Clinical Boundary Risk Assessment FAQs
Clinical Safety & Statutory Compliance
Yes. DCB 0129 is mandated under section 250 of the Health and Social Care Act 2012, which gives the Secretary of State powers to publish information standards. Compliance is required for manufacturers of health IT used in NHS-funded care.
However, DCB 0129 addresses clinical safety within a single manufacturer's product. It does not explicitly address the clinical safety risks that arise when that product operates across organisational boundaries — where data crosses between two organisations with different governance frameworks. The Boundary Risk Assessment extends DCB 0129/0160 assurance to these boundary-specific risks.
DCB 0129 applies to manufacturers of health IT — they must demonstrate that clinical risks in their product have been identified and managed. DCB 0160 applies to organisations deploying health IT — they must manage the clinical risks specific to their deployment context (configuration, integration, training, workflow).
Together, they create a comprehensive safety framework within a single organisation. The gap is at boundaries: when a manufacturer's product is deployed by Organisation A and exchanges data with Organisation B, neither standard requires the boundary-specific risks to be in either organisation's hazard log.
Clinical handover is the transfer of clinical responsibility from one provider to another. Within a single organisation, this is typically governed by handover protocols like SBAR. Between organisations — at discharge, referral, or care pathway transitions — clinical handover is rarely governed at all.
We use the term Minimum Viable Responsibility Transfer (MVRT) for the principle that handover must be explicit, bilateral, and confirmed before it is complete. In our assessments, most inter-organisational handovers fail MVRT.
Assessment Methodology
A Boundary Risk Assessment evaluates governance at the joins between healthcare organisations — where data crosses, responsibility transfers, and clinical risk is highest. Using the Seven Flows methodology, every boundary is scored across seven governance dimensions (Identity, Consent, Provenance, Clinical Intent, Alert & Responsibility, Service Routing, Outcome) with cascading failure logic that reveals structural dependencies.
The output is a per-boundary scorecard with statutory traceability, a Constitutional Transition Analysis for cross-domain boundaries, and a funded remediation roadmap.
MVRT — Minimum Viable Responsibility Transfer — is the principle that clinical responsibility cannot be relinquished until the receiving party has explicitly accepted it. In aviation, a sector handover cannot complete until the receiving controller electronically confirms. Healthcare routinely violates this principle — discharges complete without confirmed receipt, referrals are sent without acknowledged acceptance.
In the Boundary Risk Assessment, MVRT is the normative control for the Alert & Responsibility flow. A boundary that fails MVRT cannot achieve Managed status.
A constitutional crossing occurs when patient data or clinical responsibility moves between organisations operating under different legislation, different regulators, and different institutional orientations. An NHS Trust operates under the NHS Act 2006 with a statutory duty to care. A private insurer operates under the Financial Services and Markets Act 2000 with a fiduciary duty to shareholders. When clinical data crosses between them — for example, during pre-authorisation — it crosses a constitutional boundary.
The governance requirements at constitutional crossings are more demanding than same-domain boundaries. We identify ten constitutional domains and map twelve common crossing types.
Cost, Timeline & Technology
Three engagement tiers are available:
Boundary Risk Snapshot (from £5,000): Rapid desktop assessment of 2–5 boundaries with traffic-light scoring across the Seven Flows. Typical turnaround: 2 weeks.
Boundary Governance Audit (from £15,000): Comprehensive on-site audit with full hazard register, constitutional crossing analysis, and remediation roadmap. Typical turnaround: 6–8 weeks.
Boundary Governance Programme (from £35,000): Ongoing governance infrastructure with embedded support, quarterly reassessment, and board-ready reporting.
Pricing depends on the number of boundaries, constitutional crossings involved, and whether technology assessment is included.
NHS rules state that NHS and private treatment cannot be mixed within a single episode of care. A patient can receive private diagnosis and then return to the NHS, but they rejoin the NHS waiting list.
However, the governance question is rarely addressed: when a patient moves from NHS to private care, the legislative framework changes (NHS Act 2006 → Companies Act 2006 / Health and Social Care Act 2008), the regulator emphasis shifts (NHS England → CQC with commercial considerations), and the institutional orientation towards the patient changes. We call this a constitutional transition, and it carries governance requirements beyond what standard data sharing agreements address.
Healthcare due diligence is the assessment of clinical, regulatory, financial, and operational risks when acquiring a healthcare provider. Standard DD assesses the target as a standalone entity. It typically does not assess what happens to the organisational boundaries after acquisition — the governance between the target and the acquiring group, or between the target and its existing partners.
A Boundary Risk Assessment adds this dimension: pre-acquisition boundary mapping, Constitutional Transition Analysis, per-boundary scoring, and a post-acquisition governance roadmap.
In many cases, yes. The AWS Migration Acceleration Program (MAP) Assess phase provides up to $75,000 in partner cash — enough to fully fund a Boundary Risk Assessment including the technology assessment. The assessment then produces the business case data required to unlock further MAP funding for remediation.
Combined with Strategic Partner Incentives and the OGVA 2.0 public sector agreement, the remediation roadmap can present a largely self-funding proposition. We quantify the available funding stack for each client.