How Heidi meets all NHS guidance requirements

At Heidi, we actively collaborate with regulators around the world including NHS England to ensure clinicians are using Heidi safely. Read on to see how we ensure all UK clinicians meet the latest guidance from NHS England.
✅ DTAC: We’ve completed a full internal DTAC assessment aligned to NHS expectations, with supporting evidence available across the five domains. This can be provided again on request.
✅ DSPT: Heidi has a current and fully compliant DSPT submission listed on the NHS portal, addressing all relevant data protection and cyber security obligations.
✅ Security Certifications: Heidi holds ISO 27001, SOC 2 Type II, and ISO 9001 certifications, all globally recognised standards for cybersecurity, information security, data protection, and quality management. These certifications are independently audited multiple times per year. We also hold Cyber Essentials certification and are currently undergoing an audit for Cyber Essentials Plus to meet the newly updated requirement in the latest guidance.
✅ Penetration Testing: We conduct annual penetration testing using a CREST-accredited security firm, covering infrastructure, APIs, and application-level vulnerabilities.
✅ DPIA: We’ve completed a comprehensive DPIA for NHS deployments, including lawful basis, risk mitigation, and data flow transparency. Versions have already been used to support ICB governance approvals.
✅ Named Clinical Safety Officer: Heidi has three NHS-accredited Clinical Safety Officers with responsibility under DCB0129 and DCB0160, including our UK Chief Medical Officer and practising GP Dr Hannah Allen, and the UK-based Dr Samuel Adedero and Dr Kieran McLeod. Our clinical safety documentation, including the hazard log and Clinical Safety Case Report, is kept current and reviewed as part of our governance and quality process.
✅ Encryption and GDPR Compliance: Heidi uses end-to-end encryption (TLS 1.2+ in transit and AES-256 at rest) and is fully compliant with UK GDPR and the DPA 2018, with strict controls for data minimisation, subject access, and purpose limitation.
✅ No Unsafe Functionality (e.g. Prompt Injection): The intended use of Heidi is to support the clinician through arduous admin, not to provide clinical support. This is reflected in our terms of service and in the safety controls in the product, including filters, prompt review, flags for any attempted use for clinical support, and review of all user-defined or user-entered information, including templates and free text.
✅ Appropriate Integration with NHS Clinical Systems: Heidi has the technical capability to support integration with major NHS clinical systems across both primary and secondary care, using FHIR, HL7, or custom APIs where supported by the local environment. This enables NHS clinics, practices and hospitals to choose the level of integration appropriate for them, from standalone to fully embedded.
✅ MHRA Classification: Heidi is currently registered as a Class I medical device under MHRA guidance for summarisation functionality. We do not generate diagnoses, management plans, or clinical referrals autonomously, and do not infer new clinical decisions. As we explore new and innovative features that let clinicians extend themselves and their capacity, our regulatory footprint will increase, which is why we are already assessing what Class II certification would require for Heidi.
✅ Evidence of impact: Heidi supports 1.5 million consults a month in the UK alone, from primary care to acute care. Clinicians using Heidi report increased wellbeing, reduced burnout and improved patient experience. In primary care, for instance, Heidi has been shown to save GPs at least 90 minutes a day in note taking and administration. In the SDEC setting, Heidi has been shown to reduce documentation time by 85%, accelerating patient flow and improving the clinician and patient experience.
As always, if you need anything, the Heidi team is here to help. We’re just an email away at hello@heidihealth.com.