There are a bewildering number of guidelines and rules when it comes to meeting healthcare compliance. Consider, for example, the documentation alone that is required to set up as a software vendor: depending on the size of your company and the resources available to you, some of these certifications may seem too complex to put in place.
This lesser-known guideline kicks in when you start processing patient data, or when you are involved in decision support or telehealth. It requires you to perform Clinical Risk Management on all changes and new features in your software. This is a development task that results in a Safety Case document showing the risk analysis before and after the changes, and it should be released in line with your regular release notes.
Complying with the Data Security and Protection Toolkit is a more involved process, and one which starts you on the road to ISO 27001. This online questionnaire requires you to evidence all of your processes and procedures relating to data security and protection. If you have done the above properly, you should already have these processes in place, such as internal governance policies, staff contracts and training, and physical and cyber security. Most NHS Trusts will require this as the basic standard for working with patient data.