
Surgery Intellect - Compliance and Regulations

Introducing the Compliance and Regulations of Surgery Intellect powered by TORTUS

Updated this week

Surgery Intellect, powered by TORTUS, is a voice-enabled AI assistant that uses ambient voice technology (AVT) to listen to, transcribe and code consultations in real time.

This document shows how Surgery Intellect is 'Compliant by Design' - putting clinical safety, data privacy and cyber security at the heart of what we do

Surgery Intellect is a chargeable feature. To register your interest, please use our Enquiry Form here

UK MHRA Class I Medical Device Status

In the UK, medical devices are regulated by the Medicines and Healthcare products Regulatory Agency (MHRA) under the UK Medical Devices Regulations 2002 (as amended).

TORTUS is classified as a Class I Medical Device (Software as a Medical Device, SaMD) and is UKCA-marked and registered with the MHRA. Class I is the lowest-risk category of Medical Device. For this class:

  • The manufacturer conducts a self-assessment of conformity against the General Safety and Performance Requirements (GSPRs)

  • Devices must be formally registered via the Device Online Registration System (DORS) before being placed on the UK market

What’s involved in compliance?

Device Classification: Based on intended medical purpose and level of risk

Self-Certification: Manufacturers must prepare technical documentation and declare compliance

Quality and Risk Management: Implementation of appropriate processes, such as a Quality Management System (QMS)

Ongoing Monitoring: Post-market surveillance and incident reporting obligations to ensure continued safety

Why this matters:

Compliance with UK medical device regulations helps:

  • Protect patient safety by minimising risks during clinical use

  • Ensure legal marketing of the device in the UK healthcare system

  • Build clinical trust through transparent safety and performance claims

  • Enable innovation while upholding regulatory safeguards for NHS integration

TORTUS’ UKCA Class I registration can be verified through the MHRA Public Access Registration Database

Security and GDPR Compliance

GDPR

The UK General Data Protection Regulation (GDPR) is a vital framework that mandates strict guidelines for handling personal data in the UK's healthcare sector. Healthcare organisations and health tech companies in the UK must comply with several practices, including implementing robust data protection measures, obtaining consent from patients, having effective incident response plans, facilitating patients' rights, justifying data processing on legal grounds, and complying with international data transfer regulations.

Compliance with these regulations ensures ethical handling of sensitive health data, enhances patient trust and security in digital health technologies, and impacts how patient data is managed, shared, and protected

Cyber Essentials Plus

Cyber Essentials Plus is a UK government-backed certification scheme that demonstrates an organisation has implemented essential cyber security controls and has had them independently verified through a technical audit.

It means we have been independently tested to prove we have strong protections in place against common cyber threats - like hacking, phishing, or data breaches. For you, it means added reassurance that:

  • Your data is handled securely

  • Our systems are regularly checked by security experts

  • We meet NHS and public sector cyber security expectations

CREST-approved Certification

CREST is a globally recognised accreditation and certification body that sets rigorous standards for penetration testing in the information security industry. Choosing a CREST-approved penetration tester provides several advantages such as high standards of conduct, assurance of quality, comprehensive support and guidance, and insurance protection

CREST certification is particularly valuable for organisations that need to ensure their digital assets are secure against cyber threats and supports compliance with various regulatory requirements such as ISO, GDPR, and PCI DSS

DPIA

A Data Protection Impact Assessment (DPIA) is a process to help an organisation identify and minimise the data protection risks of a project/product, especially for processing that is likely to result in a high risk to individuals

It is a formal process to ensure that personal data is handled safely, legally and with minimal risk. By carrying out a DPIA and providing it to you we:

  • Identify any privacy or data protection risks early

  • Take steps to reduce or remove those risks

  • Illustrate that we are meeting legal duties under GDPR and UK data protection law

View our Data Protection Impact Assessment here

Clinical Compliance

DSPT

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool used by organisations within the NHS and social care to demonstrate their adherence to data security standards. It helps organisations measure and demonstrate their performance against the National Data Guardian's 10 data security measures

All organisations that have access to NHS patient data and systems must use the DSPT toolkit to provide assurance that they are practising good data security and that personal information is handled correctly

DTAC

The Digital Technology Assessment Criteria is a framework that was introduced by NHS England in 2021. Its primary objective is to ensure that digital health technologies meet essential standards before being used within the NHS and social care environments. The framework evaluates and approves digital health products by focusing on five core areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility

DCB0129

DCB0129 is a mandatory clinical risk management standard in the NHS, specifically for manufacturers and suppliers of health IT systems intended for use in NHS settings. It requires us to demonstrate that our products are clinically safe for patients and healthcare providers to use and do not cause harm. Compliance with DCB0129 is mandatory under the Health and Social Care Act 2012

Manufacturers/suppliers must implement a robust clinical risk management system that includes appointment of a suitably qualified Clinical Safety Officer (CSO), risk analysis, mitigation strategies, and documented evidence of effective risk management

The standard requires us to:

  • Start the clinical risk management process early in the product development lifecycle and continue through to decommissioning.

  • Continuously assess and manage risks throughout the lifecycle.

  • Document and provide evidence of our clinical risk management system, including continuous improvement and learning from incidents.

In accordance with DCB0129 we fully comply with the standard and operate a clinical risk management system that enables us to demonstrate the safety of our digital health products through:

  • a clinical safety case report - link to

  • a hazard log

  • a clinical risk management plan

  • structured incident reporting mechanisms, enabling proactive and reactive patient safety measures, investigation, and learning.

Clinical Safety Case Reports and supporting documentation are available to clients and stakeholders upon request

DCB0160

DCB0160 is a mandatory NHS clinical risk management standard for healthcare organisations that deploy or use digital health systems. It ensures that health IT systems are implemented and operated in a way that safeguards patient safety and supports clinical effectiveness. This standard is mandated under the Health and Social Care Act 2012

Compliance with DCB0160 means a health organisation (surgery) must:

  • Appoint a Clinical Safety Officer (CSO) with demonstrable oversight and ongoing involvement in the clinical safety process

  • Carry out a comprehensive clinical risk assessment prior to go-live and throughout the system lifecycle, including any significant system changes, updates, or decommissioning

  • Maintain detailed clinical safety documentation, including a Clinical Safety Case Report, Hazard Log, and Clinical Risk Management Plan

  • Implement structured incident reporting and investigation, ensuring continuous improvement by learning from incidents and implementing safety improvements

As part of DCB0160 you must produce both a Clinical Risk Management Plan (CRMP) and a Clinical Safety Case Report upon the deployment of a new health IT system. The CRMP outlines the planned risk management activities, while the Clinical Safety Case provides a structured, evidence-based justification that the system is safe for its intended use

Digital clinical risk management has to be a rigorous, methodical, and clearly documented process to ensure that any clinical risks have been assessed and, if required, mitigated appropriately. The purpose of a Clinical Risk Management Plan is to document and schedule the clinical risk management activities to support the safe deployment, maintenance, and decommissioning of the Health IT System. This process must be systematic, well-documented, and demonstrably support both patient safety and regulatory compliance

How Tortus Handles Patient Data

Tortus prioritises patient data security and privacy. Here's how it works:

Local Recording: When you record a dictation or consultation, an active internet connection is not required. The audio is recorded locally within your browser and the data is stored temporarily in your browser session.

Server Transfer and Processing: Upon ending the dictation, the audio file is securely transferred to our GDPR-compliant, UK-based server systems for transcription. If it is a consultation, a letter will also be generated. Importantly, no data is stored in the cloud after processing.

Data Retention: The only data remaining after this process is what is stored within your browser session. By default, each consultation will expire and be deleted after 24 hours.

Single Session Security: For enhanced security, only one instance of Tortus can be open at any given time. If a second window is opened, you will be prompted to confirm, and your active consultations will be carried over. The first window will close and return to the Tortus website homepage without any link to your recorded consultations

Data Erasure upon Sign Out: Signing out of Tortus will immediately erase all locally stored data from your browser. This includes any recordings that are still within the 24-hour timeframe.
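The retention model described above (consultations held only in the browser session, expiring 24 hours after they were recorded, and erased entirely on sign-out) can be illustrated with a small client-side store. The code below is an added example, not TORTUS or Surgery Intellect code; the Web Storage-style interface, the key namespace, the record shape and the sample timestamps are all assumptions made for the illustration.

```javascript
// Added illustration of a 24-hour, session-only retention policy with erase-on-sign-out.
// Not TORTUS code: the storage interface, key prefix and record shape are assumed.

const RETENTION_MS = 24 * 60 * 60 * 1000; // 24-hour retention window stated on the page
const KEY_PREFIX = "consultation:";         // assumed namespace so we only ever touch our own keys

// Minimal in-memory stand-in for window.sessionStorage so the example runs outside a browser.
// In a browser, pass `window.sessionStorage` to ConsultationStore instead.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

class ConsultationStore {
  // `storage` follows the Web Storage API; `now` is injectable so expiry can be tested.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // Keys under our namespace that currently exist in storage.
  ownKeys() {
    const keys = [];
    for (let i = 0; i < this.storage.length; i++) {
      const key = this.storage.key(i);
      if (key !== null && key.startsWith(KEY_PREFIX)) keys.push(key);
    }
    return keys;
  }

  // Save a recording/transcript under our namespace with a creation timestamp.
  save(id, payload) {
    const record = { createdAt: this.now(), payload };
    this.storage.setItem(KEY_PREFIX + id, JSON.stringify(record));
  }

  // Return a record only if it is present and unexpired. An expired record is deleted on
  // read, so stale data is never handed back even if the periodic purge has not run yet.
  get(id) {
    const raw = this.storage.getItem(KEY_PREFIX + id);
    if (raw === null) return null;
    const record = JSON.parse(raw);
    if (this.now() - record.createdAt >= RETENTION_MS) {
      this.storage.removeItem(KEY_PREFIX + id);
      return null;
    }
    return record.payload;
  }

  // Delete every consultation older than the retention window; returns how many were removed.
  purgeExpired() {
    const expired = this.ownKeys().filter((key) => {
      const record = JSON.parse(this.storage.getItem(key));
      return this.now() - record.createdAt >= RETENTION_MS;
    });
    expired.forEach((key) => this.storage.removeItem(key));
    return expired.length;
  }

  // Sign-out: erase all locally held consultations, including ones still within 24 hours.
  eraseAll() {
    const keys = this.ownKeys();
    keys.forEach((key) => this.storage.removeItem(key));
    return keys.length;
  }

  count() { return this.ownKeys().length; }
}

// Walks the lifecycle with a constructed clock and returns a summary of what happened.
function demoLifecycle() {
  let clock = 1_700_000_000_000; // constructed epoch-millisecond start time
  const store = new ConsultationStore(new MemoryStorage(), () => clock);
  store.save("c1", { transcript: "constructed sample transcript" });
  clock += 23 * 60 * 60 * 1000;                // 23 hours later
  store.save("c2", { transcript: "second constructed sample" });
  const purgedAt23h = store.purgeExpired();    // c1 is 23h old: nothing expires yet
  const c1At23h = store.get("c1") !== null;
  clock += 2 * 60 * 60 * 1000;                 // now 25 hours after c1 was recorded
  const purgedAt25h = store.purgeExpired();    // c1 expires, c2 (2h old) remains
  const c1At25h = store.get("c1") !== null;
  const remaining = store.count();
  const erasedOnSignOut = store.eraseAll();    // sign-out removes c2 despite being unexpired
  return { purgedAt23h, c1At23h, purgedAt25h, c1At25h, remaining, erasedOnSignOut, afterSignOut: store.count() };
}
```

Two design points worth noting: expiry is enforced on read as well as by the purge, so a consultation that has passed the 24-hour mark can never be returned just because a timer has not fired yet; and erase-on-sign-out removes every namespaced key regardless of age, matching the behaviour the page describes for recordings still within the 24-hour window.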

Further Information

For further information, see our Understanding Compliance and Surgery Intellect Academy Course here

Disclaimer

This is provided for information purposes only and does not replace the official Instructions for Use (IFU), terms of service, or contractual documentation supplied within the product

Surgery Intellect is a clinical documentation solution that incorporates TORTUS, which is registered as a UK Class I Medical Device with the MHRA. All compliance, regulatory, and safety claims within this document relate to the TORTUS software component

TORTUS is intended to assist healthcare professionals by automating the transcription and documentation of clinical consultations. It is not intended to provide clinical decision support, replace clinical judgement, or be used as the sole basis for clinical decisions

Users must always exercise professional clinical judgement and refer to the full regulatory documentation and user manuals for detailed information on safe and appropriate use.
