The Hidden Cost of Compliance
As we enter peak procurement season, I thought it would be worth a bit of an explainer as our Open Pricing policy has attracted a lot of attention and questions. The root of this is how do we actually derive the prices we charge for our products and services? Carefully is the short answer! We’re acutely aware of the pressures the NHS is under to do more for less and need to ensure that we don’t price ourselves out of the market whilst maintaining ourselves as a sustainable business. This is a fine line to tread and the penalties for getting it wrong are severe (as witnessed by Vision and Jayex amongst others in the last 6 months).
We’ve been doing what we do for a long time and have a good understanding of the basic overheads and staff costs. We are also not out to extract as much as we can from our customers, but you’ll forgive us if we try to make a modest profit on our activities. One area that our customers are not quite so aware of is the overhead of maintaining our assurances to satisfy NHS requirements.
As I said, we’ve been doing this a long time now and back in the early 2000s our first integration with Torex Premiere (remember that?) was essentially being given database credentials and told to get on with it. Whilst I’m very pleased to say that things have changed considerably since those days, the current assurance requirements do add cost and slow down the pace of development somewhat but that’s an acceptable price to pay as ensuring standards, availability, patient safety, data security, and wider regulatory adherence is non-negotiable.
In a far cry from those days of 2 decades ago, this year alone, Engage Health has spent the sunny side of £75,000 on external costs evidencing our compliance:
- ISO Certifications: We hold ISO 9001, ISO/IEC 20000-1 and ISO/IEC 27001, each of which needs an annual surveillance audit by a UKAS-accredited certification body.
- Penetration Testing: A week of aggressive testing every year to confirm our services hold up, carried out by an NCSC CHECK-approved company. It is not a one-off; the report has to be refreshed annually.
- Cyber Essentials and Cyber Essentials Plus: Cyber Essentials is a detailed look at our internal operations, ensuring that our staff machines run an up-to-date standardised build and that appropriate password policies and protections are in place. Plus adds an independent technical audit of that self-assessment.
- Accessibility Audits: Ensuring digital products are accessible to all users, in line with legal requirements. We meet the WCAG 2.1 AA standard in all areas and exceed in some.
- Clinical Risk Management: Complying with DCB0129 (which applies to us as the manufacturer) and DCB0160 (which applies to the deploying NHS organisation) to ensure patient safety in digital health solutions.
I’m not including in here the staff hours for managing these certifications and maintaining documentation for every single release, along with the associated NHS documentation such as SCALs (Supplier Conformance Assessment Lists) for things like NHS Login, NHS App, NHS Notify, PDS, IM1 and so on, but you can probably safely double that figure.
To put this into perspective, let’s talk about cost-to-return. With the average price envelope per patient for Online Consultation and Video Consultation systems sitting around 27p, the £75,000 of external costs alone needs roughly 280,000 patients to break even; once you double it for the internal effort, that is over half a million patients just to cover compliance. If you’re a niche provider, you’re going to be expensive. With scale, you can spread this around some.
These expenses are not optional; they are the price to pay for companies wishing to work with the NHS.
Why Does This Matter?
- Barrier to Entry: High compliance costs deter smaller, agile companies from entering the market, limiting the NHS’ access to some fantastic technology. I speak to people with great ideas all the time and it’s heartbreaking to burst their bubble and explain the realities of our market. Our current one-size-fits-all model isn’t always appropriate; burdening someone with a cool idea for a niche mental health app with the same requirements as we have dealing with millions of patients isn’t right.
- Slows Innovation: A strong assurance wrapper is great when it moves at a sensible pace. It does, however, need to be appropriate and proportional to the innovation being sought. Through the NHS IM1 forum, we regularly see companies waiting over a year for their pairings to progress. We ourselves have been waiting since December for a very minor change request to be even acknowledged, let alone actioned. The IM1 team are doing what they can but staffing cuts in NHSE are not helping at all and none of us can move on without their sign-off.
- Inequitable Playing Field: Scale helps a lot and larger corporations can more easily absorb these costs, creating an uneven landscape where only the biggest players thrive and making it an expensive gamble for newcomers. The Tech Innovation Framework is a good start here, but needs to expand its scope if we want to give new ideas a chance.
- Procurement scrutiny: It’s very depressing when you see awards being made to organisations that are cheaper because you know they are not meeting the mandated standards. When did you last check your vendor’s DTAC (Digital Technology Assessment Criteria) evidence?
This isn’t a whinge (Ok, maybe a little one) but assurance is an accepted and major part of our world that it seems a lot of our customers are unaware of. I hope this gives you a little more insight into what goes on behind the scenes 🙂
Jon Witte
Founder