Guidance

Criteria for health app assessment

Published 9 October 2017

Evidence of effectiveness

All apps must work and must be clear about their purpose, their benefits to patients and medical practitioners, and the outcome they want to achieve.

They must also be grounded in the best and most up-to-date knowledge, derived from research, clinical experience and patient preferences.

You must provide evidence that the app:

  • improves outcomes for patients and users
  • provides value for money
  • meets user needs
  • is stable and simple to use, and that people actually use it

Evidence based on independent research will score highly on an assessment.

App developers will need to demonstrate a high level of clinical effectiveness for the app to be considered for 'NICE evaluated' status. This will represent the gold standard for apps.

Apps must show that they meet covering:

  • clarity of purpose and intended use
  • their evidence basis
  • the data that forms the basis of their evidence and findings
  • any published academic studies

Read the NICE commissioned produced by the York Health Economics Consortium.

Regulatory approval

The regulation of health apps provides patients and healthcare professionals with the assurance that apps are high quality, safe and ethical.

If you're building an app, there may be regulations that you need to conform to before being considered for the app assessment process. The main 2 types of regulation are:

Medical device regulation

Medical devices must be registered with the Medicines and Healthcare Products Regulatory Agency (MHRA) and have a CE mark before continuing in the app assessment process.

If your app meets the definition of a medical device then it will need to be regulated by the MHRA.

CQC registration

If your app provides a health or social care service that fits in one of the 14 , you'll be required to register with the CQC before continuing in the app assessment process.

Clinical safety

We can't endorse any app that can cause harm, for instance by miscalculating a drug dose or giving incorrect medical advice to a consumer or patient. This would also be the case if the app is unstable and crashes midway through a diagnosis.

All apps must be clinically safe: this means that they're safe for people to use - not just for healthcare professionals and patients but everyone involved in the creation, testing and approval of the apps.

You must outline:

  • plans and policies to limit and mitigate risk for all apps
  • any risks that the app could pose to people's health if it crashes or is used incorrectly

Apps must meet the requirements of the .

It must be shown that they meet criteria covering:

  • mandatory
  • health and safety
  • risk assessment and mitigation
  • identification of potential adverse events

Privacy and confidentiality

Apps must capture and handle personal data legally and securely, and must make sure that the end user understands what the app will do with any data they provide. The user must be able to give 'informed consent' to the use of their personal data.

In effect, this means that the app - and any back-end systems it links to - must ensure that all data relating to a user is kept private and secure.

It must also explain clearly to users exactly what will happen to their data: who it will be shared with and whether it will be anonymised. The same goes where the app will pull in patient record information from NHS systems. As a minimum, it must comply with .

Apps must meet covering:

  • the collection and processing of user data
  • the ability for users to make an informed decision about whether they're happy to use the app
  • who the data will be shared with, and how long it will be retained

The Information Commissioner's Office (ICO) outlines how app developers should meet the Data Protection Act.

The sets out what you need to do to manage records correctly and how long you need to keep records.

The Information Security Management: NHS Code of Practice is a guide to the management of information security for people who work in or with NHS organisations in England and will advise you on the process and use of NHS information.

Security

You must ensure that user data is collected, transmitted and stored safely. You need to consider:

  • the technologies you use
  • your policies
  • your practices

Check that your app is built to the required standards and test it for completeness and consistency with the .

The mobile security standards include a number of checks to show that your app's processes and architecture are secure. This applies to the collection, transmission and storage of user data.

You'll need to demonstrate that you've addressed all security concerns and vulnerabilities, and explain how you've done this.

All apps must meet covering:

  • data storage and privacy
  • authentication and session management
  • network communication

Usability and accessibility

All apps need to meet the needs of a diverse set of users, including people with disabilities or those with limited technical knowledge.

Your app must be . This must include:

  • the way you write
  • the navigation you adopt
  • the types of content you include in your app

You'll also need to show that you've followed the and have evaluated your app with users during all stages of app development and deployment.

You'll also need to show how you will make continuous improvements to your app following user feedback.

Apps must meet the and be:

  • easy to understand
  • easy to operate
  • informative

Interoperability

If your app needs to communicate with clinical systems to share data, you will need to ensure it complies with the relevant technical standards. For example, you'll need to do this if your app writes clinical information to records held by GPs, or allows users to access their own records.

You will need to demonstrate that the app - and its back-end systems - will share data seamlessly with other clinical systems and software. There are rules around how you capture, present and store data, as well as the protocols you use to share this data with other systems.

As a minimum you should follow globally accepted standards in the work you do. You'll need to follow the standards set out in the .

All apps must meet covering:

  • data sharing
  • service level agreements for your services and APIs
  • reliance on third-party services

Technical stability

All apps must be robust and stable.

It's not enough to show that you have fixed all issues prior to launch. You should also provide a plan that explains how your app will continue to be developed and managed, and what resources are in place to test and monitor it for technical faults during its lifetime and when a new version is released.

You must also prove that your app has the ability to roll back to a previous version should you encounter any significant problems following an update, and will limit and mitigate any risk to patient data and, more importantly, patient health.

All apps must show that they meet covering: