Digital Technology Assessment Criteria (DTAC)

NHS England’s Digital Technology Assessment Criteria for health and social care (DTAC) gives staff, patients and citizens confidence that the digital health tools they use meet our clinical safety, data protection, technical security, interoperability and usability and accessibility standards. This page outlines Concentric Health’s conformance with the DTAC.

Value proposition

Who is this product intended to be used for? Patients and clinical workforce.

What is the product designed to do and how is it used? Concentric is a digital consent to treatment (aka econsent) application that is used in place of traditional paper consent forms. Concentric supports clinicians and patients with evidence-based information that can be personalised to the individual. Consent information is made available to patients outside their consultation, including the ability to give consent remotely where appropriate.

What are the intended or proven benefits for users?

• Consent process flexibility - Consent process becomes more flexible and adaptable to the needs of the individual and the system, including access over time, access from anywhere, and remote consent functionality through an intuitive application.

• Consent information personalisation - Consent information can be easily adapted and personalised to the individual.

• Integration delivering joined-up care - Integration of the consent process into other systems to deliver joined-up care, including (where available) a main electronic health record (EHR) and patient held record (PHR).

• Trusted content across all specialties - Standardised, evidence-based information and risk profiles - including COVID-19 risks - across over 1,200 operations, procedures and treatments to support use across the organisation as the default mechanism of consent. Trusted across multiple NHS and private sector organisations.

• Supporting best practice - Support in meeting best practice consent processes through visibility of process (e.g rate of consent on the day of surgery), and nudges (e.g personalisation of information and documenting personalised notes).

• Reduced clinical errors - Reduced risk of wrong site surgery and patient identification errors through legible consent PDFs.

• Accessible from anywhere - Cloud-based, integrated system meaning that the clinical consent record can be accessed and amended from anywhere without the need for complex paper logistics.

• Full audit trail, cryptographically secured - Full audit trail maintained and available for each consent episode, including any customisations, when information was shared, when consent was given etc. Advanced cryptography ensures that the audit trail cannot be tampered with and the state of the episode at each stage can be demonstrated.

• Advanced Electronic Signature - The patient signature recorded within Concentric is classed as an advanced electronic signature by eIDAS UK regulation and is fully admissible in a court of law.

• Improved clinician experience and wellbeing - Improved clinician experience of the consent process, including the ability to deal with complex clinical scenarios (e.g combined procedures). Improved clinician wellbeing due to reduced clinical risk associated with the consent process.

• Saves clinicians time - Reduced consent process administration time due to integration with patient demographics, document storage, and user authentication, an intuitive application and procedure-specific templates.

• Reduced day-of-surgery cancellations and delays - Increased completion of consent prior to the day of surgery (supported by remote consent) and improved visibility of the consent status within Concentric and the EHR reduces day of surgery delays and cancellations.

• Reduced medico-legal risk from lost forms - The risk of losing legal consent forms is removed with a digital process.

• Reduction to near zero use of paper for consent forms and information leaflets - Use of paper, both carbon-copy consent forms and paper information leaflets can be reduced, with paper copies printed only where necessary for a patient without digital access.

What are the user journeys when using the product?

• Our onboarding guide describes the user flow, and the different ways Concentric is used.
• Our information security page outlines the data flows between clinician, patient, Concentric, and the healthcare organisation’s other systems.

Technical questions

Clinical safety

Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129? Yes.

Please supply your clinical risk management plan: Incorporated within our clinical safety case report.

Please supply your Clinical Safety Case Report and Hazard Log:

• Clinical safety case report
• Clinical safety hazard log

Clinical Safety Officer (CSO) details: Dr Dafydd Loughran | GMC 7265351 | CSO training completed (NHS Digital)

Is the product registered with the Medicines and Healthcare products Regulatory Agency (MHRA)? Not applicable, outside of the scope of the UK Medical Devices Regulations 2002.

Do you use or connect to any third party products? If yes please detail relevant Clinical risk management documentation.

• Google Cloud Platform (cloud hosting). Google Cloud Platform data processing and security terms
• Postmark (patient and clinician emails). Postmark / Concentric Health data processing addendum
• Twilio (patient SMS). Twilio data processing addendum

Data protection

• Are you required to be registered with the Information Commissioner? No - as per ICO self-assessment questionnaire, as an organisation which is only a data processor, not a data controller, there is no expectation to be registered with the Information Commissioner (ICO).

• Do you have a nominated Data Protection Officer (DPO)? Yes - Martyn Loughran | CTO | martyn@concentric.health

• Does your product have access to any personally identifiable data or NHS held patient data? Yes

• Please confirm you are compliant with the annual Data Security and Protection Toolkit Assessment. Confirmed - Concentric DSPT

• Please attach the Data Protection Impact Assessment (DPIA) relating to the product. Different integrations mean that organisations put in place slightly different DPIAs based on the data flows occurring within the organisation. This is the template DPIA used.

• Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer. Confirmed

• Please confirm where you store and process data: UK Only (for UK healthcare organisations)

Technical security

• Cyber Essentials Plus certificate

• Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12 month period.

  • Summary from Pen Test Partners Web Application Security Assessment conducted between the 18th and 24th November 2022:

  Concentric Health Limited (Concentric) required Pen Test Partners (PTP) to conduct a web application assessment of their Concentric platform, an application which manages the consent flow between clinicians and patients for medical interventions. The testing was conducted in line with PTP’s standard methodology which is based on the Open Web Application Security Project (OWASP) web application security guidelines. The Concentric application was found to be well secured from both an authenticated and unauthenticated perspective, with clear implementation of security best practice throughout. The main concern facing the application relates to disclosure of sensitive patient information to unauthorised parties, for which no attack vector was identified during the engagement. Concentric should consider the findings presented in this report for implementation to continue to improve the application’s security posture.

• Please confirm whether all custom code had a security review: Yes, internal code review

• Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)? Yes

• Please confirm whether logging and reporting requirements have been clearly defined: Yes

• Please confirm whether the product has been load tested: Yes

Interoperability criteria

• Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? Yes - details relating to our integrations, including FHIR integrations are found within this publicly available integration documentation.

• Do you use NHS number to identify patient record data? Yes

  • Is this done via NHS Login? No
  • If no, please set out the rationale, how your product establishes NHS number, and the associated security measures in place: Secure integrations are put in place between Concentric and the PAS database for the healthcare organisation, including search by NHS number where available. For patient access, a secure link is shared with the patient and authenticated with the patient’s date of birth. Read more about our authentication approach.

• Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability? Yes. Industry standard approaches for secure interoperability are preferred, such as FHIR APIs for patient demographics and document storage. Regarding data security in transit, web and API servers only allow requests made using TLS version 1.2 or above, which provides protection against snooping and man in the middle attacks on data. Non-HTTPS requests are denied by API servers.

• Is your product a wearable or device, or does it integrate with them? No

Usability and accessibility

Understand users and their needs in context of health and social care

• Do you engage users in the development of the product? Yes, in the following ways:

  • User research: Throughout development and live use, user research insights - both patient and clinician - have driven development decisions. Patient and clinician insights from Autumn 2020 user interviews are described in this summary document.

  • Patient feedback: If wished by the healthcare organisation (as the data controller) a digital patient feedback survey is sent to all patients 2 weeks following consent to get their feedback on experience, ease of use, quality of information, and areas for improvement. Approximately 2000 patient feedback responses have been received in the past 12 months (average overall experience = 9/10), and directly input into sprint planning. Patient feedback can also be shared within the application at any time.

  • Clinician feedback: Collected within the application and feedback survey sent out at intervals, asking for feedback on overall experience, preference compared to paper process, perceived quality of consent process compared to paper process, and any areas of improvement.

  • Publications: The Concentric team, alongside academics, have published findings relating to the problems of traditional paper-based consent processes, and early work demonstrating the impact of introducing digital consent. Examples include:

    • Assessment of the introduction of semi-digital consent into surgical practice - BJS
    • Completion of hand-written surgical consent forms is frequently suboptimal and could be improved by using electronically generated, procedure-specific forms - Surgeon
    • Surgical consent: the world’s largest Chinese Whisper? A review of current surgical consent practices - BMJ Medical Ethics

  • Search data and analytics: Real world use of the product is monitored to guide improvements in product, content, and process. Examples include:

    • Consent statistics demonstrating use of ‘on the day’ consent, guiding quality improvement programmes.
    • Custom modifications to templates allowing content review based on real-world use.
    • ‘No treatment search results’ allowing addition of missing but required content.

Work towards solving a whole problem for users

• Are all key user journeys mapped to ensure that the whole user problem is solved or it is clear to users how it fits into their pathway or journey? Concentric has a clear role in the treatment pathway, with consent being a required step prior to undergoing invasive treatment. Clinicians initiate a Concentric episode for patients, and share the information with patients during or following a consultation. A system map was developed during development to ensure consideration of all key user journeys.

Make the service simple to use

• Do you undertake user acceptance testing to validate usability of the system? Patients are routinely asked at post-consent for their feedback on the usability of the system. Quality assurance testing is undertaken on all common browsers prior to each release and Concentric is a responsive web application with all functionality available across all screen sizes. The following are usability testing results from patients at one healthcare organisation over the past 12 months.

Make sure everyone can use the service

• Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant? Yes, most recent accessibility audit 4 Aug 2020. Published accessibility statement.

Miscellaneous

• Does your team contain multidisciplinary skills? Yes, the Concentric web application is developed by a multidisciplinary team including developers, clinicians, designers, and service users.

• Do you use agile ways of working to deliver your product? Yes, product development is undertaken in two week sprints in response to user requirements and research insights.

• Do you continuously develop your product? Yes, continuous updates are released approximately every 2 weeks. Updates may include new features, bug fixes, security patches, and other changes in response to feedback and changes in user needs, clinical evidence, or policy. There are mechanisms and appropriate resource in place to identify and respond to feedback, review content, understand user priorities.

• Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? Yes, this can be found here.

• Does this product meet with NHS Cloud First Strategy? Does this product meet the NHS Internet First Policy? Yes. Concentric Health advocates a cloud first approach (all current deployments are cloud deployments).

• Are common components and patterns in use? Yes, common components such as the Common User Interface patient banner are used, and data patterns such as the FHIR patient demographic lookup. Integration of further common components such as the NHS FHIR PDS and NHS Login are currently in progress.

• Do you provide a Service Level Agreement to all customers purchasing the product? Yes, a service level agreement of 99.9% uptime or above is offered to all healthcare organisations.

• Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes, uptime reporting is made available to customers. A template report is shown here.

• Average service availability for past 12 months: >99.95%. Status page with latest uptime data available at our statuspage.