
With more than 86 million Americans already using a health or fitness app, digital health brings new possibilities for the healthcare industry.
Yet, in a field of 365,000 products, where the vast majority fall outside of existing regulations, such as the medical device regulations, federal laws and government guidance, there has been no clear way to determine if a product is safe to use. This is stopping the national adoption of digital health, particularly in the fields of condition management, clinical risk assessment and decision support.
The Digital Health Assessment Framework has been created to:
Be an open, objective framework, accessible for anyone to use.
Support the adoption of high-quality digital health technologies.
Help healthcare professionals and consumers make better-informed decisions.
Meet the specific needs and requirements of the US market.
The Framework includes components, specific to the needs of the US, crafted across four fields:
Data and Privacy
Clinical Assurance and Safety
Usability and Accessibility
Technical Security and Stability
Rather than try to reinvent the wheel, the Framework recognizes and points to relevant existing US regulations, and applies several leading international standards and frameworks, ISO 82304-2 in Europe, Digital Technology Assessment Criteria (DTAC) and NICE evidence standards framework in the UK, and DiGA in Germany.
The American College of Physicians (ACP) and the American Telemedicine Association (ATA) collaborated with industry leaders to develop the framework. This includes the Organization for the Review of Care and Health Apps (ORCHA), which has over six years of experience and is equipped to assess digital health products at scale. ORCHA has evolved frameworks for the deployment of digital health in the UK, across Europe and the Middle East.
The Digital Health Assessment Framework is intended to be an open framework, accessible for anyone to use, to support the adoption of high-quality digital health technologies. The Framework will be updated regularly with input from healthcare providers, consumers, technology developers and other stakeholders to reflect changes in clinical practice, and the latest guidelines and best practices.
The framework is managed and published by an independent steering committee, featuring members from across the industry. If you would like to join the committee, or find out more about the framework, please do get in touch, we’d love to hear from you.
For more information visit: dhealthframework.org
Development Collaborators



- INTRODUCTION
- SCENE SETTERS
- App Characteristics
- Data - Data Types, Data Collection and Data Sharing
- Algorithm/AI
- Information
- Clinical Decision Support - Pre-Diagnosis, Diagnosis and Treatment Support
- Monitoring
- Online Consultations
- Administrative Services
- Pharmacy
- Reminders/Notifications
- External Device
- Forums and Contacts
- Goal Setting
- Customization
- Business Model
- Benefits
- DATA & PRIVACY
- CLINICAL ASSURANCE & SAFETY
- USABILITY AND ACCESSIBILITY
- TECHNICAL SECURITY & STABILITY (ENHANCED REVIEW COMPONENT)
INTRODUCTION
The Digital Health Assessment Framework (‘DHAF’) is designed to assess Digital Health Technologies in the form of native apps, web apps or websites. This can include ‘wellness’ oriented apps as long as there is a clear health related focus and benefit.
The DHAF is applied independently of the Developer and means the product itself is assessed (app, web app or website), any supporting website (for native apps) and the relevant ‘app store’ entry (for native apps).
Information is also derived at the time of review via general ‘google’ searches of the relevant product to check, for example, references to Clinical Trials or Studies. These are the assessment sources (“Assessment Sources”) and only information that is available publicly through these sources is considered in the assessment.
Sometimes the evidence being sought for assessment does exist but has not been made available to end users. We do not believe that this is appropriate for the types of information assessed and will only take into account information that can be freely accessed by end users.
A fundamental principle of the DHAF is that all the assessment components within it are constructed to enable an objective and evidence-based analysis of the app. This means that the process between an assessment and quality assurance signoff should provide an objective consensus.
Assessment Domains
The DHAF examines an app’s compliance with relevant regulation, guidelines and best practice in three distinct areas (‘Domains’). These are – Data & Privacy, Clinical Evidence & Safety and Usability & Accessibility.
In addition, the DHAF contains an ‘Enhanced Component’ to assess Technical Security & Stability. This domain area requires additional interaction with a DHT Developer to assess the relevant elements. It is envisaged that individual Digital Health Libraries will adopt this and other bespoke Enhanced Review Components on a local basis, dependent on application.
Each of these Domains has been developed by relevant subject matter experts and consists of a series of objective questions and strict guidance on the criteria that justify each option. To achieve this, relevant regulation and guidance is ‘deconstructed’ into smaller pieces that can be objectively assessed and then built up into a broader picture of compliance. We have done this, for example, in relation to the intricacies of HIPAA compliance. This approach also allows us to avoid duplication in the assessment process, which is a frequent problem because there are many overlapping principles and data elements.
The DHAF draws on existing and emerging Digital Health assessment frameworks both in the US and Internationally. Where we haven’t used any particular aspect of an alternative framework it will be because either:
- The assessment component is not capable of objective assessment; or
- The assessment component would require evidence from a Developer that isn’t habitually made publicly available (i.e. Risk Logs, Security Assessments etc.); or
- The nature of the assessment component is too onerous for the ‘Foundation’ nature of the DHAF and is better considered as an Enhanced Component.
Value and Risk Points
The scoring is made up of Value earning points and Risk earning points.
Each scoring question has either a Risk implication or a Value implication.
The quantum of the Risk or Value implication is decided by the relevant tariff, which ranges from small, medium, high or exceptionally high in the Risk area and small, medium or high in the Value area.
The following table sets out the actual numeric value of each Tariff:
Tariff | Risk | Value
---|---|---
Small | 10 | 5
Medium | 20 | 10
High | 40 | 20
Exceptionally High | 80 | -
In addition to the base tariff, some risk and value related questions attract a multiplier that will increase the relevant tariff based on certain related app characteristics.
Maximum risk can be applied based on responses to certain questions. Maximum risk is applied to a whole section (i.e. Data), rather than an individual question. It is the sum of all the risk points that could be applied if it were not for the questions being disabled by earlier responses.
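The tariff, multiplier and maximum-risk rules above, together with the disablement chains the scene setters use (D01, DT10, DT11, DS03, DS04), as an added Python example that is not ORCHA's or the DHAF's own code. The tariff numbers are the page's; the scored questions, the sensitive-data multiplier and the disablement predicates are constructed assumptions, since the real scene setters carry no score and only disable later questions.

```python
"""Worked scoring model for the DHAF "Value and Risk Points" rules.

Added example, not ORCHA's or the DHAF's own code. The tariff numbers are
the page's; the scored questions, the multiplier and the disablement
predicates are constructed for illustration (the real scene setters such as
D01, DT10, DT11 and DS03 carry no score, they only disable later questions).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Answers = Dict[str, object]

# Tariff table from the page: points attracted per tariff band.
RISK_TARIFF = {"small": 10, "medium": 20, "high": 40, "exceptionally high": 80}
VALUE_TARIFF = {"small": 5, "medium": 10, "high": 20}


def never(_: Answers) -> bool:
    return False


def no_multiplier(_: Answers) -> int:
    return 1


@dataclass(frozen=True)
class Question:
    qid: str
    section: str
    kind: str                       # "risk" or "value"
    tariff: str                     # band in RISK_TARIFF / VALUE_TARIFF
    scoring_answer: object          # the response that attracts the points
    disabled_if: Callable[[Answers], bool] = never
    multiplier: Callable[[Answers], int] = no_multiplier
    applies_max_risk: bool = False  # this response applies max risk to the whole section

    def points(self, answers: Answers) -> int:
        table = RISK_TARIFF if self.kind == "risk" else VALUE_TARIFF
        return table[self.tariff] * self.multiplier(answers)


def sensitive_multiplier(a: Answers) -> int:
    """Hypothetical multiplier: double the tariff when DT13 classed the data as sensitive."""
    return 2 if "sensitive" in a.get("DT13", ()) else 1


def no_data(a: Answers) -> bool:
    return a.get("D01") == "no"  # the page's most common disablement rule


# Constructed Data & Privacy / Clinical questions with DHAF-style disablement chains.
QUESTIONS: List[Question] = [
    # No privacy policy at all: exceptionally high risk and section max risk.
    Question("DP_PP01", "Data", "risk", "exceptionally high", "no",
             disabled_if=no_data, applies_max_risk=True),
    # Cookies in use but not disclosed; disabled like DT12 (D01 -> DT10 -> DT11 chain).
    Question("DP_CK01", "Data", "risk", "medium", "no", multiplier=sensitive_multiplier,
             disabled_if=lambda a: no_data(a) or "cookies" not in a.get("DT10", ())
             or a.get("DT11") == "no"),
    # Data shared with third parties; disabled when DS03 says nothing is shared.
    Question("DP_SH01", "Data", "risk", "high", "yes", multiplier=sensitive_multiplier,
             disabled_if=lambda a: no_data(a) or a.get("DS03") == "no"),
    # User can export their own data; follows the DS03 -> DS04 chain.
    Question("DP_EX01", "Data", "value", "medium", "yes",
             disabled_if=lambda a: no_data(a) or a.get("DS03") == "no"
             or a.get("DS04") == "no"),
    Question("CL_EV01", "Clinical", "risk", "high", "no"),    # no published evidence
    Question("CL_EV02", "Clinical", "value", "high", "yes"),  # peer-reviewed study cited
]


def score_assessment(questions: List[Question], answers: Answers) -> Dict[str, dict]:
    """Return per-section risk, value, max_risk and the disabled question ids.

    Max risk follows the page's definition: the sum of every risk point the
    section could attract, counting questions disabled by earlier responses.
    """
    sections: Dict[str, dict] = {}
    for q in questions:
        s = sections.setdefault(q.section, {"risk": 0, "value": 0, "max_risk": 0,
                                            "max_risk_applied": False, "disabled": []})
        pts = q.points(answers)
        if q.kind == "risk":
            s["max_risk"] += pts          # counted whether or not the question is live
        if q.disabled_if(answers):
            s["disabled"].append(q.qid)
            continue
        if answers.get(q.qid) != q.scoring_answer:
            continue
        s[q.kind] += pts
        if q.applies_max_risk:
            s["max_risk_applied"] = True
    for s in sections.values():
        if s["max_risk_applied"]:
            s["risk"] = s["max_risk"]     # whole section, not just the triggering question
    return sections


if __name__ == "__main__":
    # Constructed assessment: sensitive data, undisclosed cookies, sharing with third parties.
    answers = {"D01": "yes", "DT10": ("cookies", "health"), "DT11": "yes",
               "DT13": ("sensitive",), "DS03": "yes", "DS04": "yes",
               "DP_PP01": "yes", "DP_CK01": "no", "DP_SH01": "yes", "DP_EX01": "yes",
               "CL_EV01": "yes", "CL_EV02": "no"}
    for section, result in score_assessment(QUESTIONS, answers).items():
        print(section, result)
```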
SCENE SETTERS
The USDHA begins with a series of questions to capture an app's core purpose and functionality. These include the target audience, the type of data the app collects and the app’s primary functions and features. None of the scene setter questions is intended to have any scoring or risk implications; they are purely to decide on the line of enquiry further in the review.
The scene setters are grouped into distinct areas, all of which can be seen below.
Note all references to the app/App are references to the relevant Digital Health Product. These can be mobile applications or web-based applications.
No question within the scene setters has a scoring value.
App Characteristics
Is the App health focused? (ORC_SS01)
Guidance/Context: The purpose of this question is to identify apps which are within the DHAF scope of assessment. This includes any apps which have a clear health or medical purpose, are condition specific, or have a valid place in a clinical setting. This also includes wellness apps if they have a clear focus on a particular need or condition, e.g. yoga apps for pregnancy. Apps which have no clear or specific health focus are excluded, e.g. generic meditation apps.
Response: Yes / No
Answer Criteria:
- Yes: If the app has a specific health, fitness, lifestyle purpose or claim. If the app is condition specific. If the app has a clear place in a clinical setting.
- No: If the app has no obvious health purpose (e.g. voice recorder, screen recorder, keyboard, a timer app, recipe books). If the app has no health purpose and does not relate to any kind of health condition (e.g. general meditation apps). Fitness app where exercises are not designed to prevent a specific condition, e.g. a circuit training app with no health claims.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Data - Data Types, Data Collection and Data Sharing
Does the App collect data? (ORC_D01)
Guidance/Context: The purpose of this question is to identify if the app collects data so the relevant data questions are disabled appropriately.
Response: Yes / No
Answer Criteria:
- Yes: If any data is collected by or through the app, in any way, including data such as usage data, cookies etc.
- No: If no data is collected from the user or the app.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
What type of data is collected by the App? (ORC_DT10)
Guidance/Context: This question aims to identify what type of data the app collects. This is answered based on what information can be submitted into the app and also what is visible in the privacy policy.
Response: Multiple Choice
Answer Criteria: Name (Full Name, Nickname or First Name Only), Username, Mobile Number/Device Number/Home Phone Number, Email, Full Address/Postcode, Age/DOB, Location Data, IP Address, Device IMEI Number, Other Unique Device Identifiers, General Wellness Data, General Identifier e.g. NHS No, Physical Description, Marital Status/Family/Lifestyle/Social Circumstance, Income/Financial/Tax Situation, Education/Qualifications/Professional Training/Awards, Employment/Career History, Cookies/Web Beacons etc. (used for tracking an individual’s online browsing behaviors/movements), Usage Data, Card/Payment/Financial Information, Race/Ethnic Origin, Political/Religious/Philosophical Beliefs or Opinions, Trade Union Membership, Genetic or Biometric Data (where this is used for identification purposes e.g. fingerprint or facial recognition), Physical and/or Mental Health Data, Sexual Orientation or Sex Life, Gender (self-declared or observed), Offences Committed/Alleged to have Committed/Criminal Proceedings/Outcomes/Sentence, Other Online Identifiers, Other (please specify).
Logic: DISABLEMENT LOGIC - Disabled if D01 is no.
Scoring Impact: There is no scoring impact associated with this question.
What permissions does the App request? (ORC_ERC_OTS_P01)
Guidance/Context: This question is only relevant if the platform is a mobile app. You can find the answer to this question through the device’s settings and through the Google Play Store and App Store. This question helps inform the Technical Security questions which are asked later in the assessment.
Response: Free text
Answer Criteria: N/A
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Are users required/able to sign up/register to use the service? (ORC_DT14)
Guidance/Context: If a user is required or able to sign up to use the app, it indicates that personal information is undoubtedly collected and processed as part of the service. The assessor may then have to determine whether or not the collection and processing of personal information is strictly necessary for the provision of services.
Response: Yes / No
Answer Criteria:
- Yes: If any part of the service provided requires a user to set up an account.
- Yes: If account creation is not mandatory, but is optional for the purpose of backing up information.
- No: If account creation is not possible in any circumstance.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no.
Scoring Impact: There is no scoring impact associated with this question.
Is data collected through cookies? (ORC_DT11)
Guidance/Context: This question is pre-filled if 'cookies/web beacons etc.' has been selected in DT10. This will require validation from the assessor. To answer yes, any cookies mentioned in the privacy policy/cookie policy must be in reference to the relevant app and not the associated website. This question determines whether the following cookie questions will be asked throughout the assessment.
Response: Yes / No
Answer Criteria:
- Yes: If the privacy policy/cookie policy states the application uses cookies.
- Yes: If the application stops functioning when cookies are disabled through the device settings.
- No: If there is no mention of cookies in the app or in the privacy policy.
- No: If cookies are only mentioned in relation to the associated website.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DT10 does not contain cookies/web beacons etc.
Scoring Impact: There is no scoring impact associated with this question.
What type of cookies are used? (ORC_DT12)
Guidance/Context: The types of cookies hold different levels of importance for what rights must be upheld for the user, and can also act as indicators as to the nature of the data collected through cookies and whether “profiling” might be occurring, making a user identifiable.
Response: Multiple Choice
Answer Criteria:
- Third party: If the privacy policy or cookie policy states that third party cookies are used.
- Session: If the privacy policy or cookie policy states that third party cookies are used.
- Persistent: If the privacy policy or cookie policy states that third party cookies are used.
- Unclear: If it is unclear to the user from the privacy policy or cookie policy what types of cookies are being used.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DT10 does not contain cookies/web beacons etc. OR DT11 equals no.
Scoring Impact: There is no scoring impact associated with this question.
Is the data (cookie and/or non-cookie) collected: (ORC_DT13)
Guidance/Context: This question aims to determine what level the data is classified as, i.e. sensitive, personal or non-personal. The level of data impacts what level of rights should be upheld for the user. The assessor will select the appropriate level of data by referring to the data they selected in DT10. ‘Personal’ data relates to data which can be used to identify someone, whereas ‘Personal (combined)’ data refers to a number of pieces of data which, when combined, can be used to identify someone.
Response: Multiple Choice
Answer Criteria:
- Sensitive: Physical / Mental Health or Condition (past, current or future status), Sexual Life / Orientation, Political, Religious or other beliefs or opinions, Offences Committed / Alleged to have Committed / Criminal Proceedings / Outcomes / Sentence, Financial data (that might be used for payment fraud), Trade Union membership, Racial / Ethnic Origin, Genetic or Biometric Data (e.g. fingerprints / facial recognition) for the purpose of uniquely identifying a person
- Personal (combined): Cookies, web beacons, flash cookies, server logs etc. which track an individual’s browsing behavior, Other Unique Device Identifiers e.g. Device MAC Address, Name, Age/DOB, Gender (self declared or observed), Marital Status / Family / Lifestyle / Social Circumstance, Education / Qualifications / Professional Training / Awards, Other online identifiers / Event Logs, Location Data (Travel / GPS / GSM Data / radio frequency identification tags (RFID))
- Personal: Address/Postcode (full), Email Address, Mobile Phone Number / Device Number / Home Phone Number, Physical Description, Username, IP Address, General Identifier e.g. Social Security Number, Income / Financial / Tax Situation, Employment / Career History, Device IMEI No
- Non-personal: General Wellness data
Logic: DISABLEMENT LOGIC - Disabled if D01 is no.
Scoring Impact: There is no scoring impact associated with this question.
How is non-cookie data collected? (ORC_DC01)
Guidance/Context: This question aims to uncover how data is collected from an individual; this information is key to other parts of the assessment. It is particularly important to ensure that organizations make it clear to their users when there is any “blind” processing occurring.
Response: Multiple Choice
Answer Criteria:
- Device measurement capability: Auto GPS, motion, microphone, camera
- Other apps: Google Fit, Apple Health, Facebook
- Devices: Wearables, medical devices
- Third party sources: Google Analytics, card payment processors (Stripe, PayPal)
- Automatically generated by the app: Usage data
- From device storage: Photos saved on device
- From device information: IP address
- Other (please specify): Assessor to specify what other is in the comment box
Logic: DISABLEMENT LOGIC - Disabled if D01 is no.
Scoring Impact: There is no scoring impact associated with this question.
What other apps is the App connected to? (ORC_DC02)
Guidance/Context: Integration of information between different apps/platforms can be of value to certain individuals. That said, it can also present additional security risks. The organization should consider and mitigate these security risks when they have enabled personal information to be shared to and from their product.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DC01 does not contain ‘other apps’.
Scoring Impact: There is no scoring impact associated with this question.
What device(s) does the App connect to? (ORC_DC03)
Guidance/Context: Integration of information from devices can be of value to certain individuals. That said, it can also present additional security risks. The organization should consider and mitigate these security risks when they have enabled personal information to be shared to and from their product.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DC01 does not contain ‘other devices’.
Scoring Impact: There is no scoring impact associated with this question.
Can the user prevent cookie data being collected and still use the App? (ORC_DS01)
Guidance/Context: Under the Privacy directive any organization must minimize access restrictions, even if a user refuses to accept certain cookies.
Response: Yes / No
Answer Criteria:
- Yes: If the assessor has been able to leave the app > go to device browser > identify that cookies are in use > turn off all cookies relating to the service > launch and access the app again > check back on browser to ensure the previously removed/blocked cookies have not become active again.
- Yes: If the user is informed that they can prevent cookies and that this will only possibly prevent some functionality/access to features.
- No: If cookies have become active again on the device’s browser after following the steps to turn them off.
- No: If strictly necessary cookies are in use.
- No: If users are not given the option or informed how to control/prevent/turn off cookies.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DC01 does not contain 'cookies/web beacons etc.’.
Scoring Impact: There is no scoring impact associated with this question.
Does the disabling of cookies impact the use of the App in any way? (ORC_DS02)
Guidance/Context: This helps to identify whether cookies are necessary for the app to function.
Response: Yes / No
Answer Criteria:
- Yes: If the assessor has been able to leave the app > go to device browser > identify that cookies are in use > turn off all cookies relating to the service > launch and access the app again > has been unable to access certain features.
- Yes: If the user is informed that they can prevent cookies and that this will only possibly prevent some functionality/access to features.
- No: If disabling the cookies through the browser has no impact on functionality/access to features.
- No: If strictly necessary cookies are in use.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DC01 does not contain 'cookies/web beacons etc.’.
Scoring Impact: There is no scoring impact associated with this question.
Can/is data shared? (excluding cookies) (ORC_DS03)
Guidance/Context: This question determines whether the following data sharing questions are asked.
Response: Yes / No
Answer Criteria:
- Yes: If any data type that has been identified as collected is shared/exported from the App, on the device, in any way. This includes data being transferred and stored by the developer on external servers and includes the ability for the user to manually move data out of the app.
- Yes: If you have to create an account to access the app.
- No: If there is no data transferred from the app to another location, on or off the device, either automatically or by manual export by the user.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no.
Scoring Impact: There is no scoring impact associated with this question.
Can data be shared through a direct, manual action by the user? (e.g. by sending data via email or manually choosing to post/share something within the app etc.) (ORC_DS04)
Guidance/Context: This question helps inform the user if they are able to share their own health data via the app.
Response: Yes / No
Answer Criteria:
- Yes: If any data only leaves the app or the device when the user carries out a direct action for this to occur. This action needs to be carried out every time the user wishes to share this data (sharing data via email or sending reports manually within the app).
- Yes: Manually choosing to post/share something within the app.
- No: If data is shared without a direct action from the user.
- No: If data is automatically transferred following a single action of turning on a permission in the app.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS03 is no.
Scoring Impact: There is no scoring impact associated with this question.
How is the user able to manually share their data? (ORC_DS05)
Guidance/Context: This question helps inform the user exactly how they are able to share their health data.
Response: Multiple Choice
Answer Criteria:
- Exporting a report to the device: If the user can store data, outside of the app, on the device itself.
- Exporting data to a preset email: If the user has the option to email reports/data and is taken to the device email app to send information.
- Exporting data to messaging services: If the user has the option to share information/data and the share options include any messaging services/apps on the device. Emails do not count as messaging services.
- Transfer through Bluetooth: If the user can manually share information using the device’s Bluetooth. This does not include automatic transfer of data to a device that automatically connects. Nor does it include apps that continuously run Bluetooth in the background to communicate and recognize other devices (such as track and trace).
- Transfer through NFC (near-field communication): If the user can transfer data to another device using NFC capabilities.
- Manually choose to post/share something in the app: If there is any form of in-app communication between two or more users, where the information/content posted is done so through the user opting to do so each time.
- Other (please specify): If the app is transferring through manual user intervention but the option has not been listed.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS04 is no.
Scoring Impact: There is no scoring impact associated with this question.
Is data ONLY shareable through a direct, manual action by the user? (excluding cookies) (ORC_DS06)
Guidance/Context: If data in the app is only manually shared, it is shared with external third parties of the user’s choice, and this is often something that is not managed or decided by the developer. Therefore, if this is the only form of data sharing, and the developer cannot access or process the data away from the device that the app is on, they will be less likely to be subject to GDPR principles.
Response: Yes / No
Answer Criteria:
- Yes: If the only data transfers that occur are through the direct user interactions identified.
- No: If there is any data transferred by a means that has not been done through a direct user intervention. For example, if you have selected “usage data” and this is collected automatically, then you would answer No.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS04 is no.
Scoring Impact: There is no scoring impact associated with this question.
Can the user control any automatic data sharing, through setting individual sharing preferences in the app? (excluding cookies) (ORC_DS07)
Guidance/Context: This question aims to find out whether users can set up automatic data sharing. Signing up through Facebook does not count; the user has to have control, for example, by toggling something in the app to choose ‘yes you can collect usage data’.
Response: Yes / No
Answer Criteria:
- Yes: If the user has control over when data is automatically shared, for example, through having individual options that can be toggled on and off, in the app.
- Yes: If the user can create social circles, or choose who can view/access their profile/data, e.g. making an account private or public, or specifically selecting which members of your clinical support network can view which data.
- No: If the user has no choice in whether or not to sign up to the app in order to use it, i.e. if the user MUST sign up to use, or CANNOT sign up at all.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS03 is no OR if DS06 is yes.
Scoring Impact: There is no scoring impact associated with this question.
Where/With whom can the user share data automatically by manually setting sharing preferences in the app? (ORC_DS08)
Guidance/Context: If the user can control automatic data sharing via a toggle, this question identifies with whom the user can share the data.
Response: Multiple Choice
Answer Criteria:
- Developer
- Clinician/HCP
- Other users
- Third parties: Google Fit, Apple Health, Facebook, Google Analytics, etc.
- Other devices: Wearables, scales, medical devices.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS07 is no.
Scoring Impact: There is no scoring impact associated with this question.
Is any data (excluding cookie data) shared automatically as soon as the App is accessed – based only on agreement to relevant Terms of Use or Privacy Policy? (ORC_DS09_US)
Guidance/Context: This question aims to identify if any automatic sharing of data occurs without any input from the user beyond agreeing to the Privacy Policy and/or T&Cs.
Response: Yes / No
Answer Criteria:
- Yes: The privacy policy states that data is automatically shared.
- No: The privacy policy / app clearly states that no data is shared without the user’s input.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS03 is no OR if DS06 is yes.
Scoring Impact: There is no scoring impact associated with this question.
Where/With whom is data automatically shared - based only on user agreement to the developer’s Privacy Policy and/or Terms of Use? (ORC_DS10_US)
Guidance/Context: This question highlights with whom the user’s data is automatically shared.
Response: Multiple Choice
Answer Criteria:
- Developer
- Clinician/HCP
- Other users
- Third parties: Google Fit, Apple Health, Facebook, Google Analytics, etc.
- Other devices: Wearables, scales, medical devices.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS09 is no.
Scoring Impact: There is no scoring impact associated with this question.
What data is automatically shared with the developer? (ORC_DS12)
Guidance/Context: If the policy has clearly stated that data is automatically shared with the developer but is not clear exactly what data is shared, then assessors can assume that all collected data is automatically shared. Do not select Biometric data if it is using the phone's native scanner/face ID rather than an in-app scanner.
Response: Multiple Choice
Answer Criteria: Name (Full Name, Nickname or First Name Only), Username, Mobile Number/Device Number/Home Phone Number, Email, Full Address/Postcode, Age/DOB, Location Data, IP Address, Device IMEI Number, Other Unique Device Identifiers, General Wellness Data, General Identifier e.g. NHS No, Physical Description, Marital Status/Family/Lifestyle/Social Circumstance, Income/Financial/Tax Situation, Education/Qualifications/Professional Training/Awards, Employment/Career History, Cookies/Web Beacons etc. (used for tracking an individual’s online browsing behaviors/movements), Usage Data, Card/Payment/Financial Information, Race/Ethnic Origin, Political/Religious/Philosophical Beliefs or Opinions, Trade Union Membership, Genetic or Biometric Data (where this is used for identification purposes e.g. fingerprint or facial recognition), Physical and/or Mental Health Data, Sexual Orientation or Sex Life, Gender (self-declared or observed), Offences Committed/Alleged to have Committed/Criminal Proceedings/Outcomes/Sentence, Other Online Identifiers, Other (please specify).
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS06 is yes OR if DS08 does not contain developer AND DS10 does not contain developer.
Scoring Impact: There is no scoring impact associated with this question.
What data is automatically shared with physicians / healthcare professionals? (ORC_DS13_US)
Guidance/Context: If the policy has clearly stated that data is automatically shared with physicians / healthcare professionals but is not clear exactly what data is shared, then assessors can assume that all collected data is automatically shared. Do not select Biometric data if it is using the phone's native scanner/face ID rather than an in-app scanner.
Response: Multiple Choice
Answer Criteria: Name (Full Name, Nickname or First Name Only), Username, Mobile Number/Device Number/Home Phone Number, Email, Full Address/Postcode, Age/DOB, Location Data, IP Address, Device IMEI Number, Other Unique Device Identifiers, General Wellness Data, General Identifier e.g. NHS No, Physical Description, Marital Status/Family/Lifestyle/Social Circumstance, Income/Financial/Tax Situation, Education/Qualifications/Professional Training/Awards, Employment/Career History, Cookies/Web Beacons etc. (used for tracking an individual’s online browsing behaviors/movements), Usage Data, Card/Payment/Financial Information, Race/Ethnic Origin, Political/Religious/Philosophical Beliefs or Opinions, Trade Union Membership, Genetic or Biometric Data (where this is used for identification purposes e.g. fingerprint or facial recognition), Physical and/or Mental Health Data, Sexual Orientation or Sex Life, Gender (self-declared or observed), Offences Committed/Alleged to have Committed/Criminal Proceedings/Outcomes/Sentence, Other Online Identifiers, Other (please specify).
Logic: DISABLEMENT LOGIC - Disabled if D01 is no OR if DS06 is yes OR if DS08 does not contain physician/healthcare professional AND DS10 does not contain physician/healthcare professional.
Scoring Impact: There is no scoring impact associated with this question.
What data is automatically shared with other users?
ID: ORC_DS14
Further Information
Guidance/Context: If the policy clearly states that data is automatically shared with other users but is not clear exactly which data is shared, and assessors are unable to infer this from using the app, it should be assumed that all collected data is automatically shared. Do not select Biometric Data if the app uses the phone's native scanner/Face ID rather than an in-app scanner.
Response: Multiple Choice
Answer Criteria: Name (Full Name, Nickname or First Name Only), Username, Mobile Number/Device Number/Home Phone Number, Email, Full Address/Postcode, Age/DOB, Location Data, IP Address, Device IMEI Number, Other Unique Device Identifiers, General Wellness Data, General Identifier e.g. NHS No, Physical Description, Marital Status/Family/Lifestyle/Social Circumstance, Income/Financial/Tax Situation, Education/Qualifications/Professional Training/Awards, Employment/Career History, Cookies/Web Beacons etc. (used for tracking an individual's online browsing behaviors/movements), Usage Data, Card/Payment/Financial Information, Race/Ethnic Origin, Political/Religious/Philosophical Beliefs or Opinions, Trade Union Membership, Genetic or Biometric Data (where this is used for identification purposes, e.g. fingerprint or facial recognition), Physical and/or Mental Health Data, Sexual Orientation or Sex Life, Gender (self-declared or observed), Offences Committed/Alleged to have Committed/Criminal Proceedings/Outcomes/Sentence, Other Online Identifiers, Other (please specify).
Logic: DISABLEMENT LOGIC - Disabled if D01 is No, OR if DS06 is Yes, OR if DS08 does not contain "other users" AND DS10 does not contain "other users".
Scoring Impact: There is no scoring impact associated with this question.

What data is automatically shared with third parties?
ID: ORC_DS15
Further Information
Guidance/Context: If the policy clearly states that data is automatically shared with third parties but is not clear exactly which data is shared, assessors can assume that all collected data is automatically shared. Do not select Biometric Data if the app uses the phone's native scanner/Face ID rather than an in-app scanner.
Response: Multiple Choice
Answer Criteria: Name (Full Name, Nickname or First Name Only), Username, Mobile Number/Device Number/Home Phone Number, Email, Full Address/Postcode, Age/DOB, Location Data, IP Address, Device IMEI Number, Other Unique Device Identifiers, General Wellness Data, General Identifier e.g. NHS No, Physical Description, Marital Status/Family/Lifestyle/Social Circumstance, Income/Financial/Tax Situation, Education/Qualifications/Professional Training/Awards, Employment/Career History, Cookies/Web Beacons etc. (used for tracking an individual's online browsing behaviors/movements), Usage Data, Card/Payment/Financial Information, Race/Ethnic Origin, Political/Religious/Philosophical Beliefs or Opinions, Trade Union Membership, Genetic or Biometric Data (where this is used for identification purposes, e.g. fingerprint or facial recognition), Physical and/or Mental Health Data, Sexual Orientation or Sex Life, Gender (self-declared or observed), Offences Committed/Alleged to have Committed/Criminal Proceedings/Outcomes/Sentence, Other Online Identifiers, Other (please specify).
Logic: DISABLEMENT LOGIC - Disabled if D01 is No, OR if DS06 is Yes, OR if DS08 does not contain "third parties" AND DS10 does not contain "third parties".
Scoring Impact: There is no scoring impact associated with this question.

What data is automatically shared with other devices?
ID: ORC_DS16
Further Information
Guidance/Context: If the policy clearly states that data is automatically shared with other devices but is not clear exactly which data is shared, assessors can assume that all collected data is automatically shared. Do not select Biometric Data if the app uses the phone's native scanner/Face ID rather than an in-app scanner.
Response: Multiple Choice
Answer Criteria: Name (Full Name, Nickname or First Name Only), Username, Mobile Number/Device Number/Home Phone Number, Email, Full Address/Postcode, Age/DOB, Location Data, IP Address, Device IMEI Number, Other Unique Device Identifiers, General Wellness Data, General Identifier e.g. NHS No, Physical Description, Marital Status/Family/Lifestyle/Social Circumstance, Income/Financial/Tax Situation, Education/Qualifications/Professional Training/Awards, Employment/Career History, Cookies/Web Beacons etc. (used for tracking an individual's online browsing behaviors/movements), Usage Data, Card/Payment/Financial Information, Race/Ethnic Origin, Political/Religious/Philosophical Beliefs or Opinions, Trade Union Membership, Genetic or Biometric Data (where this is used for identification purposes, e.g. fingerprint or facial recognition), Physical and/or Mental Health Data, Sexual Orientation or Sex Life, Gender (self-declared or observed), Offences Committed/Alleged to have Committed/Criminal Proceedings/Outcomes/Sentence, Other Online Identifiers, Other (please specify).
Logic: DISABLEMENT LOGIC - Disabled if D01 is No, OR if DS06 is Yes, OR if DS08 does not contain "other devices" AND DS10 does not contain "other devices".
Scoring Impact: There is no scoring impact associated with this question.

Does the app allow users to access their personal health record via an ONC certified EHR?
ID: ATA_DS01
Further Information
Guidance/Context: ONC = Office of the National Coordinator for Health Information Technology. The ONC Health IT Certification Program is meant to signal which health IT systems meet federal requirements and include useful functionality.
Response: Yes / No
Answer Criteria:
Yes: If users are able to access their Patient Records/Data held in an ONC certified EHR through the app.
No: If users cannot access Patient Records through the app.
No: If users can create personal health records that are separate from an ONC certified EHR.
Logic: DISABLEMENT LOGIC -
Scoring Impact: There is no scoring impact associated with this question.

Does the app appear to access and/or process patient information from an ONC certified EHR?
ID: ATA_DS02
Further Information
Guidance/Context: The ONC Health IT Certification Program is meant to signal which health IT systems meet federal requirements and include useful functionality.
Response: Yes / No
Answer Criteria:
Yes: If the app appears to access and/or process EHR Patient Data in any way.
Yes: If a clinician/HCP-focused app has been designed to allow the HCP to access and view patient records that have been pulled into the product from EHR Patient Data, or the data is exported and added to individual EHR Patient Data.
No: If the app allows users or HCPs to build individual user/patient records and does not integrate with EHR Patient Data in any way, but instead simply keeps a separate record.
Logic: DISABLEMENT LOGIC -
Scoring Impact: There is no scoring impact associated with this question.
Algorithm/AI

Does the app contain algorithms?
ID: ORC_AI01
Further Information
Guidance/Context: This question aims to identify whether any algorithms are used in the app. The answer then determines whether other questions around AI and Clinical Calculators are asked later in the assessment.
Response: Yes / No
Answer Criteria:
Yes: If the app uses an algorithm to provide an output using the health data input by the user, OR if the app provides an average from input data, or calories burned.
No: If the app does not calculate anything with the data it collects, OR if the algorithm's input does not come from health data.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

How does the app use the algorithm?
ID: ORC_AI02
Further Information
Guidance/Context: This question allows the assessor to describe what the algorithm does and what area it focuses on. Questions later in the scene setters will probe diagnosis/treatment further.
Response: Free Text - e.g. performs a calculation for diagnosis, etc.
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if AI01 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app appear to use AI?
ID: ORC_AI03
Further Information
Guidance/Context: This question aims to identify whether any form of AI is used within the app. Sometimes this may be difficult to determine from using the app alone, so the assessor should read around the app to see if the Developer makes these claims.
Response: Yes / No
Answer Criteria:
YES: If the app uses a chatbot which learns from and reacts to what the user says.
YES: If the app/developer claims to use AI techniques.
YES: If the app uses machine learning to improve the quality of its automated decision making.
NO: If the app doesn't use a chatbot.
NO: If the app/developer makes no claim about using AI techniques.
NO: If the app doesn't use machine learning to improve the quality of its automated decision making.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

What AI technique is used in the app?
ID: ORC_AI04
Further Information
Guidance/Context: The Developer may state in the app store description or on their website what type of AI they use. If it is unclear what AI is used within the app, the assessor should try to find this information by reading the app store description and the app website.
Response: Free text
Answer Criteria: Examples:
Natural Language Processing (NLP) - includes Natural Language Understanding, Natural Language Generation and Machine Translation, e.g. if the app uses a chatbot which learns from and reacts to what the user says.
Machine Learning - if the app uses machine learning to improve the quality of its automated decision making.
Image Recognition - if the app uses AI to identify something in a picture.
Logic: DISABLEMENT LOGIC - Disabled if AI03 is No.
Scoring Impact: There is no scoring impact associated with this question.

Is the AI monitored/maintained?
ID: ORC_AI05
Further Information
Guidance/Context: To ensure AI is used both appropriately and effectively, humans should have oversight through monitoring/maintaining/updating the app. Developers may monitor their AI by asking healthcare professionals to review its decision making and output. If the output does not appear to be in line with the healthcare professionals' knowledge, the Developer should correct this. Assessors should look for these mentions in the app, the App Store/Google Play listing and the associated website.
Response: Yes / No
Answer Criteria:
YES: If the developer specifically mentions that their AI is monitored/maintained/updated.
NO: If there is no specific mention of them updating/maintaining the AI.
NO: If they only mention improvements based upon input (learning from input).
Logic: DISABLEMENT LOGIC - Disabled if AI03 is No.
Scoring Impact: There is no scoring impact associated with this question.
Information

Is the app designed to provide information or guidance?
ID: ORC_I01
Further Information
Guidance/Context: This question aims to contribute to the app's functions and features. It is also used to inform the ESF tiering.
Response: Yes / No
Answer Criteria:
Yes: If the app provides any generic information around the general topic area, in text or diagram form.
Yes: If the app can provide information as a diary back to the user where monitoring is taking place.
No: If the app provides no real information or guidance aimed at health or wellbeing.
No: If the only information is provided by other users on a forum; information must come from the developer/app itself.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide information that is personalized to an end user's specific circumstances?
ID: ORC_I02
Further Information
Guidance/Context: This question aims to contribute to the app's functions and features. It is also used to inform the ESF tiering.
Response: Yes / No
Answer Criteria:
Yes: If any of the information provided is personalized to the user, e.g. it provides recommended activities/actions based on assessment over a period of time, OR tailors a therapy/treatment program based on a one-off assessment which takes a lot of information from the user.
No: If the app provides no information which is personalized to the user.
Logic: DISABLEMENT LOGIC - Disabled if I01 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide users with information regarding where they are able to find local or suitable support services?
ID: ORC_F08
Further Information
Guidance/Context: This question aims to contribute to the app's functions and features. It is also used to inform the ESF tiering.
Response: Yes / No
Answer Criteria:
YES: If the app provides links/signposts to online services or local services.
YES: If the app points to services where the user can take control of their own or somebody else's condition, e.g. a pharmacy.
NO: If the app provides no information which is personalized to the user.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide environmental data not specific to the patient?
ID: ORC_F03
Further Information
Guidance/Context: This question aims to contribute to the app's functions and features. It is also used to inform the ESF tiering.
Response: Yes / No
Answer Criteria:
YES: If the app provides details of external environmental factors which may impact health/wellbeing, such as temperature, pollen count, etc.
NO: If the only information provided is the location.
Logic: DISABLEMENT LOGIC - Disabled if I01 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide information, resources or activities to the public, patients or physicians, either about a specific condition or about general health and lifestyle?
ID: ORC_EF07
Further Information
Guidance/Context: In most cases the answer to this question will be Yes because the scope of the question is so broad. The only instance in which an assessor should answer No is if the app is aimed at providing information, resources or activities for administrative purposes instead of health-related purposes. If I01 is Yes, this will also be Yes. This question also guides the ESF tiering later.
Response: Yes / No
Answer Criteria:
Yes: Any app that provides a resource, either condition-specific or generalized.
No: Administration apps which have no effect on patient outcomes, for instance a scheduling system.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Clinical Decision Support - Pre-Diagnosis, Diagnosis and Treatment Support

Is the data the app collects automatically assessed for the purposes of evaluating risk or providing diagnostic support?
ID: ORC_PD01
Further Information
Guidance/Context: This is looking at apps which provide an individual risk to a user, personalized on the basis of the user health data collected (e.g. apps which show red zones/percentages of having a condition for specific readings).
Response: Yes / No
Answer Criteria:
Yes: If the app provides a calculation, paragraph, table or diagram indicating a user's risk or potential diagnoses.
No: If the app provides no form of risk assessment or diagnosis to a user.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app diagnose a specific condition?
ID: ORC_DG02
Further Information
Guidance/Context: This question aims to discover whether the app diagnoses/screens/detects a disease or condition (i.e., using sensors, data, or other information from other hardware or software devices, pertaining to a disease or condition). This is a key question for identifying diagnostic medical devices under the FDA.
Response: Yes / No
Answer Criteria:
Yes: A healthcare professional can see "We think you have...".
Yes: If the app diagnoses a specified clinical condition using clinical data.
No: If it states "you might have a condition, please see a professional", this would be No as it is not specific enough.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide an assessment (of the risk) to an individual - based on data input or collected by the app - of:
Contracting or suffering a healthcare condition
The impact on their lifestyle and health indicators
No risk assessment provided
ID: ORC_DG01
Further Information
Guidance/Context: This is looking at apps which provide individual risk assessments to the user. Both "Contracting or suffering a healthcare condition" and "The impact of their lifestyle choices and health and wellbeing indicators" can be selected at the same time.
Response: Multiple Choice
Answer Criteria:
Contracting or suffering a healthcare condition: The app provides a risk indicator of a condition or diagnosis to an individual.
The impact of their lifestyle choices and health and wellbeing indicators: The app provides a risk indicator to an individual based on the person's lifestyle, e.g. a person's risk of type 2 diabetes based on food intake.
No risk assessment provided: The app provides no risk indicator or diagnosis.
Logic: DISABLEMENT LOGIC - Disabled if PD01 is No AND DG02 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide an assessment (of the risk) to a healthcare professional - based on data input or collected by the app - of:
Contracting or suffering a healthcare condition
The impact on their lifestyle and health indicators
No risk assessment provided
ID: ORC_DG03
Further Information
Guidance/Context: This is looking at apps which provide individual risk assessments to a healthcare professional. Both "Contracting or suffering a healthcare condition" and "The impact of their lifestyle choices and health and wellbeing indicators" can be selected at the same time.
Response: Multiple Choice
Answer Criteria:
Contracting or suffering a healthcare condition: The app provides a risk indicator of a condition or diagnosis to an individual.
The impact of their lifestyle choices and health and wellbeing indicators: The app provides a risk indicator to an individual based on the person's lifestyle, e.g. a person's risk of type 2 diabetes based on food intake.
No risk assessment provided: The app provides no risk indicator or diagnosis.
Logic: DISABLEMENT LOGIC - Disabled if PD01 is No AND DG02 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide the option for further assessment or analysis by a healthcare professional?
ID: ORC_DG04
Further Information
Guidance/Context: This question applies to apps which provide an individual risk to a user using some kind of algorithm or AI. It aims to identify whether the user can send their result/information to a healthcare professional to get a further assessment or more information.
Response: Yes / No
Answer Criteria:
Yes: If the app provides a calculation, paragraph, table or diagram indicating a user's risk, and allows this to be sent to an HCP for further investigation/information (being able to get a second opinion from a real clinician by sending the information on).
No: If the app provides no form of further investigation/information by an HCP.
No: If the app offers solely virtual consultations with an HCP with no transfer of the health data logged within the app.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is the app, or does the app include, a Symptom Checker?
ID: ORC_DG05
Further Information
Guidance/Context: This question aims to identify apps which collect and check the user's symptoms and provide a possible diagnosis/diagnoses based on the inputted information. The purpose or benefit of the app must be its symptom-checking functionality. For instance, if an anxiety/depression app contained the GAD-7 or PHQ-9, this would not be a symptom checker.
Response: Yes / No
Answer Criteria:
Yes: If the app provides a possible diagnosis based upon the collection of a user's symptoms.
No: If the app provides no form of diagnosis or risk assessment based upon the collection of a user's symptoms.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app indicate the likelihood of a match for the listed conditions?
ID: ORC_DG06
Further Information
Guidance/Context: This is looking at whether a symptom checker provides the user with an assessment of the most likely cause, for example "9/10 people who have your symptoms suffer from X".
Response: Yes / No
Answer Criteria:
Yes: If the app provides an assessment of the chance or likelihood of certain conditions based on the collected symptoms.
No: If the app provides no assessment of the chance or likelihood of certain conditions based on the collected symptoms.
Logic: DISABLEMENT LOGIC - Disabled if DG05 is No.
Scoring Impact: There is no scoring impact associated with this question.

Can users filter results to display by highest risk / likelihood / severity?
ID: ORC_DG07
Further Information
Guidance/Context: This question aims to identify whether an app allows the user to filter the list of conditions the symptom checker provided. It is crucial that the user has the option to turn the filter on or not; if the list is automatically generated in a particular order, this does not give the user the autonomy to filter. Any filtering rule is applicable, from the likelihood of the symptoms matching a condition to the most severe condition the symptoms may relate to.
Response: Yes / No
Answer Criteria:
Yes: If the app provides a filter for the provided risks. The app needs to provide a specific filter option; sorting by order of likelihood automatically is NOT sufficient.
No: If the app provides no filter for the provided risks.
Logic: DISABLEMENT LOGIC - Disabled if DG05 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide treatment recommendations for the listed conditions?
ID: ORC_DG08
Further Information
Guidance/Context: This question aims to identify whether symptom checker apps provide treatment suggestions alongside the listed conditions. If, next to a symptom, the app recommends that the user should seek treatment by signposting to further services, this is not sufficient. The app must provide the treatment details itself for this question.
Response: Yes / No
Answer Criteria:
Yes: If the app provides any treatment suggestions for the listed conditions.
No: If the app provides no treatment options for the listed conditions.
Logic: DISABLEMENT LOGIC - Disabled if DG05 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app only signpost the user to suitable care or recommend seeking further advice? (e.g. go to the ER, book an appointment with your family physician, call 911)
ID: ORC_DG09
Further Information
Guidance/Context: This question aims to identify whether the symptom checker app provides suggestions for the user to seek further treatment, based upon the indicated diagnoses. Anything from calling 911 to a recommended visit to your family physician would be sufficient for this question.
Response: Yes / No
Answer Criteria:
Yes: If the app provides any signpost to a further service based upon the symptom checker outcome.
No: If the app does not signpost to a further service based upon the symptom checker outcome.
Logic: DISABLEMENT LOGIC - Disabled if DG05 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app contain a clinical calculator?
ID: ORC_TS01
Further Information
Guidance/Context: The FDA takes the use of algorithms and AI into account when identifying and assessing medical devices. The identification of a clinical calculator helps support the argument as to whether or not an app should be classified as a medical device.
Response: Yes / No
Answer Criteria:
Yes: This includes apps for use by clinicians or users to calculate parameters pertaining to care, such as early warning system software (if there are treatment implications associated with the calculation).
No: If the app is not for use by clinicians or users to calculate parameters pertaining to care, such as early warning system software.
Logic: DISABLEMENT LOGIC - Disabled if AI03 is No AND AI01 is No.
Scoring Impact: There is no scoring impact associated with this question.

What type of clinical calculator does the app contain?
ID: ORC_TS02
Further Information
Guidance/Context: This question allows the assessor to record information about the type of Clinical Calculator located within the app. For example, the app may contain something which calculates the amount of water needed to treat a burns victim.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if TS01 is No.
Scoring Impact: There is no scoring impact associated with this question.

Is the app intended to be (or does the developer claim it can be) used for the prevention of disease?
ID: ORC_MD01
Further Information
Guidance/Context: Prevention is another key definition in defining a medical device according to FDA regulations. If an app claims to be used for prevention, or its intended use/benefit relates to the prevention of a disease or condition, it is likely to be a medical device.
Response: Yes / No
Answer Criteria:
Yes: If the app is intended to PREVENT a specific disease or condition, OR if the app itself will stop you from getting the disease.
No: If the app is trying to catch something early before it develops, e.g. skin vision.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

How does the app prevent disease?
ID: ORC_TS04
Further Information
Guidance/Context: This question allows the assessor to explain how the app prevents disease.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if MD01 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide treatment of a condition?
ID: ORC_TS05
Further Information
Guidance/Context: This question aims to identify whether an app provides treatment for a user's specific condition. This includes both apps that provide information which can be used to enable treatment and apps which provide an output which can be used to treat a condition, for example apps intended to calculate the dose of insulin a diabetic needs to treat their diabetes based on the carbohydrate in a meal.
Response: Yes / No
Answer Criteria:
Yes: Apps that provide information which can be used to enable treatment to be performed, or that claim the output from the app can be used to treat a condition, e.g. an app to calculate the dose of insulin a diabetic needs to treat their diabetes based on the carbohydrate in a meal.
No: If the app is intended to treat non-medical conditions, e.g. non-specific stress, OR apps intended just to provide tips or advice or to link to support groups, OR medication reminders.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

What treatment does the app provide?
ID: ORC_TS06
Further Information
Guidance/Context: This question allows the assessor to explain what treatment the app provides.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if TS05 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app guide the treatment of a condition?
ID: ORC_TS07
Further Information
Guidance/Context: This question aims to identify apps which guide the treatment of a condition. This can occur in a number of ways, but it is key that the app guides the treatment of a condition following best clinical practice guidelines.
Response: Yes / No
Answer Criteria:
Yes: Apps which take a user's health information and provide specific treatment pathways for the user to follow to treat their condition, OR clinician-facing apps that advise treatments.
No: Apps intended just to provide tips or advice which are non-specific to the user.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

How does the app guide the treatment of the condition?
ID: ORC_TS08
Further Information
Guidance/Context: This question allows the assessor to explain how the app guides the user's treatment of a condition.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if TS07 is No.
Scoring Impact: There is no scoring impact associated with this question.

Who does the app provide the treatment guidance to?
ID: ORC_TS09
Further Information
Guidance/Context: This question allows the assessor to confirm whether the treatment guidance is for a general user or a healthcare professional.
Response: Multiple Choice
Answer Criteria:
User: Refers to the patient/carer using the app.
HCP: Healthcare Professional.
Logic: DISABLEMENT LOGIC - Disabled if TS07 is No.
Scoring Impact: There is no scoring impact associated with this question.

Is the treatment provided independently of a healthcare professional?
ID: ORC_TS10
Further Information
Guidance/Context: This question aims to determine whether the app can provide treatment to an individual without healthcare professional involvement.
Response: Yes / No
Answer Criteria:
Yes: If the app provides treatment to the user without HCP involvement.
No: If the treatment is not provided independently of an HCP, or if the app provides no treatment.
Logic: DISABLEMENT LOGIC - Disabled if TS05 is No AND TS07 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app support healthcare professionals' decisions about treatments?
ID: ORC_TS03
Further Information
Guidance/Context: This question aims to identify apps which support a decision made by a healthcare professional on a case-by-case basis. The app must be more than a generic textbook and must provide information directed towards healthcare professionals.
Response: Yes / No
Answer Criteria:
Yes: The app contributes to a professional's decision about treatment, so it is for doctors to look at, OR it supports decision making on a case-by-case basis (e.g. Mersey Burns would be Yes: it tells the clinician how much fluid a patient requires based on the percentage burns they have suffered).
No: If the app provides generic, non-specific care pathways.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app follow the path of a procedure/treatment without making any decisions?
ID: ORC_TS12
Further Information
Guidance/Context: Whilst the FDA regulations do not specify whether following the path of a procedure/treatment makes an app a medical device, this question makes the assessor aware of the risk which comes with this functionality, and of additional functionality which could lead the app to be a medical device under FDA regulations.
Response: Yes / No
Answer Criteria:
YES: If the app outlines a treatment/procedure but does not make and communicate any decisions to the user.
NO: If the app makes any decisions for the user.
Logic: DISABLEMENT LOGIC - Disabled if TS03 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does a healthcare professional make the final decision regarding treatment based on the advice and/or options displayed?
ID: ORC_TS13
Further Information
Guidance/Context: Apps could still potentially be a medical device (MD) if this is answered Yes, depending on additional functionality too. The FDA is unclear about specifics in this area (it would depend on other functions too). That said, if this question is answered No, it is very likely the app would be identified as an MD under the FDA.
Response: Yes / No
Answer Criteria:
YES: If the app outlines a treatment/procedure but does not make and communicate any decisions to the user.
NO: If the app makes any decisions for the user.
Logic: DISABLEMENT LOGIC - Disabled if TS03 is No.
Scoring Impact: There is no scoring impact associated with this question.

Does the app automate the treatment pathway for an individual patient? |
ORC_TS14 |
Further Information
Guidance/ Context Automating the treatment pathway is a software function that makes the app become a regulated medical device by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations. Response Yes / No Answer Criteria YES: The app creates the treatment pathway for the user, and does not rely on a HCP. NO: If the app outlines a set of treatments / procedures but the final decision about which treatment is left to the HCP. NO: If it is a “one size fits all” pathway that doesn’t take into account individual factors. Logic There is no disablement logic written for this question. Scoring Impact There is no scoring impact associated with this question. |
|
Is the app intended to be (or does the developer claim it can be) used as a physical intervention to reduce the symptoms or severity of a disease, injury or, physical or mental impairment? |
ORC_TS15 |
Further Information
Guidance/Context This question aims to identify if the apps intended purpose is to reduce the symptoms or severity of a disease, injury or physical/mental impairment. The app cannot just support a condition or impairment, the app must provide some sort of functionality to reduce the symptoms. For example, a Tinnitus noise cancelling app reduces the symptoms of Tinnitus. This is to help identify Medical Devices. Response Yes / No Answer Criteria Yes: If an app that provides a physical output to alleviate the symptoms of an existing condition. For example a Tinnitus noise canceling app. No: If an app does not provide a physical output to alleviate the symptoms of an existing condition. Logic There is no disablement logic written for this question. Scoring Impact There is no scoring impact associated with this question. |
|
Is the app intended to (or does the developer claim it can be used to) compensate an injury or, physical or mental impairment? |
ORC_MD07 |
Further Information
Guidance/Context This question aims to identify if an app compensates for a specific injury or physical / mental impairment. It is important that the assessor identifies this is the app's intended purpose and that it is not meant for general use. Response Yes / No Answer Criteria Yes: Apps which the developer claims can compensate for an injury or handicap or claims that the output from the app can be used for this purpose. For example apps to magnify text specifically for people with visual impairment or apps amplify sounds for people with reduced hearing. No: If the app provides no link to a specific injury or handicap. For example apps to magnify text but there is no mention of visual impairment in the manufacturer’s claims OR apps to amplify sound but there is no mention of hearing impairment in the manufacturer’s claims. Logic There is no disablement logic written for this question. Scoring Impact There is no scoring impact associated with this question. |
|
Does the app predict the fertile window? |
ORC_CC01 |
Further Information
Guidance/Context This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA). Response Yes / No Answer Criteria YES: If an app informs the user of when their fertile window is. NO: If the app does not identify the user’s fertile window. Logic DISABLEMENT LOGIC - Disabled if MD08 is no. Scoring Impact There is no scoring impact associated with this question. |
|
Does the app claim to be used to prevent pregnancy or to conceive? |
ORC_CC02 |
Further Information
Guidance/Context This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA). Response Yes / No Answer Criteria YES: If an app or related website or description claims to make pregnancies more likely or to be able to prevent pregnancy. NO: If an app or related website or description does not claim to make pregnancies more likely or to be able to prevent pregnancy. Logic DISABLEMENT LOGIC - Disabled if CC01 is no. Scoring Impact There is no scoring impact associated with this question. |
|
Does the app use body basal temperature (bbt) recorded through an externally connected thermometer? |
ORC_CC03 |
Further Information
Guidance/Context This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA). Response Yes / No Answer Criteria YES: If an app has an assistive device which can be used to record BBT. Measurements can be input manually after taking a reading. NO: If an app does not have an assistive device which can be used to record BBT., or it does not record BBT. Logic DISABLEMENT LOGIC - Disabled if CC02 is no. Scoring Impact There is no scoring impact associated with this question. |
|
Does the app use rhythm, body basal temperature (bbt) and cervical mucus methods to prevent pregnancy or to conceive? |
ORC_CC04 |
Further Information
Guidance/Context This question helps identify if the app’s intended purpose/benefits focuses around conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA). Response Yes / No Answer Criteria YES: If an app uses rhythm/bbt/cervical mucus methods to aid in the prevention of pregnancy or to help conception. NO: If an app doesn’t use rhythm/bbt/cervical mucus methods to aid in the prevention of pregnancy or to help conception. Logic DISABLEMENT LOGIC - Disabled if CC02 is no. Scoring Impact There is no scoring impact associated with this question. |
|
Does the developer claim that the app can be used as a natural method of birth control? |
ORC_CC05 |
Further Information
Guidance/Context This question helps identify if the app is marketed towards facilitating conception/contraception. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA). Response Yes / No Answer Criteria Yes: If the app markets itself or claims the user can use the app as a natural method of birth control. No: If the app does not claim to be a natural method of birth control. Logic DISABLEMENT LOGIC - Disabled if CC03 is no AND if CC04 is no. Scoring Impact There is no scoring impact associated with this question. |
|
Is the app intended to be used for the control of conception? |
ORC_MD06 |
Further Information
Guidance/Context This question aims to identify if apps are to be used to control conception through two or more of the practical methods highlighted in CC01 - CC04. This will in turn help identify if the app is a potential Medical Device as defined by the Food and Drug Administration (FDA). Response Yes / No Assessment Criteria Yes: If the app appears to be a natural form of contraception AND be intended to be used a way of conceiving based on the above answers (CC01, CC02, CC03, CC04 and CC05). No: If the app only claims to be a natural form of contraception OR intended to be used as a way of conceiving, but doesn’t claim to be both. Logic DISABLEMENT LOGIC - Disabled if CC02 is no. Scoring Impact There is no scoring impact associated with this question. |
|
Is the app used in combination with drugs or medication? (e.g. medication reminders) |
ORC_AE20 |
Further Information
Guidance/Context This question aims to identify if the app can set medication alerts/reminders, trackers or if the app indicates how much medication the user should take. Response Yes / No Answer Criteria Yes: If an app provides medication reminders or trackers used as an assistive tool OR if the app influences how much you should take e.g. insulin calculator etc. No: If an app does not provide medication reminders or trackers used as an assistive tool OR if there are no alarms to take medications. Logic There is no disablement logic written for this question. Scoring Impact There is no scoring impact associated with this question. |
|
Is the app a companion of the device, as opposed to having been designed to connect with a third party manufacturer's device? |
ORC_F26 |
Further Information
Guidance/Context This question aims to understand the context of the app and to also examine whether or not it can be used without the device. Response Yes / No Answer Criteria Yes: The app is designed to work with a specific device, and likely doesn’t function fully without it e.g. Garmin Watch with Garmin App. No: The app connects with third party devices e.g. Fitbit watch. Logic DISABLEMENT LOGIC - Disabled if DC01 does not contain Devices. Scoring Impact There is no scoring impact associated with this question. |
Monitoring
Does the app allow the monitoring of key health information?
ORC_MN01
Guidance/Context: Due to a logic issue, only one answer should be selected. If the app allows the monitoring of both General Health or Wellness data and Specific Condition data, the assessor should select Specific Condition data. This question contributes to the outcome of MN04, a question which helps determine what ESF tier the app belongs in.
Response: Multiple Choice
Answer Criteria:
  Yes - General health or Wellness data: If the app has any capability at all which allows the user to monitor any health information which the app records.
  Yes - Specific Condition data: If the app is aimed towards someone with a pre-existing condition, e.g. chronic pain, diabetes etc.
  No - None: If an app does not collect or allow the monitoring of health information.
Logic: DISABLEMENT LOGIC - Disabled if D01 is no, OR disabled if DT10 contains neither Physical and/or Mental Health Data nor General Wellness Data.
Scoring Impact: There is no scoring impact associated with this question.

Does the app involve the recording of relevant data over time for the user to access and review (with no 'intelligent' manipulation of that data by the app)?
ORC_MN02
Guidance/Context: This question aims to identify if the app allows users to record health information which can be reviewed at a later date. This question contributes to the outcome of MN04, a question which helps determine what ESF tier the app belongs in.
Response: Yes / No
Answer Criteria:
  Yes: If an app allows the recording and reviewing of data over a period of time to allow the user to monitor their health information.
  No: If an app does not collect or allow the monitoring of health information.
Logic: DISABLEMENT LOGIC - Disabled if MN01 contains None.
Scoring Impact: There is no scoring impact associated with this question.

Does the app involve the automated assessment or interpretation of relevant data to deliver alerts, insights, reminders or adjustments regarding the user's health or lifestyle?
ORC_MN03
Guidance/Context: This question aims to identify if an app provides further insight around the user's health data it collects. The app needs to be providing novel insights, automated alerts or reminders from the user's health data. If the health data is relayed back to the user with no additional information, MN03 will be no. This question contributes to the outcome of MN04, a question which helps determine what ESF tier the app belongs in.
Response: Yes / No
Answer Criteria:
  Yes: If an app allows the user to record health data, and the app then provides insight back to the user, for example in the form of alerts, reminders or adjustments regarding the user's health/lifestyle.
  No: If an app doesn't collect health data, or if it collects it and regurgitates it back to the user in the form of a simple graph, without any further insight or information.
Logic: DISABLEMENT LOGIC - Disabled if MN01 contains None.
Scoring Impact: There is no scoring impact associated with this question.

Is the app:
ORC_MN04
Guidance/Context: This question aims to differentiate between the different types of self-management and therefore the different tiers from the Evidence Standards Framework. MN01, MN02 and MN03 all feed into the outcome of this question. Below is a diagram assessors refer to during the assessment process in order to decipher what type of self-management tool they are reviewing.
Response: Multiple Option
Answer Criteria:
  A Simple Self Management app: If an app is simple monitoring with a wellbeing and general health focus = Tier Bi
  A Standard Self Management app: If an app is simple monitoring with a specific condition focus OR complex monitoring with a wellbeing and general health focus = Tier Bii
  A Complex Self Management app: If an app is complex monitoring with a specific condition focus = Tier C
Logic: DISABLEMENT LOGIC - Disabled if MN01 contains None.
Scoring Impact: There is no scoring impact associated with this question.

Is the output of the app's monitoring intended to affect the treatment of an individual?
ORC_MN05
Guidance/Context: This question aims to evidence whether the monitoring the app performs is specifically there to impact on the user's treatment.
Response: Yes / No
Answer Criteria:
  Yes: If the app provides a calculated output, based on the health information collected, which may directly impact an individual's decision regarding the treatment management of a condition. For example, a peak flow meter which shows decreasing measurements and acts as early-warning software.
  No: If the app is not intended to affect treatment management and is only carrying out complex monitoring that may display trends or other interesting data points.
Logic: DISABLEMENT LOGIC - Disabled if MN04 does not contain Complex Self Management app.
Scoring Impact: There is no scoring impact associated with this question.

Does the app allow others (i.e. not the user) to monitor or view the health data captured?
ORC_MN06
Guidance/Context: This question aims to evidence whether the app allows the monitoring of the user's health data by people who are not the user.
Response: Yes / No
Answer Criteria:
  Yes: If the app provides functionality within it that allows someone to monitor the user's collected health data. This may be a HCP, or may be a family member or friend.
  No: No functionality within the app for someone who is not the user to view the data collected within the app. The functionality needs to be within the app.
Logic: DISABLEMENT LOGIC - Disabled if MN01 contains None.
Scoring Impact: There is no scoring impact associated with this question.

Does the app automatically measure and/or record data about a user's specified condition, and transmit the data to a professional, caregiver or third party organization, without any input from the user?
ORC_MN07
Guidance/Context: This question aims to identify whether the app automatically collects and sends health data, without any sort of intervention from the user.
Response: Yes / No
Answer Criteria:
  Yes: If the app collects user health data and transmits it to somebody else, without any sort of user intervention.
  No: The app does not automatically collect data OR the app does not automatically transmit data.
Logic: DISABLEMENT LOGIC - Disabled if MN04 does not contain Specific Condition data.
Scoring Impact: There is no scoring impact associated with this question.

Does the app generate any alarms or alerts from the data recorded by the app or a connected device?
ORC_MN08
Guidance/Context: This question looks at whether the app sends a notification to the user/carer/healthcare professional based on any of the data recorded through the app itself or a connected device. For example, a diabetes app could automatically alert the user by making a sound that notifies them that their blood glucose level is either hypo (low) or hyper (high) relative to the satisfactory level it should usually be at.
Response: Yes / No
Answer Criteria:
  Yes: If the app sends an alarm, alert or notification based on any of the data collected by the app itself or a connected device.
  No: The app does not generate alarms based on the health data input, and the user has to set them themselves.
Logic: DISABLEMENT LOGIC - Disabled if MN06 is no.
Scoring Impact: There is no scoring impact associated with this question.

Are the alarms generated by user-defined filtering rules?
ORC_MN09
Guidance/Context: This question aims to identify if the user can define the filtering rules surrounding the health data and choose what boundaries trigger an alarm/alert.
Response: Yes / No
Answer Criteria:
  Yes: If the app alerts the user or HCP to a predefined abnormality manually set by the user.
  No: The app does not generate alarms based on the health data input.
  No: The app does generate alarms based on health data input, but the user cannot set these parameters themselves.
Logic: DISABLEMENT LOGIC - Disabled if MN08 is no.
Scoring Impact: There is no scoring impact associated with this question.

What type of intervention or treatment does the app provide?
ORC_TS11
Guidance/Context: This is to determine what type of treatment the app supplies. Assessors can select more than one; for example, if an app had a diary and an insulin calculator, both Self-management and Monitoring should be selected. This question helps the assessor place the app in the correct ESF tier.
Response: Multiple Choice
Answer Criteria:
  Preventative behavior change: If the app is intended to modify the user's behavior to reduce the risk of a condition.
  Psychological intervention: If the app is intended to provide a psychological intervention to someone with a diagnosed psychological condition (i.e. not non-specific stress).
  CBT: If the app is intended to provide Cognitive Behavioral Therapy to a user in full.
  Fertility: If the app is intended to be used to help with fertility treatments.
  Self-management (administering measures): If the app is intended to be used to help provide information about how much medicine should be taken, e.g. a diabetic patient advised to take X units of insulin based on information input into the app.
  Tailored treatment plan: If the app provides the user with a tailored treatment plan to improve their condition based on collected information.
  Monitoring (basic): e.g. a diary.
Logic: DISABLEMENT LOGIC - Disabled if TS05 is no AND if TS07 is no AND MN01 is None.
Scoring Impact: There is no scoring impact associated with this question.
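The Monitoring section above is a small decision procedure: MN01, MN02 and MN03 determine the MN04 self-management tier, and each later question is enabled or disabled by earlier answers. The following Python evaluator is an added illustration, not part of the Framework or of ORCHA's own tooling; it transcribes the rules as written on the page, treats "simple monitoring" as MN02 Yes/MN03 No and "complex monitoring" as MN03 Yes (an assumption, since the assessors' diagram is not reproduced here), and uses constructed sample assessments.

```python
"""Added example: evaluator for the Monitoring section's disablement logic and
the MN04 tier rule. Not part of the Digital Health Assessment Framework or of
ORCHA's own tooling; question IDs and rules are transcribed from the page."""
from typing import Callable, Dict, List, Optional, Tuple

Answers = Dict[str, object]


def _is_no(answers: Answers, qid: str) -> bool:
    """'X is no' as the page uses it; an unanswered (e.g. disabled) question
    counts as No so that the questions depending on it are disabled too."""
    return answers.get(qid) in (None, "No")


def _contains(answers: Answers, qid: str, value: str) -> bool:
    """'X contains value': substring match for a single-choice answer string,
    membership for a multi-select answer given as a list; unanswered = False."""
    v = answers.get(qid)
    return v is not None and value in v


# Disablement rules transcribed from the page. Each returns True when the
# question is DISABLED (not asked) for the answers recorded so far.
DISABLED_IF: Dict[str, Callable[[Answers], bool]] = {
    # Disabled if D01 is no, OR if DT10 contains neither health nor wellness data.
    "MN01": lambda a: _is_no(a, "D01") or not (
        _contains(a, "DT10", "Physical and/or Mental Health Data")
        or _contains(a, "DT10", "General Wellness Data")),
    # "Disabled if MN01 contains None": both enabling MN01 options start "Yes".
    "MN02": lambda a: not _contains(a, "MN01", "Yes"),
    "MN03": lambda a: not _contains(a, "MN01", "Yes"),
    "MN04": lambda a: not _contains(a, "MN01", "Yes"),
    "MN05": lambda a: not _contains(a, "MN04", "Complex Self Management app"),
    "MN06": lambda a: not _contains(a, "MN01", "Yes"),
    # The page writes this rule against MN04. None of the MN04 options contain
    # "Specific Condition data" (that text is an MN01 option), so as written
    # MN07 is never enabled; the rule is kept exactly as the page states it.
    "MN07": lambda a: not _contains(a, "MN04", "Specific Condition data"),
    "MN08": lambda a: _is_no(a, "MN06"),
    "MN09": lambda a: _is_no(a, "MN08"),
}
MONITORING_ORDER = list(DISABLED_IF)  # MN01 .. MN09 in page order


def is_disabled(qid: str, answers: Answers) -> bool:
    """True if the question is disabled given the answers recorded so far."""
    rule = DISABLED_IF.get(qid)
    return rule is not None and rule(answers)


def mn04_tier(answers: Answers) -> Optional[Tuple[str, str]]:
    """Derive the MN04 answer and its ESF tier from MN01, MN02 and MN03.
    Assumption: complex monitoring = MN03 Yes; simple = MN02 Yes and MN03 No.
    Returns None when MN04 is disabled or neither kind of monitoring is present."""
    if is_disabled("MN04", answers):
        return None
    specific = _contains(answers, "MN01", "Specific Condition data")
    complex_monitoring = answers.get("MN03") == "Yes"
    simple_monitoring = answers.get("MN02") == "Yes" and not complex_monitoring
    if complex_monitoring and specific:
        return ("Complex Self Management app", "Tier C")
    if (simple_monitoring and specific) or (complex_monitoring and not specific):
        return ("Standard Self Management app", "Tier Bii")
    if simple_monitoring:
        return ("Simple Self Management app", "Tier Bi")
    return None


def questions_asked(answers: Answers) -> List[str]:
    """Walk MN01..MN09 in page order, filling in MN04 from MN01-MN03, and
    return the IDs of the questions that are enabled for this assessment."""
    a = dict(answers)
    asked: List[str] = []
    for qid in MONITORING_ORDER:
        if qid == "MN04":
            tier = mn04_tier(a)
            if tier is not None:
                a["MN04"] = tier[0]  # MN05 depends on the derived MN04 answer
        if not is_disabled(qid, a):
            asked.append(qid)
    return asked


# Constructed sample assessments (not real products).
DIABETES_APP: Answers = {
    "D01": "Yes",
    "DT10": ["Physical and/or Mental Health Data"],
    "MN01": "Yes - Specific Condition data",
    "MN02": "Yes",
    "MN03": "Yes",   # hypo/hyper glucose alerts = automated interpretation
    "MN06": "Yes",   # a family member can view the readings
    "MN08": "Yes",
}
STEP_COUNTER: Answers = {
    "D01": "Yes",
    "DT10": ["General Wellness Data"],
    "MN01": "Yes - General health or Wellness data",
    "MN02": "Yes",
    "MN03": "No",    # readings are only charted back to the user
    "MN06": "No",
}
```

Running `questions_asked(DIABETES_APP)` yields MN01 to MN06, MN08 and MN09, with MN07 skipped because of the MN04 wording noted in the code; the step counter lands in Tier Bi and never reaches MN05, MN08 or MN09.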
Online Consultations
Can the app be used for patients to have online consultations, conversations, or related Health Care services with a healthcare professional?
ORC_F14
Guidance/Context: This question provides further context around the functionality of the app.
Response: Yes / No
Answer Criteria:
  Yes: If the app allows the user to access a consultation with relevant professionals. This would be a call or online chat directly with a doctor or professional in the relevant field.
  No: The app does not allow consultations or other communication with a relevant professional through the app.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is this through video consultation?
ORC_OC02
Guidance/Context: This question follows on from the previous question and is also a data capture question. It aims to determine how exactly online conversations and consultations are held.
Response: Yes / No
Answer Criteria:
  Yes: If the user can have a video consultation directly with a relevant professional via the app.
  No: If a video call consultation with the relevant professional is not available via the app.
Logic: DISABLEMENT LOGIC - Disabled if F14 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the app allow healthcare professionals to provide clinical advice, as opposed to the app providing advice itself?
ORC_EF09
Guidance/Context: This question provides further context around the functionality of the app and, importantly, informs the user where the advice comes from.
Response: Yes / No
Answer Criteria:
  YES: If the app enables a HCP to provide advice in whatever format through the app. This may be video consultation, instant messaging or other platform communications.
  NO: The app does not allow consultations or other communication from a relevant professional through the app.
Logic: DISABLEMENT LOGIC - Disabled if F14 is no.
Scoring Impact: There is no scoring impact associated with this question.

If the app allows healthcare professionals to provide clinical advice through the app, rather than the app providing the advice itself, how does it do this?
ORC_OC01
Guidance/Context: This question is a data capture question. It aims to collect information about exactly how the app allows a professional to supply clinical advice.
Response: Free text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if EF09 is no.
Scoring Impact: There is no scoring impact associated with this question.
Administrative Services
Is this an administrative app which does not directly impact patient care?
ORC_AS01
Guidance/Context: This question allows us to understand further the functionality of the app; it helps us with our adapted ESF tiering.
Response: Yes / No
Answer Criteria:
  Yes: If the app provides a digital solution for the internal administrative running of healthcare systems, e.g. if the app aids appointment bookings, staff rosters, job lists etc.
  No: If there is any potential impact on a patient's treatment; this includes messaging apps.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

What administrative functions does the app provide?
ORC_AS02
Guidance/Context: This question allows us to understand further the functionality of the app; it helps us with our adapted ESF tiering.
Response: Multiple Choice
Answer Criteria:
  Schedule Management
  Appointment Booking
  Prescription Management
  Building Maintenance
Logic: DISABLEMENT LOGIC - Disabled if AS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is the app used to facilitate communication between healthcare professionals other than for consultation or the delivery of advice?
ORC_AS03
Guidance/Context: This question allows us to understand further the functionality of the app; it helps us with our adapted ESF tiering.
Response: Yes / No
Answer Criteria:
  Yes: If the app supports communication between healthcare professionals.
  No: If any communication within the app is between users or patients and does not involve a healthcare professional.
Logic: DISABLEMENT LOGIC - Disabled if AS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the app allow users to book appointments with a healthcare professional?
ORC_AS04
Guidance/Context: This question allows us to understand further the functionality of the app.
Response: Yes / No
Answer Criteria:
  Yes: If users can book appointments with their own GP through patient access.
  Yes: If users can book appointments through the app.
  No: If you can only add appointments to a calendar for organizational purposes rather than actually booking in with a healthcare professional.
Logic: DISABLEMENT LOGIC - Disabled if AS01 is no.
Scoring Impact: There is no scoring impact associated with this question.
Pharmacy
Does the app allow users to order and request prescriptions?
ORC_F13
Guidance/Context: This question helps identify if an app can help a user order/request prescriptions.
Response: Yes / No
Answer Criteria:
  Yes: If the app allows users to order or request a prescription from a healthcare professional, healthcare provider or pharmacy.
  No: If the app only allows the user to record what prescription they would like to request. This would only be acting as a reminder to the user.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Reminders/Notifications
Does the app send push notifications?
ORC_D29
Guidance/Context: This is an information capture question which helps inform the functions and features.
Response: Yes / No
Answer Criteria:
  Yes: If the app sends push notifications to the device.
  No: If there are only in-app notifications which are not pushed to the device.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app send email notifications?
ORC_D30
Guidance/Context: This is an information capture question which helps inform the functions and features.
Response: Yes / No
Answer Criteria:
  Yes: If the app sends personalized email notifications relating to the user's use of the app.
  No: If the only emails are marketing/newsletters.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
External Device
Is the app's main functionality dependent on the user having one of the devices to connect with the app?
ORC_F27
Guidance/Context: This question aims to identify if an app can only be used for its intended purposes if a user has access to one of the connected devices.
Response: Yes / No
Answer Criteria:
  Yes: If the app ONLY works with a companion device. For instance, the user is unable to input data and therefore cannot use the app at all without the device.
  No: If there is a companion device but the app can still be used independently.
Logic: DISABLEMENT LOGIC - Disabled if DC01 does not contain Devices.
Scoring Impact: There is no scoring impact associated with this question.

Do any of the features or functions of the app appear to allow it to be used to control a medical device?
ORC_F30
Guidance/Context: This question aims to
Response: Yes / No
Answer Criteria:
  Yes: If the app is used to control an external medical device.
  No: The app connects with an external device which is not classified as a medical device.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Forums and Contacts
Are there opportunities to link with other users (buddying, forums or group education)?
ORC_U19
Guidance/Context: This is an information capture question which helps inform the functions and features.
Response: Yes / No
Answer Criteria:
  Yes: If there is any way for users to communicate with other users within the app. This can be through messaging, internal forums, connecting with friends, communicating with a healthcare professional etc.
  No: If you can only send a report to a doctor via email, for example.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app provide an internally hosted forum or online community for their users?
ORC_FC01
Guidance/Context: This question refers to forums which are within the app rather than ones hosted externally via Facebook, the developer's website etc.
Response: Yes / No
Answer Criteria:
  Yes: If the app has an internal forum.
  No: If the app provides links to a third-party forum or an externally hosted forum. One-to-one communication is not a forum.
Logic: DISABLEMENT LOGIC - Disabled if U19 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the app link to a third-party service to host a forum or online community for their users?
ORC_FC02
Guidance/Context: This question refers to forums which are hosted externally via Facebook, the developer's website etc. rather than within the app.
Response: Yes / No
Answer Criteria:
  Yes: If the app provides links to a third-party forum or an externally hosted forum.
  No: If the app links to a Facebook page which is not a forum, or if the only forum is in-app.
Logic: DISABLEMENT LOGIC - Disabled if U19 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the app allow two-way communication between citizens, patients or healthcare professionals?
ORC_EF10
Guidance/Context: This question is an information capture question which informs functions and features. The two-way communication needs to exist within the app (through chat functions, a forum or video call) and must be between two or more people.
Response: Yes / No
Answer Criteria:
  Yes: If the app allows for any two-way communication between any two people.
  No: If the app does not enable two-way communication between two or more people.
Logic: DISABLEMENT LOGIC - Disabled if U19 is no.
Scoring Impact: There is no scoring impact associated with this question.
Goal Setting
Does the app provide gamification or goal setting features for the user?
ORC_F06
Guidance/Context: This question is an information capture question which informs functions and features. The gamification or goal setting features must somehow relate to the user's health or wellbeing.
Response: Yes / No
Answer Criteria:
  Yes: If you can choose a goal, or get badges or achievements through use of the app.
  Yes: If the app provides targets, or you can set your own targets.
  Yes: If the app encourages engagement with rewards.
  No: No goal setting or gamification, or the gamification has no real purpose.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app set goals for the user?
ORC_GS01
Guidance/Context: This question follows on from the previous one and aims to identify what type of goals exist in the app.
Response: Multiple Choice
Answer Criteria:
  Tailored: If the goals are specific to the user. For example, the user can input health parameters and the app generates a goal based on those readings.
  Generic: If the set goals are generic for all users. For instance, goals that are pre-set within the app and are the same for each user.
  User defined: If the user can manually or directly specify or customize their goal. For example, the user can choose a weight loss goal which they set themselves.
Logic: DISABLEMENT LOGIC - Disabled if F06 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the app allow the user to set goals for themselves?
ORC_U21
Guidance/Context: This question allows us to understand further the functionality of the app; it helps us with our adapted ESF tiering.
Response: Yes / No
Answer Criteria:
  Yes: If 'User defined' has been selected in the previous question (ORC_F06).
  No: If only 'Tailored' or 'Generic' has been selected in the previous question (ORC_F06).
Logic: DISABLEMENT LOGIC - Disabled if F06 is no.
Scoring Impact: There is no scoring impact associated with this question.
Customization
Can the app presentation be customized by the user? | ORC_CUS01
Guidance/Context: This question aims to identify if the user can edit the style of the app to suit their needs and/or preferences.
Response: Yes / No
Answer Criteria:
Yes: If any changes can be made to the presentation theme within the app. This includes editing the background, colors, profile picture, language, measuring units etc.
No: If the presentation of the app cannot be edited or customized by the user in any way.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app respond to preferences in the device? | ORC_CUS02
Guidance/Context: This question aims to identify if the user can set preferences on the device which are carried through to the app to suit their needs and/or preferences.
Response: Yes / No
Answer Criteria:
Yes: If the app responds to changes in font size.
Yes: If the app provides support options for users with poor vision/poor hearing.
No: If the app only responds to in-app preferences.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Business Model
Is the app totally free? | ORC_U29
Guidance/Context: This is an information capture question used to inform users whether the app is completely free or whether there are costs of some sort involved. If the app has any costs associated with it, ranging from in-app purchases to licenses required by a healthcare provider, the assessor should answer this question no. If the app requires the user to purchase an associated device in order to use the app, the assessor should answer this question no.
Response: Yes / No
Answer Criteria:
Yes: If the app is free to download AND has no in-app purchases or subscriptions AND costs are not incurred or covered by any third party organization/employees (for instance, licenses do NOT need to be purchased for distribution).
No: If licenses need to be purchased for distribution.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

How is the app funded? | ORC_BM01
Guidance/Context: This question aims to identify the business model behind the app. If the answer is not apparent through publicly available information, the assessor should select Self-funded as a default.
Response: Multiple Choice
Answer Criteria:
In-app purchase: If the app is funded through the user purchasing something within the app after downloading.
Subscription: If the app is funded through subscription fees which the user has to pay in order to download the app.
One off payment: If the app is funded through one off payments which the user needs to pay in order to download the app.
Licensed by doctor/healthcare provider: If the app is funded through licenses which need to be purchased in order for doctors/healthcare providers to provide access to their patients.
Donations: If the app is funded through donations.
Government or similar grant: If the app is funded through a government or similar grant.
Charity / Non profit: If the app is funded by a charity or non-profit organization.
Self-funded: If the app is self-funded by the people who run the company, OR if there is no evidence of how the app is funded.
Logic: DISABLEMENT LOGIC - Disabled if U29 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the app contain advertisements? | ORC_U27
Guidance/Context: This question aims to identify if the app displays advertisements for external products/services. If the app advertises its own subscriptions or in-app purchases, this does not count.
Response: Yes / No
Answer Criteria:
Yes: If the app has adverts for other products/services within it.
No: If the app contains adverts only for its own in-app purchases.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Benefits
What are the claimed or implied benefits of the App? | ORC_BF01
Guidance/Context: This question aims to identify the intended purpose of the app by highlighting the claimed / implied benefits. If the assessor reads a clear benefit described by the developer, this is a claimed benefit. If the assessor has to infer a benefit from text written by the developer, this is an implied benefit. If a claimed or implied benefit does not appear in the list below, the assessor should select Other Claimed/Implied Benefit and describe the benefit very clearly. In order for evidence to meet the requirements of the framework, the evidence of efficacy should relate to the benefits / intended purposes of the app.
Response: Multiple Choice
Answer Criteria:
Cost savings to the healthcare system
Increased access to care
Improved diagnostic or risk assessment
Improved quality of treatment
Improved recovery
Reduced readmission or re-referral
Improved management of a condition
Preventative Behavior Change
Improved mental wellbeing
Improved physical wellbeing
Improved system/process efficiency
Other Claimed Benefit (please describe)
Other Implied Benefit (please describe)
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
DATA & PRIVACY
Prior to answering any questions in the Data & Privacy area of the assessment, the Scene Setters will have captured much of the practical information about the observed data capture and use. There are no scoring implications of the Scene Setter questions. At this point, the assessment will have determined whether any data is collected and retained, which data types are collected and shared, and how that data is used.
The DHAF is particularly interested in whether the app collects personally identifiable data or sensitive data, as well as cookies and device information data. If the app does make use of cookies, the DHAF will also consider the information provided in the cookie policy (if available).
Also within the Scene Setters section, the DHAF looks at what user data is shared, who it is shared with, how it is shared (either manually or automatically), and whether the user has control or choice over this. The DHAF considers whether the app is able to connect to any third-party apps or external devices. If so, it then considers whether the app offers the user any choice in connecting to other apps or devices. Data sharing to other apps or devices can be of benefit, provided the user has given explicit consent and has control over the sharing of their data.
The DHAF looks into data use, data storage and transit, data standards and management, compliance with HIPAA, and the application of the best practice enshrined in the UK/EU General Data Protection Regulation 2018 (GDPR). The assessment looks into the privacy information that is publicly available to the end-user, contained within the privacy policy applicable to the health app. The following questions detail what information is expected to be provided to the user in relation to the use of their data.
Need for HIPAA Compliance
Does the person, business, or agency furnish, bill, or receive payment for health care in the normal course of business? | HIPAA1_1
Guidance/Context: A provider of health care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business.
Response: Yes / No
Answer Criteria:
Yes: If an organization conducting business in the US furnishes, bills or receives payment for the provision of health care to US citizens, then it is likely to fall in scope as a covered entity under HIPAA.
No: The person, business, or agency is NOT a covered health care provider and therefore not a covered entity.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the person, business, or agency transmit (send) any covered transactions electronically? | HIPAA1_2
Guidance/Context: Health care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction (e.g., billing) for which a HIPAA standard has been adopted by HHS.
Response: Yes / No
Answer Criteria:
Yes: The person, business, or agency is a covered health care provider and therefore a covered entity.
No: The person, business, or agency is NOT a covered health care provider and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA1_1 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the business or agency process, or facilitate the processing of, health information from nonstandard format or content into standard format or content, or from standard format or content into nonstandard format or content? | HIPAA2_1
Guidance/Context: A public or private entity, including a billing service, repricing company, or community health information system, that processes non-standard data or transactions received from another entity into standard transactions or data elements, or vice versa.
Response: Yes / No
Answer Criteria:
Yes: The business or agency may be a health care clearinghouse and therefore may be a covered entity.
No: The business or agency is NOT a health care clearinghouse and therefore not a covered entity.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the business or agency perform this function for another legal entity? | HIPAA2_2
Guidance/Context: A public or private entity, including a billing service, repricing company, or community health information system, that processes non-standard data or transactions received from another entity into standard transactions or data elements, or vice versa.
Response: Yes / No
Answer Criteria:
Yes: The business or agency is a health care clearinghouse and therefore a covered entity.
No: The business or agency is NOT a health care clearinghouse and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA2_1 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan an individual or group plan, or combination thereof, that provides, or pays for the cost of, medical care? | HIPAA3_1
Guidance/Context: An individual or group plan that provides, or pays the cost of, medical care. Health plans include private entities (e.g., health insurers and managed care organizations).
Response: Yes / No
Answer Criteria:
Yes: The plan may be a health plan and therefore a covered entity.
No: The plan is NOT a health plan and therefore not a covered entity.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan a group health plan? | HIPAA3_2
Guidance/Context: A "Group Health Plan" (GHP) is health insurance offered by an employer, union or association to its members while they are still working. GHP coverage is based on current employment.
Response: Yes / No
Answer Criteria:
Yes: The person, business or agency may be a group health plan and therefore may be a covered entity.
No: The person, business, or agency is NOT a group health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_1 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the plan have fewer than 50 participants? | HIPAA3_3
Guidance/Context: Active if HIPAA3_2 is YES.
Response: Yes / No
Answer Criteria:
Yes: The person, business or agency may be a group health plan and therefore may be a covered entity.
No: The person, business, or agency is NOT a group health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_2 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan self-administered? | HIPAA3_4
Guidance/Context: A self-insured group health plan (or a 'self-funded' plan, as it is also called) is one in which the employer assumes the financial risk for providing health care benefits to its employees.
Response: Yes / No
Answer Criteria:
Yes: The plan is NOT a health plan and therefore not a covered entity.
No: The plan is a health plan and therefore a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_2 is no OR if HIPAA3_3 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan a health insurance issuer? | HIPAA3_5
Guidance/Context: Health insurance issuer (as defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2)) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is not a health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_2 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan an issuer of a Medicare supplemental policy? | HIPAA3_6
Guidance/Context: Medigap is Medicare Supplement Insurance that helps fill "gaps" in Original Medicare and is sold by private companies. Original Medicare pays for much, but not all, of the cost of covered health care services and supplies. A Medicare Supplement Insurance (Medigap) policy can help pay some of the remaining health care costs, like copayments.
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is not a health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_5 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan a health maintenance organization (HMO)? | HIPAA3_7
Guidance/Context: HMO means "Health Maintenance Organization." HMO plans offer a wide range of health care services through a network of providers that contract exclusively with the HMO, or who agree to provide services to members at a pre-negotiated rate. As a member of an HMO, you will need to choose a primary care physician ("PCP") who will provide most of your health care and refer you to HMO specialists as needed. Some HMO plans require that you fulfill a deductible before services are covered. Others only require you to make a copayment when services are rendered. Health care services obtained outside of the HMO are typically not covered, though there may be exceptions in the case of an emergency.
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is not a health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_6 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan a multi-employer welfare benefit plan? | HIPAA3_8
Guidance/Context: An arrangement offered by two or more employers to provide health or welfare benefits to the employers' employees and their beneficiaries, but excluding arrangements established or maintained under a collective bargaining agreement (CBA).
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is not a health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_7 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan an issuer of long-term care policies? | HIPAA3_9
Guidance/Context: Under HIPAA, qualified long-term care services mean necessary diagnostic, preventive, therapeutic, curing, treating, mitigating, rehabilitative services, and personal care which are required by a chronically ill person and are provided according to a plan of care prescribed by a licensed health care practitioner.
Response: Yes / No
Answer Criteria:
Yes: The plan may be a health plan and may be a covered entity.
No: The plan is not a health plan and is therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_8 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Does the plan provide only nursing home fixed-indemnity policies? | HIPAA3_10
Guidance/Context: Fixed indemnity health insurance is a type of medical insurance that pays a predetermined amount on a per-period or per-incident basis, regardless of the total charges incurred.
Response: Yes / No
Answer Criteria:
Yes: The plan is NOT a health plan and therefore not a covered entity.
No: The plan is a health plan and therefore a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_8 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the plan provide only excepted benefits? | HIPAA3_11
Guidance/Context: The requirements of this part do not apply to any individual coverage in relation to its provision of the benefits described in paragraphs (a) and (b) of this section (or any combination of the benefits).
(a) Benefits excepted in all circumstances. The following benefits are excepted in all circumstances:
(1) Coverage only for accident (including accidental death and dismemberment).
(2) Disability income insurance.
(3) Liability insurance, including general liability insurance and automobile liability insurance.
(4) Coverage issued as a supplement to liability insurance.
(5) Workers' compensation or similar insurance.
(6) Automobile medical payment insurance.
(7) Credit-only insurance (for example, mortgage insurance).
(8) Coverage for on-site medical clinics.
(9) Travel insurance, within the meaning of § 144.103 of this subchapter.
(b) Other excepted benefits. The requirements of this part do not apply to individual health insurance coverage described in paragraphs (b)(1) through (b)(6) of this section if the benefits are provided under a separate policy, certificate, or contract of insurance. These benefits include the following:
(1) Limited scope dental or vision benefits. These benefits are dental or vision benefits that are limited in scope to a narrow range or type of benefits that are generally excluded from benefit packages that combine hospital, medical, and surgical benefits.
(2) Long-term care benefits. These benefits are benefits that are either: (i) subject to State long-term care insurance laws; (ii) for qualified long-term care insurance services, as defined in section 7702B(c)(1) of the Code, or provided under a qualified long-term care insurance contract, as defined in section 7702B(b) of the Code; or (iii) based on cognitive impairment or a loss of functional capacity that is expected to be chronic.
(3) Coverage only for a specified disease or illness (for example, cancer policies) if the policies meet the requirements of § 146.145(b)(4)(ii)(B) and (C) of this subchapter regarding non-coordination of benefits.
(4) Hospital indemnity or other fixed indemnity insurance only if: (i) the benefits are provided only to individuals who attest, in their fixed indemnity insurance application, that they have other health coverage that is minimum essential coverage within the meaning of section 5000A(f) of the Internal Revenue Code, or that they are treated as having minimum essential coverage due to their status as a bona fide resident of any possession of the United States pursuant to Code section 5000A(f)(4)(B); (ii) there is no coordination between the provision of benefits and an exclusion of benefits under any other health coverage; (iii) the benefits are paid in a fixed dollar amount per period of hospitalization or illness and/or per service (for example, $100/day or $50/visit) regardless of the amount of expenses incurred and without regard to the amount of benefits provided with respect to the event or service under any other health coverage; (iv) a notice is displayed prominently in the application materials in at least 14 point type that has the following language: "THIS IS A SUPPLEMENT TO HEALTH INSURANCE AND IS NOT A SUBSTITUTE FOR MAJOR MEDICAL COVERAGE. LACK OF MAJOR MEDICAL COVERAGE (OR OTHER MINIMUM ESSENTIAL COVERAGE) MAY RESULT IN AN ADDITIONAL PAYMENT WITH YOUR TAXES."; (v) the requirement of paragraph (b)(4)(iv) of this section applies to all hospital or other fixed indemnity insurance policy years beginning on or after January 1, 2015, and the requirement of paragraph (b)(4)(i) of this section applies to hospital or other fixed indemnity insurance policies issued on or after January 1, 2015, and to hospital or other fixed indemnity policies issued before that date, upon their first renewal occurring on or after October 1, 2016.
(5) Medicare supplemental health insurance (as defined under section 1882(g)(1) of the Social Security Act, 42 U.S.C. 1395ss, also known as Medigap or MedSupp insurance). The requirements of this part 148 (including genetic nondiscrimination requirements) do not apply to Medicare supplemental health insurance policies. However, Medicare supplemental health insurance policies are subject to similar genetic nondiscrimination requirements under section 104 of the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-233), as incorporated into the NAIC Model Regulation relating to sections 1882(s)(2)(e) and (x) of the Act (the NAIC Model Regulation can be accessed at http://www.naic.org).
(6) Coverage supplemental to the coverage provided under Chapter 55, Title 10 of the United States Code (also known as CHAMPUS supplemental programs).
(7) Similar supplemental coverage provided to coverage under a group health plan (as described in § 146.145(b)(5)(i)(C) of this subchapter).
Response: Yes / No
Answer Criteria:
Yes: The plan is NOT a health plan and therefore not a covered entity.
No: The plan is a health plan and therefore a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA3_9 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the program one of the listed government health plans? | HIPAA4_1
Guidance/Context:
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is not a health plan and therefore not a covered entity.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is the program an individual or group plan that provides, or pays the cost of, medical care? | HIPAA4_2
Guidance/Context: An individual or group plan that provides, or pays the cost of, medical care. Health plans include government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration).
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is NOT a health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA4_1 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the program a high risk pool? | HIPAA4_3
Guidance/Context: Similar to the Pre-Existing Condition Insurance Plan under the Affordable Care Act, for years many states have offered plans that provide coverage if you have been locked out of the individual insurance market because of a pre-existing condition. High-risk pool plans may also offer coverage if you're HIPAA eligible or meet other requirements. High-risk pool plans offer health insurance coverage that is subsidized by a state government. Typically, your premium is up to twice as much as you would pay for individual coverage if you were healthy.
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is not a health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA4_2 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is the plan a health maintenance organization (HMO)? | HIPAA4_4
Guidance/Context: A type of health insurance plan that usually limits coverage to care from doctors who work for or contract with the HMO. It generally won't cover out-of-network care except in an emergency. An HMO may require you to live or work in its service area to be eligible for coverage. HMOs often provide integrated care and focus on prevention and wellness.
Response: Yes / No
Answer Criteria:
Yes: The plan is a health plan and therefore a covered entity.
No: The plan is not a health plan and therefore not a covered entity.
Logic: DISABLEMENT LOGIC - Disabled if HIPAA4_3 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the principal activity of the program providing health care directly? | HIPAA4_5
Guidance/Context: Direct healthcare is healthcare directly purchased by and delivered to an organization and its members, with no third party in between. Most often, the purchasing organization is a large, self-funded employer, or another aggregating entity like an association, trust, Taft-Hartley plan, or labor union.
Response: Yes / No
Answer Criteria:
Yes: The plan is NOT a health plan and therefore not a covered entity.
No:
Logic: DISABLEMENT LOGIC - Disabled if HIPAA4_4 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the principal activity of the program the making of grants to fund the direct provision of healthcare (e.g. through funding a health clinic)? | HIPAA4_6
Guidance/Context: Grant - a sum of money given by a government or other organization for a particular purpose, in this instance health care.
Response: Yes / No
Answer Criteria:
Yes: The plan is NOT a health plan and therefore not a covered entity.
No:
Logic: DISABLEMENT LOGIC - Disabled if HIPAA4_5 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Is the principal purpose of the program other than providing or paying the cost of health care (e.g. operating a prison system, running a scholarship or fellowship program)? | HIPAA4_7
Guidance/Context: Where the principal purpose of the program is not the provision of, or paying the cost of, health care, the plan is not a health plan and therefore the organization is not a covered entity.
Response: Yes / No
Answer Criteria:
Yes: The plan is NOT a health plan and therefore not a covered entity.
No:
Logic: DISABLEMENT LOGIC - Disabled if HIPAA4_6 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Does the program provide only expected benefits? |
HIPAA4_8 |
Further Information
Guidance/Context The requirements of this part do not apply to any individual coverage in relation to its provision of the benefits described in paragraphs (a) and (b) of this section (or any combination of the benefits). (a) Benefits excepted in all circumstances. The following benefits are excepted in all circumstances: (1) Coverage only for accident (including accidental death and dismemberment) (2) Disability income insurance. (3) Liability insurance, including general liability insurance and automobile liability insurance. (4) Coverage issued as a supplement to liability insurance. (5) Workers' compensation or similar insurance. (6) Automobile medical payment insurance. (7) Credit-only insurance (for example, mortgage insurance). (8) Coverage for on-site medical clinics. (9) Travel insurance, within the meaning of § 144.103 of this subchapter.
(b) Other excepted benefits. The requirements of this part do not apply to individual health insurance coverage described in paragraphs (b)(1) through (b)(6) of this section if the benefits are provided under a separate policy, certificate, or contract of insurance. These benefits include the following: (1) Limited scope dental or vision benefits. These benefits are dental or vision benefits that are limited in scope to a narrow range or type of benefits that are generally excluded from benefit packages that combine hospital, medical, and surgical benefits. (2) Long-term care benefits. These benefits are benefits that are either - (i) Subject to State long-term care insurance laws; (ii) For qualified long-term care insurance services, as defined in section 7702B(c)(1) of the Code, or provided under a qualified long-term care insurance contract, as defined in section 7702B(b) of the Code; or (iii) Based on cognitive impairment or a loss of functional capacity that is expected to be chronic. (3) Coverage only for a specified disease or illness (for example, cancer policies) if the policies meet the requirements of § 146.145(b)(4)(ii)(B) and (C) of this subchapter regarding noncoordination of benefits. (4) Hospital indemnity or other fixed indemnity insurance only if - (i) The benefits are provided only to individuals who attest, in their fixed indemnity insurance application, that they have other health coverage that is minimum essential coverage within the meaning of section 5000A(f) of the Internal Revenue Code, or that they are treated as having minimum essential coverage due to their status as a bona fide resident of any possession of the United States pursuant to Code section 5000A(f)(4)(B). (ii) There is no coordination between the provision of benefits and an exclusion of benefits under any other health coverage. 
(iii) The benefits are paid in a fixed dollar amount per period of hospitalization or illness and/or per service (for example, $100/day or $50/visit) regardless of the amount of expenses incurred and without regard to the amount of benefits provided with respect to the event or service under any other health coverage. (iv) A notice is displayed prominently in the application materials in at least 14 point type that has the following language: “THIS IS A SUPPLEMENT TO HEALTH INSURANCE AND IS NOT A SUBSTITUTE FOR MAJOR MEDICAL COVERAGE. LACK OF MAJOR MEDICAL COVERAGE (OR OTHER MINIMUM ESSENTIAL COVERAGE) MAY RESULT IN AN ADDITIONAL PAYMENT WITH YOUR TAXES.” (v) The requirement of paragraph (b)(4)(iv) of this section applies to all hospital or other fixed indemnity insurance policy years beginning on or after January 1, 2015, and the requirement of paragraph (b)(4)(i) of this section applies to hospital or other fixed indemnity insurance policies issued on or after January 1, 2015, and to hospital or other fixed indemnity policies issued before that date, upon their first renewal occurring on or after October 1, 2016. (5) Medicare supplemental health insurance (as defined under section 1882(g)(1) of the Social Security Act. 42 U.S.C. 1395ss, also known as Medigap or MedSupp insurance). The requirements of this part 148 (including genetic nondiscrimination requirements), do not apply to Medicare supplemental health insurance policies. However, Medicare supplemental health insurance policies are subject to similar genetic nondiscrimination requirements under section 104 of the Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-233), as incorporated into the NAIC Model Regulation relating to sections 1882(s)(2)(e) and (x) of the Act (The NAIC Model Regulation can be accessed at http://www.naic.org .). (6) Coverage supplemental to the coverage provided under Chapter 55, Title 10 of the United States Code (also known as CHAMPUS supplemental programs). 
(7) Similar supplemental coverage provided to coverage under a group health plan (as described in § 146.145(b)(5)(i)(C) of this subchapter). Yes: The plan is NOT a health plan and therefore not a covered entity.No: The plan is a health plan and therefore a covered entity. Response Yes / No Answer Criteria Yes: The plan is NOT a health plan and therefore not a covered entity. No: The plan is a health plan and therefore a covered entity. Logic DISABLEMENT LOGIC - Disabled if HIPAA4_7 is yes. Scoring Impact There is no scoring impact associated with this question. |
Is there documentation or a statement on the site that indicates this app is a business associate to a covered entity, and therefore should be HIPAA compliant?
HIPAA5_1
Further Information
Guidance/Context: A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. They have an obligation to comply with HIPAA in line with each covered entity's own HIPAA compliance policies.
Response: Yes / No
Answer Criteria:
Yes: The business or agency is a business associate and therefore is required to be HIPAA compliant.
No:
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Is the organization required to be HIPAA compliant?
HIPAA6_3
Further Information
Guidance/Context: If the product has been identified as a covered entity or business associate then the organization is required to be HIPAA compliant.
Response: Yes / No
Answer Criteria:
Yes: If any of the above responses indicate that the organization is a covered entity or business associate.
No: If the above responses indicate that the organization is not a covered entity or a business associate.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Is there a statement or evidence that the organization is compliant with HIPAA requirements?
HIPAA6_1
Further Information
Guidance/Context: Covered entities would be expected to provide a statement to say they are compliant with HIPAA requirements. If they are a business associate then they would not be required to provide their own statement of HIPAA compliance, but many of the rules and regulations would likely be found in their privacy statement, e.g. the minimum necessary rule, the privacy rule etc.
Response: Yes / No
Answer Criteria:
Yes: If there is a statement of compliance with HIPAA.
No: If there is no statement of compliance.
Logic: DISABLEMENT LOGIC - Disabled if the developer has not been identified as a Covered Entity or Business Associate based on responses to HIPAA1_1 - HIPAA5_1.
Scoring Impact: Exceptionally high risk if the organization is required to be HIPAA compliant (HIPAA6_3 is yes) and there is no evidence of HIPAA compliance (HIPAA6_1 is no).
Is there a statement or evidence that the organization is HITRUST certified?
HIPAA6_2
Further Information
Guidance/Context: For companies that are NOT covered entities, this question is a demonstration of being “HIPAA Ready”. For those that are covered entities, it is a way of demonstrating their compliance with HIPAA requirements.
Response: Yes / No
Answer Criteria:
Yes: If the organization displays a HITRUST badge or certificate.
No: If there is no evidence of HITRUST certification.
Logic: There is no disablement logic written for this question.
Scoring Impact: High value if the organization is not required to be HIPAA compliant but is HITRUST certified. Medium value if there is evidence the organization is HIPAA compliant (HIPAA6_1) and the organization is HITRUST certified (HIPAA6_2).
Privacy Policy
Initially, the assessment identifies the relevant privacy policy for the app, which is available to users through the app and/or the App Store or Play Store. The more transparent the privacy policy, the better. Ultimately, the privacy policy must clearly state that user data will not be used or shared with other parties, except as described in the privacy policy, or without the express consent of the user. Ideally, it will identify:
· what data is collected from the user and how,
· if the user is informed of the developer’s intentions with processing and sharing their data, and
· if the user’s consent is obtained.
The privacy policy should accurately reflect the data usage of the app. The assessors will be able to note if any data is collected outside of what is detailed in the privacy policy. Additionally, the policy should inform users of the developer’s intent to use their data for marketing purposes. If user data is shared for any other purposes other than basic use of the app, or legal obligations, then the review considers if the user is able to opt-out of these activities.
Is there a Privacy Policy clearly available via the app?
ORC_D39a
Further Information
Guidance/Context: This question should only be active if personal and/or sensitive data is collected by the app and is shared with the developer/third parties etc. If this appears to be wrongly active then check back on the data scene setters.
Response Type: Yes / No
Answer Criteria:
Yes: If any data is collected by or through the app, in any way, including data such as usage data, cookies etc.
Logic: DISABLED LOGIC - This question should only be active if personal and/or sensitive data is collected by the app and is shared with the developer/third parties etc. If this appears to be wrongly active then check back on the data scene setters.
Scoring Impact:
Is there a Privacy Summary published anywhere by the developer? (Only relevant to mobile apps)
ORC_D39b
Further Information
Guidance/Context: Because the data being collected is non-identifiable, a privacy summary is suitable. This question should only be active if personal and/or sensitive data is not collected by the app or is not shared with the developer/third parties etc. If this appears to be wrongly active then check back on the data scene setters.
Response Type: Yes / No
Answer Criteria:
Yes: A privacy summary can be a simple paragraph explaining the privacy practices of the developer, as collection of non-personal/sensitive data does not require a full privacy policy.
Logic: DISABLED LOGIC - Disabled if data is automatically shared/collected. Only enabled when the app/developer collects only non-sensitive data OR when the personal/sensitive data is only shared through direct manual intervention from the user.
Scoring Impact: Maximum risk applied to this question and to all questions that are disabled as a result of answering D39b as No. Those questions are disabled because they are not applicable when the app has no applicable policy.
Is the Privacy Policy made immediately available when the user first opens the app?
ORC_DP03
Further Information
Guidance/Context: This question looks to identify when a privacy policy is presented to a user. Making users aware of how their data is collected and used is mandatory.
Response Type: Yes / No
Answer Criteria:
Yes: If the privacy policy is displayed when the app is first opened.
Yes: If the user is prompted to view and/or provided with a link to the policy when the app is first opened or on the login page.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are answered no.
Scoring Impact: High value applied if Yes. Value cannot be applied for both DP03 and DP04.
Is the policy made available when the user is signing up to the service?
ORC_DP04
Further Information
Guidance/Context: This question looks to identify when a privacy policy is presented to a user. Making users aware of how their data is collected and used is mandatory.
Response Type: Yes / No
Answer Criteria:
Yes: When the user is provided with the privacy policy during the sign up process.
No: If the user is not provided with, or linked to, the privacy policy during sign up.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are no, OR if DT14 is no.
Scoring Impact: High value applied if Yes. Value cannot be applied for both DP03 and DP04.
Is it published within the app?
ORC_DP01
Further Information
Guidance/Context: A privacy policy must be accessible to the user. This and the following questions look to identify where the privacy policy is located. Publishing within the app, or being accessible via the app, results in a higher value than the policy only being available on the relevant app store.
Response Type: Yes / No
Answer Criteria:
Yes: If the privacy policy is readily available to read at any time within the app.
No: If the privacy policy link takes you out of the app to a web browser.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are answered no.
Scoring Impact: Medium value applied if Yes. Value cannot be applied for both DP01 and DP02 if both are answered Yes.
Is it available externally via the app, or via a linked website?
ORC_DP02
Further Information
Guidance/Context: A privacy policy must be accessible to the user. To determine if a policy is external, a user can enter the app manager screen. If still on the app, the policy is internal; if an internet browser has opened separate from the app, then it is external.
Response Type: Yes / No
Answer Criteria:
Yes: If the policy links outside of the app to the browser.
Yes: If there is an external link to the website, where there is access to the privacy policy. This comes under the 2 click rule, meaning that a privacy policy is easily accessible within 2 clicks/taps.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are answered no.
Scoring Impact: Medium value applied if Yes. Value cannot be applied for both DP01 and DP02 if both are answered Yes.
Is it available via the relevant app store?
ORC_DP05
Further Information
Guidance/Context: A privacy policy must be accessible to the user. This and the following question look to identify where the privacy policy is located. Publishing within the app, or being accessible via the app, results in a higher value than the policy only being available on the relevant app store.
Response Type: Yes / No
Answer Criteria:
Yes: If the policy is accessible through the app store, making sure the privacy policy applies to the app. If it doesn’t link directly, make sure it is accessible within 2 clicks.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are answered no.
Scoring Impact: Low value applied if Yes.
Is the Privacy Policy placed in another prominent location that is easily accessible?
ATA_DP01
Further Information
Guidance/Context: A privacy policy must be accessible to the user. This question looks to identify whether a privacy policy has been made available to the user in a location different to those listed above.
Response: Yes/No
Assessment Criteria:
Yes: The assessor is able to find a privacy policy elsewhere.
No: The assessor is unable to locate a privacy policy in an alternate place to those listed above.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are answered no.
Scoring Impact: Low value applied if yes.
What data does the Privacy Policy state the developer collects?
ORC_DP06
Further Information
Guidance/Context: This is a multiple choice question. Choices should be selected based on what is stated in the privacy policy. This would normally be found in a section titled something like “What Information do we collect?”. Choices should only be selected if the privacy policy states them; this question should not be based on what can be seen in the app.
Response Type: Multiple Choice
Answer Criteria:
Sensitive - Physical / Mental Health or Condition (past, current or future status); Sexual Life / Orientation; Political, Religious or other beliefs or opinions; Offences Committed / Alleged to have Committed / Criminal Proceedings / Outcomes / Sentence; Financial data (that might be used for payment fraud); Trade Union membership; Racial / Ethnic Origin; Genetic or Biometric Data (e.g. fingerprints / facial recognition) for the purpose of uniquely identifying a person.
Personal (combined - if a number of these items have been selected, then there is a possibility that the data can be personally identifiable) - Cookies, web beacons, flash cookies, server logs etc. which track an individual’s browsing behavior; Other Unique Device Identifiers, e.g. Device MAC Address; Name; Age/DOB; Gender (self declared or observed); Marital Status; Family / Lifestyle / Social Circumstance; Education / Qualifications / Professional Training / Awards; Other online identifiers / Event Logs; Location Data (Travel / GPS / GSM Data / radio frequency identification tags (RFID)).
Personal - Address / Postcode (full); Email Address; Mobile Phone Number / Device Number / Home Phone Number; Physical Description; Username; IP Address; General Identifier, e.g. NHS No; Income / Financial / Tax Situation; Employment / Career History; Device IMEI No.
Non-Personal - General Wellness data.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are answered no.
Scoring Impact: There is no scoring impact for this question.
Is the policy accurate, with regards to the data the developer intends to collect?
ORC_DP07
Further Information
Guidance/Context: This question looks to capture whether the data that is stated as collected by the developer within the privacy policy matches what has been identified during assessment and usage of the app.
Response Type: Yes / No
Answer Criteria:
Yes: If DP06 contains the same selections as DT10.
Logic: DISABLED LOGIC - Disabled if D39a AND D39b are answered no.
Scoring Impact: High risk applied if No AND DT10 and DP06 do not match.
Does the app explicitly state that data collected by the app is stored locally, unless the user manually exports the data?
ORC_D10a
Further Information
Guidance/Context: This question looks at whether data is stored within the app. An app that requires data to be automatically transferred off the app - even just to be stored remotely - would not meet this requirement.
Response Type: Yes/No
Answer Criteria:
Yes: “Stored locally on device” is clearly stated.
Yes: Data is stored only on the device, unless a user chooses to share it, or no data is collected or stored by the developer.
No: Doesn’t state that personal data is stored only on the device.
No: Personal data is clearly transferred to and stored in any location outside the device with no involvement from the user.
Logic: DISABLED LOGIC - Disabled if D01 OR DS06 are No, or if DS07 OR DS09 are answered Yes.
Scoring Impact: High value if Yes.
How does the developer obtain consent for the processing of user data?
ORC_DP08
Further Information
Guidance/Context: Consent should be obvious and require a clear, positive, physical action from the user to opt in. Consent requests must be prominent, separate from other terms and conditions, easy to understand, and user friendly. During sign-up to the app, attention should be paid to how, if at all, consent is obtained from the user.
Response Type: Multiple Choice
Answer Criteria:
Unmarked opt in check box, separate from other terms and conditions and/or consent requests (separate boxes for privacy policy, terms/conditions and marketing) - select this if there is an unmarked checkbox where the user can agree or consent to the privacy policy alone.
Clear affirmative acceptance option, separate from acceptance of other terms and conditions and/or consent requests (separate acceptance option for privacy policy, terms/conditions and marketing) - select this if there is another form of acceptance of the privacy policy, e.g. clicking “sign up” after having been presented with the privacy policy.
Explicitly through express confirmation in words, rather than any other positive action (e.g. the user is required to email/write to the developer providing a clear confirmation of consent; this does not apply to a statement in the privacy policy such as “by using this app you consent to us collecting your data.”) - select this if the user is required to email the developer to provide their written consent.
Another form of positive action to opt in to giving consent (please detail below), e.g. if the acceptance box is for both the privacy policy and T&Cs - select this if there is an unmarked checkbox to agree to the privacy policy and T&Cs all together.
Other (please detail below), e.g. a statement in the privacy policy such as “by using this app you consent to us collecting your data”, with no clear confirmation of acceptance of the policy - select this if there is no clear option to be taken by the user to accept the privacy policy.
Logic: DISABLED LOGIC - Disabled if D39a is No.
Scoring Impact: Very high risk applied if “Other” is selected + multiplier based on the nature of the data.
Does the Privacy Policy provide the name and contact details of their Privacy Officer (PO), or similar individual representative for the company?
ORC_DP14
Further Information
Guidance/Context: A DPO is important to ensure, in an independent manner, that an organization applies the laws protecting individuals' personal data.
Response Type: Yes/No
Answer Criteria:
Yes: If an individual person has been named and declared the person responsible for the company’s privacy practices, with contact details (this can include a generic email, such as dpo@company.co.uk, providing the individual responsible has been named).
No: If an individual person who is responsible for the role of DPO has not been named/detailed.
No: If there is only a generic email address.
Logic: DISABLED LOGIC - Disabled if D39a is no.
Scoring Impact: High value applied if yes.
Provide the details of the representative: (Text response)
ORC_DP15
Further Information
Guidance/Context: Input the details of the DPO from within the privacy policy; this should be a named person, not just a generic email and “data protection officer”.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if DP14 has not been answered yes.
Scoring Impact: None
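The disablement logic and scoring notes above form a small dependency graph: a question is only scored when the questions it depends on have the required answers, value is counted once for pairs such as DP03/DP04 and DP01/DP02, and a No on D39b carries maximum risk for every question it switches off. The following is an added example, not part of the DHAF document or of ORCHA's assessment tooling, that models these rules for the Privacy Policy questions in Python. The numeric weights for the qualitative levels (low, medium, high, very high, maximum) are assumptions for illustration only; answers to scene-setter questions such as D39a, D39b, DT14 and DT10 are supplied as inputs rather than derived; and the DP08 option "Other (please detail below)" is abbreviated to "Other".

```python
# Added example, not part of the DHAF document or ORCHA's tooling: a small rule
# engine that models the DISABLED LOGIC and scoring notes of the Privacy Policy
# questions. Question ids and conditions come from the question text; the
# numeric weights for the qualitative levels are an assumption for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Answers = Dict[str, object]  # question id -> "yes"/"no", option text, or set of choices

# Assumed numeric weights; the framework itself only names the level.
LEVEL = {"low": 1, "medium": 2, "high": 3, "very high": 4, "maximum": 5}


def no(a: Answers, q: str) -> bool:
    return a.get(q) == "no"


def no_policy(a: Answers) -> bool:
    """'Disabled if D39a AND D39b are answered no' (shared by most questions)."""
    return no(a, "D39a") and no(a, "D39b")


@dataclass(frozen=True)
class Rule:
    qid: str
    disabled_if: Callable[[Answers], bool]               # the question's DISABLED LOGIC
    value_if_yes: Optional[str] = None                   # value level applied on "yes"
    risk_if: Optional[Callable[[Answers], bool]] = None  # condition under which risk applies
    risk_level: Optional[str] = None
    exclusive: Optional[str] = None                      # "value cannot be applied for both ..."


RULES: List[Rule] = [
    Rule("DP03", no_policy, value_if_yes="high", exclusive="DP03/DP04"),
    Rule("DP04", lambda a: no_policy(a) or no(a, "DT14"), value_if_yes="high", exclusive="DP03/DP04"),
    Rule("DP01", no_policy, value_if_yes="medium", exclusive="DP01/DP02"),
    Rule("DP02", no_policy, value_if_yes="medium", exclusive="DP01/DP02"),
    Rule("DP05", no_policy, value_if_yes="low"),
    Rule("ATA_DP01", no_policy, value_if_yes="low"),
    # "High risk applied if No AND DT10 and DP06 do not match"
    Rule("DP07", no_policy,
         risk_if=lambda a: no(a, "DP07") and a.get("DP06") != a.get("DT10"), risk_level="high"),
    # "Very high risk applied if 'Other' is selected" (option text abbreviated)
    Rule("DP08", lambda a: no(a, "D39a"),
         risk_if=lambda a: a.get("DP08") == "Other", risk_level="very high"),
    Rule("DP14", lambda a: no(a, "D39a"), value_if_yes="high"),
    Rule("DP15", lambda a: a.get("DP14") != "yes"),
]


def disabled_set(answers: Answers) -> Set[str]:
    """Apply the disablement rules until stable, treating a disabled question's
    answer as unanswered so that dependants (e.g. DP15 on DP14) go dark as well."""
    disabled: Set[str] = set()
    for _ in range(len(RULES) + 1):
        effective = {q: (None if q in disabled else v) for q, v in answers.items()}
        new = {r.qid for r in RULES if r.disabled_if(effective)}
        if new == disabled:
            break
        disabled = new
    return disabled


def evaluate(answers: Answers) -> dict:
    """Return the disabled questions, the cascaded set, the value score and the risk score."""
    disabled = disabled_set(answers)
    effective = {q: (None if q in disabled else v) for q, v in answers.items()}
    value = risk = 0
    groups_used: Set[str] = set()
    for r in RULES:
        if r.qid in disabled:
            continue
        if r.value_if_yes and effective.get(r.qid) == "yes":
            if r.exclusive not in groups_used:  # None never enters the set: no exclusivity
                value += LEVEL[r.value_if_yes]
                if r.exclusive:
                    groups_used.add(r.exclusive)
        if r.risk_if and r.risk_if(effective):
            risk += LEVEL[r.risk_level]
    # D39b scoring note: maximum risk on D39b itself and on every question that
    # is disabled only because D39b was answered no (found by re-running with D39b = yes).
    cascaded: Set[str] = set()
    if no(answers, "D39b"):
        cascaded = disabled - disabled_set({**answers, "D39b": "yes"})
        risk += LEVEL["maximum"] * (1 + len(cascaded))
    return {"disabled": sorted(disabled), "cascaded": sorted(cascaded),
            "value": value, "risk": risk}


if __name__ == "__main__":
    # Constructed sample: policy shown at first open and at sign-up, so value is
    # counted once for the DP03/DP04 pair; a named DPO earns DP14's value.
    print(evaluate({"D39a": "yes", "DT14": "yes", "DP03": "yes", "DP04": "yes",
                    "DP01": "yes", "DP05": "yes", "DP14": "yes", "DP15": "named person"}))
```

Two details are worth noting. Disablement is computed to a fixed point rather than in one pass, because a question that depends on another disabled question (DP15 on DP14) must itself be disabled even if it was answered. The D39b cascade is found by re-evaluating with D39b forced to yes and diffing the two disabled sets, which keeps the "all questions disabled as a result of answering D39b as No" rule independent of how many rules share the D39a/D39b condition.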
Data use
Once it is established what data is collected by the app, the assessment looks at how that data is used and shared, and if this is communicated to the user. The privacy policy should state all intended uses and legal basis of processing user data, such as legal obligation, research or marketing. Users should also be given the option to withdraw consent for the use of their data, particularly for marketing.
Does the developer fully inform the user of how they will collect data about them?
ORC_D69
Further Information
Guidance/Context: This question identifies if the developer has clearly stated in the privacy policy how data will be collected from users. For example, “data will be collected when registering to use the app”.
Response Type: Yes/No
Answer Criteria:
Yes: If the developer informs users where any data will be collected from, e.g. directly from the user or through third party sources.
No: If the developer has not informed users of all potential sources of information about them, e.g. the user is informed of data collected about them; however, the developer fails to identify that information is obtained from another location, such as Facebook, when the user signs up with this account.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes OR DS06 has been answered Yes.
Scoring Impact: Medium risk applied if No + multiplier based on the nature of the data.
Does the developer provide users with details on all the purposes of processing user data?
ORC_D13
Further Information
Guidance/Context: This question looks to identify if the purpose of processing has been made clear. For example, a developer may state that email addresses are captured to share marketing information with users.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy clearly explains what the collected user data is used for.
Yes: If the policy states all the uses for collected data that are apparent from the app.
No: If there is reason to believe that the developer has not explained any of the purposes for processing user data (please detail in the comments section).
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes OR DS06 has been answered yes.
Scoring Impact: Medium risk applied if No + multiplier based on the nature of the data.
What is automatically shared data used for?
ORC_DP10
Further Information
Guidance/Context: The answers selected for this question should apply to data automatically shared with third parties/HCPs/other users/devices - NOT with the developer. The exception to this is marketing, which should be selected if this is a purpose of data sharing with the developer.
Response Type: Multiple Options
Answer Criteria: Legal obligations, Performance of contract, Payment transactions, Research, Improving of developer services, Marketing, Provision of service, Other (Please specify), Unclear.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes OR DS06 has been answered Yes.
Scoring Impact: None
Does the developer appear to intend to share or process the user data collected by the app for any purposes that have not been made clear to the user, or for any purposes they deem necessary?
ORC_D38
Further Information
Guidance/Context: This question is asking if there is the possibility that data is being shared without this being made clear to the user. Therefore, No is the positive response.
Response Type: Yes/No
Answer Criteria:
Yes: If data is shared without user consent, AND users don’t need to agree to the privacy policy. Essentially the opposite of D16.
Yes: If there is an obvious purpose for data use which isn’t made clear or mentioned in the privacy policy.
Yes: The policy states that the data will not be shared without first obtaining the user's consent to do so, or that the app/developer ‘Won't share for other reasons/with other parties, except as has been set out in the policy without obtaining your consent’.
Logic: DISABLED LOGIC - Disabled if D39a has not been answered Yes.
Scoring Impact: High risk applied if yes + multiplier based on the nature of the data.
Does the developer inform users that they would like to use their data for the purpose of marketing?
ORC_D71
Further Information
Guidance/Context: If direct marketing is being undertaken then developers need separate additional consent from the users. Answers for this question are typically found in a section with a name similar to “What we do with the information we collect”, or the developers may have a separate “Marketing” section.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if D39a has not been answered yes, or DT13 is answered as non-personal, or D01 is answered no.
Scoring Impact: None
Does the developer obtain informed consent separately, for the purpose of marketing?
ORC_DP12
Further Information
Guidance/Context: Consent for marketing should be obtained separately from consent for processing user data for any other purpose. This must also be prominent, easy to understand and user friendly, e.g. a separate tick box for marketing and for consenting to the privacy policy.
Response Type: Yes/No
Answer Criteria:
Yes: If consent for marketing is obtained separately AND the method for gaining this consent is through one of the positive affirmative actions listed in DP08 (unmarked opt in check box; clear affirmative acceptance option; explicitly through express confirmation in words; another form of positive action to opt in to giving consent (please detail below)).
No: If the user is not asked for consent to use data for marketing separately.
No: If the user has not been required to provide a positive affirmative action, separate from accepting other T’s & C’s / Privacy Policies, to agree to sharing their data for the purposes of marketing.
Logic: DISABLED LOGIC - Disabled if DP10 does not contain Marketing, or if DT13 is answered as non-personal.
Scoring Impact: High risk applied if no + multiplier based on the nature of the data.
Does the developer obtain informed consent separately, for the purpose of marketing, as defined under HIPAA?
ORC_ATA_DP02
Further Information
Guidance/Context: The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. So as not to interfere with core health care functions, the Rule distinguishes marketing communications from those communications about goods and services that are essential for quality health care.
Response Type: Yes/No
Answer Criteria:
Yes: If a separate consent is gained for communicating about goods and services that are essential for quality health care.
No: If a separate consent is not gained for marketing as defined under the HIPAA privacy rule.
Logic: DISABLED LOGIC - Disabled if D01 is no, DS06 is yes, D39a is no OR D71 is no.
Scoring Impact: Medium - high risk applied if no.
Is the user informed of how they can opt out of each of these activities?
ORC_D28
Further Information
Guidance/Context: The list of activities can be found in question ORC_DP10. The developer should state how a user can opt out of each of these processing activities.
Response Type: Yes/No
Answer Criteria:
Yes: If the app has an option to opt out of/turn off data collection for external research, or provides a contact email to get data removed from a study.
Yes: If the policy clearly explains to the user how they can contact the developer to opt out of all sharing/processing activities.
No: If data is shared for any reasons other than legal obligations and there is no option to opt out (an email address in the policy explicitly stating how to opt out, or sliders within the app).
No: If the policy only mentions how the user can opt out of one, but not all, activities.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes.
Scoring Impact: Medium risk applied + multiplier based on the nature of the data. Risk cannot be applied to both D28 and DP13.
If the user cannot opt out of all processing activity, does the developer clearly explain which activities they cannot opt out of and why?
ORC_DP13
Further Information
Guidance/Context: N/A
Response Type: Yes/No
Answer Criteria:
Yes: If data is only shared for legal obligations - the policy must state who they will share the data with and for what legal purposes (e.g. protect rights, copyright).
Yes: If the developer has clearly set out justifiable reasons for not being able to deal with particular requests with regards to stopping certain processing/sharing activities.
No: If users are not informed of how they can opt out of processing and sharing activities AND there is no justification from the developer as to why users cannot opt out of certain activities.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes or D28 has been answered Yes.
Scoring Impact: Medium risk applied if no + multiplier based on the nature of the data. Risk cannot be applied to both D28 and DP13.
Is the user informed that their data will not be shared with other parties, except for the purposes that have been set out in the privacy policy?
ORC_D16
Further Information
Guidance/Context: Developers are required to disclose who data may be shared with for processing and other activities. Information for this question will typically be located in the privacy policy, around the information about what third parties data is shared with.
Response Type: Yes/No
Answer Criteria:
Yes: If no data is shared without user consent.
Yes: If the policy states that using the app indicates agreement to the policy/consent given for the data sharing specified.
No: If data is shared with third parties without user consent.
Logic: DISABLED LOGIC - Disabled if D39a has not been answered yes, or D01 has been answered No, or if DT13 has been answered non-personal.
Scoring Impact: High risk applied if no + multiplier based on the nature of the data.
Data Storage and Transit/Transfer
The key areas in this section are data storage and data transfer. The data privacy policy should inform the user of where their data is stored, how their data is protected in storage, and how it is protected in transit between the user’s device and the host storage. The DHAF looks for specific and secure storage techniques, such as industry-recognized encryption or firewalls. During transit, it is preferable that data is protected using industry-recognized encryption. A list of deprecated encryption methods will be provided to assessors and regularly updated to ensure the assessment is kept up-to-date with current industry practices.
Does the data privacy policy or equivalent provide detail about where the data collected by the app will be stored (i.e. on the app or in an external data warehouse, cloud server etc.)?
ORC_DST01
Further Information
Guidance/Context: N/A
Response Type: Yes/No
Answer Criteria:
Yes: If the policy states the data is stored in a cloud server, a physical location or a secure server (Microsoft Azure is a cloud storage technology; AWS is Amazon Web Services).
Yes: If the policy states the physical address of the data controller. “May not be stored in your location” isn’t enough. “In the UK” isn’t enough; it has to be an address.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes.
Scoring Impact: Medium value applied if yes.
Where is the data stored?
ORC_DST02
Further Information
Guidance/Context: The purpose of this question is to state where data is stored, e.g. in a secure server or an AWS server.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if DST01 is no.
Scoring Impact: There is no scoring impact for this question.
Does the data privacy policy, or equivalent, state whether personal data is stored using recognized secure data storage technologies?
ORC_DST03
Further Information
Guidance/Context: This question is looking to identify if appropriate technologies are being used for secure storage of user data. Technologies that are considered appropriate are detailed in the answer criteria below.
Response Type: Yes/No
Answer Criteria:
Yes: If a firewall, antivirus, or encryption in storage/at rest is mentioned. Must state which technology is used; this does not have to be specific.
No: Doesn’t state which technology is used. Only mentions “cloud services” but doesn’t specify the provider.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes.
Scoring Impact: High value if yes. High risk if no.
Is all personally identifiable data encrypted in transit between the device and any external host storage?
ORC_D17
Further Information
Guidance/Context: The purpose of this question is to ensure that data is transferred securely, so that there are no breaches of users' data.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy states data is encrypted during transit, or mentions the encryption type.
No: Doesn’t state the data is encrypted during transit.
Logic: DISABLED LOGIC - Disabled if D39a has not been answered yes.
Scoring Impact: High risk applied if no.
Is the user informed that online video consultations use secure encryption methods?
ORC_DST04
Further Information
Guidance/Context: Where appropriate, developers need to clearly state that video consultations use secure encryption. This should be in addition to the previous question about encryption of other data transfer.
Response Type: Yes/No
Answer Criteria:
Yes: If it is made explicitly clear to the end-user that a secure encrypted connection is used for all video consultations. This may be in the policy or elsewhere on the website/app.
Logic: DISABLED LOGIC - Disabled if D39a has not been answered yes.
Scoring Impact: High risk applied if no.
Data Standards and Management
The DHAF will award additional points if an app developer is compliant with any recognized US Data Management Standards such as Software Development Life Cycle (SDLC), or any International Data Management Standards such as ISO 27001. The privacy policy should inform users of a data retention period, and a method for data destruction. The DHAF also identifies whether the developer has a policy in place to deal with any data security breaches.
Does the policy state its compliance with recognized Data Management Standards?
ORC_ATA_DP03
Further Information
Guidance/Context: Developers that are compliant with these international data standards are rewarded for compliance with best practice standards of data management.
Response Type: Multiple Option: ISOC2
Answer Criteria:
Yes: If there is a compliance sticker on their website, e.g. ISO 27001 (if any other ISOs/BSIs etc. are mentioned, please confirm the appropriateness of the standard for data management).
Yes: It needs to be the COMPANY that is ISO compliant, not the server where data is stored, particularly when the company/developer is the data controller.
No: If there is no evidence of ISO, BSI etc. compliance. EU-US Privacy Shield does not count for this question.
No: If the server (e.g. AWS) is ISO compliant but there is no explicit statement to say the company is.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered yes.
Scoring Impact: Medium risk applied if no + multiplier based on the nature of the data.
|
Does the policy contain details of the length of time data is retained? | ORC_D19
Further Information
Guidance/Context: Under GDPR, it is a legal obligation for a data controller and/or processor to retain personal data only for as long as is necessary for the purpose for which it is being processed.
Response Type: Yes/No
Answer Criteria:
Yes: If the developer mentions any time period of data retention, even if it is an indefinite amount of time.
Yes: If the developer states “We only keep your personal information for as long as it’s necessary for our original legitimate purpose for collecting it and for as long as we have your permission to keep it.”
No: If the only mention of data retention is provided where the developer informs users of their rights under GDPR. Developers are obliged to separately inform users of their own policies and procedures regarding data retention in the event that a user has not exercised any of their rights to their data.
No: If the policy mentions a timeframe after which data may be stored in aggregate.
No: If the policy states “we may retain data for…”
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Low risk applied if No.
Is there a statement containing details of a method for data destruction? | ORC_D20
Further Information
Guidance/Context: Controllers and/or processors should ensure there are set procedures in place to safely and securely delete any personal data when it is no longer needed.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy mentions how the data is deleted when users have not exercised any user rights.
Yes: If the policy details that user data is deleted after a certain time period.
Yes: If users can delete or reset all data within the app AND it is deleted from the server. Not if it clears the app but stays on the server.
Yes: If users are the data controller and the method of deletion is users contacting the developer to remove their data.
Yes: If the developer has detailed the process for anonymizing personally identifiable information after a given timeframe of inactivity.
No: If the only mention of deletion of data is provided where the developer informs users of their rights under GDPR. Developers are obliged to separately inform users of their own policies and procedures regarding the deletion of data if a user has not exercised any of their rights to their data.
No: If the only mention is removal of data for under 13s/minors.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Low risk score applied if D20 has been answered No, + multiplier based on the nature of the data collected.
Is there a statement that sets out a process for managing data confidentiality breaches? | ORC_D21
Further Information
Guidance/Context: Developers have an obligation to notify the relevant supervisory authority when certain data breaches happen. Developers should therefore have a clear internal procedure in place to aid the decision about whether or not a breach needs to be reported to the supervisory authority or even to the affected individuals.
Response Type: Yes/No
Answer Criteria:
Yes: If users are informed that they can complain to the Information Commissioner's Office (ICO) if they believe that their data privacy rights have been breached.
Yes: If users are informed they can lodge a complaint with their local data protection authority if they believe that their data privacy rights have been breached.
Yes: If users are informed that they can complain to the local supervisory authority of the country in which the developer is based, if they believe that their data privacy rights have been breached.
Yes: If the user is told that they should inform the company, or the company will inform the user, if a breach is suspected, and users have the right to file a complaint with the competent supervisory authority (GDPR Art. 77). Check T&Cs too.
Yes: If the developer has detailed in the privacy policy how they will approach any breaches of data security that they become aware of, for example informing users within a reasonable time frame and informing their relevant jurisdictional supervisory authority.
Yes: If the developer has detailed the process by which they will inform the local/jurisdictional regulatory authority of any confidentiality breaches.
No: If the policy does not state what happens in the event of a breach.
No: If you can complain only to the developer, not to the ICO, in the event of a breach.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium risk applied if D21 has been answered No + multiplier based on the nature of the data collected.
GDPR/HIPAA/Jurisdictional Principles
This review area focuses on Data Protection based on the UK and EU General Data Protection Regulation (GDPR). The DHAF expects all apps, particularly those developed in the UK and the EU, to be fully compliant with the GDPR, which is applied here as best practice in the assessment. This means a clear and explicit statement of compliance, as well as confirming that the user is entitled to the 7 user rights.
The developer should also inform the user of how they can exercise these rights and should commit to responding within a time frame of 2 months or less. Under the GDPR, the policy should outline the legal basis for the collection of user data, and ensure that only minimal data is collected from the user.
Similar and additional requirements and user rights are observed under HIPAA and have been built into this section to be specifically adapted to the DHAF.
All questions relating to this section will only be asked for apps that collect and process personal and/or sensitive data, as a measure of either HIPAA Compliance or “HIPAA Readiness”.
Is there a statement that confirms the app’s compliance with jurisdictionally required laws and regulations? | ATA_DP05
Further Information
Guidance/Context: Jurisdictionally required principle recognition would be that the developer recognizes their responsibility, at a minimum, to treat the data of an individual from another country in compliance with the data protection laws of the country in which that individual resides.
Response: Yes / No
Assessment Criteria:
Yes: The assessor finds a statement confirming the app’s compliance with jurisdictionally required laws and regulations.
No: There is no statement confirming the app’s compliance with jurisdictionally required laws and regulations.
Logic: Disabled if D39a and D39b are No.
Scoring Impact: Medium risk applied if No + multiplier based on the nature of the data collected.
Is the user informed of the legal basis for which data is collected from them? | ORC_D60
Further Information
Guidance/Context: To meet the requirement for this question the developer has to specify ‘the legal basis for data collection is…’
Response Type: Yes/No
Answer Criteria:
Yes: If the policy states data is collected under a legal basis, e.g. consent, performance of contract, legal obligation, vital interests, public interest or legitimate interest.
Yes: If the policy states that by using the app you consent to the privacy policy, “If you consent to this app, you consent for us to collect data.”, or a statement similar to this.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: High risk score applied if D60 has been answered No + multiplier based on the nature of the data collected.
Is the user informed of the developer’s intent to ensure that only the “Minimum Necessary” data/PHI, as defined under HIPAA, is collected? | ATA_DP06
Further Information
Guidance/Context: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
Response: Yes / No
Answer Criteria: N/A
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: High - Exception risk applied if No + multiplier based on whether the organization is required to be HIPAA compliant and on the nature of the data the app collects.
Is there a statement that the policy will be updated duly should the purpose of data collection change? This may mean re-obtaining consent (if consent was the lawful basis). | ORC_D61
Further Information
Guidance/Context: The developer has an obligation to inform users of any changes that are made to the processing of data. The level to which the developer must notify is determined by the legal basis for processing and the extent of the change being made.
Response Type: Yes/No
Answer Criteria:
Yes: If the legal basis is consent and the developer states that if the purpose for processing data changes then consent will be re-obtained before continued use of the service.
Yes: If consent is not one of the legal bases and the developer has stated in the privacy policy that they WILL inform users of changes to the policy.
No: If the developer states that they MAY inform the users of changes to the privacy policy.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium risk score applied if D61 has been answered No + multiplier based on the nature of the data collected.
Are users informed of their rights with regards to their data? | ORC_DPR01
Further Information
Guidance/Context: Questions relating to GDPR will only be asked for apps that collect and process personal and/or sensitive data.
Response Type: Yes/No
Answer Criteria:
Yes: If the developer has made it clear that the user has certain rights with regards to their data and explains what those rights are.
Yes: If the developer has set out any of the user rights under GDPR.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Exceptional risk score applied if DPR01 has been answered No + multiplier based on the nature of the data collected.
Has the developer made the existence of the data subject’s right to request that their personal data is deleted clear? | ORC_D93
Further Information
Guidance/Context: This is a right users should expect under GDPR.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy clearly states the user’s right to erasure, or a method for how data is deleted, OR the user can clear all data from the app.
Yes: If the policy clearly states the user’s right to be forgotten.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D93 has been answered Yes.
Has the developer made the existence of the data subject’s right to access their personal data clear? | ORC_D25
Further Information
Guidance/Context: This is a right users should expect under GDPR.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy clearly states the user’s right to access their data, and a contact method is given.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D25 has been answered Yes.
Has the developer made the existence of the data subject’s right to inspect their personal data clear? | ATA_DP07
Further Information
Guidance/Context: This statement should be clearly displayed, as HIPAA requires data controllers to allow the user the right to inspect their personal data.
Response: Yes / No
Assessment Criteria:
Yes: If the assessor can find the user right clearly displayed in the privacy policy or in another location accessible to the user.
No: If the assessor is unable to find this user right.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Low value applied if Yes. Low risk applied if No.
Is the user informed of their right to know how their PHI is used and/or shared? | ATA_DP08
Further Information
Guidance/Context: This statement should be clearly displayed, as HIPAA requires data controllers to allow the user the right to be informed of how their PHI is used and/or shared.
Response: Yes / No
Assessment Criteria:
Yes: If the assessor can find the user right clearly displayed in the privacy policy or in another location accessible to the user.
No: If the assessor is unable to find this user right.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Low value applied if Yes. Low risk applied if No.
Has the developer made the existence of the data subject’s right to rectify their personal data clear? | ORC_D56
Further Information
Guidance/Context: This is a right users should expect under GDPR.
Response Type: Yes/No
Answer Criteria:
Yes: The policy clearly states the user’s right to rectify, correct, amend or update their information.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D56 has been answered Yes.
Has the developer made the existence of the data subject’s right to restrict the use of their personal data clear? | ORC_D81
Further Information
Guidance/Context: This is a right users should expect under GDPR.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy clearly states the user’s right to restrict use, or to stop using data.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D81 has been answered Yes.
Has the developer made the existence of the data subject’s right to object to the processing of their personal data clear? | ORC_D57
Further Information
Guidance/Context: This is a right users should expect under GDPR.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy clearly states the user’s right to restrict use, or to stop using data.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D81 has been answered Yes.
Has the developer made the existence of the data subject’s right to portability of (receive) their personal data clear? | ORC_D59
Further Information
Guidance/Context: This is a right users should expect under GDPR.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy clearly states the user’s right to portability, or right to transfer their data, or the right to receive their data in a machine-readable format.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D59 has been answered Yes.
Has the developer made the existence of the data subject’s right to withdraw consent for the use of their personal data clear? | ORC_D58
Further Information
Guidance/Context: This is a right users should expect under GDPR.
Response Type: Yes/No
Answer Criteria:
Yes: If the policy clearly states the user’s right to withdraw consent.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D58 has been answered Yes.
Has the developer explained individual rights to users in a manner that is easily understood? | ATA_DP09
Further Information
Guidance/Context: HIPAA requirement. In the policy, the developer should be clear that the user has this right, but also be clear about the repercussions of refusing to share data (e.g. being unable to access/provide the service).
Response: Yes / No
Assessment Criteria:
Yes: If the user rights have been made clear in the privacy policy and the repercussions of refusing to share data have also been made clear.
No: If only the user rights have been made clear, or if the repercussions have not been made clear.
No: If the privacy policy has not mentioned user rights or the repercussions of not consenting to sharing data.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium-High risk applied if No + multiplier based on the nature of the data collected.
Has the developer been clear as to the repercussions of refusing to share or allow the processing of data? | ATA_DP10
Further Information
Guidance/Context: In the policy, the developer should be clear that the user has this right, but also be clear about the repercussions of refusing to share data (e.g. being unable to access/provide the service).
Response: Yes / No
Assessment Criteria:
Yes: If the repercussions of refusing to share data have been made clear.
No: If the privacy policy has not mentioned the repercussions of not consenting to sharing data.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium-High risk applied if No + multiplier based on the nature of the data collected.
Has the developer made clear the existence of the user’s right to request that they are not subject to a decision based solely on automated processing, including profiling, which produces legal/significant effects concerning the user? | ORC_DPR02
Further Information
Guidance/Context: Automated processing is what can occur when applying for things such as insurance, finance, a mortgage etc. It gives an output based on the details entered; the result is a machine-driven decision, a figure for cost, etc. Users have the right to request that any such decision be reviewed by a human.
Response Type: Yes/No
Answer Criteria:
Yes: There may be a simpler statement, such as “You have the right to request that we do not process your personal data for the purpose of automated decision making”.
Yes: If the developer has made clear that the user has this right under GDPR, even if they do not specifically process data in such a way.
No: If this user right has not been mentioned in the policy.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if DPR02 has been answered Yes.
Does the developer provide details on which the user can contact them to exercise their rights? | ORC_D82
Further Information
Guidance/Context: When informing users of their individual rights under GDPR, it is also best practice to provide them with details of how the controller can be contacted in order to submit subject access requests.
Response Type: Yes/No
Answer Criteria:
Yes: If a contact method is provided in the policy for the developer, in relation to exercising user rights.
No: If a contact method is only provided for one user right, rather than all rights mentioned.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D81 has been answered Yes.
Is the user informed of the time frame in which the developer will respond to any requests to exercise their rights? | ORC_D83
Further Information
Guidance/Context: By law an organization normally has to respond to a subject access request within one month. If an individual has made a number of requests or a request is complex, extra time may be needed to consider and/or action the request(s). Where this is the case, the organization can take up to an extra two months to respond.
Response Type: Yes/No
Answer Criteria:
Yes: If a time frame is given, and it is within two months of receipt of the request.
No: If there is no separately provided timeframe and response commitment with regards to the user exercising their rights, i.e. if there are only contact details for enquiries about the policy as a whole, with an expected response time.
Logic: Disabled if D39a or DPR01 have not been answered Yes.
Scoring Impact: Low value score applied if D81 has been answered Yes.
Is the user informed of any charges that might be incurred with regards to exercising their right to access their PHI? | ATA_DP11
Further Information
Guidance/Context: It is a HIPAA requirement for the user to be informed of any charges which may be incurred with regards to exercising their right to access their PHI.
Response: Yes / No
Assessment Criteria:
Yes: If users have been informed of charges that might be incurred when exercising their rights.
No: If users have not been informed that charges may be incurred when exercising their rights.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium value applied if the organization does not need to be HIPAA compliant and this is answered Yes. High risk applied if the organization needs to be HIPAA compliant and this is answered No.
Is the user informed of their right to have an access denial reviewed? | ATA_DP12
Further Information
Guidance/Context: It is a HIPAA requirement for the user to be informed of their right to have an access denial reviewed.
Response: Yes / No
Assessment Criteria:
Yes: If users are informed that they have the right to request that an access denial is reviewed.
No: If users are not informed of their right to have an access denial reviewed.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium value applied if the organization does not need to be HIPAA compliant and this is answered Yes. High risk applied if the organization needs to be HIPAA compliant and this is answered No.
Is the user informed that local state laws, providing them with additional rights with regards to their data, are not pre-empted by HIPAA? | ATA_DP13
Further Information
Guidance/Context: It is a general rule under HIPAA that local state laws are not pre-empted by HIPAA. It is also best practice to ensure users are informed of this.
Response: Yes / No
Assessment Criteria:
Yes: If users are informed that local state laws are not pre-empted by HIPAA.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium-High risk applied if No + multiplier based on the nature of the data.
Is the user informed of their right to request to be reached somewhere other than home? | ATA_DP14
Further Information
Guidance/Context: It is a HIPAA requirement for the user to be informed of their right to request to be reached somewhere other than home.
Response: Yes / No
Assessment Criteria:
Yes: If the policy states that the user has the right to be reached somewhere other than home.
No: If the policy has not mentioned this right.
Logic: Disabled if D39a has not been answered Yes.
Scoring Impact: Medium value if Yes and the organization is not required to be HIPAA compliant. High risk applied if No and the organization is required to be HIPAA compliant.
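As an added illustration (not part of the framework document or ORCHA's tooling) of how the "DISABLED LOGIC" gates and "Scoring Impact" entries above combine into an assessment outcome, the following Python models a subset of the user-rights questions in this section. The numeric weights, the data-nature multiplier values and the meaning assumed for the upstream gate D39a are assumptions made here, since the page gives only risk/value levels.

```python
"""Toy model of DHAF question gating and scoring for the user-rights block.

Added example. The framework states only risk/value levels and says a
multiplier "based on the nature of the data" applies; the numeric weights,
multiplier values, and the meaning of D39a (assumed here: "does the app
collect personal data?") are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# question id -> "yes" / "no" / None (not answered)
Answers = Dict[str, Optional[str]]

# Assumed weights for the levels named on the page.
RISK = {"low": 1, "medium": 3, "high": 6, "exceptional": 10}
VALUE = {"low": 1, "medium": 3}
# Assumed multiplier "based on the nature of the data" (DT13 categories).
DATA_MULTIPLIER = {"non-personal": 0, "personal": 1, "sensitive": 2}


@dataclass(frozen=True)
class Question:
    qid: str
    enabled: Callable[[Answers], bool]  # the page's DISABLED LOGIC, inverted
    risk_if_no: Optional[str] = None    # level applied when answered No
    value_if_yes: Optional[str] = None  # level applied when answered Yes
    multiplied: bool = False            # whether the data multiplier applies


def _yes(answers: Answers, qid: str) -> bool:
    return answers.get(qid) == "yes"


def needs_d39a(a: Answers) -> bool:
    # "Disabled if D39a has not been answered Yes"
    return _yes(a, "D39a")


def needs_d39a_and_dpr01(a: Answers) -> bool:
    # "Disabled if D39a or DPR01 have not been answered Yes"
    return _yes(a, "D39a") and _yes(a, "DPR01")


# Subset of the GDPR/HIPAA section, with the levels the page states for each.
QUESTIONS: List[Question] = [
    Question("D60", needs_d39a, risk_if_no="high", multiplied=True),
    Question("D61", needs_d39a, risk_if_no="medium", multiplied=True),
    Question("DPR01", needs_d39a, risk_if_no="exceptional", multiplied=True),
    Question("D93", needs_d39a_and_dpr01, value_if_yes="low"),
    Question("D25", needs_d39a_and_dpr01, value_if_yes="low"),
    Question("D56", needs_d39a_and_dpr01, value_if_yes="low"),
    Question("D59", needs_d39a_and_dpr01, value_if_yes="low"),
    Question("D58", needs_d39a_and_dpr01, value_if_yes="low"),
    Question("D83", needs_d39a_and_dpr01, value_if_yes="low"),
]


def enabled_questions(answers: Answers) -> List[str]:
    """Return the ids of the questions the assessor is actually asked."""
    return [q.qid for q in QUESTIONS if q.enabled(answers)]


def score(answers: Answers, data_nature: str) -> Dict[str, int]:
    """Aggregate risk and value over the enabled questions only.

    A disabled question contributes nothing even if an answer is present,
    which is how a "No" to DPR01 collapses the whole rights block into the
    single exceptional-risk finding instead of many small value scores.
    """
    mult = DATA_MULTIPLIER[data_nature]
    risk = value = 0
    for q in QUESTIONS:
        if not q.enabled(answers):
            continue
        ans = answers.get(q.qid)
        if ans == "no" and q.risk_if_no:
            factor = (1 + mult) if q.multiplied else 1
            risk += RISK[q.risk_if_no] * factor
        elif ans == "yes" and q.value_if_yes:
            value += VALUE[q.value_if_yes]
    return {"risk": risk, "value": value}


if __name__ == "__main__":
    # Constructed assessment: personal data collected, rights not explained.
    sample = {"D39a": "yes", "DPR01": "no", "D93": "yes"}
    print(enabled_questions(sample), score(sample, "sensitive"))
```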
Other Data Questions
Are users clearly informed of the use of cookies when first landing on the developer's site/app? | ORC_D99
Further Information
Guidance/Context: When reviewing a native (including “hybrid”) app, being informed that the website uses cookies while using the browser does not answer this question as Yes. Reference to “site” in the question is regarding a review of a web app.
Response Type: Yes/No
Answer Criteria:
Yes (web app): If, when first landing on the website, a banner/pop-up appears asking users to accept cookies.
Yes (native apps): If, when first accessing the app, or at the point at which the app attempts to use cookies, the user is clearly informed of the intended use of cookies.
Logic: Disabled if the app is not collecting cookies, D01 is answered No, or DT10 does not contain “Cookies/Web Beacons”.
Scoring Impact: Low risk if answered No + multiplier based on the nature of the data.
Are users required to confirm their acceptance of the developer's use of cookies when initially informed of the use? | ORC_D100
Further Information
Guidance/Context: Developers are required to gain consent from visitors to the site in order to store or retrieve any information on a computer, smartphone or tablet using cookies.
Response Type: Yes/No
Answer Criteria:
Yes (web app): If, when first landing on the website, a banner/pop-up appears asking users to accept cookies.
Yes (native apps): If, when users are informed of the use of cookies, they are required to provide a clear confirmation of their acceptance of the use of cookies.
Logic: Disabled if the app is not collecting cookies, D01 is answered No, or DT10 does not contain “Cookies/Web Beacons”.
Scoring Impact: Low risk if answered No + multiplier based on the nature of the data.
Does the developer address their use of cookies and collected data in their Privacy Policy, or in a separate Cookie Policy? | ATA_DP24
Further Information
Guidance/Context: A paragraph explaining the product's use of cookies is sufficient for this question.
Response: Yes / No
Assessment Criteria:
Yes: If there is a designated paragraph or section within the privacy policy which explains the developer’s use of cookies.
Yes: If there is a whole separate cookie policy for the app.
No: If the cookie policy only addresses cookies for an associated website and not the app itself.
No: If there is no cookie policy or paragraph made available to the user.
Logic: Disabled if DT11 is No.
Scoring Impact: Low risk applied if No.
Are users made aware of the use of strictly necessary cookies? | ORC_ERC_EDC_CK04
Further Information
Guidance/Context: Users should be informed of the use of strictly necessary cookies, even if they have no way of restricting the use of these.
Response: Yes / No
Assessment Criteria:
Yes: If there is a statement in the privacy policy.
Yes: If there is a pop-up explaining the use of strictly necessary cookies.
No: If there is no statement anywhere explaining the use of strictly necessary cookies.
Logic: Disabled if DT11 is No.
Scoring Impact: Low risk applied if No + multiplier depending on the nature of the data collected.
Is user consent obtained for the use of non-strictly-necessary cookies? | ORC_ERC_EDC_CK05
Further Information
Guidance/Context: Under the e-Privacy Directive 2002, manufacturers should obtain separate consent for their use of non-strictly-necessary cookies.
Response: Yes / No
Assessment Criteria:
Yes: If there is a pop-up in the app which asks the user to consent to the use of non-strictly-necessary cookies.
Yes: If the user is asked to provide their consent to non-strictly-necessary cookies upon sign-up.
No: If there is no form of consent obtained for non-strictly-necessary cookies.
Logic: Disabled if DT11 is No.
Scoring Impact: Low value applied if Yes.
Are users informed of how they can easily opt out of the use of cookies? | ORC_ERC_EDC_CK07
Further Information
Guidance/Context: Under the e-Privacy Directive 2002, manufacturers are required to ensure it is as easy for users to opt out of their use of cookies as it was for the user to originally opt in.
Response: Yes / No
Assessment Criteria:
Yes: If there is a statement within the privacy policy or in the app about how to opt out of the use of cookies.
No: If the user has not been told how to opt out of the use of cookies.
Logic: Disabled if DT11 is No.
Scoring Impact: Low risk applied if No + multiplier based on the nature of the data collected.
Is the product aimed at children or likely to be used by children? | ORC_ERC_EDC_COP01
Further Information
Guidance/Context: The question aims to identify if the app is targeted at children, as additional security measures should be in place if a minor’s data is being processed.
Response: Yes / No
Assessment Criteria:
Yes: The app has stated it is for child use.
No: The policy is quite clear that the app is aimed at people over 18, or that they will not take data from an under 18.
Logic: Disabled if the app does not collect personal data OR if the app does not share any data OR if the data is only shareable through direct actions by the user.
Scoring Impact: None.
Is the app ‘particularly likely’ to be used by children, even if they are not the primary market for the app? | ORC_D44
Further Information
Guidance/Context: The question aims to identify if the app may collect data from children, as additional security measures should be in place if a minor’s data is being processed.
Response Type: Yes/No
Answer Criteria:
Yes: The app has content which may be appealing to children but does not specify an age range, OR the app is intended to be used by children.
No: If the policy states they will not collect data from under 13s; GDPR still allows the 13-16 age range to provide consent independently.
No: The policy is quite clear that the app is aimed at people over 18, or that they will not take data from an under 18, AND the app does not present any particular content or features that would encourage a minor to attempt to access and use the app.
Logic: Disabled if D01 is No, or DS06 is answered Yes, or if DT13 is answered non-personal.
Scoring Impact: None.
Are users informed of how they can report to the developer any knowledge of a child accessing the app and providing personal data without parental consent? | ORC_DO01
Further Information
Guidance/Context: This question aims to encourage developers to provide the opportunity for people to contact them if they believe a child’s data may have been processed or collected incorrectly or without parental consent.
Response Type: Yes/No
Answer Criteria:
Yes: If there is a statement that specifically details what a user should do to inform the developer.
Yes: If the developer specifically states that if they become aware of a minor/child providing personal data, they will delete this data within a set period of time.
Yes: If the developer explains that the app is offering online preventive or counselling services to children and therefore does not obtain parental consent, as they are legally obliged not to do so.
No: If the policy does not provide any details on how the developer and/or user should respond when they become aware of a minor/child providing personal data.
Logic: Disabled if D01 is No, or DS06 is answered Yes, or if DT13 is answered non-personal.
Scoring Impact: High, Medium or Low risk applied depending on whether D44 is answered Yes and whether the app is designed for a child, pre-teen or teen, with a multiplier applied based on the level of data collected (non-personal, personal, sensitive).
Has a process been designed and put in place that allows children to easily access, understand and exercise their own data protection rights? | ORC_ERC_EDC_COP02
Further Information
Guidance/Context: User rights should be written in a form that the child can understand, so they know what they are agreeing to and the steps they can take to exercise their rights; this applies to users under the age of 13 too.
Response Type: Yes/No
Answer Criteria:
Logic: Disabled if COP01 is No.
Scoring Impact: Low risk applied if No + multiplier based on the nature of the data.
Where consent was the legal basis for processing data at the time the individual was a child, are requests for the erasure of data complied with whenever possible? | ORC_ERC_EDC_COP04
Further Information
Guidance/Context:
Response Type: Yes/No
Answer Criteria:
Logic: Disabled if COP01 is No.
Scoring Impact: Low value applied if Yes.
Have children been consulted when designing this processing practice? | ORC_ERC_EDC_COP05
Further Information
Guidance/Context: This question aims to discover if children were involved in the process of making their user rights easily accessible, understandable and exercisable.
Response Type: Yes/No
Answer Criteria:
Logic: Disabled if COP01 is No.
Scoring Impact: Low value applied if Yes.
Has the privacy policy been written in plain, age-appropriate language? | ORC_ERC_EDC_COP06
Further Information
Guidance/Context: This question aims to discover if the privacy policy has been written in language which is plain and understandable to the app’s target audience.
Response Type: Yes/No
Answer Criteria:
Logic: Disabled if COP01 is No.
Scoring Impact: Low risk applied if No + multiplier based on the nature of the data.
Is consent sought from a responsible parent/guardian? | ORC_ERC_EDC_COP07
Further Information
Guidance/Context: This question aims to identify whether consent for a child’s data use is sought from a responsible parent/guardian.
Response Type: Yes/No
Answer Criteria:
Logic: Disabled if COP01 is No.
Scoring Impact: None.
Does the developer ensure they do not seek parental/guardian consent when providing online preventive or counselling services to children?
ORC_ERC_EDC_COP08
Further Information
Guidance/Context: In order to help protect and safeguard children when providing preventive or counselling services, a developer must ensure that the parent/guardian is not made aware of the child's access to the service, as this could expose the child to harm.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no OR COP07 is yes.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Does the policy specify that the developer will reobtain parental consent should the information collected materially change, the purpose for which information is processed change, or the information be offered to new/different third parties?
ATA_DP15
Further Information
Guidance/Context: Just as consent should be reobtained from any user when the purpose of processing changes (or a new purpose arises), where parental consent has been obtained, the consent of the parent should be reobtained.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no OR COP08 is yes.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Does the developer ensure that parents are able to separately consent to the developer's own internal use of the child's personal information, without having to consent to the disclosure of personal information to third parties?
ATA_DP16
Further Information
Guidance/Context: It is important that separate consent is gained for sharing data with third parties for processing and for the collection of data by the developer for their own internal processing.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no OR COP08 is yes.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Are parents given the option to review the personal information collected from their children?
ATA_DP17
Further Information
Guidance/Context: Since children need a responsible parent or guardian to consent to how their data is being used, the parent is also entitled to the same rights as any user who provides their data.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no OR COP08 is yes.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Does the developer have a process for verifying the identity of the requester before responding to a request?
ATA_DP18
Further Information
Guidance/Context: It is important that the person requesting to view the child's data is who they say they are and is the responsible parent/guardian for that child; otherwise the data could get into the wrong hands.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Medium value applied if yes.

Are parents given the option to revoke consent for the collection and processing of their children's personal information?
ATA_DP19
Further Information
Guidance/Context: Since children need a responsible parent or guardian to consent to how their data is being used, the parent is also entitled to the same rights as any user who provides their data.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Are parents given the option to request that the information collected from their children be deleted?
ATA_DP20
Further Information
Guidance/Context: Since children need a responsible parent or guardian to consent to how their data is being used, the parent is also entitled to the same rights as any user who provides their data.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Are there two separate versions of the privacy policy, one aimed at the child and the other at the responsible parent/guardian?
ORC_ERC_EDC_COP09
Further Information
Guidance/Context: A privacy policy should be written in language that the user can understand; therefore, if the user is a child, there should be an appropriate policy in place which they can understand. Additionally, if a responsible parent/guardian is required to provide consent on behalf of their child, an appropriate policy should be in place which is aimed at this user group.
Response Type: Yes/No
Answer Criteria: No: If only one policy is available.
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Low value applied if yes.

When marketing the product outside of their country of residence, has the developer taken into consideration other jurisdictions' laws regarding children's privacy (e.g. age restrictions)?
ORC_ERC_EDC_COP10
Further Information
Guidance/Context: If the developer intends for the app to be used in other countries, it is important they take into account how a 'child' is defined in that country, as the age threshold can differ between nations.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Does the policy specify the types of personal data that will be collected from children?
ATA_DP21
Further Information
Guidance/Context: Based on the app and privacy policy, see whether the policy specifies what personal data is collected from children.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Does the policy specify how the developer will use the personal data collected from children?
ATA_DP22
Further Information
Guidance/Context: Based on the app and privacy policy, see whether the policy explains how personal data will be used.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Does the policy specify whether such personal data will be shared with advertisers or other third parties?
ATA_DP23
Further Information
Guidance/Context: It is important that the policy is completely transparent about where and with whom the data is shared. This may cause the responsible parent/guardian to reconsider whether the child should be using the app.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLED LOGIC - Disabled if COP01 is no.
Scoring Impact: Low risk applied if no + multiplier based on the nature of the data collected.

Is the user made aware that by following links to third-party websites, the developer's policies no longer apply, and that the user should make themselves aware of the third party's policies?
ORC_D91
Further Information
Guidance/Context: Developers should make users aware that the developer's privacy policy no longer applies on third-party sites and that users should make themselves aware of those third parties' policies. This may also be found in the Terms & Conditions.
Response Type: Yes/No
Answer Criteria:
Yes: The policy mentions that the developer's policy does not extend to third parties and users are advised to make themselves aware of the privacy policies of any third-party site/platform that they visit through the app.
Yes: Users are provided links to the relevant third-party privacy policies.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered Yes.
Scoring Impact: Medium value score applied if D91 has been answered Yes.

Is the user informed of how they can make further enquiries about the company's privacy policy?
ORC_D92
Further Information
Guidance/Context: This question looks to capture whether the user has the ability to contact the developer if they have questions about the privacy policy and the developer's processes.
Response Type: Yes/No
Answer Criteria:
Yes: The user is informed of/given a method of contact for any queries regarding the policy. The contact method must be in the policy, normally found toward the end of the policy.
No: If it says "contact us" but no contact method is given in the policy.
No: If there is no clear statement that directs the user to contact information for the purpose of enquiring about the company's privacy policy/practices.
Logic: DISABLED LOGIC - Disabled if D39a and D39b have not been answered Yes.
Scoring Impact: Medium value score applied if D92 has been answered Yes.

Does the app allow the user to set their preferences for sharing the app's data with or from other apps (e.g. Facebook / Instagram / Fitbit etc.)?
ORC_D06
Further Information
Guidance/Context: This question looks to capture any sharing preferences, including sharing with third parties, not only other apps.
Response Type: Yes/No
Answer Criteria:
Yes: If the app gives the user control over data sharing with individual apps/platforms, i.e. the choice to turn sharing with Google Fit, Instagram, Fitbit etc. on or off.
Yes: If it allows sign-up through Facebook/Google+ or separately with an email address, as this gives the option to sign up with or without sharing with/from other apps/platforms.
No: If the app does not ask permission to share with other apps but does so automatically, even if this is based on user agreement to the privacy policy/T&Cs.
No: If ONLY sign-up with Facebook/Google+ is allowed, i.e. the user has no choice but to do so.
Logic: DISABLED LOGIC - Disabled if DS03 is answered No.
Scoring Impact: Medium value score applied if D06 has been answered Yes.

Is there functionality within the app to allow the user to set their preferences for sharing app data with other users (physicians, caregivers, family, friends, buddies)?
ORC_D27
Further Information
Guidance/Context: This question looks to identify whether users can choose if information is shared with other users. Added control over the user's own data is beneficial for maintaining privacy where appropriate.
Response Type: Yes/No
Answer Criteria:
Yes: The user can choose WHAT is being shared with WHOM on the app.
Yes: If the data is only ever shared with other users through manual user intervention, e.g. users choose to post on a forum/news feed.
No: The app gives no control over who sees what, e.g. an open forum, or "send to all clinicians".
Logic: DISABLED LOGIC - Disabled if DS03 is answered No.
Scoring Impact: Medium value score applied if DS03 has been answered Yes.

Is it strictly necessary for anyone to easily access the personal information that persists on the device? e.g. to access health info during an emergency.
ORC_DO02
Further Information
Guidance/Context: This question is specific to the app on the device it has been downloaded onto, e.g. is there a need to access information stored in the app during an emergency.
Response Type: Yes/No
Answer Criteria:
Yes: If the intended purpose of the app is to provide information to those providing emergency response, in the event that the individual concerned is unable to communicate with the responder.
No: If access is for any other reason, including remote access for clinicians to monitor patients.
Logic: DISABLED LOGIC - Disabled if DS03 is answered No.
Scoring Impact: Medium value score applied if DS03 has been answered Yes.

Are users provided options to introduce additional security measures to protect their data in the app? e.g. setting an additional passcode for access to the app after the device has been unlocked.
ORC_DO03
Further Information
Guidance/Context: Data contained within an app may be private to an individual. Adding security features to the app itself reassures users.
Response Type: Yes/No
Answer Criteria:
Yes: The app allows a passcode to be set, or uses the device's security/unlock mechanism a second time to access the app.
Yes: If there is the option to choose who can see information contained within the user profile, or to set privacy controls on the account.
No: If the user can only set data-sharing controls, such as choosing which apps to share data with.
Logic: DISABLED LOGIC - Disabled if DO02 has been answered Yes.
Scoring Impact: High value score applied if DO03 has been answered Yes.

Does the app use a sign-up/sign-in verification/authentication model?
ORC_DO04
Further Information
Guidance/Context: This question looks to identify whether the user's access/identity is verified in any way. This is important to ensure the person creating the account is who they say they are and has access to the related accounts, e.g. the email address.
Response Type: Yes/No
Answer Criteria:
Yes: If any form of user authentication is used.
No: If the developer has no way, beyond signing in, of verifying that the person creating/accessing an account is the person they claim to be/the owner of the account.
Logic: DISABLED LOGIC - Disabled if DT14 has been answered no.
Scoring Impact: High value score applied if DO04 has been answered Yes.

What type of model is being used?
ORC_DO05
Further Information
Guidance/Context: N/A
Response Type: Multiple Option
Answer Criteria:
· None
· One-step email authentication - if already signed up, check by resetting the password; if an email link is sent to reset it, this is the one.
· Other one-step authentication - e.g. biometric access, PIN number.
· HCP Granted Access/Invite - a referral code, issued by the HCP, is needed to access the app.
· Admin Granted Access/Invite - the healthcare provider grants access to each individual HCP/user.
· SMS authentication - a code is sent to the phone confirming it is you signing in.
· Two-step authentication - use of a separate authenticator app, or a code sent to phone/email whenever you sign into the app, which needs to be confirmed. Also counts if the app uses a second authentication step after the user has clicked an email verification link when signing up, e.g. requests a mobile number and sends a verification code by text.
· Multi-step authentication - any more than two steps.
· Qualification/HCP Registration Check - being able to register as a clinician and having your credentials checked before being accepted as an HCP to provide information to patients.
· Identification Check (e.g. driver's licence, passport) - scan/take photos of ID for sign-up purposes or ID verification, e.g. the NHS app when signing up, or for a clinician to verify that the person they are speaking to is the patient they are supposed to be dealing with.
Logic: DISABLED LOGIC - Disabled if DT14 has been answered no.
Scoring Impact: None
CLINICAL ASSURANCE & SAFETY
Professional Assurance
Validating the safety and efficacy of a Digital Health Technology (“DHT”) is a key part of any assurance process.
The Evidence Standards for Digital Health Technologies Framework ("ESF") was created by the UK's National Institute for Health and Care Excellence ("NICE"). This framework clusters DHTs into relevant Tiers and identifies for each Tier what forms of 'evidence' or 'assurance' are required. It is therefore better to think of the ESF as an Assurance Standards Framework, with evidence being just one of many elements within that digital assurance matrix.
An adapted version of the ESF has been developed over time and has now been adopted in numerous other national and pan-national Digital Health Assessment Frameworks, in areas such as the Nordics, New Zealand, Canada, Israel and the Netherlands.
In addition, the Clinical Evidence section looks for research-backed evidence to support the behavioral change techniques used within the app, and for evidence that the development of the app involved suitably qualified professionals or was validated with recognized organizations or bodies.
Evidence of Effectiveness
This is examined using an Evidence Standards Framework. We conduct an analysis of any evidence available through the Review Resources. If this exists, the app is evaluated against a series of questions to determine the quality of this evidence. We look for:
· a suitable sample size and makeup;
· a p-value of below 0.05 to indicate significance;
· a p-value below 0.2 for near significance; and
· an appropriate comparator.
This is scaled against the NICE Evidence Standards Framework and we look for a higher level of evidence for apps with more complex functionality and higher risk.
What type/s of research article/study about the app is available? Survey, RCT, Pilot study, Observational (Case study, Cross-sectional, Cohort), Meta-Analysis/Systematic Review
ORC_EE02
Further Information
Guidance/Context: The purpose of this question is to identify the evidence that is available. Varying levels of evidence are required to pass the designated ESF tier. Choose all applicable from: survey, RCT, pilot study, observational study (including case study, cross-sectional or cohort), meta-analysis/systematic review, or indicated user acceptance/benefit. The follow-on questions will be answerable for each evidence type chosen.
Response Type: Multiple Choice
Answer Criteria:
· Survey: If the app has gathered information from current users on their outcomes or how they utilize the app, and provides a description of the outcomes.
· Randomized Control Trial: The research paper will state this. An RCT has two (or more) groups of people, where the only major difference should be the treatment they receive, and, as the name suggests, people should be randomly assigned to these groups.
· Pilot Study: A smaller-scale, preliminary study completed first to determine whether a full study is feasible. A case study with no p-value would come under Pilot.
· Observational Study: An experimental or quasi-experimental study which demonstrates relevant outcomes. For example, a cohort study of individuals using a depression app: depression is measured before first use and again after eight weeks, and the two are compared to see if there is any effect. This type also includes cross-sectional studies, which provide a snapshot of people at a certain point in time. For example, people with pre-diabetes may be using an app; at the point in time studied they have not developed type 2 diabetes, so the app may have helped. A case study would come under Observational Study if it has a p-value. A cross-sectional study would come under Observational Study.
· Meta-analysis/Systematic Review: A systematic review refers to the entire process of selecting, evaluating, and collating all available evidence, while a meta-analysis refers to the statistical approach to combining the data derived from a systematic review. For our review, this may be that the evidence provided has pulled together all the studies about an app to provide a single p-value to demonstrate the app's significance.
· Indicated user acceptance/benefit: A statement or other piece of information which indicates a benefit of the app to users, or an indication that the app has undergone a pilot study. Select this option when you are unable to see further evidence that supports the claimed facts or outcomes. For example, the developer website states "9/10 users found their sleep improved", but you cannot see the evidence behind this statement. Testimonials on the developer's website can be accepted, but not app store reviews. Any statement of users benefiting from the app counts.
· None: The assessor could not find any evidence supporting the app's efficacy or functionality.
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying amounts of risk or value applied depending on the defined ESF tier of the app. Higher-tiered apps require more substantial evidence (i.e. an RCT). If this is not identifiable and the app fails the other criteria to pass at its defined ESF tier, more risk is applied. If the evidence is appropriate to the designated ESF tier and the app meets the other criteria to pass its ESF tier, value is applied.

How many pieces of evidence does the app provide?
ORC_EE14
Further Information
Guidance/Context: The assessor is to select the option depending on how many pieces of evidence they have found. For each piece of evidence, up to 5, the following questions must be completed. If there are more than 5, choose the 5 best pieces. If multiple user acceptance statements have been found on one webpage, this counts as 1 piece of evidence.
Response Type: Multiple Option
Answer Criteria: One / Two / Three / Four / Five / More than Five
Logic: DISABLEMENT LOGIC - Disabled if EE02 contains none.
Scoring Impact: There is no scoring impact associated with this question.

How many RCTs and/or observational studies does the app have?
ORC_EE13
Further Information
Guidance/Context: The assessor is to select the number of RCTs and observational studies they found which support the app. For each piece of evidence, up to 5, the following questions must be completed. If there are more than 5, choose the 5 best pieces.
Response Type: Multiple Option
Answer Criteria: One / Two / Three / Four / Five / More than Five
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT OR Observational.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: What category does the evidence relate to?
ORC_EE10
Further Information
Guidance/Context: This is about the ORCHA category to which the app relates. There may be evidence for more than one category; if this is the case, input all that apply.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if EE02 contains none.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: What benefit does the evidence relate to?
ORC_EE11
Further Information
Guidance/Context: This is about the ORCHA benefit to which the app relates. There may be evidence for more than one benefit.
Response Type: Yes/No
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if EE02 contains none.
Scoring Impact: There is no scoring impact associated with this question.

Provide links to the publicly available evidence/published evidence that the developer has provided.
ORC_EE03
Further Information
Guidance/Context: This is a free-text option; the answer should contain the links to the evidence found. Place only one link in each text box.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if EE02 contains none.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Is the sample size appropriate? (Does each sample/group contain at least 30 participants?)
ORC_EE04
Further Information
Guidance/Context: This is about the sample size of any RCT or observational study that has been identified. There are no scoring implications, as this is for data collection only.
Response Type: Yes/No
Answer Criteria:
Yes: If the sample size is equal to or above 30 participants.
No: If the sample size is below 30 participants OR the sample size is not mentioned.
Logic: DISABLEMENT LOGIC - Disabled if EE02 contains none, OR disabled if EE02 does not contain RCT or Observational.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Does the research article found provide a p-value?
ORC_EE05
Further Information
Guidance/Context: This question aims to evaluate the significance demonstrated within the findings of the research provided above. Confidence intervals are also accepted along with p-values, as they too can demonstrate significance.
Response Type: Yes/No
Answer Criteria:
Yes: If the research paper/article provides a p-value or confidence interval (CI). This will likely be found within the abstract and/or results section.
No: If the research paper/article does not provide a p-value.
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Does the p-value demonstrate significance (p<0.05)?
ORC_EE06
Further Information
Guidance/Context: This question is used to indicate whether or not the research article has proven a benefit. There are of course other ways to do this, but the use of a p-value is the most common one. Other situations should be considered on a case-by-case basis.
Response Type: Yes/No
Answer Criteria:
Yes: If the p-value identified is less than or equal to 0.05.
No: If the p-value identified is greater than 0.05.
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational, OR disabled if EE05 is no.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Does the p-value demonstrate near significance (p<0.2)?
ORC_EE12
Further Information
Guidance/Context: ORCHA uses p-values to see if an app has demonstrated a benefit. It is possible that the app has a benefit but, for the purposes of this particular study, has not reached the accepted significance level while coming close. ORCHA uses this question to recognise this.
Response Type: Yes/No
Answer Criteria:
Yes: If the p-value identified is less than or equal to 0.2.
No: If the p-value identified is greater than 0.2.
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational, OR disabled if EE05 is yes and EE06 is no.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Is there a comparator?
ORC_EE07
Further Information
Guidance/Context: The use of a comparator allows a comparison to be made between the app's benefits and something else. This gives context for the benefits that the app may or may not have demonstrated.
Response Type: Yes/No
Answer Criteria:
Yes: If the research article/paper identified has a separate group from the experimental condition. For example, the researcher may be comparing against a baseline taken from the user prior to the intervention. The comparator could be as simple as the paid version of the app vs the free version.
No: If the research article/paper identified has only the experimental condition.
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Is the comparator validated?
ORC_EE08
Further Information
Guidance/Context: The use of a comparator allows a comparison to be made between the app's benefits and something else. This gives context for the benefits that the app may or may not have demonstrated. A validated comparator means a current standard treatment pathway. An example may be a depression app being compared to an antidepressant.
Response Type: Yes/No
Answer Criteria:
Yes: If the research article/paper identified has a separate group from the experimental condition, and the description of that group includes "current standard of care", "usual care" or "treatment as usual".
No: If the research article/paper identified has only the experimental condition, or the paper does not mention "current standard of care", "usual care" or "treatment as usual".
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational, OR disabled if EE07 is no.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Has the research article been published in a journal?
ATA_CE01
Further Information
Guidance/Context: Publication in a journal is an indicator that the research has been checked for scientific reliability.
Response Type: Yes/No
Answer Criteria:
Yes: Examples of journals which the assessor could accept: JMIR, Nature, Lancet, Digital Health, BMJ, JAMA.
No: If the research has not been published in a journal.
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Does the journal use peer review?
ATA_CE02
Further Information
Guidance/Context: If an article has been peer-reviewed, it means that a board of reviewers who are experts in the field have reviewed the article submitted by the researchers for relevance, quality and adherence to scientific standards. Peer review acts as a quality control mechanism.
Response Type: Yes/No
Answer Criteria:
Yes: Examples of leading peer-reviewed journals which the assessor could accept: JAMA, NEJM, Annals of Internal Medicine, Lancet, BMJ, JAMA Internal Medicine, PLOS Medicine and Centers for Disease Control (esp. for infectious diseases).
No: If the research has not been published in a peer-reviewed journal.
Logic: DISABLEMENT LOGIC - Disabled if CE01 is no.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Is the research article supplied a conference poster?
ATA_CE03
Further Information
Guidance/Context: Research may appear in the format of a conference poster. This provides a high-level summary of the research, so some detail around the research may not be available to the reader.
Response Type: Yes/No
Answer Criteria:
Yes: If the research has been summarized to fit on one page for conference purposes.
No: If the research appears in any format other than a conference poster.
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational.
Scoring Impact: There is no scoring impact associated with this question.

For each type of relevant research article: Is the research article self-published only?
ATA_CE04
Further Information
Guidance/Context: Research articles can be self-published, which means the author takes the research through the editorial process themselves. This means it has not gone through the quality control mechanism that a peer-review process provides.
Response Type: Yes/No
Answer Criteria:
Yes: If the research has been published by the author/those involved in writing the article.
No: If the research has been published by a journal.
Logic: DISABLEMENT LOGIC - Disabled if EE02 does not contain RCT or Observational, OR disabled if CE01 is yes.
Scoring Impact: There is no scoring impact associated with this question.

Does the developer provide sufficient evidence that supports all the claimed benefits?
ORC_EE01
Further Information
Guidance/Context: This question aims to discover if there is evidence which backs up the app's claims and intentions. The assessor should refer to what they selected in BF01 - 'What are the claimed or implied benefits of the app?'.
Response Type: Yes/No
Answer Criteria:
Yes: If the evidence found supports all the benefits which you have found/the developer has claimed.
No: If the evidence found supports only some of the claimed benefits, or does not support any benefits at all.
Logic: DISABLEMENT LOGIC - Disabled if EE02 contains none.
Scoring Impact: There is no scoring impact associated with this question.

Does the developer provide sufficient evidence that supports some of the claimed benefits?
ORC_EE09
Further Information
Guidance/Context: This question aims to discover if there is evidence which backs up some, but not all, of the app's claims and intentions. The assessor should refer to what they selected in BF01 - 'What are the claimed or implied benefits of the app?'.
Response Type: Yes/No
Answer Criteria:
Yes: If the evidence found supports some of the benefits which you have found/the developer has claimed.
No: If the evidence found does not support any of the claimed benefits.
Logic: DISABLEMENT LOGIC - Disabled if EE02 contains none OR EE01 is yes.
Scoring Impact: There is no scoring impact associated with this question.
Behavioral Change
There are some scenarios where the app utilizes widely accepted techniques with a breadth of evidence. In this instance, the developer may not deem it appropriate to fund a full randomized controlled trial to demonstrate effectiveness. Therefore we give some value points for fully referencing evidence for the behavioral change techniques used within the app. This is not, however, treated in the same way as where the app has provided direct evidence of its own effectiveness.
Does the app have its own high quality study? (ORC_BCT01)
Guidance/Context: The purpose of this question is to identify evidence that the app has performed its own study on behavior change techniques, which meets the ESF requirements of the tier. This is information gathering, and is more important for the following question, BCT02.
Response Type: Yes/No
Answer Criteria: Yes: If the research article/paper identified is suitable evidence for an app of that ESF tier. For example, if the app is tier Cii on the NICE ESF, and the evidence identified is an RCT, with a significant p value and validated comparator. Tier Ci - needs to be a minimum of an observational study with a comparator and a significant p value/confidence interval. Tier Cii - needs to be an RCT with a significant p value/confidence interval and validated comparator. For any tier below Ci, the app would only need to tick off the Ci requirements to answer this question yes. No: If the research article/paper identified is not a high quality study suitable for an app at that tier. For example, the app is tier Cii on the NICE ESF, but the evidence identified is an observational study that is still ongoing.
Logic: DISABLEMENT LOGIC - Disabled if TS11 does not contain CBT or Preventative Behavior Change.
Scoring Impact: There is no scoring impact associated with this question.

Does the app reference and evidence its behavior change technique? (ORC_BCT02)
Guidance/Context: This question is to differentiate those apps which don’t have a study. If the app does not have its own study and uses a behavior change technique, then this question looks to see if it is referenced. If it is referenced, this allows a small increase in value to the scoring, even though the developer themselves may not have the necessary study demonstrating efficacy of the specific product.
Response Type: Yes/No
Answer Criteria: Yes: If the developer displays research on which the app is based. For example, an app may have built a feature into the app based on other research, or they may refer to a paper about the psychological intervention it is based on, e.g. CBT, “we added these features based on this paper” etc. No: If the developer does not reference or evidence the behavior change technique the app is based on OR if they mention it briefly, but don’t provide specific links.
Logic: DISABLEMENT LOGIC - Disabled if TS11 does not contain CBT or Preventative Behavior Change OR disabled if BCT01 is yes.
Scoring Impact: Medium - High value applied if yes. More value applied if the app is Cii ESF Tier.
Professional Backing
We look for evidence of an appropriate professional being involved in the app's design and development, or of the app having been externally accredited. What counts as a relevant professional depends on the context of the app. For example, for a simple yoga app, we would accept a qualified yoga instructor as a relevant professional, but for a complex clinical solution, we would only accept a relevant qualified physician. External accreditations are wide-ranging, but we would look for an appropriate body, for example, the American Heart Association (AHA) giving an endorsement to a cardiology app.
Is there a suitably qualified professional involved in the development team of the app? (ORC_PB01)
Guidance/Context: This question looks to identify if a relevant professional was part of developing the app; this helps indicate that the information contained within is relevant.
Response Type: Yes/No
Answer Criteria: YES: If there is evidence of a suitably qualified professional being involved with the app. For example, a CBT website displays a psychologist on the “Our team” page of their website. No: If the developer does not reference a suitably qualified professional OR it is not clear what role they play. For example, a psychologist is named, but it is unclear whether they simply use the app, or were involved in the development.
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying value based on ESF tier of app. Value is not awarded for both PB01 and PB02.

Who was the suitably qualified professional involved, and what are their qualifications? (ATA_PB02)
Guidance/Context: This question looks to identify if a relevant professional was part of developing the app; this helps indicate that the information contained within is relevant.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if PB01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the organization behind the app have relevant credentials? (ORC_PB02)
Guidance/Context: This question generally looks to assist larger organizations that may not have the ability or practicality to name individuals involved in the creation of the app.
Response Type: Yes/No
Answer Criteria: Yes: If the app is made by an institution that is believed to have the relevant experience. For example, the app is produced by the CDC. No: If the app does not have any relevant credentials, and was simply produced by a development company.
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying value based on ESF tier of app. Value is not awarded for both PB01 and PB02.

Who was the recognized or national health body involved in the development of the app? (ATA_PB03)
Guidance/Context: This question generally looks to assist larger organizations that may not have the ability or practicality to name individuals involved in the creation of the app.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if PB02 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is there evidence of an endorsement by a relevant body? (ORC_PB03)
Guidance/Context: This question helps provide assurance that the app works as intended from any endorsements that can be seen from relevant healthcare bodies.
Response Type: Yes/No
Answer Criteria: YES: If there is evidence of any sort of accreditation by any sort of relevant organization, or professional body. For example, a diabetes app with an endorsement from the National Diabetes Foundation. NICE, FDA approval and ISO 13485 would be sufficient here. No: If the app does not have any relevant endorsements OR if the endorsement is from an individual, rather than an organization or body OR if the organization endorsing the app is in some way involved with the development/content of the app.
Logic: There is no disablement logic written for this question.
Scoring Impact: High value applied if yes.

Which relevant body has endorsed the app? (ATA_PB04)
Guidance/Context: This question helps provide assurance that the app works as intended from any endorsements that can be seen from relevant healthcare bodies.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if PB03 is no.
Scoring Impact: There is no scoring impact associated with this question.

Has the app been adopted by a relevant healthcare organization within the US? (ATA_PB01)
Guidance/Context: This question helps provide assurance that the app works as intended if healthcare organizations have adopted the app and are using the app.
Response Type: Yes/No
Answer Criteria: Yes: If on the app’s website there are statements that the app has been adopted and used within X organization. Also yes if an organization has promoted the app on its own website and stated it has adopted it within the organization. Web articles stating an organization's adoption or use would also be acceptable. No: If there’s no evidence publicly available which states the app has been adopted within a relevant healthcare organization.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Which US healthcare organization has adopted the app? (ATA_PB06)
Guidance/Context: This question helps provide assurance that the app works as intended from any endorsements that can be seen from relevant healthcare bodies.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if PB03 is no.
Scoring Impact: There is no scoring impact associated with this question.

Are organizations using the app? (ORC_PB04)
Guidance/Context: This question helps provide assurance that the app works as intended if healthcare organizations have adopted the app and are using the app.
Response Type: Yes/No
Answer Criteria: Yes: If there is evidence (can be a statement) of any sort of relevant organization using the app. For example, the website may display that the platform is used by a CCG, or display the relevant logos. No: If it is not clear any organizations are using the app OR if a person references their position in an organization, but doesn’t make it clear it is organizational use.
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying value if yes based on ESF tier of app.

Which relevant organizations are using the app? (ATA_PB05)
Guidance/Context: This question helps provide assurance that the app works as intended if healthcare organizations have adopted the app and are using the app.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if PB04 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is there a statement that it has been positively evaluated or validated by a relevant healthcare professional? (ORC_PB05)
Guidance/Context: If a healthcare professional is willing to positively evaluate an app using their own name/qualifications, it provides assurance that the app works as expected.
Response Type: Yes/No
Answer Criteria: Yes: If there is evidence of any sort of testimonial or accreditation by any sort of relevant individual (external to the company). For example, a diabetes app accredited by a diabetologist. No: If the app does not have any relevant endorsements OR if the endorsement is from an organization or body, rather than an individual.
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying value based on ESF tier of app.

Please specify who the relevant experts are and what qualifications they hold. (ORC_AE17)
Guidance/Context: For data collection purposes, please record who the relevant expert is. Where possible the qualifications of the professional should be validated.
Response Type: Free text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if PB05 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is there evidence within the app that the developer has validated any guidance with relevant reliable information sources or references? (ORC_PB06)
Guidance/Context: The point of this question is to establish whether the information provided comes from a relevant and reliable source (can be a qualified person/organization/citation of an original journal article).
Response Type: Yes/No
Answer Criteria: Yes: If a link to a source is provided - even if the link can’t be clicked, if you can type it in and it’s valid then yes OR if the developer uses a well established tool, which they reference (GAD-7, PHQ-9 etc.) OR if the developer links to external information, which comes from a reputable outside source (NHS Choices, PHE etc.). No: If the app does not have any relevant guidance which has been validated, either in the form of references, or using clearly named clinical calculators.
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying value based on ESF tier of app.

Is there any evidence within the app that the developer has validated the information, advice or guidance with relevant and appropriate academic studies or relevant academic expert input? (ORC_AE03)
Guidance/Context: The point of this question is to establish whether the information provided comes from a relevant and reliable source (can be a qualified person/organization/citation of an original journal article). US-centric sources for clinical evidence and professional credibility:
Response: Yes/No
Assessment Criteria: YES: If a link to a source is provided - even if the link can’t be clicked, if you can type it in and it’s valid then yes OR if the developer uses a well established tool, which they reference (GAD-7, PHQ-9 etc.) OR if the developer links to external information, which comes from a reputable outside source, e.g. websites sponsored by federal government agencies or well known medical schools (CDC, Mayo Clinic etc.). NO: If the app does not have any relevant guidance which has been validated, either in the form of references, or using clearly named clinical calculators.
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying value based on ESF tier of app.
ORCHA Adapted ESF Compliance
The first part of this section assesses which ESF Tier the app falls under, and is non-scoring. The second part assesses whether the app meets the requirements of that Tier. Compliance with the ESF is determined by the app answering positively to all questions that have been flagged as a requirement for its Tier of the ESF and all Tiers below.
Is the app Tier A? (ORC_ESF01)
Guidance/Context: Classification for tiering of an app is defined by the scene setter questions asked to help assess the functions and features of an app.
Response Type: Yes/No
Answer Criteria: Yes: To be classified as a Tier A app it must: Have met none of the requirements for any other tier & provide no patient outcomes. E.g. be an administration app.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is the app Tier Bi? (ORC_ESF02)
Guidance/Context: Classification for tiering of an app is defined by the scene setter questions asked to help assess the functions and features of an app.
Response Type: Yes/No
Answer Criteria: Yes: To be classified as a Tier Bi app it must: Provide information or guidance/context (I01 is yes).
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is the app Tier Bii? (ORC_ESF03)
Guidance/Context: Classification for tiering of an app is defined by the scene setter questions asked to help assess the functions and features of an app.
Response Type: Yes/No
Answer Criteria: Yes: To be classified as a Tier Bii app it must: Do none of the things listed in Ci/Cii & be a standard self management app as defined by the scene setter questions (MN04). Example: an app that is simple monitoring with a specific condition focus OR complex monitoring with a wellbeing and general health focus, as defined by the scene setter questions.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is the app Tier Ci? (ORC_ESF04)
Guidance/Context: Classification for tiering of an app is defined by the scene setter questions asked to help assess the functions and features of an app.
Response Type: Yes/No
Answer Criteria: Yes: To be classified as a Tier Ci app it must: Do none of the things listed in Cii.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is the app Tier Cii? (ORC_ESF05)
Guidance/Context: Classification for tiering of an app is defined by the scene setter questions asked to help assess the functions and features of an app.
Response Type: Yes/No
Answer Criteria: Yes: To be classified as a Tier Cii app it must: Diagnose a condition (DG02 is yes).
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Tier A requirements? (ORC_ESF06)
Guidance/Context: The app has met Tier A requirements if the app has: Evidence of a survey, pilot study, meta-analysis, RCT, observational study, or other indicated user acceptance/benefit (EE02 does not contain none).
Response Type: Yes/No
Answer Criteria: Yes: If the app has fulfilled the requirements listed in the guidance.
Logic: There is no disablement logic written for this question.
Scoring Impact: High risk if no or high value if yes + multiplier for value applied based on evidence available.

Tier Bi requirements? (ORC_ESF07)
Guidance/Context: The app has met Tier Bi requirements if the app has all of the following criteria: Evidence that the developer has validated the information, advice or guidance/context with relevant academic expert input (PB01 or PB02 or PB06 is yes).
Response Type: Yes/No
Answer Criteria: Yes: If the app has fulfilled the requirements listed in the guidance.
Logic: There is no disablement logic written for this question.
Scoring Impact: High risk if no or high value if yes + multiplier for value applied based on evidence available.

Tier Bii requirements? (ORC_ESF08)
Guidance/Context: The app has met Tier Bii minimum requirements if the app has: Evidence that the developer has validated the information, advice or guidance/context (PB01 or PB06 is yes). NB - If an app has met Tier A, Tier Bi AND Tier Ci requirements, then the app will have met Bii requirements.
Response Type: Yes/No
Answer Criteria: Yes: If the app has fulfilled the requirements listed in the guidance.
Logic: There is no disablement logic written for this question.
Scoring Impact: High risk if no or high value if yes + multiplier for value applied based on evidence available.

Tier Ci requirements? (ORC_ESF09)
Guidance/Context: The app has met Tier Ci requirements if it has: Evidence of an RCT (EE02 answer includes RCT) which has a significant p value (EE06 is yes).
Response: Yes/No
Assessment Criteria: Yes: If the app has fulfilled the requirements listed in the guidance.
Logic: There is no disablement logic written for this question.
Scoring Impact: High risk if no or high value if yes + multiplier for value applied based on evidence available.

Tier Cii requirements? (ORC_ESF10)
Guidance/Context: The app has met Tier Cii minimum requirements if it has: Evidence of an RCT (EE02 answer includes RCT) which has a significant p value (EE06 is yes).
Response Type: Yes/No
Answer Criteria: Yes: If the app has fulfilled the requirements listed in the guidance.
Logic: There is no disablement logic written for this question.
Scoring Impact: High risk if no or high value if yes + multiplier for value applied based on evidence available.

Does the app have appropriate evidence for the ESF tier? (ORC_ESF11)
Guidance/Context: Use the above questions as a guide to determine the answer. If no, provide an explanation why.
Response Type: Yes/No
Answer Criteria: Yes: If the app has met its own tier, plus those below, as the requirements are cumulative. No: If the app has not fulfilled the requirements of its own tier. No: If the app has met only the requirements at its own tier and not those below.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

| Functionality or Purpose of DHT | Examples | Assurance of quality provided by the following (described in more detail below this chart) |
|---|---|---|
| Tier A | | |
| Tier Bi | | |
| Tier Bii | Activity tracker with reminders. | |
| Tier Ci | DHT which logs your manually entered blood sugar levels, and provides insights regarding whether you are controlling your diabetes better or worse than last month. | |
| Tier Cii | Medical devices as classified by the FDA. | |
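The cumulative ESF check described in ESF06 to ESF11 is easy to get wrong by hand (an app can satisfy its own tier and still fail a lower one), so here is a worked evaluator added for this page. It is not ORCHA's or the ATA's own tooling: the per-tier rules are transcribed from the guidance above, the tier itself (the ESF01 to ESF05 outcome) is passed in rather than derived, and the sample answer sets are constructed for illustration.

```python
"""Added worked example: evaluates the ORCHA-adapted ESF requirement questions
ESF06-ESF11 cumulatively. Not ORCHA/ATA code; rules transcribed from the page,
tier classification (ESF01-ESF05) is an input, sample data is constructed."""
from dataclasses import dataclass

# Tiers in ascending order; requirements are cumulative (ESF11).
TIER_ORDER = ("A", "Bi", "Bii", "Ci", "Cii")


def _yes(answers: dict, qid: str) -> bool:
    """A Yes/No question counts as 'yes' only when explicitly answered True."""
    return answers.get(qid) is True


def _evidence_types(answers: dict) -> set:
    """EE02 is a multi-select of evidence types; an absent answer means 'none'."""
    return {v.strip().lower() for v in answers.get("EE02", ["none"])}


def meets_tier_a(answers: dict) -> bool:
    # ESF06: EE02 does not contain "none".
    return "none" not in _evidence_types(answers)


def meets_tier_bi(answers: dict) -> bool:
    # ESF07: PB01 or PB02 or PB06 is yes.
    return any(_yes(answers, q) for q in ("PB01", "PB02", "PB06"))


def meets_tier_ci(answers: dict) -> bool:
    # ESF09: EE02 includes RCT and EE06 (significant p value) is yes.
    return "rct" in _evidence_types(answers) and _yes(answers, "EE06")


def meets_tier_cii(answers: dict) -> bool:
    # ESF10 states the same minimum requirement as ESF09.
    return meets_tier_ci(answers)


def meets_tier_bii(answers: dict) -> bool:
    # ESF08: PB01 or PB06 is yes. NB: an app that has met Tier A, Bi AND Ci
    # requirements is also treated as having met Bii.
    direct = _yes(answers, "PB01") or _yes(answers, "PB06")
    via_nb = meets_tier_a(answers) and meets_tier_bi(answers) and meets_tier_ci(answers)
    return direct or via_nb


TIER_CHECKS = {
    "A": meets_tier_a,
    "Bi": meets_tier_bi,
    "Bii": meets_tier_bii,
    "Ci": meets_tier_ci,
    "Cii": meets_tier_cii,
}


@dataclass
class EsfResult:
    tier: str
    met: dict          # tier -> bool, for the app's own tier and every tier below
    compliant: bool    # the ESF11 answer: every required tier met

    @property
    def unmet(self) -> list:
        """Tiers whose requirements failed; the explanation ESF11 asks for on 'no'."""
        return [t for t, ok in self.met.items() if not ok]


def evaluate_esf11(tier: str, answers: dict) -> EsfResult:
    """ESF11: yes only if the app meets its own tier and all tiers below it."""
    if tier not in TIER_ORDER:
        raise ValueError(f"unknown ESF tier: {tier}")
    required = TIER_ORDER[: TIER_ORDER.index(tier) + 1]
    met = {t: TIER_CHECKS[t](answers) for t in required}
    return EsfResult(tier=tier, met=met, compliant=all(met.values()))


# Constructed sample answer sets (hypothetical, not real assessments).
SAMPLES = {
    # Tier Ci app with an RCT and an organisational credential but no named
    # professional: Bii is met only through the NB rule (A + Bi + Ci).
    "rct_backed_ci": ("Ci", {"EE02": ["RCT", "Observational"], "EE06": True,
                             "PB01": False, "PB02": True, "PB06": False}),
    # Tier Cii app whose only evidence is an observational study: fails Ci/Cii.
    "observational_cii": ("Cii", {"EE02": ["Observational"], "EE06": False,
                                  "PB01": True}),
    # Tier Bi app with professional backing but no evidence at all: meets its
    # own tier yet fails Tier A below it, so ESF11 is "no".
    "no_evidence_bi": ("Bi", {"EE02": ["none"], "PB01": True}),
}


if __name__ == "__main__":
    for name, (tier, answers) in SAMPLES.items():
        r = evaluate_esf11(tier, answers)
        print(f"{name}: tier {r.tier} compliant={r.compliant} unmet={r.unmet}")
```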
Medical Devices
Is the product a medical device, as defined by the FDA? (ATA_MD01)
Guidance/Context: The question aims to identify if the app in question is a medical device based on the FDA guidance: if the app is intended to prevent (MD01), compensate (MD07), monitor (MN05 AND MN08) or alleviate (TS15) an illness, injury or handicap. Also, if the app diagnoses (PD01 AND DG02 are yes, and DG05 is yes and DG09 is no OR DG06, DG07 and DG08 are yes), or if TS10 is yes. If the app is intended to control conception (MD08 is yes, CC01 and CC02 are yes, and CC03 OR CC04 is yes).
Response Type: Yes/No
Answer Criteria: Yes: If the app fulfills the above guidance and is a medical device.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Has the app been FDA approved? (Food and Drug Administration) (ORC_FDA01)
Guidance/Context: The question is looking for whether the FDA has approved a premarket approval (PMA) application, or a Humanitarian Device Exemption (HDE) application. This is for class III medical devices (highest risk) and involves a more rigorous review than the 510(k) review process.
Response Type: Yes/No
Answer Criteria: YES: If an app has been APPROVED by the FDA.
Logic: There is no disablement logic written for this question.
Scoring Impact: High value applied if yes AND DE01 contains Other or None.

Has the app been FDA cleared? (ORC_FDA02)
Guidance/Context: FDA CLEARANCE means that an app uses a feature/algorithm which itself has been FDA approved, and the app has been cleared to use the same feature, which functions as it should do.
Response Type: Yes/No
Answer Criteria: YES: If an app has been CLEARED by the FDA.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.
Safety/Risk Management
It is proposed that the assessment looks for any safeguarding measures in the communication functions of the app, if relevant.
Is there a statement or any evidence showing that appropriate safeguarding measures are in place around peer-support and other communication functions within the platform? (Tier Bi requirement - only asked of apps that require such measures because of their functional capabilities/intended purpose) (ORC_AE13)
Guidance/Context: This question is a Tier Bi and above requirement. It is only asked of apps that require such measures because of the functional capabilities/intended purpose of the app.
Response Type: Yes/No
Answer Criteria: YES: If there is an internal forum and the content is moderated, or guidelines are set out, or it is monitored OR there is a full policy in place specific to a forum OR if two-way communication occurs and the data is protected/encrypted OR if there is a registration process where you use a HCP number OR if it is made clear that communication is only with a registered HCP.
Logic: DISABLEMENT LOGIC - Disabled if there are no communication functions on the app OR disabled if there is no way for a HCP to access user data.
Scoring Impact: High-Medium value applied if yes based on the ESF tier the app’s classified as. Varying risk value applied if no based on the ESF tier the app’s classified as.

Does the developer clearly identify who the app should be used by? (ORC_S01)
Guidance/Context: The question is looking for a statement or other evidence showing who the app is intended for, or whether there are any demographics who should not use it.
Response Type: Yes/No
Answer Criteria: YES: If a developer tells us who the app SHOULD or SHOULD NOT be used by. Can be specific or general, e.g. for 18 years+, for anyone who undertakes physical activity, etc. No: If the app does not tell us who the app SHOULD or SHOULD NOT be used by.
Logic: There is no disablement logic written for this question.
Scoring Impact: Low value applied if yes.

Does the developer clearly identify who the app should not be used by? (ATA_CS01)
Guidance/Context: The question is looking for a statement or other evidence showing who the app is not intended for, or whether there are any demographics who should not use it.
Response Type: Yes/No
Answer Criteria: YES: If a developer tells us who the app SHOULD NOT be used by. Can be specific or general, e.g. not appropriate for anyone under 16 years. No: If the app does not tell us who the app SHOULD be used by.
Logic: There is no disablement logic written for this question.
Scoring Impact: Low value applied if yes.

Does the developer publish their clinical risk management processes? (ORC_S02)
Guidance/Context: It is understood that risk management documents may contain company sensitive information. Therefore documents do not have to be made publicly available but could be made available upon request, or there could be a detailed explanation of the process involved within the developer’s risk management process.
Response Type: Yes/No
Answer Criteria: YES: If there is evidence of a risk management process. This may be in the form of a hazard log or safety case, and will likely be made available through the website, if available at all. No: If the developer does not clearly display their risk management processes.
Logic: There is no disablement logic written for this question.
Scoring Impact: Low value applied if yes.

Does the developer make clear the risks associated with using the app? (ORC_S03)
Guidance/Context: This question provides context to the user to make an informed decision about the risks associated with the app, and whether a user would still want to use it.
Response Type: Yes/No
Answer Criteria: YES: If the developer defines clearly what possible risks there are to a user - this may be in the form of a hazard log or safety case, or a disclaimer highlighting the risks. No: If the developer does not clearly display the risks associated with their app. A disclaimer highlighting that information in the app is not medical advice, or something along those lines, is not suitable to meet these requirements.
Logic: There is no disablement logic written for this question.
Scoring Impact: Low value applied if yes.

Is there a way for the user to confirm that the data input is accurate? (ORC_S04)
Guidance/Context: This question is looking to identify what validation is applied to data inputted by the users. It is looking to see if the app checks for erroneous data; this helps ensure the safety of the app by not allowing miscalculations from inputted data.
Response Type: Yes/No
Answer Criteria: YES: If, when data is being entered, the app requires confirmation. For example, if a user were to input 5000 mmol/l for glucose readings, does it ask for confirmation? If the app uses sliders to restrict data entry parameters then this would also be a yes. It should be noted that this should somehow be related to the app function, rather than other data input. No: If the developer does not ask the user to confirm input.
Logic: DISABLEMENT LOGIC - Disabled if MN01 contains None.
Scoring Impact: Low risk applied if no + multiplier based on functionality complexity.

Does the app have a clinical person responsible for patient safety risks? (ATA_CS02)
Guidance/Context: A person responsible for the management of the clinical risk processes, ensuring that any patient safety risks have been mitigated and appropriate controls and safety procedures are being followed.
Response Type: Yes/No
Answer Criteria: YES: If there is evidence of a responsible person, anywhere within the app or associated sites/documentation. The responsible person should have the relevant experience and expertise, for example, previously or currently qualified as a doctor, or psychologist etc. No: If the developer does not clearly name a responsible person acting in this position. No: If the responsible person does not have a relevant background to account for patient safety risks.
Logic: There is no disablement logic written for this question.
Scoring Impact: Medium risk applied if no.

Is there a way for users to submit safety concerns? (ATA_CS03)
Guidance/Context: A way for users to submit concerns they have around the safety of the app. This is different from the user being able to submit technical issues.
Response Type: Yes/No
Answer Criteria: YES: If the developer specifically states that the user can submit safety concerns. They would also need to provide an email address, an eTicket service or another form of contact method for safety concerns. No: The developer only makes available a process where the user can submit technical issues.
Logic: There is no disablement logic written for this question.
Scoring Impact: Low value applied if yes.
USABILITY AND ACCESSIBILITY
Design and Development
This considers the design and development of the app and whether it follows any recognized app design standards, such as W3C, WCAG 2.0 AA, WCAG 2.1 AA, ISO 9241, Apple HIG, or Android App Quality Guidelines. The review also considers whether there was any user involvement during the development of the app, user involvement in testing, or whether any features were based on user feedback.
Is there a statement about user feedback during design/development? (ORC_DT01)
Guidance/Context: This question is to determine if relevant users/user feedback have been considered in the design of the app - BEFORE or AFTER the app was released.
Response Type: Yes/No
Answer Criteria: YES: If the developer has added features based on user feedback, and states what has changed. This can be before or after the app was published, but changes must have been made. If the app was designed by the developer to remedy a problem they were suffering, or caring for someone suffering. If an app is developed by doctors, for doctors. If the app makes changes based on data collected, or users updating a database, e.g. MyFitnessPal. If the app has undergone a survey/pilot study involving users, and changes were made based on the outcomes. NO: If the app states “may add features based on feedback” - it needs to state which specific features were added.
Logic: There is no disablement logic written for this question.
Scoring Impact: Low value applied if yes.

Is there any evidence of user involvement in testing? (ORC_DT02)
Guidance/Context: This question is to determine if there is any evidence that users have tested, or provided feedback on, the app AFTER it was released.
Response Type: Yes/No
Answer Criteria: YES: If there is a case study on the developer website. If there was a beta version of the app available before the app went live. If user feedback is shown on the website showing the app has been beneficial to users (e.g. 87% of patients have shown improvement from using the app). Any other evidence of user testing rather than opinions from the general public. Any evidence of indicated user benefit (if you have selected this in EE02). No: If the only user feedback is from app store reviews.
Logic: DISABLEMENT LOGIC - Disabled if CUS01 AND CUS02 are no.
Scoring Impact: Medium value applied if yes.

Was there evidence of a cross-section of society included? (ATA_UA01)
Guidance/Context: This question aims to establish whether a wide range of users/user groups/potential users were considered within the design and development of the product. If user testing was carried out, was it carried out with a cross-section of society, rather than a select or pre-defined group of users? This is to ensure that multiple perspectives were considered in the design and development of the product.
Response: Yes/No
Assessment Criteria: YES: Evidence that testing has been done with a good sample of intended users - e.g. various age groups, communities, conditions (if the app is not condition specific) or co-morbidities.
Logic: DISABLEMENT LOGIC - Disabled if DT01 and DT02 are no.
Scoring Impact:

Is there any evidence that user feedback is considered? (ATA_UA02)
Guidance/Context: It’s important that developers respond to user feedback, and continuously update/improve their product based on this feedback, for the user’s benefit. It’s one thing to receive user feedback - this question is to establish what the developer intends to do with it, and if the user feedback is reflected in future updates.
Response: Yes/No
Answer Criteria: Yes: Evidence that relevant user comments and feedback are considered during updates. Yes: Evidence that user complaints are recorded and responded to.
Logic: There is no disablement logic written for this question.
Scoring Impact: Medium value applied if yes.
Accessibility
Accessibility is important to consider, as the app should be accessible to all users regardless of their specific needs. The review considers whether the app is customizable to suit certain needs, such as poor sight or hearing impairments. If the app uses any specialist or medical terms, these should be clearly explained to the user.
Is there a statement within the app outlining compliance with any currently recognized app design standards? (ORC_DE01)
· WCAG 2.0 AA
· WCAG 2.1 AA
· ISO 9241
· Apple HIG
· Android App Quality Guidelines
Further Information
Guidance/Context: This information is likely to be found in the accessibility statement; it may also be found in the about section within the app or on the developer website. Choose from the available options, or click none if none apply.
Response Type: Multiple Choice
Answer Criteria:
· W3C
· WCAG 2.0 AA
· WCAG 2.1 AA
· ISO 9241
· Apple HIG
· Android App Quality Guidelines
· Other (please specify)
· None
Logic: There is no disablement logic written for this question.
Scoring Impact: High value applied if W3C, WCAG 2.0 AA, WCAG 2.1 AA, ISO 9241, Apple HIG or Android App Quality Guidelines is selected.

Can the user change the font size in-app/does the app respond to device preferences? (ORC_U04)
Further Information
Guidance/Context: This is a key aspect for improving the accessibility of apps to demographics with accessibility needs.
Response Type: Yes/No
Answer Criteria:
YES:
· The app responds to font size changes in the device, or the font size can be changed from within the app.
Logic: DISABLEMENT LOGIC - Disabled if CUS01 AND CUS02 are no.
Scoring Impact: Low value applied if yes.

Does the app provide support for users with poor sight? (ORC_U07)
Further Information
Guidance/Context: This question aims to address whether the app developer has considered the accessibility needs of people with perceptual impairments, specifically poor sight, e.g. blind, color blind, poor vision.
Response Type: Yes/No
Answer Criteria:
YES:
· If the app provides audio description, or visual descriptions of pictures.
· If the app uses VoiceOver (iOS) or Text to Speech (Android).
· If there is the ability to change the font size, zoom in, or make color adjustments.
Logic: DISABLEMENT LOGIC - Disabled if CUS02 is no.
Scoring Impact: Medium value applied if yes.

Does the app provide support for users with hearing difficulty? (ORC_U08)
Further Information
Guidance/Context: This question aims to address whether the app developer has considered the accessibility needs of people with perceptual impairments, specifically poor hearing, e.g. deafness, or hard of hearing.
Response Type: Yes/No
Answer Criteria:
YES:
· If the app provides audio description and you can adjust the volume of Text to Speech/VoiceOver (if using the in-built text to speech on iOS and Android, the volume can be adjusted).
· If subtitles are available for video/audio/in-game dialogue.
Logic: DISABLEMENT LOGIC - Disabled if CUS02 is no.
Scoring Impact: Medium value applied if yes, or medium risk applied if no.

Has the product been through FDA approval and therefore meets FDA Usability guidelines? (DHAF_UA04)
Further Information
Guidance/Context: The DHAF is interested in whether the app has been FDA approved, as there are many usability standards in this approval process. FDA approval would therefore give a reasonably confident view of the app’s usability.
Response Type: Yes/No
Answer Criteria:
YES:
· If the app provides audio description and you can adjust the volume of Text to Speech/VoiceOver (if using the in-built text to speech on iOS and Android, the volume can be adjusted).
· If subtitles are available for video/audio/in-game dialogue.
Logic:
Scoring Impact:
Usability
This also ties into the usability of the app, including further customization options. The review identifies whether the app has any functions to aid navigation, such as a home button, back button, help button or search feature. If the app utilizes push or email notifications, the review identifies whether the user has options to manage these for their own preference or privacy, both at the app level and at the device level. Finally, any bugs identified during the review will be flagged. If the app contains a forum, then we look for a statement to ensure that forum content is moderated.
Can the user change the presentation theme? (ORC_U06)
Further Information
Guidance/Context: This question is looking to see if the app developer has considered accessibility needs for a breadth of audiences, i.e. not specific to certain impairments, or whether they have considered the usability/customization of the product. Allowing users to tailor an app to their own preferences/needs increases usability and accessibility - for example, if they can change the language to their preferred language, change the units to something more understandable, or change the color scheme to something easier on their vision.
Response Type: Yes/No
Answer Criteria:
YES:
· If any visible changes can be made which are not otherwise mentioned.
Logic: DISABLEMENT LOGIC - Disabled if CUS01 is no.
Scoring Impact: Low value applied if yes.

Does the app include the following functions? (ORC_U32)
· Home/Menu button
· Back button
· Help/About button
· Search button
Further Information
Guidance/Context: By having familiar buttons such as home/help/search/about, users can more easily navigate the app, as users will be familiar with things such as a magnifying glass representing the search feature.
Response Type: Multiple Choice
Answer Criteria:
· Home: A button from any page back to the original page the app opens on. This should be accessible from all pages.
· Back: The ‘back’ button on an Android phone does not count; it must be in-app.
· Help: A tutorial, or how to use the app or certain features.
· Search: A search bar, or any other way to filter and find information.
· None
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Are any medical, specialist or technical terms explained clearly to the user? (ORC_U15)
Further Information
Guidance/Context: This question is to improve the accessibility of the product, ensuring the app developer has considered the needs of users who may have a lower digital literacy, a lower reading level, or a lack of specialist knowledge. Explaining all key terms improves the accessibility of the product, regardless of knowledge level.
Response Type: Yes/No
Answer Criteria:
YES:
· An instruction of how to do an exercise, even if it’s a picture.
· A glossary, or any definition of specialist terms (only 1 definition is needed).
Logic: DISABLEMENT LOGIC - Disabled if no information is provided on the app, the app does not constitute a medical device, and no health/wellness monitoring occurs on the app.
Scoring Impact: Medium value if answered yes.

Does the user have options to manage the notification settings (push/email) within the app for convenience/privacy? (ORC_D31)
Further Information
Guidance/Context: This functionality would allow users to control and manage their notifications, which increases the likeability/usability of the product. Apps which show notifications/pop-ups with sensitive information may not be preferable to a user if they have no way to disable this. Additionally, it can be simply annoying.
Response Type: Yes/No
Answer Criteria:
YES:
· If there is the ability to toggle notifications, or choose the time they are sent, from within the app.
Logic: DISABLEMENT LOGIC - Disabled if D29 is no and D30 is no.
Scoring Impact: Low value applied if answered yes.

Does the app inform the user how to manage notification settings for convenience/privacy (to prevent info being shown if the device is locked but on show)? (ORC_D32)
Further Information
Guidance/Context: This is related to how a user can control notifications via the device settings. The previous question is within the app; this question is focused on the device level. This helps ensure that no information that may be private to the user is shown on the lock screen. iOS does this by default with the notifications pop-up that appears upon initial opening of an app, so the purpose of this question is to target apps which are downloadable on Android platforms.
Response Type: Yes/No
Answer Criteria:
YES:
· If you can control the privacy of notifications. This is almost always yes for iOS (if it sends a pop-up), and almost always no for Android.
· Android - If they provide instructions on how to disable notifications within the device settings.
Logic: DISABLEMENT LOGIC - Disabled if D29 is no and D30 is no.
Scoring Impact: Low value applied if answered yes.

Was there any evidence of bugs during review? (ORC_U23)
Further Information
Guidance/Context: If a bug is identified it should be assessed by another person/device to confirm. If a bug is confirmed then the Developer should be notified.
Response Type: Yes/No
Answer Criteria:
YES:
· If the app crashes or shuts down.
Logic: There is no disablement logic written for this question.
Scoring Impact: High risk applied if yes.
Support
Support is a key area of this section, as it is important that users are informed of ways in which they can contact the developer should they have any problems or questions with the app. The review also identifies what type of support is offered to users, and if there is a commitment from the developer to respond to any user queries. We would expect to see the type of support offered is appropriate to the app level - a higher level app would therefore require a more sophisticated offer of user support.
If there is a forum, is there a statement within the app that the forum content is moderated? (ORC_FC03)
Further Information
Guidance/Context: If there is a forum, or any peer communication between users, it is important that there is moderation, guidelines or safeguards in place to protect users from harmful or incorrect content. This introduces an element of safety to ensure the users aren’t exposed to false information in relation to their health. Many users will feel more comfortable using forums if they know the content is moderated.
Response Type: Yes/No
Answer Criteria:
YES:
· If there is mention of moderation, community guidelines, or if users are asked to report offensive material.
NO:
· If there is a statement about the risks of following third party links and no mention of the above.
Logic: DISABLEMENT LOGIC - Disabled if there is no internally hosted forum or community.
Scoring Impact: Medium risk applied if yes.

Is there a statement about how to report issues to the developer? (ORC_U24)
Further Information
Guidance/Context: Users should be able to raise any issues easily with developers. This can be identified either within the app or on the developer website. It needs to be clear that the contact details are for the app, or that the website is for the app only.
Response Type: Yes/No
Answer Criteria:
YES:
· If a contact method is provided within the app, or on the accompanying website.
NO:
· If the only way to contact is to provide an app store rating.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Is there a statement about how users can raise a query about their healthcare? (ATA_UA07)
Further Information
Guidance/Context: There should be different types of support depending on the query, so the user is directed to the right person. For instance, technical queries can often be addressed by the developer, whereas healthcare queries should be addressed by a relevant professional.
Response Type: Yes/No
Answer Criteria:
YES:
· If the app or website provides detail or directs the user to suitable support in relation to their healthcare or condition.
NO:
· If the only support the app offers is technical/in relation to the app.
· If the app states, for example, ‘we are not qualified to provide medical advice, please consult your physician’.
Logic: There is no disablement logic written for this question.
Scoring Impact: Low - Medium risk applied, depending on the app’s complexity/functionality, if answered no.

What kind of support is offered? (ORC_U33)
Further Information
Guidance/Context: Support should be available at a level equivalent to the complexity of the app. This needs to be within the app or on the website, NOT an email address on the Play Store.
Response Type: Multiple Choice
Answer Criteria:
· Email address
· eTicket
· Live Chat
· Helpline/telephone number
· None
Logic: There is no disablement logic written for this question.
Scoring Impact: Varying risk applied depending on the ESF tier of the app. The higher the ESF tier, the better the support features required to avoid risk.

Is there any statement within the app about the developer’s commitment to addressing problems reported to them? (e.g. timescales to respond, commitment to eradicate reported bugs and faults) (ORC_U25)
Further Information
Guidance/Context: This question is looking to ensure that app developers are providing an SLA of sorts to their users, that is, committing to responding to and/or resolving any queries in a timely manner. Users may be more likely to reach out for support if they know when they can expect a response.
Response Type: Yes/No
Answer Criteria:
YES:
· If a time frame to respond is specified; it can be “we will get back to you as soon as possible”.
NO:
· If the statement does not give a timeframe or an indication they intend to respond, e.g. “we will get back to you” is not specific enough for a timescale.
Logic: DISABLEMENT LOGIC - Disabled if U24 is no.
Scoring Impact: Medium value applied if yes.

Is there a statement within the app relating to a commitment to a response in relation to healthcare queries? (ATA_UA08)
Further Information
Guidance/Context: User support groups have service level expectations, and it is important to understand how the app deals with clinical queries. For instance, will there be a timely response? Will they direct the user to a more appropriate source?
Response Type: Yes/No
Answer Criteria:
YES:
· If a time frame to respond is specified; it can be “we will get back to you as soon as possible”.
· If the website states this alongside a contact method.
Logic: There is no disablement logic written for this question.
Scoring Impact: Medium value applied if yes.
TECHNICAL SECURITY & STABILITY (ENHANCED REVIEW COMPONENT)
Security is one of the most challenging areas for DHAF.
Overarching principles such as the Open Web Application Security Project (‘OWASP’) guidelines for mobile and web applications provide a very high-level frame of reference, but this does not equate to a clear set of measurable requirements.
Whilst OWASP does differentiate between different types of applications, it is a relatively crude 2-tier model and does not account for the wide range of different features and functions that digital health solutions offer.
The focus is therefore switching to a more tangible but flexible requirement based on a graduated or tiered model, with the expected security ‘credentials’ increasing as the complexity and risk of the product increase.
This enables the specific features of the app and its associated security risks to be calibrated and aligned to different security characteristics/credentials.
This is still an evolving model, and the security ‘credentials’ differ between jurisdictions, for example CIS Top 18, SOC 2 and HITRUST in the US versus Cyber Essentials and ISO 27001 in the UK.
Whilst there is a security risk associated with all ‘apps’, the principle adopted in the assessment recognizes that each product has a different ‘risk profile’ based on:
The Technical Architecture and related level of connectivity, i.e. Attack Surface
The Data Footprint - personal, sensitive etc.
The functional risk profile - i.e. simple information provision versus diagnostic or treatment support
These risk profiles can be clustered into risk Tiers that represent a graduated risk profile model and enable each product to be assigned to a relevant risk Tier.
Each risk Tier should align to a differential set of ‘requirements’ that incrementally increase the level of expected security assurance/credentials through the Tiers.
For the Security and Technical Stability assessment component these principles have been adopted in this Domain.
Tier 1
The app is not a Medical Device. The app does not Collect or Process any Personal or Sensitive data. There is no connectivity with any other digital technology, device or system.
Tier Requirements:
Evidence that the Technology aspects of an Information Security Management System (ISMS) for the DHT Provider are in place, e.g. Cyber Essentials in the UK.
Tier 2
The app is not a Medical Device. The app does not Collect or Process any Personal or Sensitive data. There is connectivity with other digital technology, devices or systems.
Tier Requirements:
Evidence of Security Assessment, either:
Use the Security Technical Compliance link (Gray-box Penetration testing required for the Security Assessment methodology); OR
The ‘App’ is scanned dynamically and can confirm that 2 and 3 are TRUE (e.g. Kryptowire for Mobile Apps), and the Security Report can be used for Technical Security Compliance.
Evidence that the Technology aspects of an ISMS for the ‘App’ Provider are in place and that they are compliant with CIS Top 20.
Tier 3
The app is not a Medical Device. The app Collects and/or Processes Personal or Sensitive data.
Tier Requirements:
Evidence of Security Assessment, either:
Use the Security Technical Compliance link (White-Box Code Review & Gray-box Penetration testing required for the Security Assessment methodology); OR
The ‘App’ is scanned dynamically (e.g. Kryptowire for Mobile Apps) and the Security Report can be used for Technical Security Compliance.
Evidence that all aspects of an Information Security Management System (ISMS) for the ‘App’ Provider are in place and have been certified by a 3rd party assessor, e.g. ISO 27001, SOC 2, etc.
Technical Stability
The Technical Stability questions are designed to capture evidence of good Product and Service Management, broadly covering: robust configuration and change management processes; responsiveness to user requirements and issues; transparency in support and enhancements; and a testing approach that is appropriate and robust.
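The tier model above and the disablement logic attached to the questions in this component can be expressed as a small evaluator. The following is an added Python example, not tooling from the DHAF, ORCHA, ACP or ATA: the question identifiers and the rules are transcribed from this page (including the AND rule on ORC_DT02 from the Usability section and the OR rules on the ORC_ERC_OTS questions), while the function names, the ProductProfile fields and the "yes"/"no"/"n/a" answer encoding are assumptions made for the example. It goes slightly beyond the page in one respect: an answer recorded against a question that is itself disabled is ignored, and a self-referential rule table is rejected instead of recursing forever.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Added example modelled on this page's tier model and disablement logic.
# Not tooling from the DHAF, ORCHA, ACP or ATA. Question ids and the rules
# below are transcribed from the page; function names and the
# "yes"/"no"/"n/a" answer encoding are assumptions made for the example.

Condition = tuple[str, frozenset[str]]   # (question id, answers that satisfy the condition)
Clause = tuple[Condition, ...]           # every condition in a clause must hold (AND)
Rule = tuple[Clause, ...]                # the question is disabled if any clause holds (OR)

NO = frozenset({"no"})

DISABLEMENT_RULES: dict[str, Rule] = {
    # "Disabled if CUS01 AND CUS02 are no": one clause with two conditions.
    "ORC_DT02": ((("CUS01", NO), ("CUS02", NO)),),
    # "Disabled if ORC_ERC_TSS01 is no": a single one-condition clause.
    "ORC_ERC_OTS_C01": ((("ORC_ERC_TSS01", NO),),),
    # "Disabled if ORC_ERC_TSS01 is no OR ORC_ERC_OTS_C01 is no": two clauses.
    "ORC_ERC_OTS_C02": ((("ORC_ERC_TSS01", NO),), (("ORC_ERC_OTS_C01", NO),)),
    "ORC_ERC_OTS_PSL14": ((("ORC_ERC_TSS01", NO),),),
    # "... OR if ORC_ERC_OTS_PSL14 is no or N/A".
    "ORC_ERC_OTS_PSL15": (
        (("ORC_ERC_TSS01", NO),),
        (("ORC_ERC_OTS_PSL14", frozenset({"no", "n/a"})),),
    ),
}


def is_enabled(qid: str, answers: dict[str, str],
               rules: dict[str, Rule] = DISABLEMENT_RULES,
               _visiting: frozenset[str] = frozenset()) -> bool:
    """Return True if the question should be asked given the answers so far.

    An answer recorded against a question that is itself disabled is ignored,
    so a condition on it never holds. A rule table that refers back to itself
    is rejected rather than recursing forever.
    """
    if qid in _visiting:
        raise ValueError(f"cyclic disablement rule involving {qid}")
    rule = rules.get(qid)
    if not rule:
        return True  # "There is no disablement logic written for this question."
    visiting = _visiting | {qid}
    for clause in rule:
        if all(_holds(cond, answers, rules, visiting) for cond in clause):
            return False
    return True


def _holds(cond: Condition, answers: dict[str, str],
           rules: dict[str, Rule], visiting: frozenset[str]) -> bool:
    dep, disabling = cond
    if dep not in answers or not is_enabled(dep, answers, rules, visiting):
        return False
    return answers[dep].strip().lower() in disabling


def active_questions(answers: dict[str, str],
                     rules: dict[str, Rule] = DISABLEMENT_RULES) -> dict[str, bool]:
    """Enabled/disabled status for every question that has a rule."""
    return {qid: is_enabled(qid, answers, rules) for qid in rules}


@dataclass(frozen=True)
class ProductProfile:
    is_medical_device: bool
    processes_personal_data: bool   # collects or processes any Personal or Sensitive data
    has_connectivity: bool          # connects to any other digital technology, device or system


def assign_tier(p: ProductProfile) -> Optional[int]:
    """Map a product to Tier 1-3 as defined above; medical devices are outside these tiers."""
    if p.is_medical_device:
        return None
    if p.processes_personal_data:
        return 3        # Tier 3 applies regardless of connectivity
    return 2 if p.has_connectivity else 1


if __name__ == "__main__":
    # Constructed sample: developer engaged, no internet API, retention question answered N/A.
    sample = {"ORC_ERC_TSS01": "yes", "ORC_ERC_OTS_C01": "no", "ORC_ERC_OTS_PSL14": "N/A"}
    for qid, enabled in active_questions(sample).items():
        print(f"{qid}: {'ask' if enabled else 'skip'}")
    print("tier:", assign_tier(ProductProfile(False, False, True)))
```

Rules are stored in disjunctive normal form (a tuple of clauses, each a tuple of conditions), which is enough to express every disablement sentence on this page; adding a question means adding one dictionary entry, and the evaluator's cycle check catches a rule that accidentally refers back to its own question.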
Has the developer submitted evidence for the enhanced technical security and stability assessment? (ORC_ERC_TSS01)
Further Information
Guidance/Context: In order to undergo an “enhanced review component”, the developer is required to provide information and documentation which is not publicly available, and to engage with the assessment process.
Response Type: Yes/No
Answer Criteria:
YES:
· The developer has engaged with the assessment process and provided relevant information for the Technical Security & Stability enhanced review component.
NO:
· The developer has not engaged in the assessment process at all and has not provided any relevant information for the Technical Security & Stability enhanced review component.
Logic: There is no disablement logic written for this question.
Scoring Impact: There is no scoring impact associated with this question.

Does the app connect to an internet-based API (e.g. App Developer Web Service, Social Media, Advertisements)? (ORC_ERC_OTS_C01)
Further Information
Guidance/Context: This question is asked to help determine the needs for technical security.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

List the APIs the app connects to. (ORC_ERC_OTS_C02)
Further Information
Guidance/Context: The APIs identified by this question are important to assess the appropriateness of the penetration testing carried out on the app.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR ORC_ERC_OTS_C01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is sensitive data persisted to the mobile device? (ORC_ERC_OTS_D02)
Further Information
Guidance/Context: This question helps determine the appropriate MASVS level for the platform. This is required to check the appropriateness of the Penetration test (PEN Test).
Response Type: Yes/No
Answer Criteria:
YES:
· If the user can input sensitive data into the app.
NO:
· If the app does not allow the user to input sensitive data.
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Are the source code and any configuration items for the product version controlled, with all changes audited? (ORC_ERC_OTS_PSL01)
Further Information
Guidance/Context: This is important to ensure that proper processes are followed. It also allows changes to be checked individually, and enables changes to be reverted if they have been found to cause faults.
Response Type: Yes/No
Answer Criteria:
YES:
· The developer describes the people/roles that use the tools and any processes that they work to, even if these are informal. Example screenshots which demonstrate how the tools are used must also be provided.
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Provide details of any associated processes/procedures and tools that are used. (ORC_ERC_OTS_PSL02)
Further Information
Guidance/Context: This is important to ensure that proper processes are followed. It also allows changes to be checked individually, and enables changes to be reverted if they have been found to cause faults. This question allows the developer to describe the associated processes and procedures.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if ORC_ERC_OTS_PSL01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Do you have the capacity to roll back to previous versions of your product? (ORC_ERC_OTS_PSL03)
Further Information
Guidance/Context: The capacity to roll back allows the developer to revert to a known stable version of the product, allowing any issues to be fixed with minimum disruption to the product.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Provide details of any associated processes/procedures and tools that are used. (ORC_ERC_OTS_PSL04)
Further Information
Guidance/Context: The capacity to roll back allows the developer to revert to a known stable version of the product, allowing any issues to be fixed with minimum disruption to the product. This question allows the developer to describe the associated processes and procedures.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if ORC_ERC_OTS_PSL03 is no.
Scoring Impact: There is no scoring impact associated with this question.

Are the processes for accepting and responding to technical faults from end users appropriate? (ORC_ERC_OTS_PSL05)
Further Information
Guidance/Context: N/A
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Do you provide on-line support for user queries? (ORC_ERC_OTS_PSL06)
Further Information
Guidance/Context: The on-line support can be within the app or on the developer website, but it needs to be clear that the contact is about the app, or that the website is for the app.
Response Type: Free Text
Answer Criteria:
YES:
· If a contact method is provided within the app, or on the accompanying website.
NO:
· If the only way to contact is to provide an app store rating.
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Do you proactively monitor the running of systems and system components to automatically identify faults and technical issues? Provide details of any associated processes/procedures and tools that are used. (ORC_ERC_OTS_PSL07)
Further Information
Guidance/Context: This helps to identify problems faster, resulting in a more stable product as well as helping to prevent any possible breaches of information.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Provide details of any associated processes/procedures and tools that are used. (ORC_ERC_OTS_PSL08)
Further Information
Guidance/Context: This helps to identify problems faster, resulting in a more stable product as well as helping to prevent any possible breaches of information. This question allows the developer to describe the associated processes and procedures.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if ORC_ERC_OTS_PSL07 is no.
Scoring Impact: There is no scoring impact associated with this question.

Do you have a documented roadmap for future development of your product? (ORC_ERC_OTS_PSL09)
Further Information
Guidance/Context: Planning for future development allows for processes to be in place, as well as developing the app in a structure that allows these developments to take place with minimum impact.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Provide details of planned development and technical updates. (ORC_ERC_OTS_PSL10)
Further Information
Guidance/Context: Planning for future development allows for processes to be in place, as well as developing the app in a structure that allows these developments to take place with minimum impact. This question allows the developer to describe the associated processes and procedures.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if ORC_ERC_OTS_PSL09 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the Developer provide details of how they will ensure the continued availability of their product? (ORC_ERC_OTS_PSL11)
Further Information
Guidance/Context: Continued availability of a product is necessary because, as user technology updates, the product needs to remain viable for the people that use it.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Do you have a plan for decommissioning your product? (ORC_ERC_OTS_PSL12)
Further Information
Guidance/Context: This is important to ensure that user data is dealt with appropriately.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Describe your processes for decommissioning your product and dealing with any identifiable data. (ORC_ERC_OTS_PSL13)
Further Information
Guidance/Context: This is important to ensure that user data is dealt with appropriately. This question allows the developer to describe the associated processes and procedures.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if ORC_ERC_OTS_PSL12 is no.
Scoring Impact: There is no scoring impact associated with this question.

Do you have a plan for dealing with any identifiable data in the event that an individual stops using your product, for example by uninstalling or unsubscribing? (ORC_ERC_OTS_PSL14)
Further Information
Guidance/Context: This is important to ensure that user data is dealt with appropriately.
Response Type: Multiple Options
Answer Criteria:
· Yes
· No
· N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Provide details of any associated processes/procedures and tools that are used. (ORC_ERC_OTS_PSL15)
Further Information
Guidance/Context: This is important to ensure that user data is dealt with appropriately. This question allows the developer to describe the associated processes and procedures.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if ORC_ERC_OTS_PSL14 is no or N/A.
Scoring Impact: There is no scoring impact associated with this question.

Does the App Developer have robust Disaster Recovery (DR)/back-up regimes in place? (ATA_PSL01)
Further Information
Guidance/Context: Evidence should include documented processes and procedures.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

When were these last tested? (ATA_PSL02)
Further Information
Guidance/Context: The question aims to discover when the DR/back-up regimes were last tested. Good practice is for these to be tested at least annually.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if there are no robust DR/back-up regimes in place.
Scoring Impact: There is no scoring impact associated with this question.

Business Resilience: Does the app developer have a Business Continuity Plan (BCP) in place? (ATA_PSL03)
Further Information
Guidance/Context: Evidence should include documented processes and procedures.
Response Type: Yes/No
Answer Criteria:
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

When were these last tested? (ATA_PSL04)
Further Information
Guidance/Context: The question aims to discover when the BCP was last tested. Good practice is for this to be tested at least annually.
Response Type: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if there is no business continuity plan in place.
Scoring Impact: There is no scoring impact associated with this question.
|
Does the organization follow any formal testing standards? | ORC_ERC_OTS_PSL16 |
Further Information
Guidance/Context: Evidence should include documented processes and procedures if they exist, and screenshots of any tools that are used. Evidence of formal certification can also be provided.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Provide details of any associated processes / procedures and tools that are used. | ORC_ERC_OTS_PSL17 |
Further Information
Guidance/Context: Evidence should include documented processes and procedures if they exist, and screenshots of any tools that are used. Evidence of formal certification can also be provided.
Response: Free Text
Assessment Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if no formal testing standards are followed.
Scoring Impact: There is no scoring impact associated with this question.

Which of these types of testing do you carry out? | ORC_ERC_OTS_PSL18 |
Further Information
Guidance/Context: Formal test plans, checklists and screenshots of tools can be provided as evidence.
Response: Multiple Choice
Answer Criteria: Unit testing; Regression; End-to-end; User Acceptance; A/B; PEN / Vulnerability; Testing across devices; Load / Performance; Security; Other non-functional tests; Other testing; None
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

For unit testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL19 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out Unit testing.
Scoring Impact: There is no scoring impact associated with this question.

For Regression testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL20 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out Regression testing.
Scoring Impact: There is no scoring impact associated with this question.

For End-to-end / Integration testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL21 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out End-to-end / Integration testing.
Scoring Impact: There is no scoring impact associated with this question.

For User Acceptance testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL22 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out User Acceptance testing.
Scoring Impact: There is no scoring impact associated with this question.

For A/B testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL23 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out A/B testing.
Scoring Impact: There is no scoring impact associated with this question.

For PEN / Vulnerability testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL24 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out PEN / Vulnerability tests.
Scoring Impact: There is no scoring impact associated with this question.

For Testing across devices please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL25 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out Testing across devices.
Scoring Impact: There is no scoring impact associated with this question.

For Load / Performance testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL26 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out Load / Performance tests.
Scoring Impact: There is no scoring impact associated with this question.

For Security testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL27 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out Security tests.
Scoring Impact: There is no scoring impact associated with this question.

For Other non-functional tests please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL28 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out Other non-functional tests.
Scoring Impact: There is no scoring impact associated with this question.

For Other testing please describe the people / roles that are involved and the processes that they work to, even if they are informal. | ORC_ERC_OTS_PSL29 |
Further Information
Guidance/Context: This question aims to identify which personnel are involved and which processes are followed to perform this testing.
Response: Free Text
Answer Criteria: N/A
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no OR if the developer does not carry out Other testing.
Scoring Impact: There is no scoring impact associated with this question.

Technical Security
Whilst there is a security risk associated with all Digital Health Technologies, the principle adopted in assessment reflects the differential ‘risk profile’ of each product. Risk Tiers can be based on:
Technical Complexity: Is there a high degree of digital connectivity and functionality, and therefore a large potential “Attack Surface”?
Data: Is the data personal and/or sensitive? Where and how is it stored and transmitted?
Functional Complexity: Is the product providing information only, or diagnostic or treatment support? Are there data-driven calculations and algorithms?
Is the application a native application for a mobile device? | ORC_ERC_SEC01 |
Further Information
Guidance/Context: This helps guide what OWASP/ASVS level is required for the PEN test.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is the application a web application? | ORC_ERC_SEC02 |
Further Information
Guidance/Context: This helps guide what OWASP/ASVS level is required for the PEN test.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

What OWASP level is the app? | ORC_ERC_SEC07 |
Further Information
Guidance/Context: This question aims to identify what OWASP level the app should be assessed against, by referring to the answers to the previous questions.
Response: Multiple Options
Assessment Criteria:
MASVS = 2: If the platform is a mobile app and it accesses, processes or stores personal and/or sensitive data.
MASVS = 2 + R: If the platform is a mobile app and sensitive data persists on the mobile device.
MASVS = 1: If the platform is a mobile app and sensitive data does not persist on the mobile device, OR if the platform is a mobile app and it does not access, process or store personal and/or sensitive data.
ASVS = 2: If the platform is a web app and it accesses, processes or stores personal/sensitive data.
ASVS = 1: If the platform is a web app and it does not access, process or store personal/sensitive data.
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

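As an added worked example (not part of the framework document or ORCHA's tooling), the level-selection rule for ORC_ERC_SEC07 in Python, taking the answers to ORC_ERC_SEC01 and ORC_ERC_SEC02 plus the product's data handling as inputs, together with the ORC_ERC_SEC19 check that an assessment report states at least the required level. The `Product` fields and function names are illustrative, and where the criteria above overlap (a mobile app that handles sensitive data without keeping it on the device) the code assumes the more stringent level applies.

```python
"""Added example, not the framework's own tooling: derive the OWASP MASVS/ASVS
level that ORC_ERC_SEC07 expects the PEN test to be scoped to, from the answers
to ORC_ERC_SEC01/SEC02 and the product's data handling. Assumption: where the
page's criteria overlap (a mobile app that handles sensitive data without
keeping it on the device), the more stringent level applies."""
from dataclasses import dataclass

# Ordering used to compare a report's stated level with the required one.
_RANK = {"L1": 1, "L2": 2, "L2+R": 3}

@dataclass(frozen=True)
class Product:
    """Answers feeding the decision (field names are illustrative)."""
    native_mobile: bool       # ORC_ERC_SEC01: native app for a mobile device
    web_app: bool             # ORC_ERC_SEC02: web application
    handles_sensitive: bool   # accesses, processes or stores personal/sensitive data
    persists_on_device: bool  # sensitive data is kept on the mobile device

def required_levels(p: Product) -> list[str]:
    """Every verification level the product must be tested against; a native
    client with a web back end needs both a MASVS and an ASVS level."""
    if p.persists_on_device and not p.handles_sensitive:
        raise ValueError("sensitive data cannot persist on the device unless it is handled")
    levels: list[str] = []
    if p.native_mobile:
        if p.persists_on_device:
            levels.append("MASVS L2+R")  # L2 plus the resiliency (anti-tampering) controls
        elif p.handles_sensitive:
            levels.append("MASVS L2")    # assumed: handling without persistence stays L2
        else:
            levels.append("MASVS L1")
    if p.web_app:
        levels.append("ASVS L2" if p.handles_sensitive else "ASVS L1")
    if not levels:
        raise ValueError("product is neither a native mobile app nor a web app")
    return levels

def assessed_at_correct_level(p: Product, report_levels: list[str]) -> bool:
    """ORC_ERC_SEC19 check: for each standard, the level stated in the security
    assessment report must be at least the level required (L2 does not cover
    an L2+R requirement; a higher level than required is acceptable)."""
    achieved: dict[str, int] = {}
    for level in report_levels:
        standard, grade = level.split(" ", 1)
        achieved[standard] = max(achieved.get(standard, 0), _RANK[grade])
    return all(
        achieved.get(standard, 0) >= _RANK[grade]
        for standard, grade in (lvl.split(" ", 1) for lvl in required_levels(p))
    )
```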
Has a Security Assessment been undertaken by an external third party? | ATA_SEC05 |
Further Information
Guidance/Context: This provides assurance that the PEN test will have been scoped appropriately and that the methodology will also be appropriate.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the scope of the report cover the full Technical Architecture of the Application? | ORC_ERC_SEC16 |
Further Information
Guidance/Context: All platforms and technical components should be in scope of the Security Assessment.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Has an industry standard been used for the risk model in the associated PEN / Vulnerability testing? | ORC_ERC_SEC17 |
Further Information
Guidance/Context: This provides assurance that the PEN test has been executed professionally, e.g. using the Common Vulnerability Scoring System (CVSS).
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Have all 'High' and 'Medium' Risks / Issues identified been mitigated and resolved, and can this be demonstrated through retesting within six weeks of the original PEN / Vulnerability testing? | ORC_ERC_SEC18 |
Further Information
Guidance/Context: Evidence should include the full version of the original PEN test report and any retest.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Has the Code-Level Security Assessment been undertaken against the correct OWASP Level? | ORC_ERC_SEC19 |
Further Information
Guidance/Context: This level will be detailed in the Security Assessment report and any associated PEN testing report.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is the methodology for the Security Review proportional to the attack surface and risk of the Application? | ORC_ERC_SEC20 |
Further Information
Guidance/Context: The scope and methodology should be proportional to the associated risk.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the organization have CIS Top 20 Compliance? | ATA_SEC01 |
Further Information
Guidance/Context: Evidence should include formal certification certificates.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Is the application compliant with the National Institute of Standards and Technology (NIST) Cybersecurity Framework? | ATA_SEC06 |
Further Information
Guidance/Context: Evidence should include formal certification certificates.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the organization have SOC-2 Certification? | ATA_SEC01 |
Further Information
Guidance/Context: Evidence should include formal certification certificates.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the organization have ISO 27001:2013 accreditation? | ORC_ERC_SEC_ORG1 |
Further Information
Guidance/Context: Evidence should include formal certification certificates, and the associated Statement of Applicability should include product development.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the organization have ISO 13485 Certification? | ATA_SEC03 |
Further Information
Guidance/Context: Evidence should include formal certification certificates.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Does the organization have ISO 14971 Certification? | ATA_SEC04 |
Further Information
Guidance/Context: Evidence should include formal certification certificates.
Response: Yes/No
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.

Please confirm whether the product has passed the required criteria for the Technical Security & Stability section of the assessment. | ATA_TSS01 |
Further Information
Guidance/Context: If the app fulfils the above criteria, it will pass. There are some instances where an app may fail to meet one criterion; this can then be considered on a case-by-case basis with a subject matter expert to decide whether it will pass or fail.
Response: Multiple Options
Answer Criteria: Pass: If they fulfil all the above criteria. Fail: If they cannot meet the above criteria.
Logic: DISABLEMENT LOGIC - Disabled if ORC_ERC_TSS01 is no.
Scoring Impact: There is no scoring impact associated with this question.