Implementing the National Safety and Quality Digital Mental Health Standards

Implementing the National Safety and Quality Digital Mental Health (NSQDMH) Standards is voluntary for digital mental health service providers. Providers include non-government, public or private organisations, or individuals who make a digital mental health service available for others to use. Service providers using the NSQDMH Standards should have systems and processes in place to reduce the risk of harm, protect privacy and increase confidence and assurance in the quality of their digital mental health services. 

A risk management approach

Service providers using a risk management approach will assess the risks associated with each action in the NSQDMH Standards. The risk assessment findings will help you to prioritise and mitigate risks identified and implement the standards.

Not all actions within each standard will apply your organisation and the digital mental health services you offer. The nature, size and complexity of your digital mental health services and the risk to service users and their support people will decide which actions apply and the strategies needed to implement them. The models of care that digital mental health services are using may also inform whether an action is relevant. For example, if your service only provides information, actions about recognising and responding to a deteriorating mental state may be not applicable. The fact sheet below, Applying the NSQDMH Standards Using a Risk Management Approach summarises the key processes.

Fact sheet - Applying the NSQDMH Standards Using a Risk Management Approach

Who may digital mental health services put at risk?

Some service users and support people may be more at risk than other people. For example, children and young people, older people, people from diverse population groups, including Aboriginal and Torres Strait Islander peoples, and those with low digital literacy.

The service provider workforce may be exposed to risk. For example, clinicians, peer workers, technicians and others who provide or support the delivery of digital mental health services.

Service providers may have corporate, clinical or technical risk associated with their services. Such risk may be related to the design of the digital mental health service and how it is delivered.

Risk management process

The first step in the risk management process is to consider each action in the NSQDMH Standards and decide whether it is applicable to them and the digital mental health services they offer. When an action is determined as not consistent with the type of services offered, it should be recorded as ‘not applicable’, along with the rationale for the decision. The self-assessment tool is a good place to record these decisions.

For actions that apply to your organisation, you should conduct a risk assessment of the relevant systems and processes you have in place for your digital mental health services. 

In practice, this means that you should assess the risk associated with each action and what you need to do to manage or mitigate  that risk. Risk assessment considers the:

  • Size and complexity of an organisation
  • Types of digital mental health services offered
  • Levels of risk associated with the services.

For example, a service provider may be an organisation with multiple services and a large workforce, or a sole trader with a single service. The level of risk and the required mitigation strategies will be different for each provider.

In addition to determining the tasks required to ensure that an action is met, you can use the level of assessed risk to set a priority for each task. The tasks and the priority ratings can then be included in an action plan.

See the Conducting a Self-Assessment Using the NSQDMH Standards fact sheet below to learn how you can use the self-assessment tool to monitor your implementation of the NSQDMH Standards.

How to determine risk

To help assess risk, consider the five basic principles of risk management, which are to:

  • Avoid risk. Identify strategies that avoid the risk whenever possible; a risk that cannot be eliminated must be managed
  • Identify risk. Assess the risk, identify the nature of the risk and who is involved
  • Analyse risk. Examine the risk, how likely it is to happen, and what the consequences are if it happens
  • Evaluate risk. Determine how the risk can be reduced or eliminated, and document the processes, responses and outcomes
  • Treat risks. Manage the risk by determining who is responsible for taking actions, and when and how this will be monitored.

To consider these principles more closely, ask the following questions:

  1. Who is at risk?
  2. What is involved?
  3. What factors allow it to happen?
  4. How likely is it?
  5. What are the consequences?
  6. What can be done?
  7. Is there a solution for each identified situation or risk?

Likelihood and possible consequences of the risks

The risk assessment requires you to assess the likelihood of the risk occurring and the potential consequences. Data sources that may help you understand how likely a risk is to occur include:

  • Monitoring and audit results
  • Surveillance data
  • Complaints
  • Observations
  • Literature
  • Benchmarking.