Lost in the maze of Health IT Standards and Regulations?

The world of health IT and app compliance can be an impenetrable and, at times, almost mystical field. The Information Governance Toolkit, Medical Device Directive and SCCI 0129/0160 standards are three very different beasts. And depending on precisely what your solution does, the various frameworks may or may not apply for a given product.

For start-up manufacturers and experienced developers alike, the myriad of health IT standards and regulations can be overwhelming. What’s more, get it wrong and it’s not just sales that could be affected: you might well end up committing a criminal offence. Safehand are specialists in health IT assurance. In addition to professional consultancy they provide some free, straightforward tools to help you along the way. In this article, they summarise the standards and regulation in three of the most important areas.

Medical Device Directive

The EU Medical Device Directive or MDD is the big daddy of regulation in this sector. Fail to comply with this one and the Medicines and Healthcare products Regulatory Agency (MHRA) have the powers to introduce you to the concept of the dawn raid. The MDD is woven into the UK’s Consumer Protection Act and if your application falls within scope of the Directive, you may be facing some serious regulatory overheads. And make no mistake, waivers, warnings and other limitations of liability rarely cut the mustard with the MHRA.

Products which comply with the MDD proudly display a CE Mark, a legal and public declaration by the manufacturer that the requirements of the directive have been met. But this badge of honour must be earned through a combination of careful evidence gathering, validation and formal assurance.

Medical Devices are classified into four categories: I, IIa, IIb and III, depending on the risk they present to the patient. Class I devices are at the lower end of the risk spectrum and compliance can be achieved through self-certification. One can, in theory, submit a simple form to the MHRA and for less than £100 receive approval to affix the CE Mark to a Class I device. But remember that to do so without completing the underlying assurance work (which can be substantial) is a criminal offence. In practice, getting at least some expert help is essential.

For other classes of Medical Devices, the manufacturer can expect audits and inspections by organisations called Notified Bodies. These sentries of the regulatory world put manufacturers through their paces and demand proof that devices are safe, clinically effective and appropriately risk managed. And of course, this must all be paid for by the device manufacturer, ultimately raising development costs.

But here’s the interesting catch: not all health IT products need to conform with the Medical Device Directive at all. On the surface, the MDD tells us that if a product is for the diagnosis, prevention, monitoring, treatment or alleviation of disease, handicap or injury, or for the control of conception, then it needs to be CE Marked. But that’s just the start of the story. Other guidance from the MHRA and steering groups clarifies that if a health IT system is only for the purposes of storing and retrieving information then the MDD doesn’t apply. And let’s face it, that’s just what most health IT systems do; they allow one user to enter information and another (or the same user at a different time) to bring it back.

It’s this quirk of MDD exemption which means that most health IT systems and apps we see in everyday practice are not CE Marked. But, if your system goes further than storage and retrieval, the regulatory position quickly changes. If a system makes a clinical decision, takes a measurement, performs a calculation, employs a clinical algorithm, makes a diagnosis or raises an alarm then it’s likely that it needs to conform.

At Safehand, they’ve constructed a useful decision tree to help you decide whether your application might need to comply. You can access the tool by registering for their Members Area:

SCCI 0129 and SCCI 0160

Just because your product isn’t a Medical Device doesn’t mean you can throw caution to the wind and forget about safe design. In 2012, NHS Digital issued their SCCI 0129 and 0160 standards to fill an assurance gap which was becoming increasingly visible. There are plenty of health IT solutions which could cause very real harm even though they are not Medical Devices. Electronic Medical Records systems, Patient Administration Systems, Result Management solutions, etc. all have the potential to adversely affect care delivery if they were to provide misleading information or become unavailable. SCCI 0129/0160 fill this void.

These standards are mandatory for suppliers and NHS organisations and, increasingly, it’s just not possible for credible health IT vendors to do business with the NHS without implementing them. The appearance of bodies like NHS Choices, ORCHA and Our Mobile Health which review and endorse health apps are also driving the SCCI 0129/0160 conformance agenda. Providing health services with safe tools is in everyone’s interest and the prospect of defending a legal challenge in court without compliance is an unenviable position.

SCCI 0129/0160 are similar to the risk management requirements of the Medical Device Directive, but other facets of the CE Marking process such as clinical evaluation are not required in this lower risk arena. Nevertheless, there is no lack of rigour called for here, and the need to formally appoint a Clinical Safety Officer underlines the need for at least one clinical individual to put their neck on the line. Interestingly, the SCCI 0160 element dictates that the healthcare organisation needs to play their part in operating the system safely, something which is conceptually less clear with Medical Devices.

But once again not every health IT system needs to comply with SCCI 0129/0160. If your product deals with data at the population level or the purely administrative functions of a health service like Estates or HR then you might not need to comply.

Safehand has developed a decision tree and detailed FAQs to help suppliers in this area too. Again, these can be accessed for free through

Information Governance Toolkit

Whilst SCCI 0129/0160 primarily deal with a system’s potential to cause harm to individuals, Information Governance sets out to deal with the security and privacy of data. It’s essential that BOTH these areas are considered by all suppliers.

The security of personal and clinical data is governed by a number of disparate UK/EU laws and NHS policies. Some time ago, the Department of Health acknowledged that even figuring out which of these applied to health IT suppliers was a mind-bending task. What was needed was a simple tool to bring together all the requirements in one place and to facilitate a self-assessment by a supplier. This essentially became the Information Governance Toolkit or IGTK which is available at

The Department of Health states that “IG Toolkit assessments must be completed and published by all bodies that process the personal confidential data of citizens who access health and adult social care services.” This pretty much means that any software organisation involved in the management of personal, social or clinical health data needs to provide a submission using the tool. This might seem an onerous and administrative overhead but comply here and you’ll conform with most of the relevant Information Governance rules in the UK.

The toolkit sets out a number of requirements and asks users to score themselves from one to three for each element. Suppliers are expected to demonstrate that those who handle data understand their privacy and security obligations, that practical measures have been implemented to control access to data and that policies are in place to govern how data is transported and looked after.

In practice, organisations are expected to achieve at least level two compliance in each area and demonstrate continual improvement and vigilance. The overall result is publicly available on the IGTK website so it’s worth putting in some thought before you make the submission. Without help, constructing the policies and templates from scratch is time-consuming so you might want to work with a partner to simplify the task.


Standards and regulation in health IT are complex, and with so much at stake it pays to tackle compliance from a position of knowledge. Working with an experienced partner such as Safehand not only gives you the confidence to go to market on the front foot but also allows you to reach this position without diverting resources from other business-critical functions.

But whether you choose to benefit from the experience of others or to go it alone, make sure you operate in the health IT industry with your eyes wide open. Above all else, avoid the temptation to ignore compliance in the hope that it will simply go away. Embrace it, and leverage the assurance it brings to drive the quality of your product.

For more information about assuring health IT visit or contact

This article was written by Adrian Stavert-Dobson, a doctor, safety consultant, blogger and published author on the subject of managing clinical risk in health IT. He is the Managing Partner of Safehand Consulting.