Digital Health Software – Accreditation for NHS use
7 March 2023
Digital Technology Assessment Criteria (DTAC)
Anyone involved in the development of digital health technologies (including everything from public-facing health apps to digital systems used in hospitals) needs to be aware that NHS England has introduced the Digital Technology Assessment Criteria (DTAC) for health and social care. DTAC is intended to give staff, patients and citizens confidence that the digital health tools they use or purchase meet clinical safety, data protection, technical security, interoperability, and usability and accessibility standards. Without this accreditation, it will not be possible for developers to deploy their product into the NHS.
DTAC will form the new national baseline criteria for procurement of digital health technologies by the NHS and social care. It sets out, for digital health suppliers, what is expected for entry into the NHS and social care and forms part of the due diligence process for NHS procurement.
Digital technologies are assessed against 5 core areas:
- Clinical safety: to ensure that baseline clinical safety measures are in place and that organisations undertake clinical risk management activities to manage this risk.
- Data protection: to ensure that data protection and privacy are ‘by design’ and the rights of individuals are protected.
- Technical assurance: to ensure that products are secure and stable.
- Interoperability: to ensure that data is communicated accurately and quickly whilst staying safe and secure.
- Usability and accessibility: to ensure that products are allocated a conformity rating having been benchmarked against good practice and the NHS service standard.
For further information visit:
Clinical Risk Management
It should also be borne in mind that prior to accessing the NHS procurement market there are additional development standards that must be demonstrated to have been met before any new digital product will be considered for use.
DCB 0129 and DCB 0160 are two standards issued by NHS Digital. They require developers of health IT systems and healthcare organisations to carry out a particular type of risk assessment on the product. This process determines whether or not the product is acceptably safe to go live. Compliance with DCB 0129 and DCB 0160 is mandatory under the Health and Social Care Act 2012 (see NHS Digital page). It may also be a requirement to obtain approval prior to applying for DTAC certification.
DCB 0129 applies to the developers of health IT systems whereas DCB 0160 applies to the healthcare organisations implementing them. The requirements in the two standards are almost identical. The idea is that the developer carries out a risk assessment, documents the findings and passes these to the healthcare organisation. They, in turn, look at how they are customising and configuring the product and conduct a further risk assessment. This is also documented. NHS Digital may ask to see the final report before the product goes live.
In the main, the two standards have little to do with security, privacy or information governance. Those are covered by other standards and frameworks such as ISO 27001. DCB 0129 and DCB 0160 are strictly about safety, i.e. ensuring that the system doesn’t cause patient harm. Each standard consists of two important documents: a specification, which sets out what MUST be done to comply, and Implementation Guidance, which provides helpful advice.
Where To Find The DCB Standards
The DCB (SCCI) Standards for managing clinical risk occasionally change names and where they are hosted. Below are the definitive locations:
Applicability of DCB 0129 and DCB 0160
The latest specification for developers – DCB 0129 specification
The latest specification for healthcare organisations – DCB 0160 specification
Contact firstname.lastname@example.org if you need any help on this topic.