Clinical Risk Management: Telehealth / Mobile Health Solutions - Implementation Guidance

Document filename: Clinical Risk Management Telehealth_Mobile Health Solutions - Implementation Guidance v1.0 Directorate / Programme Solution Design Standards and Assurance Project Clinical Safety Document Reference NPFIT-FNT-TO-TOCLNSA-1311.01 Director Rob Shaw Status Approved Owner Stuart Harrison Version 1.0 Author Lorraine Olowosuko Version issue date 31.05.2013 Clinical Risk Management: Telehealth / Mobile Health Solutions - Implementation Guidance

Document Management Revision History Version Date Summary of Changes 0.1 12.10.2012 Revised to take into account comments from Safety Engineers 0.2 29.01.2013 Revised to take into account comments from HSCIC Clinical Safety Officers and external Health IT Manufacturer 1.0 31.05.2013 First issue Reviewers This document must be reviewed by the following people: Reviewer name Title / Responsibility Date Version HSCIC Safety Engineers 12.10.2012 0.1 HSCIC Clinical Safety Officers 29.01.2013 0.2 Dr Alex Yeates Medical Director Advanced Health and Care 29.01.2013 0.2 Approved by This document must be approved by the following people: Name Title Date Version Rob Shaw Programme Director 21.05.2013 1.0 Maureen Baker CBE Clinical Director for Patient Safety 21.05.2013 1.0 Stuart Harrison Lead Safety Engineer 31.05.2013 1.0 Related Documents These documents provide additional information and are specifically referenced within this document. Ref Doc Reference Number Title Version 1. ISB 0160 Amd 38/2012 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems - Specification 2. ISB 0129 Amd 39/2012 Clinical Risk Management: its Application in the Manufacture of Health IT Systems - Specification 3. NPFIT-FNT-TO-TOCLNSA-1293 Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems Implementation Guidance 2 2 3.1 Page 2 of 21

Ref Doc Reference Number Title Version 4. NPFIT-FNT-TO-TOCLNSA-1300 Clinical Risk Management: its Application in the Manufacture of Health IT Systems Implementation Guidance 5. ISO 14971:2007 Medical Devices -- Application of Risk Management to Medical Devices 2.1 2007 Glossary of Terms Term Clinical risk Clinical risk analysis Clinical risk control Clinical risk management Clinical Risk Management Plan Clinical safety Consequence Harm Hazard Hazard Log Health IT System Health Organisation Lifecycle Manufacturer What it stands for Combination of the likelihood of occurrence of harm to a patient and the severity of that harm. Systematic use of available information to identify and estimate a risk. Process in which decisions are made and measures implemented by which clinical risks are reduced to, or maintained within, specified levels. Systematic application of management policies, procedures and practices to the tasks of analysing, evaluating and controlling clinical risk. A plan which documents how the Health Organisation will conduct clinical risk management of a Health IT System. Freedom from unacceptable clinical risk to patients. Degree of severity of harm to a patient. Death, physical injury, psychological trauma and/or damage to the health or wellbeing of a patient. Potential source of harm to a patient. A mechanism for recording and communicating the on-going identification and resolution of hazards associated with a Health IT System evaluation. Product used to provide electronic information for health or social care purposes. The product may be hardware, software or a combination. Organisation within which a Health IT System is deployed or used for a healthcare purpose. All phases in the life of a Health IT System, from the initial conception to final decommissioning and disposal. Person or organisation with responsibility for the design, manufacture, packaging or labelling of a Health IT System, assembling a system, or adapting a Health IT System before it is placed on the market and/or put into service, regardless of whether these operations are carried out by that person or on that person's behalf by a third party. Page 3 of 21

Term Medical Device Mobile Health Mobile working Patient Procedure Process Telehealth Top Management What it stands for Any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of: diagnosis, prevention, monitoring, treatment or alleviation of disease, diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap, investigation, replacement or modification of the anatomy or of a physiological process, control of conception, and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted by such means. (Article 1, clause 2(a), http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=consleg:1993l0042:20071011:en:pdf) The use of emerging mobile communications and network technologies for healthcare. (Istepanian et al 2005) The ability to work anywhere, irrespective of place and time, enabling staff to access and update information and communicate on the go. (http://systems.hscic.gov.uk/qipp/mobile/general/index_html#introduction-1) A person who is the recipient of healthcare. Specified way to carry out an activity or a process. Set of interrelated or interacting activities which transform inputs into outputs. The use of telecommunications and information technologies to provide access to health information and services across a geographical distance, including (but not limited to) consultation, assessment, intervention and health maintenance. (Glueckauf et al, 2002) Person or group of people who direct(s) and control(s) the Health Organisation and has overall accountability for a Health IT System. Document Control The controlled copy of this document is maintained in the HSCIC corporate network. Any copies of this document held outside of that area, in whatever format (e.g. paper, email attachment), are considered to have passed out of control and should be checked for currency and validity. Page 4 of 21

Disclaimer The document principally provides details of some generic clinical safety hazards relating to the development and use of telehealth / mobile health solutions in normal and fault conditions, as well as their potential controls / mitigations. It is provided "as is", without any conditions, warranties or other terms of any kind. It supports the standards ISB0 129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems [Ref 2]) and ISB 0160 (Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems [Ref 1]) and is a supplement to the more generic detailed Clinical Risk Management Implementation documents on demonstrating compliance to the standards. This document does not relate to telehealth / mobile health devices and solutions controlled by Medical Device Directives. It also does not apply to or attempt to add or deviate from ISO 14971 [Ref 5], which covers the requirements for a risk management system for medical devices. ISO 14971 [Ref 5] is widely used throughout the world for compliance with medical device manufacturing safety regulations which in most countries encompass software that is necessary for the proper application of a medical device or software that is an accessory to a medical device. The document is not intended to ascertain legally enforceable responsibilities or cite regulatory or statutory requirements for the development, implementation or use of telehealth / mobile health solutions in Health Organisations within the NHS. It may be subject to future additions, modifications or corrections without notice. As with any guidance document, it will evolve over time, largely based on contributions from the Health Organisations and Manufacturers. It only considers telehealth / mobile health solutions within the Health Organisations in England, and as such, international standards and guidelines on how to govern telehealth / mobile health solutions should be assessed and incorporated where applicable. All employees of the Health and Social Care Information Centre (HSCIC) disclaim all liability for the completeness of this guideline and disclaim all warranties of any kind, express or implied, including any warranty of fitness for a particular purpose. In no event will HSCIC and its employees be responsible for any loss or damage arising out of or resulting from any defect, error or omission in this document or from anyone s use or reliance on this document. Page 5 of 21

Contents 1 Introduction 7 1.1 Background 7 1.2 Audience 8 1.3 Scope 8 1.4 Assumptions 9 2 Generic Clinical Safety Hazards 10 2.1 HAZ01 - Clinical information missing from display 11 2.2 HAZ02 - Misleading or confusing presentation of clinical information 12 2.3 HAZ03 - Loss and/or corruption of clinical Information subsequent to synchronisation 13 2.4 HAZ04 - Loss of clinical information subsequent to interruption during use of telehealth / mobile health solution 16 2.5 HAZ05 - Access to information on device unavailable 17 2.6 HAZ06 - Inappropriate or erroneous access to clinical information 18 2.7 HAZ07 End user (patient) information incorrectly entered in telehealth / mobile health device 19 2.8 HAZ08 - Infection or contamination 20 2.9 HAZ09 - Electrical or Electromagnetic Interference 21 Page 6 of 21

1 Introduction 1.1 Background Telehealth in the context of this guidance is as defined by Glueckauf et al (2002) 1 as the use of telecommunications and information technologies to provide access to health information and services across a geographical distance, including (but not limited to) consultation, assessment, intervention and health maintenance. Mobile Health is an aspect emerging within the telehealth field. Istepanian et al (2005) 2 defined Mobile Health as the use of emerging mobile communications and network technologies for healthcare. Mobile Health solutions referred to in this guidance includes mobile health apps and mobile health technology based on this definition. Examples, though not extensive, could include: the use of mobile communication devices, such as mobile phones, tablet computers and PDAs to view a patient s electronic health record the use of these devices to enter patients information offsite to be later synchronised with Health IT Systems onsite in the Health Organisation (from here on referred to as parent system) SMS medication reminders patients entering or accessing information from telehealth / mobile health devices solutions on devices used for mobile working. One of the clinical risk management processes as highlighted in Figure 1 of section 2.1 of ISB 0160 [Ref 1] and ISB 0129 [Ref 2] is Clinical Hazard Identification. Based on this and elaborated in Requirement 4.3.1 of both ISB 0160 [Ref 1] and ISB 0129 [Ref 2], this document principally provides details of some generic clinical safety hazards relating to telehealth / mobile health solutions in both normal and fault conditions. Details of potential controls or mitigations for these hazards are also provided as guidance. This aims to assist Manufacturers and Health Organisations comply with Requirement 4.3.1 of the safety standards. 1 Glueckauf, R. L., S. P. Fritz, E. P. Ecklund-Johnson, H. J. Liss, P. Dages and P. Carney. 2002. Videoconferencing-based Family Counseling for Rural Teenagers with Epilepsy: Phase 1 Findings. Rehabilitation Psychology. 47(1), pp. 49-72. 2 Istepanian, R., S. Laxminarayan and C. S. Pattichis. 2005. M-Health: Emerging Mobile Health Systems. (eds) Springer: New Jersey. Page 7 of 21

Both the ISB 0160 and ISB 0129 Implementation Guidance documents [Ref 3 and Ref 4] provide Health Organisations and Manufacturers respectively, informative guidance to support the interpretation of the specific requirements established in the standards. Manufacturers should ensure that they adhere to ISB 0129 in the development of their telehealth / mobile health solution and Health Organisations in which these solutions are to be used should also ensure that this is done. In adhering to ISB 0160, Top Management in the Health Organisation must ensure that the approved Clinical Risk Management Plan for the implementation of such telehealth / mobile health solutions highlights clinical risk control measures that would be in place. The Manufacturer should undertake their own clinical risk assessment to identify any potential clinical hazards in developing the telehealth / mobile health solution and how those hazards would be controlled or mitigated. The Health Organisation need to review this and in addition to their own identified clinical hazards relating to the use of the solution, confirm the potential hazards that are specific to their organisation. They also need to ensure that appropriate mitigations are in place to manage the risks. 1.2 Audience The primary audience of this document are: Health Organisations implementing and using these solutions and seeking to demonstrate compliance to Requirement 4.3.1 of ISB 0160 [Ref 1] Manufacturers of telehealth / mobile health solutions seeking to demonstrate compliance to Requirement 4.3.1 of ISB 0129 [Ref 2]. 1.3 Scope In Scope: this document provides generic clinical hazards to inform Health Organisations implementing and using telehealth / mobile health solutions, as well as Manufacturers developing these solutions. it is intended as a supplement to the more generic detailed clinical risk management guidance on Manufacturers and Health Organisations demonstrating compliance to ISB 0129 and ISB 0160 respectively. telehealth / mobile health solutions referred to in this document covers mobile health apps on all mobile platforms provided by all mobile service providers, all mobile health technology and all telehealth solutions that are medical devices or accessories to medical devices. throughout this document the term clinical is used to make clear that the scope is limited to matters of risks to patient safety as distinct from other types of risk, such as financial end users referred to in this guidance could include patients as well as healthcare professionals. Page 8 of 21

Out of scope: this guidance does not apply to telehealth / mobile health solutions, including mobile health apps that are medical devices, accessories to medical devices or clinical decision support systems. 1.4 Assumptions The following assumptions have been identified that apply to Manufacturers and Health Organisations developing and implementing telehealth / mobile health solutions: sufficient resource from stakeholders involved in development activities, meetings, document reviews, will be made available in agreed timeframes. These assumptions are specific to the Health Organisations: Top management has approved the Health Organisation s readiness for the implementation of telehealth / mobile solutions patients have been fully informed as to the purpose and processes involved in the use of the telehealth / mobile health devices, as well as the normal care alternatives the parent system used in the Health Organisation is sufficiently mature in service. This would avoid issues with end user confidence and use of the end to end solution. Page 9 of 21

2 Generic Clinical Safety Hazards This section provides a list of generic clinical safety hazards associated with the development and implementation of telehealth / mobile health solutions under both normal and fault conditions. It is important to note that the hazards detailed below were derived from an overall telehealth / mobile health device clinical risk analysis (in the context of this guidance) and are NOT definitive to any one system or device. Many techniques exist for hazard identification and an appropriate technique will need to be chosen depending on the telehealth / mobile health solution and the available expertise. Appendix B of both Implementation Guidance for Health Organisations [Ref 3] and for Manufacturers [Ref 4] provides examples of different hazard identification techniques. The techniques described in the Implementation Guidance and used in identifying the generic hazards detailed in this document were: Functional Failure Analysis (FFA) - takes a functional view of the system and for each function considers what the potential safety consequences may be if the function is not available when it is required is available but performs an unintended action and is provided when not required, i.e. function performs as intended but not at the correct time or out of sequence Hazard Identification (HAZID) - that focuses on the characteristics of information flow within a system and Structured What-IF Technique (SWIFT) - that uses pertinent questions to explore the consequences of unintentional actions. It can include functions, information and users. Based on the telehealth / mobile solutions in the context of this guidance, these techniques were the preferred options. Some factors such as flow of information from telehealth / mobile health devices to parent systems, how the devices were used, users actions on the devices, were considered. There are no clinical risks assessments specified for the hazards as it is expected that Manufacturers and Health Organisations work collaboratively to complete this based on the outcomes of a hazard assessment workshop (more guidance on hazards identification and hazard assessment workshop can be found in Section 4.3 of both the Implementation Guidance for Health Organisations [Ref 3] and for Manufacturers [Ref 4]). It is therefore a generic list that can be used as a starting point and needs to be individually assessed in relation to the overall product or release. It is not a definitive list and is in no way exhaustive. Each hazard is presented with a unique identifier HAZ number, for example HAZ01, however, this is not definitive, as Manufacturers and Health Organisations may employ unique hazard identifiers specific to their own clinical risk management system process. Page 10 of 21

2.1 HAZ01 - Clinical information missing from display 2.1.1 Hazard Description Small handheld (e.g. PDA, mobile phones) devices tend to have smaller screen displays and therefore reduced screen real estate could prevent information from being displayed in its entirety. 2.1.2 Potential Clinical Impact There is a potential for any Healthcare Professional (HCP) acting on incomplete information presented by the solution, to administer inappropriate care, which could result in patient harm. 2.1.3 and Screen real estate is not optimised The telehealth / mobile health solution is designed specifically for use on an approved handheld device with particular versions of the firmware and operating system. Optimise screen resolution and display settings on telehealth / mobile health device. Incorrect wrapping of text If all the information cannot be displayed in its entirety on a small screen, a vertical scroll bar could be used on the screen; the vertical scroll bar serving as an alert to the end user that more information is available. Information may be only presented in a particular orientation e.g. landscape mode, with end users not able to change the setting. Truncation of information If all the information cannot be displayed in its entirety on a small screen, a vertical scroll bar could only be used on the screen; the vertical scroll bar serving as an alert to the end user that more information is available. Telehealth / mobile health solution used on device does not meet screen resolution requirements Telehealth / mobile health solution s user interface not fit for purpose Information may be only presented in a particular orientation e.g. landscape mode, with end users not able to change the setting. Telehealth / mobile health solution designed to allow access to only one patient record at a time. Validation of design. Extensive test assurance to confirm the minimum screen resolution and size combination to display information. Ongoing user acceptance testing throughout the design and development process. Extensive test assurance of the solution on real Telehealth / mobile health devices or Telehealth / mobile health device emulators. Page 11 of 21

Placing the device to a particular orientation e.g. portrait, could incorrectly change display of information and possibly cause loss of data Information may be only presented in a particular orientation e.g. landscape mode, with end users not able to change the setting. Manufacturers to provide intensive end user training on modes of navigation. 2.2 HAZ02 - Misleading or confusing presentation of clinical information 2.2.1 Hazard Description Telehealth / Mobile health device displays the clinical information in a misleading and confusing way to the end user. 2.2.2 Potential Clinical Impact The ability to provide data or records pertinent to the care of any patient is critical in terms of accuracy and timing. Misleading or confusing clinical information may contribute to a delay in treatment of the patient or no patient care given. Potential to incorrectly diagnose or treat a patient as a result of having misleading or confusing clinical information 2.2.3 and Inappropriate user interface layout and design Telehealth / Mobile health solution s functionality unclear and inconsistent Placing the device to a particular orientation e.g. portrait mode, could incorrectly change display of information Adherence to relevant user interface standards on the presentation of data e.g. Common User Interface standards 3. Clear and consistent solution response to device functionality e.g. scrolling, text selection, back button. Information may be only presented in a particular orientation e.g. landscape mode, with end users not able to change the setting. Use of simple navigation structures. Manufacturers to provide intensive end user training on modes of navigation. 3 http://www.isb.nhs.uk/use/baselines/cui Page 12 of 21

Poor user interaction or flow of telehealth / mobile health solution Patient banner on clinical record not displayed on every screen Font / Text colour not suitable for telehealth / mobile health device Font / Text colour not suitable telehealth / mobile health solution s background colour and / or theme Usability testing to address issues such as intuitiveness, consistency, user-friendliness of solution, clarity of user interface, ease of use, navigation, incorporated in solution development lifecycle. Clear alerts and feedback to end users on the progress of task completion in solution. Validation of design. Extensive test assurance to ensure patient banner is visible on the screen at all times and on every screen, when viewing a clinical record. Ongoing user acceptance testing throughout the design and development process. Appropriate font / text colour used in telehealth / mobile health solution. Extensive test assurance of the solution on real telehealth / mobile health devices or telehealth / mobile health device emulators. Ongoing user acceptance testing throughout the design and development process. Appropriate font / text colour used in telehealth / mobile health solution. Extensive test assurance of the solution on real Telehealth / mobile health devices or Telehealth / mobile health device emulators. 2.3 HAZ03 - Loss and/or corruption of clinical Information subsequent to synchronisation 2.3.1 Hazard Description Failure or issues with the synchronisation of data (device to device or integrating with a parent system) either real time or as a download, resulting in the loss and/or corruption of clinical information. 2.3.2 Potential Clinical Impact The ability to provide data or records pertinent to the care of any patient is critical in terms of accuracy and timing. Denied access to clinical information may contribute to a delay in treatment of the patient. Potential to incorrectly diagnose or treat a patient as a result of not having clinical information available. Page 13 of 21

2.3.3 and Information is not sent through correctly either to the right device or is corrupted during transmission, or there is partial transmission only No lock out function when one or more users attempt to update the same patient record End user hibernates telehealth / mobile health device while transmitting or receiving data End user turns on screen lock while transmitting or receiving data Architecture design of transmission protocol minimises corruption and loss of messages. Extensive testing and assurance of transmission protocols. Contingency procedures in place to manually transfer data from telehealth / mobile health device to parent system. The system or service to provide the facility to view an audit trail of all interactions on the device and / or record to ensure data quality is maintained. Appropriate alerts in place, to inform end users record is being used elsewhere. Extensive test assurance on any patient record locking functionality. The system or service to provide the facility to view an audit trail of all interactions on the device and / or record to ensure data quality is maintained. Date and time of last synchronisation presented on information. Configure session persistence in solution to maintain the solution state information during usage. The system or service to provide the facility to view an audit trail of all interactions on the device and / or record to ensure data quality is maintained. Date and time of last synchronisation presented on information. Date and time of last synchronisation presented on information. Configure session persistence in solution to maintain the solution state information during usage. The system or service to provide the facility to view an audit trail of all interactions on the device and / or record to ensure data quality is maintained. Page 14 of 21

Data corruption Contingency procedures in place to manually transfer data from telehealth / mobile health device to parent system. Training of end users to check validity of information using live like patient data or scenarios. Telehealth / mobile health solution conformity to NHS data and technical standards for interoperability such as: o Open Standards Interconnection (OSI) model to level 6 and 7 (ISO/IEC 7498-1:1994) 4 o EDIFACT 5 o HL7 6 o e-government Interoperability Framework (e-gif) 7. o NHS Data Dictionary 8 o NHS Reference Information Model (RIM) 9. Telehealth / mobile health device lost or stolen Hardware or software failure of parent system Appropriate procedures in place to disable telehealth / mobile health device when reported as lost or stolen. Password protection on all devices strong passwords enforced. Encryption of data on telehealth / mobile health devices. Contingency procedures in place to manually transfer data from telehealth / mobile health device to parent system when issues with parent system is resolved. The system or service to provide the facility to view an audit trail of all interactions on the device and / or record to ensure data quality is maintained e.g. last modified date and time, last accessed date and time and by whom, is available. Issues regarding parent system fixed and automatic synchronisation in place. Alerts in place on both parent system and telehealth / mobile health solution if there is more up-to-date information recorded on a patient on either systems. 4 http://standards.iso.org/ittf/licence.html 5 http://www.unece.org/trade/untdid/welcome.html 6 http://www.hl7.org.uk/ 7 http://www.cabinetoffice.gov.uk/govtalk/schemasstandards/e-gif/e government_interoperability_framework_version_61.aspx 8 http://www.datadictionary.nhs.uk/ 9 http://www.hl7.org/documentcenter/public/calendarofevents/himss/2011/hl7%20reference%20information%20model.pdf Page 15 of 21

2.4 HAZ04 - Loss of clinical information subsequent to interruption during use of telehealth / mobile health solution 2.4.1 Hazard Description Loss of clinical information when telehealth / mobile health solution does not restore to its previous state when interrupted during use. 2.4.2 Potential Clinical Impact HCP acting on incomplete clinical information may lead to inappropriate or no care being given, resulting in patient harm. 2.4.3 and Low memory Configure session persistence in solution to maintain the solution state information during usage. Extend memory of telehealth / mobile health device. Network disruptions Caching end users logon credentials for an agreed period during network disruptions which reduces the repeated need for end users to re-enter login details. Telehealth / mobile health solution interrupted by other actions such as phone call, text message, low battery alert, other device solution End user moves out of network coverage range Implement solution which offers network session persistence. This keeps the existing network session open at both ends of the connection while the connection itself is down. Alternative secure connection options when mobile data coverage is low e.g. the use of wifi. Configure session persistence in solution to maintain the solution state information during usage. Caching end users logon credentials for an agreed period during network disruptions which reduces the repeated need for end users to re-enter login details. Implement solution which offers network session persistence. This keeps the existing network session open at both ends of the connection while the connection itself is down. Configure session persistence in solution to maintain the solution state information during usage. Page 16 of 21

Low battery Extensive test assurance of the solution on real telehealth / mobile health devices using different battery states e.g. behaviour of solution during full, half or very low battery. End user accidently quits the telehealth / mobile health solution and restarts it End user hibernates device or turns on screen lock while entering, receiving or transmitting data Configure session persistence in solution to maintain the solution state information during usage. Telehealth / mobile health device should notify users when battery is low. Ongoing user acceptance testing by end users throughout the design and development process. Telehealth / mobile health solution auto saves information entered at regular intervals. Configure session persistence in solution to maintain the solution state information during usage. The system or service to provide the facility to view an audit trail of all interactions on the device and / or record to ensure data quality is maintained. Date and time of last synchronisation presented on information. 2.5 HAZ05 - Access to information on device unavailable 2.5.1 Hazard Description HCP denied access to clinical data or the patient record. 2.5.2 Potential Clinical Impact The ability to provide data or records pertinent to the care of any patient is critical in terms of accuracy and timing. Denied access to clinical information may contribute to a delay in treatment of the patient. Potential to incorrectly diagnose or treat a patient as a result of not having clinical information available. 2.5.3 and Telehealth / mobile health device malfunction Contingency plans for service unavailability should be in place in the Health Organisation. Issues with the telehealth / mobile health device resolved. HCP given a replacement telehealth / mobile health device. Page 17 of 21

Telehealth / mobile health device power outage/supply issues Intermittent connectivity or connection to Telehealth / mobile health device or solution HCP could be in an area with poor mobile signal coverage and the device is unable to connect to the mobile data network HCP is unable to log on or access clinical information due to lack of knowledge Telehealth / mobile health device should notify users when battery is low. Training of end users in the recharging/replacing of device batteries. Policy in place for HCP to carry spare batteries and / or chargers. Alternative secure connection options when mobile data coverage is low e.g. the use of wifi. Alternative secure connection options when mobile data coverage is low e.g. the use of wifi. Intensive end user training on how to access clinical information on telehealth / mobile health device. End user forgotten log in details Disaster recovery plans in place if the telehealth / mobile health device is solely relied on. Policy in place for username and password recovery. 2.6 HAZ06 - Inappropriate or erroneous access to clinical information 2.6.1 Hazard Description Clinical information in the telehealth / mobile device inappropriately accessed by an unauthorised user or another solution on the device. 2.6.2 Potential Clinical Impact Clinical information maliciously modified which could consequently affect patient care. Where device is the sole storage of mobile patient encounter, HCP would have to reacquire patient data. 2.6.3 and Stringent security protocols have NOT been applied to the telehealth / mobile health device End users should be aware and formally agree to the information security policy for mobile working. Extensive security test assurance on telehealth / mobile health solution. Page 18 of 21

Inadequate telehealth / mobile health device usage policies Deliberate unauthorised use or insufficient Information governance rules applied Telehealth / mobile health device lost or stolen results in the inappropriate access to the device Malicious actions to access the data whilst being sent to the telehealth/mobile health device Extensive security test assurance on telehealth / mobile health solution. End users should be aware and formally agree to the information security policy for mobile working. Only NHS and/or Health Organisation s approved telehealth / mobile health solutions allowed on device. Functionality in place to allow for remote data wiping or removal. Other physical device to be allowed to access the device or telehealth / mobile health solution (e.g. Smartcard). Encryption of data on telehealth / mobile devices. Professional duty of HCP to look after telehealth / mobile health device as well as clinical information before or during mobile patient encounter. Password protection on all devices strong passwords enforced. Encryption of data on telehealth / mobile devices. Appropriate procedures in place to disable telehealth / mobile health device when reported as lost or stolen. Functionality in place to allow for remote data wiping or removal. Encryption of data while being sent to telehealth / mobile device. Handshaking between receiving telehealth/mobile health devices and sending system in place to ensure that data is sent to the right device. 2.7 HAZ07 End user (patient) information incorrectly entered in telehealth / mobile health device 2.7.1 Hazard Description To monitor their condition, end user (patient) incorrectly enters information about themselves in telehealth / mobile health device. 2.7.2 Potential Clinical Impact HCP acting on incorrect patient s clinical information may lead to inappropriate or no care being given, resulting in patient harm. Page 19 of 21

2.7.3 and Telehealth / mobile health device inappropriate for patient Patient does not know how to use the telehealth / mobile health device Ongoing user acceptance testing by end users (patients) throughout the design and development process. Appropriate device given to patient taking into account their varying medical conditions e.g. poor eye sight, colour blindness. Intensive end user (patient) training on how to use the telehealth / mobile health device to enter their information. Support available to end user (patient) in ensuring proper telehealth / mobile health device usage. Procedure to allow for patients feedback on their telehealth / mobile health device usage and review processes to act on feedback received, in place. End user (patient) error Alert available to HCP when information received from the telehealth / mobile health device is missing or incorrect. Intensive end user (patient) training on how to use the telehealth / mobile health device to enter their information. 2.8 HAZ08 - Infection or contamination 2.8.1 Hazard Description The contamination of any device used in the treatment of patients in an environment where infection or similar can be transferred to subsequent patients. 2.8.2 Potential Clinical Impact The transmission of infection such as MRSA or Clostridium Dificile can lead to serious clinical consequences including death. Any object that comes into contact with patients either directly, or in this case indirectly, has the potential to harbour infectious organisms that could be transmitted between patients. Page 20 of 21

2.8.3 and This could happen if the device is used in multiple patient locations. Infection could be spread to patients causing further illness and patient harm. Health Organisation infection control policies / guidelines in place. Telehealth / mobile health devices should be suitable for the environment they are being used in. Adherence to any universal NHS guidelines on infection Anti-bacterial touch screens on telehealth / mobile health devices. 2.9 HAZ09 - Electrical or Electromagnetic Interference 2.9.1 Hazard Description Devices may be susceptible to electrical or electromagnetic noise / interference in unsuitable environments, limiting its functionality. 2.9.2 Potential Clinical Impact Devices may not work as designed or intended if subject to adverse conditions. 2.9.3 and Device is not compliant with Electromagnetic Compatibility (EMC) directive 10. Device compliance with Electromagnetic Compatibility (EMC) directive. Devices should be fully compliant with the certification / standards required for operation in the environment intended. Health Organisation should have back up plans in place or business continuity options for other devices or solutions should this hazard occur. For example proven compliant alternative device suppliers. 10 Electromagnetic Compatibility (EMC) directive: http://ec.europa.eu/enterprise/sectors/electrical/emc/ Page 21 of 21