ORCHA baseline review (OBR)

The OBR is primarily an assessment of an App's compliance with current standards, regulation and good practice (together ‘Standards’).

A standard is an agreed way of doing something. It could be about making a product, managing a process, delivering a service or supplying materials – standards can cover a huge range of activities undertaken by organizations and used by their customers.

'Standards are the distilled wisdom of people with expertise in their subject matter and who know the needs of the organizations they represent – people such as manufacturers, sellers, buyers, customers, trade associations, users or regulators.' (British Standards Institute)

They can be of regulatory significance, or form non-regulatory requirements or required best practice in a given jurisdiction or area.

The Standards we currently look at in the OBR are:


CQC – Care Quality Commission
The independent regulator of all health and social care services in England. If an App provides a health service to the user, it may need to be registered with the CQC.

Caldicott Principles
We assess whether Apps comply with the NHS Data Standards. The Caldicott Principles ensure that any patient information which could identify them is protected, and is only used and shared when it is appropriate to do so.

DSPT – Data Security and Protection Toolkit
We assess whether Apps comply with the NHS Data Standards. An online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

ESF – Evidence Standards Framework
Guidelines published by NICE used to measure the effectiveness or impact of Apps.

FDA – Food and Drug Administration (US)
The FDA are responsible for protecting public health by ensuring the safety and efficacy of food products and pharmaceutical products. If relevant, we establish if an app is FDA Approved or FDA Cleared.

GDPR/DPA 2018 – General Data Protection Regulation/Data Protection Act 2018
We assess whether an App is fully compliant with GDPR and follows the correct data protection guidelines.

GPhC – General Pharmaceutical Council
The independent regulator for pharmacists, pharmacy technicians and pharmacy premises in the UK. If relevant, we assess whether an App constitutes a pharmacy service, which would need to be registered with the GPhC.

HSCN – Health and Social Care Network
The HSCN provides a reliable and efficient way for health and care organisations to access and exchange electronic information.

ISO 13485
Quality management system for medical devices.

ISO 14971
Application of risk management to medical devices.

ISO 27001
An International Data Management Standard, specifically concerning information security management.

ISO 9241
App design standards.

MDR – Medical Device Regulations (successor to MDD – Medical Device Directive)
The European Union Medical Device Regulations replace the existing Medical Device Directive in May 2020. Products which display features or make claims that may qualify them as a medical device should have a CE mark. The MDR makes sure that such devices are safe and effective for public use.

MHRA – Medicines and Healthcare products Regulatory Authority
The MHRA ensures that medicines and medical devices work and are safe. The MHRA are a notified body who will determine whether a product is a medical device, and therefore determine if it requires a CE mark.

NICE – The National Institute for Health and Care Excellence
NICE provide guidance, advice and information services for health, public health and social care professionals. NICE published the ESF guidance to measure the effectiveness or impact of Apps.

WCAG 2.0 AA/WCAG 2.1 AA – Web Content Accessibility Guidelines 2.0 and 2.1
We establish whether an App has been designed and developed according to the appropriate App design standards.
