The digital transformation of the National Health Service (NHS) is currently accelerating at an unprecedented pace. As the government rolls out its ambitious 10-year health plan—centering on the vision of a "single patient record" for every citizen—a critical infrastructure pillar is facing intense scrutiny. A landmark report published on May 28, 2026, by the Health Services Safety Investigations Body (HSSIB) has issued a stark warning: the electronic prescribing and medicines administration (ePMA) systems currently deployed across acute hospitals are characterized by dangerous levels of inconsistency, leaving individual NHS trusts to shoulder the burden of managing complex, systemic safety risks.
The HSSIB investigation suggests that without a fundamental shift toward national oversight and standardized procurement, the very tools designed to reduce human error may inadvertently become a new vector for patient harm.
The Core Investigation: A Lack of National Frameworks
ePMA systems are the digital backbone of modern inpatient care. They are used by clinicians to prescribe medications, manage dosages, and record the administration of drugs to patients. While the move away from paper-based prescribing was intended to mitigate common errors—such as illegible handwriting or calculation mistakes—the HSSIB investigation reveals that the digital transition has introduced its own set of "unwarranted variations."
The report highlights that there is currently a vacuum in national leadership regarding how these systems are designed, procured, and validated. Because there are no binding national patient safety standards for ePMA software, hospitals are left to interpret safety requirements on their own. This has resulted in a fragmented landscape where a clinician moving from one trust to another may find the same fundamental medication management software configured in entirely different, and sometimes counter-intuitive, ways.
Chronology of Digital Safety Concerns
- December 2025: HSSIB publishes a thematic review revealing that Electronic Patient Record (EPR) training is consistently perceived by staff as inadequate, hindering effective use.
- Early 2026: The UK government ramps up the "10-year health plan," pushing for rapid, digital-first healthcare delivery.
- May 28, 2026: The HSSIB releases its formal report on ePMA safety, highlighting systemic failures in oversight and procurement.
- June 2026 and Beyond: Industry stakeholders and national health bodies are tasked with addressing the report’s recommendations regarding medical device classification and safety assurance.
The Burden on NHS Trusts: A "Resource-Intensive" Reality
Clare Crowley, senior safety investigator at the HSSIB, articulated the gravity of the situation in her commentary accompanying the report. "ePMA is a core component of modern healthcare, but its safety depends on how it is designed, implemented, and overseen," Crowley stated.
She emphasized that the current model is unsustainable. "NHS hospital trusts are being asked to carry the responsibility of assuring themselves that the ePMA software they choose to use is safe. This is a complex and resource-intensive task. Not all trusts have the capacity, capability, or support they need to do it robustly."
This reality places smaller or financially strained trusts at a significant disadvantage. When an organization lacks the internal digital clinical safety expertise to vet a complex software suite, they are essentially flying blind. Furthermore, the HSSIB found that even when incidents occur, the "lessons learned" are not being disseminated. Instead of a centralized reporting system that flags software-related risks for all trusts, clinicians rely on informal professional networks. This "whisper network" approach means that a critical safety workaround discovered in one hospital may never reach the ears of staff in a neighboring trust, allowing the same hazards to persist unchecked.
The Regulatory Vacuum: Who Holds the Reins?
One of the most concerning findings in the HSSIB report is the "confusion around the responsibilities of national bodies." Specifically, the investigation identified a lack of clarity regarding the roles of the Care Quality Commission (CQC) and the Medicines and Healthcare products Regulatory Agency (MHRA).
While the CQC oversees the quality of care and the MHRA regulates medical devices, there is an evident "grey area" regarding where an ePMA system sits in the regulatory hierarchy. Is it an administrative tool, or is it a medical device? Because of this ambiguity, there is no clear path for an NHS trust to seek formal, national-level assurance that their digital prescribing system is robust.
The report notes that while legally mandated standards for digital clinical safety and interoperability do exist, compliance is sporadic. Without an enforcement mechanism or a central body responsible for auditing these systems against national safety benchmarks, the standards remain "aspirational" rather than foundational.
Supporting Data and Evidence of Risk
The HSSIB investigation draws on a broad range of evidence, including interviews with clinical staff, reviews of procurement documents, and an analysis of how digital safety incidents are reported.
Key Findings:
- Lack of Standardization: No national framework exists to define the safety requirements for ePMA software, leading to a "lottery" of safety features depending on the software vendor and local configuration.
- Fragmented Accountability: National regulators are struggling to define their specific remits, creating a vacuum that leaves frontline staff to manage software risks.
- Information Silos: Digital safety incidents are rarely shared nationally, preventing the NHS from learning from its mistakes.
- Implementation Gaps: Digital clinical safety standards are legally mandated but poorly implemented, with wide variations in adherence across different hospital trusts.
Implications for the NHS 10-Year Plan
The government’s plan to transition to a "single patient record" is heavily dependent on the interoperability and reliability of these digital systems. If the underlying software—the ePMA—is inconsistent and unregulated, the goal of a seamless, data-driven health system is at risk.
If a patient’s medical data is transferred between hospitals using incompatible or poorly configured systems, the risk of medication error does not vanish; it simply changes shape. The HSSIB warns that if digital transformation continues at this pace without "safety built in from the outset," the NHS risks scaling up existing safety hazards rather than eliminating them.
Recommendations: A Roadmap to Safety
To address these systemic failings, the HSSIB has proposed a comprehensive series of recommendations to national health leaders. These include:
- A National ePMA Framework: Development of a mandatory national framework that defines the core safety requirements for all ePMA systems.
- Regulatory Clarity: Formalizing the classification of ePMA systems as medical devices where appropriate, providing clear regulatory oversight by the MHRA.
- National Assurance Mechanisms: Establishing a central body or process to ensure that all trusts have access to robust, pre-vetted digital safety standards.
- Capacity Building: Providing additional resources and specialized training to NHS trusts to ensure they have the expertise required to manage digital safety internally.
- Integrated Safety Reporting: Mandating the national sharing of digital safety incidents so that learning can be applied system-wide, rather than relying on informal professional networks.
Conclusion: Building Safety into the Digital Future
The HSSIB report serves as a wake-up call for the digital health sector. As the NHS undergoes the largest digital transformation in its history, the focus must shift from the speed of deployment to the safety of implementation.
Clare Crowley’s concluding remarks resonate with the urgency of the moment: "As the NHS continues its rapid shift towards digital care and a single patient record, it is essential that patient safety is built in from the outset, rather than relying on individual organisations to identify and manage the risks."
For the NHS, the path forward is clear. It must abandon the fragmented, trust-by-trust approach to digital procurement and adopt a unified, safety-first national strategy. Only through clear regulation, robust national standards, and a commitment to shared learning can the promise of digital healthcare be fully realized without compromising the safety of the patients it is intended to serve. The era of digital "unwarranted variation" must come to an end if the NHS is to build a sustainable, resilient future.
