uses NHS data to drive how it works? This business guide will walk you through the things you need to do.
You’ve likely found this article because you've discovered an opportunity to innovate but quickly realised it’s not simple to get your idea approved; you may not even know whether your idea is possible. There are many hoops to jump through, as you must comply with data rules, processes and bureaucracy. It isn’t easy to know where to start, and you might be tempted to give up.
This article will guide you through common things you will need to consider when launching technology in the NHS or using NHS data in your own apps, web apps, processes or software, including the criteria you must follow to get approval for software that is used in the NHS or that uses NHS data. I will also provide you with techniques you can use to research whether your idea is possible and allowable.
Please be aware that each NHS trust can have slightly differing guidance and requirements, so it is important you;
This article comprises the following sections:
- The NHS Healthcare Ecosystem Overview
- NHS Digital API Catalogue
- NHS Developer Hub and Requesting Access
- NHS Digital Technology Assessment Criteria Guidelines (DTAC)
- Tips for Launching an NHS App and Gaining Traction
- Summary of Key Actions
- What Next
See this guide as a solid starting point on your journey to release an NHS Healthcare App. The information in this article is provided AS IS. Some types of app and app use cases may be required to meet additional checks and criteria, so please make sure to be thorough in your research. If in doubt, contact NHS Digital to ensure you operate lawfully and in a clinically safe manner.
The NHS Healthcare Ecosystem Overview
If you are new to working in the NHS, I’d recommend familiarising yourself with the healthcare ecosystem.
This outlines the different types of care, such as Primary, Secondary, Community Health, and Tertiary Care:
If you aim to provide a product that the NHS will use, you will need to know which category of care it falls under and which audience of users it applies to. For example, whether your innovation is a point-of-care application, back-end application, or patient-facing application.
You’ll also hear the term “National Spine” mentioned a lot; this means the suite of NHS applications which operate on a national level. It’s the Spine because it’s the backbone which underpins everything.
The NHS Digital API Catalogue
Your journey should begin with the NHS Digital website, a fantastic source to guide you on integrating with the NHS. NHS Digital provides digital healthcare services at a national level:
To understand the full capabilities of integrating with the NHS, I first need to explain what an API is. An API (Application Programming Interface) is like a shop window into a system or source of information. You can use an API to connect with other systems, either to read information, send information, or issue instructions.
The most valuable area of this website is the NHS API Catalogue. Here you can browse the different sources of information within the NHS, see what capabilities exist, and learn how to integrate these sources with your software or business.
You can skip this section if you don’t need access to NHS data.
How to use the NHS catalogue
If you have an idea of how to innovate in the NHS by using NHS data, then most of the time, you will need to research which APIs you need to use, what they are capable of, who is allowed to use them, and what requirements you must meet to be granted access.
Some NHS APIs are internal only, meaning that only internal NHS departments and trusts have permission to access and use them. Others allow for external use, providing that you comply with NHS standards and procedures. This is something we will cover in more detail later.
Let’s take a close look at some of the APIs in the catalogue to give you an idea of what is possible using NHS APIs.
For example, one of the available data sources is the Directory of Healthcare Services API. You can use this API to find information about organisations that provide NHS healthcare services, NHS organisation types, and coronavirus (COVID-19) walk-in sites.
But how can you tell what is possible using this API?
Example NHS API Page
Most of the API Catalogue pages will refer to “interactions” or “endpoints”, which are a list of the different things you can do using the API. Some endpoints may be for reading data, others for asking the API to perform some action.
We can see with the Directory of Services API that they have an endpoint for getting a list of the organisation types, which looks like this:
Underneath, it explains what information you can ask the endpoint for and what it returns. In this example, we can see the endpoint “get OrganisationTypes” returns a list of organisation info which includes their Type and Display Name:
If you have an idea about how you’d like to innovate using NHS data, then you can research the APIs to see if one provides you with the functionality you need. You can then check which API endpoints exist to see if they give you the required information.
Other Catalogue Use Considerations
As you explore the different NHS APIs, you will notice that each has different access criteria and will display guidelines on who can use the API, which look like this:
Just because an API exists does not mean that you will be granted access to use it. If in doubt, contact the NHS Digital team with a summary of what you plan to build, which APIs you need access to, and how you plan to use them.
NHS Developer Hub and Requesting Access
If you are a developer, then NHS Digital includes a full-featured Developer Hub where you can register to learn how to build healthcare software and integrate with NHS APIs. This consists of a host of guides and documentation about best practices.
If you aren’t a developer, this section of the site isn’t aimed at you but may still contain useful information to inform your business planning. For example, it provides details about how to request access to specific APIs by submitting a PSD Access request, which looks like this:
Here you (or your developers) will be asked to provide information about your project, confirm the requirements, demonstrate that you conform to the NHS technical requirements, and agree to their terms and conditions.
It’s a good idea to complete this information at the beginning of your project to see if your access is granted before undertaking development work. If your access request is rejected, you’ll be told the reason. Sometimes issues are easy to rectify, but sometimes they may have a fundamental objection to your use case, which may not be possible to overcome (such as an external provider wanting to use an API restricted for internal use only).
NHS Digital Technology Assessment Criteria Guidelines
If you wish to launch a new digital technology product into the NHS, you must meet their Digital Technology Assessment Criteria (DTAC for short). Visit the DTAC page and download the DTAC document to read the full criteria and questions.
The DTAC (at the time of writing) consists of the following sections, some of which are assessed, meaning you will pass, fail, or be assigned a score based on your answers.
- Company information (not assessed): Information about your organisation and contact details.
- Value proposition (not assessed): Context of your product's clinical, economic or behavioural benefits to support the review of your technology.
- Clinical safety (assessed): Establishing that your product is clinically safe to use.
- Data protection (assessed): Establishing that your product collects, stores and uses data compliantly (including personal data).
- Technical security (assessed): Establishing that your product meets industry best practice security standards and that the product is stable.
- Interoperability criteria (assessed): Establishing how well your product exchanges data with other systems.
- Usability and accessibility (assessed/scored): Establishing that your product has followed best practices.
Think of the DTAC as a list of all the hoops you must jump through for your app to be accepted in the NHS. Familiarise yourself with the various DTAC requirements, and ensure you pass or score highly on the assessed questions.
Some requirements apply to your business as a whole, such as meeting certain standards like Cyber Essentials Certification or DCB0129 risk assessment requirements. Others will require you to take a certain approach to planning and building your app.
Cyber Essentials is fairly easy to comply with; it’s a set of basic security measures you must implement in your business combined with an audited self-assessment to decide if you pass the standards. It includes requirements such as having a secure password policy, locking down admin accounts on devices, and using two-factor authentication where possible.
DCB0129 compliance is a little more complicated, as the extent to which you must comply depends on your digital product's nature and use case. It requires you to implement risk management processes, assign certain roles such as a clinical safety officer, and conduct a clinical risk analysis. Given that the consequences of not meeting these risk assessment criteria could be severe, we recommend that you engage with a qualified professional who specialises in helping healthcare businesses to meet this standard.
You must also comply with the various GDPR and data protection guidelines, as with any other app that uses personal information. We’ve written a separate article recommending ways to navigate GDPR and data protection regulations.
If you are still to build your NHS product, it may be possible to work towards achieving compliance in parallel to building your solution.
App Requirements needed to meet DTAC Requirements
Several DTAC questions impose requirements on your app, design, and project management approach. Here are the main ones for easy reference:
- Follow an Agile project management approach that involves target end users in the design, validation, and testing processes.
- Ensure your development services and support contract with your chosen tech team enables continuous product development over time.
- Define your business objectives, and what success looks like.
- Define your product's value proposition based on your user's interests, and use this to guide how you prioritise what to build (I’ve written a book on how to Execute Your Tech Idea if you need support with this).
- Build your app infrastructure to be ‘Internet First’. This means it will work on any device with an internet connection because your app servers or web services are connected to the internet.
- Where possible and practical, use open-source libraries and frameworks to demonstrate that you “use open standard, common components, and patterns”.
- Ensure you meet accessibility standards (WCAG 2.1 AA compliance).
- Map key user journeys to support your project requirements.
- Ideally, only store app data in the UK.
- Run a Penetration Test on your technology before the official launch to catch and fix any issues raised.
- Conduct an internal or external security review of the source code before launch.
- Implement Multi-Factor Authentication into the sign-in process.
- Ensure logging and protective monitoring are in place. Some of this can be aimed at the app server software, and others at the servers or web services.
- Load test any cloud services before the launch. (We use a tool called Locust to conduct load tests.)
- Ensure you work with a ‘multi-discipline team’; for example, one with a project, graphics, and development team like Scorchsoft.
- Ensure any hosting or web services have a 99.9% uptime requirement. Ideally, you should be able to demonstrate evidence of this from your chosen host.
Our friendly team at Scorchsoft can assist in helping to ensure your tech meets the above requirements from a development perspective.
Or, if you need more specialist support complying with DTAC, such as achieving DCB0129 Compliance, Scorchsoft has teamed up with DTAC DCB0129 experts, The AbedGraham Group. Their experienced team is here to guide you through the process, including achieving clinical compliance. This process requires someone with a clinical background to oversee elements of the sign-off procedure. We can integrate our methods into The AbedGraham Group's clinical review process, providing evidence that change management and release processes have undergone clinical risk assessment.
There are more requirements in the full DTAC document, so please review the full guidance. The information provided here is a general summary so you know what to expect; it is not an exhaustive list.
Tips for Launching an NHS App and Gaining Traction
I’m not going to provide generic app marketing advice here. There are many ways to launch and gain traction for app ideas, which you can read in my book's marketing principles and 25 marketing channels chapters. Instead, here are a couple of NHS-specific ways you can boost the launch of your NHS app:
Earn an NHS Website Recommendation
The NHS used to have a service called the NHS App Library, which was a directory of the apps and digital services that could be used within the NHS. Unfortunately, this service has now been retired in favour of linking to recommended apps and digital services throughout the NHS website.
So if you would like your app to be recommended on the NHS website, you should first find where on the NHS website you think is suitable and then request an update to the page to link to your app using the suggest a website improvement form. You will need to explain how you meet technical standards, clinical standards and prove that your app is approved by experts in your area of specialism. There is no guarantee that they will accept your request, so make sure you have demonstrable medical, social and expert proof before trying this approach.
Use NHS Innovation Hubs
Due to the way the NHS is structured, some services (such as NHS Digital) are nationwide, while others are regional. Several government-funded innovation hubs exist in most regions across the UK that aim to support innovation in the NHS. They work with NHS trusts to encourage and spread innovation throughout the NHS.
For example, suppose one NHS trust builds a new game-changing innovation that improves patient outcomes or saves money. In that case, it’s in the public interest for that innovation to be adopted by other Trusts across the country. From your perspective, if your app adds value, you can launch your app through one NHS Trust and then use the innovation networks to grow your business by launching to other trusts.
These innovation hubs also aim to encourage people working in the NHS to find opportunities for innovation and launch new ideas which improve the NHS. They want to encourage a culture of Intrapreneurship.
For example, NHS Innovation Hub MidTech is a non-profit organisation which helps NHS innovators to protect, develop and commercialise their work. They provide many support services, from advice, networking and introduction opportunities to links to industrial partners, collaborations, and more. They can advise on ways to secure funding, assess your ideas' suitability, and provide training.
There is also a service called the Meridian Health Innovation Exchange which helps innovators to understand and overcome the different challenges you will face when dealing with regional and national NHS entities when innovating. It also provides a platform where you can find ‘opportunities’ to innovate, such as others sharing their new ideas, looking for co-creation opportunities, or looking for conversations with others in their area of interest. Here you will find lists of healthcare accelerators, grant and support schemes, mentoring opportunities, and resources.
MidTech and Meridian are examples of West Midlands initiatives, but there are many more across the country that may help you on your journey, including several Academic Health Science Networks (AHSN). Here are some that we know of:
This is not an exhaustive list, so please do your research to discover which innovation and support hubs exist near you. And please let us know if you would like your non-profit NHS innovation hub to be added to this list.
Summary of Key Actions
Here is a summary of actions which will help you to get ready to launch an NHS app:
- Familiarise yourself with the NHS Digital Website to learn more about their operations.
- Browse the NHS API Catalogue to find useful APIs, then see what interactions or endpoints exist.
- Contact the NHS Digital team to get their opinion on your use case.
- Review the NHS Digital Assessment Criteria Guidelines, and make sure you comply with their requirements.
- Make sure you understand and comply with DCB0129 standards around clinical risk management.
- Make sure your business is Cyber Essentials Certified.
- Create requirements documents for your project, including mapping the most important user journey flows following the NHS DTAC guidelines. You may ask your chosen development company to support you in making these (Scorchsoft can help if you need support with this).
- Familiarise yourself with the Data Security and Protection Toolkit, as you will need to ensure you comply.
- Begin the build of your app using Agile project management processes.
- Sign up for NHS Digital and request an Organisation Data Service Code.
- Explore which NHS innovation hubs serve the area where your business is registered.
Scorchsoft is here to help. For over a decade, we have been a team of experienced developers passionate about creating Progressive Web Applications (and React Native apps) that show off your brand. Whatever your ambitions, we can help you achieve them.
If you're ready to get started, get in touch with our team and let's start developing your app together.
Or, if you aren't ready to start your project yet and feel you have more to learn about apps and tech, please check out my book and audiobook: Execute Your Tech Idea - A Step-by-Step Guide for Non-Techies, Professionals, Managers, and Startups. Execute Your Tech Idea gives you everything you need to find, qualify, implement, and launch your tech idea. Discover your ‘aha!’ moment in this plain-speaking, easy-to-read guidebook suitable for non-technical readers.
THE WORK PROVIDED IS “AS IS”. THE AUTHOR AND SCORCHSOFT MAKE NO GUARANTEES OR WARRANTIES AS TO ACCURACY, ADEQUACY, OR COMPLETENESS OF OR THE RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING INFORMATION THAT CAN BE OBTAINED VIA HYPERLINK OR OTHERWISE. THE LEVEL OF SUCCESS YOU MAY EXPERIENCE WILL DIFFER FOR EACH INDIVIDUAL AND BUSINESS.