At NHS Expo 2018, we saw the commitment of the NHS to technology and innovation as a key theme, with the announcement of more funding for Global Digital Exemplar NHS Trusts, further discussions about the art of the possible for the “NHS App”, and the creation of a Health Tech Advisory Board. We have also recently seen the Royal College of Physicians calling on doctors to embrace artificial intelligence, as long as it works for patients, alongside a speech from the Rt Hon Matt Hancock, Secretary of State for Health, confirming a commitment by the NHS to embrace digital first primary care.
The health and social care sector is a fragmented sector that is often criticised for its slow adoption of technology, however it is now looking much more carefully at the potential that can be unlocked from these solutions. Amongst other factors, this is driven by the burning platform created by funding pressures and demographic challenges.
The pace of development of data-driven medical technology brings with it a range of opportunities and risks to operators and commissioners considering implementation. On 5 September 2018, the Department for Health and Social Care published an initial code of conduct for data-driven health and care technology (“Code”). In this briefing, we consider the scope of the Code, and its likely impact.
The Code is of particular interest for:
- health technology (including AI) providers;
- commissioners of technology in the NHS and independent sector (including NHS England, CCGs, and health and care operators); and
- investors in health technology providers.
The current version of the Code can be found here, although the DHSC wants the Code to be co-designed with relevant stakeholders and so there is an opportunity to comment on its contents (by way of questionnaire) with a view to re-publishing an updated version in December.
The ultimate aim is for the Code to become a "collaboratively agreed standard for technology partnerships". The Code will initially be voluntary; the DHSC hopes that signing up to it will become attractive to technology providers as demonstrative of their "world-leading approach".
Approach and Principles
The approach of the Code is to set out:
- 10 key principles for safe and effective digital innovations; and
- 5 commitments from the government with a view to ensuring that the health and care system is in a position to take advantage of new technology at scale.
The principles are as follows:
1. Define the user
Taking steps to identify the ultimate user of the technology in question, and as a result their specific needs, will enable providers to demonstrate to commissioner/investors the merits of their particular solution by focussing on the particular problem which it solves.
2. Define the value proposition
The particular added value which the technology brings will ultimately help with its uptake. It will also help to define KPIs, cost savings and better outcomes for patients.
3. Be fair, transparent and accountable about what data is being used
The implementation of the General Data Protection Regulation and the Data Protection Act 2018 has created the most extensive data regulatory regime we have ever seen, and individuals have more extensive rights and safeguards over their personal data than ever before. In the light of failed projects such as care.data, public trust and confidence in the use of their health data is not what it could be. Technology providers must ensure that:
- data protection safeguards are built into their product from the very start, and demonstrated by developing a data flow map to work out exactly what personal data is being used, in what manner, the legal bases for doing so and the safeguards to ensure that data protection rights are fully implemented;
- a Data Protection Impact Assessment is undertaken to identify particular areas of risk which need to be mitigated.
4. Use data that is proportionate to the identified user need
It is a requirement of data protection law that personal data, i.e. data which identifies a living individual, is only used to the extent that it is 'necessary' to do so. The Code requires that technology providers can explain to members of the public why the data was needed and how it is meeting a user's need. It also references the national data opt-out programme, in force since May 2018, which allows patients to opt out of their health data being used for any purposes other than direct care. However, those restrictions do not apply to fully anonymised data although care must be taken to ensure that it is truly anonymous and not merely pseudonymised. Personal data which is pseudonymised effectively allows an individual to be identified when it is combined with other data in your possession, and this will constitute personal data under the GDPR such that all of the various safeguards set out therein will still apply.
5. Make use of open standards
The NHS, particularly through NHS Digital but also NHS England and others, produce a range of data, clinical and interoperability standards for health and social care data. These should be expressly factored into technology solutions.
6. Be transparent to the limitations of the data used
The Code suggests a two-stage approach to promote completeness and accuracy of data, by training algorithms to understand the levels of data quality first and then achieve their objective with the variables given. There should be continuous anomaly detection in place, and specific attention should be paid to the NHS England, UK Statistics Authority, and National Institutes of Health (US) guidance on data quality.
7. Make security integral to the design
It is a requirement under the GDPR not only to implement appropriate technical and organisational security measures to safeguard personal data, but also to adhere to the principle of data protection by design and default. This means that data security and protection should be an inherent and fundamental part of the technology as it is designed and developed. In addition, all organisations with access to NHS patient data and systems must complete NHS Digital's new Data Security and Protection Toolkit with a view to demonstrating that they are actively practising good data security.
8. Define the commercial strategy
This is primarily aimed at commissioners, which the Code suggests should develop a clear idea of the vision in terms of the use of technology before engaging with industry. It sets out a number of factors for consideration, including the scope of any intended arrangement, the length of term, the value added, legal compliance and ownership of intellectual property. This latter point is likely to be key to NHS bodies negotiating with commercial providers.
9. Show evidence of effectiveness for the intended use
The Code will require a proportionate level of evidence of effectiveness, taking into account the function of the tool being assessed. In particular, there is a tiered system of evidential requirements depending on the potential impact and harm of the technology in question. This is still under development under the Evidence for Effectiveness project, which is being worked on by the DHSC, NICE, Public Health England, Academic Health Science Networks with leadership by NHS England.
10. Show the type of algorithm being developed or deployed, the evidence base for using that algorithm, how performance will be monitored on an ongoing basis and how performance will be validated
The development of algorithms will be an area of crucial importance, given their inherent value in driving innovation and improvements for the health service going forward. The Code recommends that their development should take place on a collaborative basis, taking account of information governance, data flow maps, ongoing regulation and intended use of the output. There should be transparency and openness in order that those commissioning the technology can understand why a decision was made or not made by the clinical decision support system/algorithm, the level of clinical and model evaluation, the accreditation of the algorithm, why an error may occur, etc.
Commitments
The Code also contains 5 broad commitments from the government designed to promote the use of technology in the health sector. In very brief terms, they are to:
1. Simplify the regulatory and funding landscape;
2. Create an environment that enables experimentation;
3. Encourage the system to adopt innovation;
4. Improve interoperability and openness; and
5. Listen to users.
What next?
The Code is currently voluntary, and the DHSC has invited feedback from stakeholders, with a view to updating the Code in December 2018. The development of the Code depends upon the engagement of industry and those in the health and care sector to help shape it. The way that the Code is enforced will be critical to its success. It may be the case that we see obligations to adhere to the Code being included in standard contractual documentation where, for example, the NHS engage data driven technology providers in due course.
In our work on integration projects in the health and social care sector, we see huge potential benefits of the use of data driven technology, whether this relates to enabling risk stratification in a population health context, or the provision of AI tools to help with diagnosing conditions. Given the pace at which such technology has developed, and the skill set of those commissioning it in the NHS, it is often the case that fundamental issues like those outlined in the Code have not been properly considered or documented prior to implementation. It is in the interests of both the NHS and the medical technology industry to be clear and transparent about the possibilities, as well as the limitations of data driven technology. This will create relationships of trust, built upon a solid understanding of implementing safe, effective and secure technology for patients, with providers of such technology being accountable for the same.
Commissioners of such technology will find the Code a useful aide memoire when undertaking due diligence prior to adoption, and providers will have a steer on the sorts of issues that commissioners will be looking to have covered off. The Code should also be viewed alongside the ongoing Topol review which is exploring how to prepare the health system to deliver the digital future. We will provide an update on the Topol review when it is published in early 2019.
Should you wish to provide feedback to the DHSC on the Code or discuss any of the legal issues arising from this article, we would be pleased to discuss this further with you.