What does high quality, trustworthy V1C look like? Explore the IMPACT Core Competencies framework to discover what good V1C looks like and how to get there.

Produces outcomes that are valuable to key stakeholders View Resources
Delivers an ethical, equitable, and safe digital experience View Resources
Minimizes implementation and operational frictions View Resources
Fits seamlessly within an individual’s larger healthcare context View Resources

Core Competency: Trustworthy Digital Experience

Delivers an ethical, equitable, and safe digital experience

New flows of data are enhancing our ability to care for people. As ‘digital natives,’ V1C providers rely heavily on digitized health data and digital health technologies to power the responsive, personalized, and ‘always on’ care that is a hallmark of the V1C delivery model. A trustworthy digital experience is a non-negotiable core competency of high quality virtual first care.

Although this sector is evolving rapidly and requires constant vigilance, we know what good looks like: V1C adheres to all laws applicable to healthcare delivery, companies take responsibility to protect patients and users from harms associated with theft or misuse of their sensitive health data, providers address the barriers preventing the use of platforms and select technology that is fit-for-purpose. Exceptional V1C providers embed safe, ethical, and equitable practices by design into everything they do, from cybersecurity infrastructure and platform design to technology selection and deployment.

Choose a stakeholder to explore their perspective on a Trustworthy Digital Experience.

Patients trust providers to safeguard their sensitive information and are increasingly aware of their right to choose how their data is used. Patients value accessing and using technology in a way that fits into their lives, regardless of language, socioeconomics, and education.
Providers need to trust the integrity of the data they use for patient care and be assured that the technology used in V1C practice is fit-for-purpose. In addition, they want tools such as artificial intelligence and machine learning (AI/ML) to reduce administrative work and augment their ability to care for patients without increasing the risk of unintended error or bias or medical malpractice liability.
Payers conduct rigorous security reviews and value prospective partners that can streamline contract discussions and audits by demonstrating that they meet or exceed accepted industry standards for security controls and the use of sensitive data.
Health systems face a myriad of challenges with security and privacy. They need assurances that potential partners appropriately manage risks.
Investors seek a trustworthy digital experience as a key indicator of a venture's scalability and sustainability from the standpoint of market acceptability, as well as reduced reputational risk.

Maturity: Established

The digitization of healthcare and the rise of V1C promises enormous benefits, including benefits to the most under-served patients for which our industry exists to care. But, it also introduces new risks. For example, V1C providers are feeling the scrutiny now being applied to all digital health and software interconnections due to several high-profile instances of online tracking and advertising re-targeting which regulators say have violated applicable privacy laws.

An ethical approach to V1C

Current legal protections for health data with healthcare providers covered by HIPAA are sufficient. Yet not all digital health solutions are covered by HIPAA, and some that claim to be HIPAA compliant in public have acted contrary to their public claims. Yet, from the consumer perspective, they do not know the difference between the privacy rules that apply to the app from their doctor’s office and the privacy rules that apply to a health app they download for free and that is not part of their doctor’s office. So, there are data showing trust in digital health privacy is falling generally. High quality V1C providers may operate as HIPAA covered entities, comply with those standards, and commit to a culture of ethics that ensures they not only meet industry standards and comply with regulations, but take accountability for being excellent stewards of the trust that patients and partners put in them.

Taking an ethical approach to digitally-enabled virtual first care comes down to:

  1. Weighing the benefits and risks of developing and deploying digital solutions
  2. Understanding how disclosative of a person’s private information digital data can be, and engineering to avoid any uses or disclosures not necessary to provide just the sought-after healthcare (and reimbursement for it)
  3. Ensuring that the benefits outweigh the risks for all people

Protects against data breaches and other misuse of private health information, including unauthorized access of sensitive, confidential, or private information via cyber attacks

Security systems and networks that are designed appropriately have:

  • Implemented a security umbrella protocol
  • A software bill of materials (SBOM) and coordinated vulnerability disclosure (CVD) policy

Security systems and networks that are appropriately maintained:

  • Follow standard procedures for routine security audits, testing, and access review
  • Install secure, agile, and prompt security updates
  • Provide continual security education and training for all users, clinical and non-clinical
  • Adopt and implement industry standards such as NIST or ISO

Data on all digital tools and technologies are encrypted in storage and transit

  • Data is automatically encrypted

Regularly audit compliance to applicable regulatory requirements and industry standards

Emerging Gold Standard Practices

Invest in independent verification and validation of security controls, e.g, cybersecurity certifications, such as SOC type 2 audits and/or HITRUST.

Engage third-party security firm to audit, test security, prove system resiliency, and remove avoidable bias from the process of penetration and vulnerability testing

Proactively plans for breaches: documented and tested steps in preparation for events improve risk management and limit the impact of exposure to a security incident


Protects against data misuse, including:

  • Selling of legitimately collected data beyond its intended purpose without appropriate transparency and consent from patients.
  • Targeted marketing and advertisements, research and development outside of IRB oversight, access for data brokers without transparency and consent, outside of internal quality and performance improvement

Adheres to applicable regulatory requirements and industry standards; uses appropriate mechanisms (e.g., Business Associate Agreements (BAA)) when sharing data with partner organizations outside of treatment, payment, and health care operations (TPO).

Provides user-centric contracts including: terms of service (ToS), end-user license agreements (EULAs), and privacy policies (PPs) that govern the rights to generate, collect, monitor, analyze, and/or share user data.

  • Clear and comprehensible to broad populations
  • Presented proactively as part of the terms of obtaining services through the V1C
  • Users can opt in or out of third-party transfer/use of their data at any time


Digital health technologies used to monitor, diagnosis, and treat patients have been developed with appropriate regulatory oversight and used according to label claims if they apply due to FDA oversight of the technology

Internally developed AI/ML tools perform without unintended algorithmic bias, and are free of drift

Data from digital sensor technology (DHT) meets ART criteria (accessible, relevant, trustworthy) and contextualized for clinical decision-making.


Leverages user-centered design, engaging diverse end-users in the development and testing of solutions

The technology required for using the platform doesn’t unintentionally exclude or raise barriers for individuals with limited access to safe broadband, data plans, and technology literacy; it has mechanisms to respond to ongoing needs for technical support

Content and support are tailored to the intended users, with consideration for language, literacy levels, physical limitations (e.g. vision and dexterity), and cultural appropriateness.

Platform requirements don’t assume the latest connectivity network (e.g. 5G) and work for all smartphone operating systems

Provides offline capabilities – important features are available in the absence of internet connectivity or with limited internet connectivity.


PDF Download

Data Privacy: Extra resources for ethical practice

PDF Download

Data Security: Extra resources for ethical practice


DATAcc Inclusivity Framework for Inclusive Development


Sensor Data Integrations Implementation Toolkit: Considerations and Best Practices

PDF Download

The Playbook: Digital Healthcare Edition

PDF Download

The Playbook: Digital Healthcare Edition Connected Sensor Technology

PDF Download

The Playbook: Digital Healthcare Edition Engagement and Social Media

PDF Download

The Playbook: Digital Healthcare Edition: AI/ML