Protect Clinical Insights

What to Ask Vendors Before You Sign a New Health Tech Contract

Use this vendor due diligence checklist to lock in clinical safety assurance before signing new digital contracts.

Published · 14 October 2025

Topics: procurement, vendor-management, clinical-safety

Executive Overview

Choosing a health technology supplier affects patient safety, data protection, and operational resilience. Before signing a contract, GP practices and PCNs should ask structured questions to verify compliance with NHS standards, understand support models, and ensure the solution fits local workflows. This guide sets out the essentials.

Prepare for Vendor Conversations

  • Define your clinical and operational requirements (use cases, user numbers, integration needs, response times).
  • Review internal policies (DCB0160 safety file, DSPT action plan, information governance rules) so you know what evidence you require.
  • Assemble a buying team including the Clinical Safety Officer (CSO), practice manager, digital lead, and, if relevant, PCN representatives.
  • Draft a checklist to record responses and supporting documents; store it in the safety file.

Critical Questions to Ask Suppliers

  1. Clinical safety compliance
    • Do you have current DCB0129 Clinical Safety Case Reports and hazard logs? How do you share updates?
    • Who is your CSO and how do we contact them during incidents?
  2. Risk and incident management
    • How do you notify customers about safety concerns or urgent changes?
    • What is your incident response process and escalation timeline?
  3. Technical integrations and reliability
    • Which systems do you integrate with (EPR, NHS Spine, NHSmail, third-party apps)?
    • What service levels do you guarantee for uptime, performance, and data recovery?
  4. Data protection and privacy
    • Where is patient data stored and processed? Provide Data Protection Impact Assessments (DPIAs) and information governance certificates.
    • Do you support role-based access, audit trails, and retention controls aligned with NHS requirements?
  5. Change control and roadmap
    • How often do you release updates? How much notice do customers receive and what testing is required locally?
    • How do you involve customers in product roadmap decisions and feedback loops?
  6. Training and onboarding
    • What training materials, e-learning, or super-user programmes do you provide?
    • Do you offer local configuration support, go-live assistance, and refresher sessions?
  7. Commercial and contractual terms
    • What are the contract length, exit clauses, and renewal terms? Are there additional costs for integrations or premium support?
    • How do you manage sub-contractors and ensure they meet NHS standards?

Document responses, request evidence (PDFs, certificates, references), and note any gaps for follow-up.

Evaluate Supplier Fit and Risk

  • Score vendors against weighted criteria (clinical safety, functionality, support, cost, strategic alignment).
  • Check references from other NHS customers, ideally similar-sized practices or PCNs.
  • Conduct due diligence on financial stability and company structure.
  • Review accessibility compliance, inclusive design features, and patient engagement tools.

Align Contractual Terms With Safety Requirements

  • Embed SLAs for incident response, uptime, data restoration, and change notifications.
  • Include obligations to provide updated DCB0129 documentation after major releases.
  • Specify training and support deliverables (initial onboarding, annual refreshers, support hours).
  • Agree review points for joint safety checks, roadmap updates, and pricing adjustments.

Plan Post-Selection Onboarding

  • Update the DCB0160 safety file with supplier evidence and risk assessments.
  • Schedule joint workshops to map workflows, configure the system, and develop test scripts.
  • Integrate supplier contacts into incident escalation plans and change calendars.
  • Arrange regular checkpoints (monthly in the first quarter) to review performance and address issues.

Scenario: Harbour View Surgery

Harbour View evaluated remote monitoring vendors using a structured question set. By requesting DCB0129 hazard logs and release schedules, they discovered a planned change in video infrastructure that required firewall updates. Addressing it before go-live prevented downtime and gave assurance to commissioners.

Pitfalls to Avoid

  • Assuming compliance: never accept verbal assurances—request documented evidence.
  • Ignoring staff workflows: involve end users early to test usability and workflow fit.
  • Overlooking exit clauses: ensure you can leave the contract if safety or service levels are breached.
  • Skipping reference checks: learn from other practices’ experiences before committing.

Action Checklist

  • Define requirements and assemble your evaluation team.
  • Prepare a supplier question checklist covering safety, data, support, and commercial terms.
  • Gather evidence from vendors and score responses against agreed criteria.
  • Align contract clauses with clinical safety and support expectations.
  • Update the safety file and plan onboarding activities before go-live.

Key Takeaways

Structured questioning and evidence gathering help practices choose vendors who support safe, resilient digital services. By embedding clinical safety, information governance, and operational requirements into the procurement process, you reduce risk and build stronger supplier partnerships.