Where to start with the Digital Technology Assessment Criteria (DTAC)?

DTAC compliance, introduced by NHSX in 2021, is presently a requirement for healthtech innovators to sell into the NHS. It brings together a number of strands of good practice, and existing, mandated standards into one neat package that innovators must provide evidence for in order to be procurable.

Having worked in the healthtech compliance space for over 20 years, through which time the compliance mandate has shifted and changed, I think DTAC provides a great baseline of the things needed to ensure healthtech innovators are delivering clinical applications that are safe, secure and interoperable.

But one thing that has not changed in my experience, is that usually the main driver to ‘get compliant’ is a request from the NHS themselves, asking for a compliance evidence file as they are interested in procuring your healthtech product.

That’s great if you’ve all your compliance sorted, but what if you don’t?

And what can be done to help embed a compliance culture into a healthtech innovator’s research and delivery practices?

Here are my top tips:

Tip 1 – Start your compliance journey early

The likelihood is that, given your experience and progress to date with your innovation, you’ve already amassed much knowledge and possibly even documentation around some of the key elements of the DTAC.

A good starting point to get compliant with the DTAC is to walk through the DTAC document and note down anything you do have, even if that evidence is in a rough format or in someone’s head.

This will give you a starting point for your DTAC evidence file and an understanding of where the trickiest gaps may be!

Depending on the gaps, and despite the many pressures for your time, you may need to take some time out to begin assembling compliance information, even if just to organise what you have.

The reality is, the longer you leave compliance, the more time and money it will cost to document this later, and to effectively maintain your innovation’s alignment with the DTAC standard.

Starting compliance early can be made easy with templates and the right guidance. You could even outsource compliance outright if you have the budget.

Starting early could mean discovering whether your innovation would be classified as a medical device, or simply, starting early could mean getting specific registrations in place that will be needed to become DTAC compliant, e.g. acquiring an ODS code (needed for DSPT) and registering your company with ICO . 

By starting early you will also be embedding a compliance culture into your organisation, which done right, means it will be simpler to assemble the evidence required for the DTAC, now, and as your product grows.

Tip 2 – Prevent ‘Compliance Debt’

As well as determining what you need to do to get your DTAC compliance evidence up to date, you’ll also need to maintain your DTAC evidence file with every release of your product.

Much like ‘technical debt’ in software engineering, you will be accruing ‘compliance debt’ each time you deliver a product feature without impacting that feature against the DTAC (or other healthtech) compliance.

For example, if you have a product backlog for your innovation, every time you have refined a feature for your product, you should be impacting that feature against each DTAC compliance domain.

A simple way to begin doing this for DTAC is by asking these starting questions:

• Clinical Safety - Does this feature have the potential to bring patient harm?
• Technical Security - Does this feature increase cyber risk?
• Data Protection - Does this feature have any data protection implications?
• Interoperability - Does this feature introduce data that would be useful for the patient’s ongoing care?
• Accessibility - Who is the feature’s audience and do I need to consider accessibility?
• Usability - Has this feature been created as a result of input from user research?

Make a note of your answers against the product backlog item in JIRA, Azure DevOps or whichever issue tracking system you are using.

Using an issue tracking system is again a necessity for proving feature provenance and traceability that will also be of great assistance the further you get in your compliance journey.

And remember, identifying a feature’s compliance needs is only the beginning in relation to product delivery. You’ll also need to mitigate any identified risks, which may mean more work to deliver a safe, secure and interoperable feature!

Ultimately though, the critical thinking and collaboration that is required to prevent compliance debt can actually drive innovation, protect your reputation, improve the wellbeing of people and save lives.

Tip 3 - Remember, DTAC is a living standard!

The DTAC is a living standard, it does not stop once you create your initial DTAC evidence file!

As mentioned in Tip 2, you need to continuously assess your innovation against the DTAC, release by release of your product. If you fail to do so, you risk quickly losing your DTAC alignment and therefore your opportunity to serve the NHS.

Having to maintain an evidence file can appear scary if you’re short on resources or expertise, and I’ve seen it happen a number of times that once the initial DTAC evidence file is created, and despite best efforts, alignment with the standard falls away.

In my experience, this most often happens following completion of the initial DTAC evidence file when there is a collective sigh of relief at the achievement and focus switches to the next challenge!

To help prevent this and to ensure that your DTAC evidence file does not become stale, I’d recommend:

• When you’re building your evidence file, assign owners to the compliance domains. This will help distil ownership for compliance throughout your organisation.
• Introduce a weekly compliance catch up (perhaps piggyback an existing backlog refinement or sprint planning meeting) to help understand product development aims and deliveries. This can help you capture required evidence file changes, is a good way to build on Tip 2 and to help prevent compliance debt.
• Make someone responsible for compliance. Although I’d recommend compliance becomes a team sport, having someone either internally or through an outsourced partner who will keep on top of compliance for you can pay dividends!

If you’re looking to outsource, a sign of a good partner is one who will help you embed a culture of compliance throughout your team, and will also know how to scale compliance in line with your product development and strategic aspirations

These are some simple starting tips and, if followed, they'll help set you up for a long and happy compliance journey!