The NHS Ten Year Plan, the Data Use and Access Act, and the direction of travel across every major health policy document point to the same destination: enhanced, governed interoperability. A world in which clinical data flows seamlessly and securely across organisational boundaries, enabling safer handoffs, faster pathways, and better outcomes.
But interoperability without governance is just connectivity. And connectivity without security foundations is exposure.
Before healthcare can achieve the interoperability it needs, the foundations must be laid: infrastructure that ensures clinical safety by design, provides assurance against data breaches and ransomware attacks, and enforces governed responsibility transfer at every organisational boundary. The legislation is now demanding exactly this — and it is demanding it of private providers, not just the NHS.
For years, the burden of digital compliance sat squarely on the NHS. Information standards, clinical safety frameworks, data security toolkits — these were problems for trusts, ICBs, and commissioning bodies. Private providers could operate in their slipstream, adopting what they chose, ignoring what they didn't.
That era is over.
A series of legislative changes — some already in force, others moving through Parliament — have collectively extended mandatory digital infrastructure obligations to every private healthcare provider operating in England. Not as guidance. Not as best practice. As law.
And at the centre of this new reality is a problem that legislation alone cannot solve: the governed transfer of clinical responsibility across organisational boundaries.
The Legislative Convergence
What makes the current moment different isn't any single piece of legislation. It's the convergence. Private healthcare providers now face overlapping obligations from at least seven distinct legislative and regulatory instruments (primary legislation, statutory regulations, mandatory standards and assurance frameworks), each addressing a different facet of the same underlying problem: how do you ensure patient safety when care crosses organisational boundaries in a digital environment?
Mandatory Information Standards: From “Have Regard” to “Must Comply”
The Health and Care Act 2022 amended Section 250 of the Health and Social Care Act 2012 to fundamentally change the obligation on private providers. Previously, private health and adult social care providers had a statutory duty to “have regard” to Information Standards — language that allowed discretion. The law now requires both public and private providers to comply with any mandatory Information Standards that apply to them.
This isn't theoretical. The legislative changes explicitly allow for monitoring and enforcement action against private providers who fail to comply. NHS bodies already face this as a condition of their provider licence. Private providers are now on the same footing.
The Data Use and Access Act 2025: IT Suppliers in the Crosshairs
The Data (Use and Access) Act 2025, which received Royal Assent in June 2025, goes further. Where the Health and Care Act extended obligations to healthcare providers, the DUAA extends them to the technology layer itself.
Schedule 15 and Section 121 impose mandatory information standards on IT suppliers engaging with the NHS. The definition of “relevant IT provider” is deliberately broad, covering providers of both IT devices and services. The standards will address functionality, connectivity, interoperability, portability, storage, access, and security of information.
For private healthcare providers, this creates a double obligation. They must comply with information standards as providers. And they must ensure their technology stack — whether built in-house or procured — meets the incoming IT standards. The enforcement mechanism includes the Secretary of State publishing statements identifying non-compliant providers.
The Act also changes the rules on automated decision-making. A decision now counts as "solely automated" only where there is no "meaningful" human involvement; a human who merely clicks through a system's recommendation does not take the decision out of scope. For any provider using digital triage, automated referral routing, or AI-assisted clinical pathways, this means that wherever such tools contribute to decisions with legal or similarly significant effects on a patient, the human involvement must be substantive and evidenced: who reviewed what, when, and on what basis, recorded in a form that can be audited later.
Clinical Safety Standards: Already Mandatory, Widely Ignored
DCB 0129 and DCB 0160 — the clinical risk management standards for manufacturers and deployers of health IT systems — have been mandatory under Section 250 of the Health and Social Care Act 2012 for some time. NHS England's own step-by-step guidance is clear: digital products developed with private funding but subsequently deployed in a publicly commissioned care service fall within scope.
In practice, this captures any private provider whose systems touch NHS-commissioned pathways — which, given the growth of NHS-funded private provision, is an expanding category. Even for purely private deployments, NHS England strongly recommends adoption, and the direction of travel under the DUAA makes future mandatory extension likely.
These standards require a named Clinical Safety Officer, a maintained hazard log, a clinical safety case report, and continuous risk management throughout the system lifecycle. They are not one-off assessments. They are living governance obligations.
Duty of Candour: The Accountability Gap
Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 applies to every provider registered with the Care Quality Commission — including every private provider delivering regulated activities. When a notifiable safety incident occurs, providers must notify the affected person in person, provide a true account of the facts, advise on further enquiries, and offer a formal apology. The CQC can prosecute breaches without warning.
Here is the problem that legislation creates but does not solve. When a patient's care pathway crosses organisational boundaries — from GP to private provider, from private provider to NHS trust, from one private network to another — who holds the duty of candour at the point of failure? The legislation assigns it to the registered provider. But if the failure occurred during a handoff between providers, and neither has infrastructure to evidence exactly when responsibility transferred and what information was communicated, both are exposed.
This is not a compliance problem. It is an infrastructure problem.
The DSPT: No Longer Optional for Private Providers
The Data Security and Protection Toolkit is now mandatory for any organisation that processes NHS health data, uses NHS systems, delivers services under an NHS contract, or is registered with the CQC. Non-completion risks loss of NHS systems access, contract eligibility, and reputational damage.
The framework is tightening. Version 8, released in September 2025, aligns with the NCSC's Cyber Assessment Framework and introduces outcome-based auditing. IT suppliers must now complete mandatory independent audits. The days of tick-box self-assessment are ending.
Cloud Security: The 14 Principles
NHS England has adopted the NCSC's 14 Cloud Security Principles as the mandatory baseline for all cloud-deployed healthcare systems. These require continuous compliance monitoring, least-privilege access based on federated identity, encryption at rest and in transit, network isolation of protected data, and annual penetration testing.
For private providers deploying clinical systems in the cloud — which is increasingly all of them — this means the cloud landing zone itself must be designed for healthcare compliance from the ground up. Retrofitting security and governance onto a generic cloud deployment does not meet the standard.
The Cyber Security and Resilience Bill: The Incoming Wave
The Cyber Security and Resilience Bill, introduced to Parliament in November 2025, represents the most significant expansion of cyber regulation since the NIS Regulations 2018. For the first time, managed service providers and critical suppliers — including healthcare diagnostics providers — will be directly regulated.
The Bill was explicitly motivated by the Synnovis ransomware attack of 2024, which disrupted over 11,000 NHS appointments and procedures. It imposes incident reporting obligations, empowers regulators to investigate supply chain vulnerabilities, and introduces fines of up to £100,000 per day for failing to act against relevant threats.
For private healthcare providers, this means their technology suppliers, their managed service providers, and potentially their own operations will all fall within scope of a cyber resilience regime that didn't previously apply to them.
The Infrastructure Gap
Taken individually, each of these obligations is manageable. Taken together, they describe a compliance environment that few private healthcare providers are currently equipped to handle through manual processes, consultant engagements, and bolt-on governance.
Consider what a private healthcare provider now needs to demonstrate, simultaneously:
- Clinical safety governance across their digital systems (DCB 0129/0160), with a named CSO, maintained hazard logs, and continuous risk management
- Information standards compliance that is mandatory, monitored, and enforceable (Health and Care Act 2022)
- Data security evidenced through annual DSPT assessment aligned to the Cyber Assessment Framework, with independent audit
- Cloud infrastructure meeting the NCSC 14 Principles, with encryption, isolation, federated identity, and continuous monitoring
- Duty of candour processes that can evidence exactly what happened, when, and who was responsible when incidents cross organisational boundaries
- Automated decision oversight that is meaningful, not symbolic, with auditable evidence of human involvement at clinical decision points (DUAA 2025)
- Cyber resilience that satisfies incoming obligations on them and their suppliers under the Cyber Security and Resilience Bill
Each of these is currently addressed in isolation. Different consultants, different frameworks, different systems, different evidence trails. The result is a compliance patchwork that satisfies individual audits but fails the fundamental test: can you evidence the safe, governed transfer of clinical responsibility when a patient's care crosses an organisational boundary?
That is the question that sits beneath every one of these legislative instruments. And it is the question that current approaches do not answer.
From Compliance as Overhead to Compliance as Infrastructure
The pattern across all of this legislation is clear. The direction of travel is toward mandatory standards rather than guidance, private providers rather than just the NHS, technology suppliers rather than just care providers, continuous assurance rather than annual assessment, and enforcement rather than encouragement.
The instinct of most organisations facing this kind of regulatory convergence is to address each obligation separately: hire a clinical safety consultant, engage an IG specialist, procure a cloud security audit, appoint a DPO. The result is a patchwork of compliance activities that satisfies individual requirements but creates no coherent foundation.
The alternative is foundational. Build the infrastructure itself to be safe, compliant, and governed from the ground up — cloud landing zones that are pre-compliant with the NCSC Principles and DSPT requirements, with guardrails that prevent the security and governance errors that have plagued healthcare operators. Clinical safety frameworks embedded in the deployment pipeline, not maintained in a separate spreadsheet. Responsibility transfer protocols that create auditable evidence at every handoff point, satisfying duty of candour, information standards, and clinical safety obligations simultaneously.
On that foundation, applications and cross-organisational transactions can happen safely and reliably — not because each application has been individually assessed and bolted together with bespoke governance, but because the infrastructure beneath them enforces the rules. The guardrails are structural. They are not dependent on individual compliance efforts, human memory, or organisational discipline. They are properties of the platform.
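As an added illustration, not a description of any existing product, standard or protocol, the Python below sketches what "auditable evidence at every handoff point" looks like when it is a property of the platform rather than a spreadsheet: a hash-chained ledger in which the sending organisation signs a record of what it sent, and responsibility is treated as transferred only when the named receiver signs an acceptance that references that exact record. Until then the sender still holds it, and the ledger says so. Organisation names, timestamps, the referral payload and the HMAC keys are all constructed for the example; a real deployment would use per-organisation asymmetric keys held in a key vault or HSM and a log that both parties can independently verify.

```python
"""Added example: a tamper-evident handoff ledger recording when clinical
responsibility moved between organisations and what was communicated.
Illustrative only; not any product's or standard's protocol."""
import hashlib
import hmac
import json

# Hypothetical per-organisation signing keys, constructed for this example.
# In practice each organisation would hold its own asymmetric key so that
# neither party can forge the other's acknowledgement.
ORG_KEYS = {
    "gp-practice-a": b"constructed-key-gp-a",
    "private-provider-b": b"constructed-key-pp-b",
}

UNSIGNED_FIELDS = {"sig", "prev_hash", "entry_hash"}
GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(org: str, entry: dict) -> str:
    """HMAC over the entry's content fields (everything except sig and chain fields)."""
    view = {k: v for k, v in entry.items() if k not in UNSIGNED_FIELDS}
    return hmac.new(ORG_KEYS[org], canonical(view), hashlib.sha256).hexdigest()


class HandoffLedger:
    """Append-only, hash-chained log of handoff proposals and acceptances."""

    def __init__(self):
        self.entries = []

    def _append(self, entry: dict) -> dict:
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        entry["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(entry)
        return entry

    def propose(self, sender, receiver, patient_ref, payload: bytes, ts: str) -> dict:
        """Sender records exactly what it handed over; responsibility has NOT yet moved."""
        entry = {"type": "propose", "from": sender, "to": receiver, "patient_ref": patient_ref,
                 "payload_sha256": hashlib.sha256(payload).hexdigest(), "ts": ts}
        entry["sig"] = sign(sender, entry)
        return self._append(entry)

    def accept(self, receiver, proposal: dict, ts: str) -> dict:
        """The named receiver acknowledges one specific proposal; responsibility moves here."""
        if proposal["to"] != receiver:
            raise ValueError("acceptance must come from the named receiver")
        entry = {"type": "accept", "by": receiver, "patient_ref": proposal["patient_ref"],
                 "ref": proposal["entry_hash"], "ts": ts}
        entry["sig"] = sign(receiver, entry)
        return self._append(entry)

    def verify(self) -> bool:
        """Recompute the chain and every signature; False if any record was altered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if hashlib.sha256(canonical(body)).hexdigest() != e["entry_hash"]:
                return False
            signer = e["from"] if e["type"] == "propose" else e["by"]
            if not hmac.compare_digest(sign(signer, e), e["sig"]):
                return False
            prev = e["entry_hash"]
        return True

    def responsibility(self, patient_ref: str) -> dict:
        """Who holds responsibility now, and whether a handoff is still unacknowledged."""
        holder, pending = None, {}
        for e in self.entries:
            if e["patient_ref"] != patient_ref:
                continue
            if e["type"] == "propose":
                holder = holder or e["from"]
                pending[e["entry_hash"]] = e["to"]
            elif e["ref"] in pending:
                holder = pending.pop(e["ref"])
        return {"holder": holder, "pending_to": next(iter(pending.values()), None)}


def demo():
    """Constructed walk-through: GP proposes, provider accepts, then a record is tampered with."""
    ledger = HandoffLedger()
    referral = b"constructed referral summary for patient P-001"
    p = ledger.propose("gp-practice-a", "private-provider-b", "P-001", referral, "2025-01-01T09:00:00Z")
    before = ledger.responsibility("P-001")   # still with the GP: not yet acknowledged
    ledger.accept("private-provider-b", p, "2025-01-01T09:05:00Z")
    after = ledger.responsibility("P-001")    # now with the private provider
    intact = ledger.verify()
    ledger.entries[0]["payload_sha256"] = "0" * 64  # alter the record of what was sent
    return before, after, intact, ledger.verify()


if __name__ == "__main__":
    print(demo())
```

The point of the shape is the one the duty of candour section makes: the question "who held responsibility at the moment of failure" has a single answer that neither party can rewrite afterwards, and the hash of the payload fixes what was actually communicated, without the ledger itself holding clinical content.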
This is the difference between building a house on sand and then reinforcing each room individually, versus laying proper foundations first and building on them with confidence. The legislation tells providers what they must do. What's missing is the foundation that makes doing it possible.
The Scale of the Problem
The NHS spends approximately £3.4 billion per year on clinical negligence claims. Research consistently identifies failures at organisational boundaries — referral handoffs, discharge communications, shared care protocols — as a dominant category of preventable harm. Up to 80% of serious medical errors involve miscommunication during care transitions.
Private healthcare is not insulated from this. The Clinical Negligence Scheme for Trusts has been open to independent sector providers of NHS care since 2013. Contribution levels are influenced by claims history — creating a direct financial incentive for the kind of infrastructure that prevents boundary failures.
The legislative convergence described above is not happening in a vacuum. It is a response to a patient safety problem that everyone in the system recognises but nobody has the infrastructure to address. The legislation creates the obligation. The foundation must create the capability.
The organisations that move first — building on compliant, governed infrastructure rather than retrofitting governance onto ungoverned systems — will not only meet their statutory obligations. They will be the ones that other providers trust to transact with safely. In a world where every cross-organisational interaction carries regulatory exposure, that trust becomes the most valuable asset in the market.
Enhanced, governed interoperability is the next stage for safer, more efficient healthcare. Everyone agrees on the destination. But you cannot build interoperability on ungoverned foundations. The legislation now converging on private healthcare providers is not an obstacle to that future — it is the specification for the foundations that make it possible.
The question is not whether these foundations will be built. It is who builds them first.