Approaching Information Governance can feel a bit like navigating a minefield at times. Having worked at Inhealthcare for five years implementing a stringent IG framework for our digital health services, I have become very familiar with the various IG frameworks that must be covered off.
Here are my three top tips on the hoops healthcare innovators must jump through to ensure compliance with their digital health projects.
Top tip 1: Start by mastering the IG Toolkit
If you have access to NHS patients and/or to their information, provide support services directly to an NHS organisation, and/or have access to national systems and services, such as the NHS virtual network called N3, you will be asked each year to provide assurance that you comply with the law and Department of Health policy by completing an online self-assessment called the Information Governance Toolkit. As a minimum you need to initially aim for Level 2, but ideally you want to be making your way up to Level 3.
The framework is independent of gaining access to the N3 network, which requires you to go through a process called Information Governance Statement of Compliance (IGSoC).
Top tip 2: Go through Clinical Risk Management – SCCI0129 and SCCI0160
SCCI0129 and SCCI0160 are information standards providing a set of requirements for managing clinical risk when developing and operating IT systems. SCCI0129 involves managing clinical risk associated with software development and is aimed at manufacturers.
SCCI0160 is aimed at health organisations who will manage any clinical risk when the software is in use. Together, they ensure risks are captured and mitigated, and sign-off is required by the Clinical Safety Officer (CSO). Both standards apply only to those health IT systems that are not controlled by medical device regulations.
By going through this process within your organisation you will find that employees will start to identify and manage clinical risks in a different way. It will change your way of developing services and it will make sure that you place clinical safety at the heart of everything that you do.
Top tip 3: Stay up to date on data protection regulations
Currently every supplier of digital health services should ensure that they are compliant with the Data Protection Act and its eight principles, which include ensuring that data is only used for lawful purposes and that it is not kept for longer than necessary. It is important to keep up to date with data protection regulation, and from May 2018 there are some big changes coming in the form of the General Data Protection Regulation, known as GDPR.
The General Data Protection Regulation is an EU regulation intended to unify data protection for individuals in the EU. Even with Brexit looming, this regulation is set to replace the Data Protection Act. It has important implications for data processors and makes big changes to the way in which we gather consent from users on how their data is going to be used. In addition, it is important to note that users have a ‘right to be forgotten’, and depending upon your industry and whether you are the data controller, this can have big technical implications for your solution.
Whilst IG can be a confusing landscape with lots of different conflicting information, try and stick to the basics and start small and simple. If you try and cover too much at once you will be setting yourself up for failure.
If you have any questions or you need some advice on getting started with the above, I would be happy to share my knowledge.
Inhealthcare is one of 31 companies on the DigitalHealthLondon Accelerator 2016-17.
Jamie Innes is a senior product manager at Inhealthcare with a special interest in Information Governance procedures and working with customers to map out specific digital health requirements.