Should we be issuing innovation passports?

Regulation and compliance processes are a major topic within healthtech. While concerns raised are largely fair, we also feel that an over-focus on this area could be something of a red herring. If all attention is placed on compliance challenges, we risk ignoring broader structural inefficiencies that are equally - if not more - critical to enabling innovation.

From our viewpoint, compliance isn’t a major blocker in itself - it’s certainly an area of friction, but we find that most existing regulatory challenges are surmountable. Those providers and innovators who are driven towards impact will simply persevere and push through regulatory / compliance challenges. Those who are less inclined will likely follow in time once others have forged a clear path. That being said, it’s clear there are inefficiencies which slow down adoption, create unnecessary work, and generate frustration for both innovators and providers.

Below, we summarise the key regulatory challenges faced today, followed by our perspective on what solutions could help address these issues.

The Challenges

1️⃣ Fragmentation and Duplication

There are too many different documents and compliance standards today, leading to significant time and resource investment in completing multiple, largely duplicative processes.

Instead of a single compliance pathway, vendors must navigate a patchwork of frameworks, often requiring near-identical information in slightly different formats.

Some of the compliance framework documents we have been asked to complete include:

• DCB-0129

• DTAC

• DPIAs

• DSPT

• Cyber Essentials

• ISO27001

Many of these frameworks overlap significantly or serve similar functions, but must be completed separately, creating an unnecessary administrative burden.

2️⃣ Inconsistent Standards

Different interpretations of compliance requirements create inconsistency and uncertainty. What is considered ‘reasonable’ compliance can vary significantly from place to place, adding delays and inefficiencies.

For examples

• We were told that our Data Processing Agreement “isn’t long enough”, despite it meeting all security and legal standards.

• In another case, we went through 19 iterations over five months on a single compliance document because of the variety of local stakeholders involved. 😩

This level of variation discourages innovation and slows adoption, as vendors must cater to a moving target rather than a clear national standard.

3️⃣ Disjointed Approval Processes

Different levels of approval (practice, PCN, ICB, national) often result in redundant, conflicting, or slow decision-making. In some cases, even when practices have completed due diligence, external bodies override their decisions or introduce new barriers. This can all lead to significant delays and often complete loss of momentum in deploying innovation.

For example:

• We were told recently that despite a practice doing its diligence on our Hippo product, the ICB was simply banning any ‘AI’ blocking their deployment outright despite the time already invested from both sides 😩

This creates an unpredictable environment where investment in compliance and due diligence does not necessarily lead to implementation.

4️⃣ Understanding of Processes Lacking

Many compliance processes are not well understood by those enforcing them, leading to confusion, misapplication, and the wrong outcomes.

For example:

• We are frequently asked to complete documents that are actually meant for healthcare providers, not vendors. To manage this, we now maintain ‘template’ responses for providers to implement, although in our experience most providers are unlikely to actually read these documents. 😩

In many cases, compliance ends up being a waste of time rather than a meaningful assessment of security and risk.

Summary

Despite these challenges, we have observed that most regulatory processes are surmountable with enough time and effort from both the provider and the supplier. In fact, because most practices/PCNs/ICBs are not well-versed in compliance processes, they can often end up being a fairly rapid ‘tick-box exercise’ or just skipped over entirely! That being said, a better solution would no doubt help both new and existing customers.

A Thoughtful Solution - Innovation Passports

A national regulatory ‘passport’ system could effectively address these challenges and reduce friction, but it must be designed carefully to ensure success without becoming an innovation blocker itself:

1. Appropriate compliance levels – The set compliance threshold should be carefully considered to strike the right balance between enabling early-stage innovation and ensuring patient safety. Overly burdensome requirements, particularly for smaller companies, risk stifling innovation before it begins. A tiered approach - where compliance requirements scale with adoption (and consequent risk) - could help mitigate this.

2. Build on existing standards - Rather than starting from scratch, the ‘passport’ should be based on established frameworks to create a fast route to a strong standard. Learning from existing systems like ISO27001, with its thoughtful certification and recertification processes, will help to build a robust new framework and a strong foundation. Using existing frameworks will also act as a bridge, enabling existing companies to more smoothly transition rather than starting from ground zero in a new system.

3. Appropriate resourcing - Any new system would have to be adequately resourced and properly managed - we’ve seen first-hand how national systems like the NHS App can become blockers rather than enablers if they are underfunded or poorly managed (we waited >2 years to start the integration process). A poorly resourced system would leave innovation stuck in a queue before it even gets a chance to prove itself.

4. Clear branding and communication - Simplicity is key to success here. Any new system would need to be a well-branded system with an intuitive, clear name (e.g. “NHS Approved”) to stand out against the current alphabet soup of acronyms and give providers and commissioners something easy and clear to rally around and adopt.

5. Top-Down Consistency – Once a new national system is in place, local teams should be discouraged from introducing additional, redundant approval processes. While local ownership sounds appealing, these teams are not experts in regulatory frameworks, and their added layers often lead to duplication or unnecessary barriers. A clear national mandate is essential to maintain efficiency and mitigate the risk of bureaucratic overreach.✅

   
   

A well-designed national regulatory ‘passport’ system could streamline compliance, reduce friction, and support innovation by adopting a tiered approach, leveraging existing standards, ensuring proper resourcing, utilising clear branding, and maintaining consistency.