My Personal Health Records Express

Minerva Interoperability and Care Coordination Platform

Minerva is a secure, extensible cloud-based platform that enables interoperability, care coordination and patient engagement. It aggregates data from systems across care settings to create a shared, longitudinal patient record. It provides out-of-the-box applications for patients, GPs, clinicians and care coordinators, and is customizable for unique workflows and use-cases.


  • Clinical data aggregation providing a longitudinal patient record.
  • FHIR based storage and APIs. Supports HL7.
  • BPMN based workflow management engine.
  • Multi-channel notification and alert engine.
  • Secure instant messaging and video conferencing facilities supporting remote consultation.
  • Captures Patient Reported Data through secure questionnaires and data uploads.
  • Patient portal and clinical portal with secure, role based access.
  • Fully customisable widget-based user interface with embedded analytics.
  • Care Plan Management and Adherence for care coordination.
  • Supports a customisable patient consent model.


  • Display a unified patient record gathered from multiple care settings.
  • Scalable and open API based Digital Health Platform
  • Provide near real time analytics, reports and dashboards.
  • Built on FHIR interoperability standard: improved cloud and mobile support.
  • Enhance productivity of clinical staff and care coordinators.
  • Improve patient experience and overall patient satisfaction.
  • Reduce care gaps and enhance patient engagement.
  • Easily implement digital transformation strategies while avoiding system complexities.
  • Drive more patient-centric strategies to improve outcomes at marginal cost.
  • Reduce IT management overhead with zero install web applications.


£5 per user per year

Service documents

G-Cloud 11


My Personal Health Records Express

Varun Anand


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Minerva platform can be optionally deployed as a web based care management portal, integrated with the healthcare provider's EMR or any other health IT system across the provider network. This will allow care pathway management of patient across multiple providers with an unified access to patient’s complete medical history.
Cloud deployment model Private cloud
Service constraints We have a dependency on the buyer's EMR vendor to provide standard/non-standards based interface to their system for accessing patient records. Similar resources would be needed for any third party integrations as well.
To ensure there is no service disruption, for all planned maintenance, a communication is sent out to the client 2 weeks prior with multiple reminders. A well documented risk assessment is done prior to any planned upgrade and a mitigation strategy is worked out in consultation with the client. All maintenance activities are carried out during non-production times.
System requirements User machine needs to have the supported browser installed

User support

User support
Email or online ticketing support Email or online ticketing
Support response times MphRx will provide 24x7 L3 application support with agreed SLAs. MphRx’s support team can be reached on E-Mail, Toll free contact number and an Online Ticket Reporting System (OTRS). OTRS which will be used by the customer to raise and track support issues. The response and resolution times are based on the severity levels of issues reported.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Severity 1 incident: Response time: 15 minutes; Resolution time: 4 hours;
Severity 2 incident: Response time: 1 hour; Resolution time: 6 hours;
Severity 3 incident: Response time: 24 hours; Resolution time: 1 week;
Severity 4 incident: Response time: 48 hours; Resolution time: Within applicable time frame as mutually agreed between MphRx and the client

Response time and resolution time is average calculation per month.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We follow a structured on-boarding and service deployment process involving following activities:
1) Discovery of requirements – documentation of patient flow and data flows, establishing any technical barriers and defining which touch points support open standards/ ITK and which do not.
2) Configuration design – deeper analysis of the touch points and systems involved to document the message pay loads, define rules and map trigger events for workflows and services.
3) Integration – developing the interfaces using HL7, FHIR, Open API or proprietary methods. This also involves white labeling the end user applications and configuring roles, user information, setting up authentication mechanisms as well as configuring workflows.
4) Testing – We install the platform instance on test environments and conduct unit tests using dummy data and tools, followed by UAT to validate workflows, notifications and alerts, error handling and UI customizations.
5) Migration – migrating legacy data into the platform. Post this, the platform is made available on the production environment.
6) Training – following trainings are provided as part of each implementation: Integration and Configuration Training, API and Custom Development Training, Support and Management Training and End-user Support Training. These are provided as electronic documentation, webinars or in-person sessions
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The patient data available on Minerva platform is shared with the buyer as FHIR base data objects which can be migrated to the client in the form of JSON, CSV or HL7. In case, the platform also archived DICOM images, they are available for migration using the DICOM protocol.
End-of-contract process In the event of termination or expiration of the agreement, we will de-activate the platform services as well as access to the end user applications. The client shall pay any outstanding balance to MphRx upon termination. Any invoices that are sixty (60) days delinquent will result in service termination.
Terminating the entire platform services usually takes 10 working days.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Our suite of clinical applications(patient and physician portals) are browser based with a responsive web design and can be accessed on any desktop or mobile device. Hence, there are no differences between mobile and desktop services. However, since our native mobile apps have been optimized for mobile devices, the user experience on mobile apps might differ with the web application.
Accessibility standards None or don’t know
Description of accessibility Minerva platform services are accessible via suite of web and mobile (iPhone/Android) applications that the patient or care-giver can use to access the patient's unified record (including encounters, episodes, conditions, allergies, results, documents, images, care plans, etc.) and manage patient care. These applications are secure, HIPAA compliant and can be white-labeled as per buyer's requirement. These applications are compliant with the Common User Interface(CUI) guidelines mandated by NHS Information Standards Board for healthcare IT systems. Additionally, the user interface layer is modular and can be changed to comply with future CUI recommendations.
Accessibility testing Our applications follow the CUI guidelines mandated by NHS Information Standards Board. However, we have not done interface testing with users of assistive technology.
What users can and can't do using the API Minerva platform is built to be open and extensible, exposing its data sets and functionality through FHIR based secure RESTful APIs. This allows third-party developers or in-house IT teams to develop and commission custom applications/services. Hence, while buyers are able to use Minerva's existing applications suite (patient and physician portals), any new requirements or business processes that arise can also be rapidly set up using Minerva's APIs.

With Minerva's FHIR APIs, users can view current and historical patient records, make updates to patient records, create a new patient profile and search across all patient records based on some filter criteria. However, users cannot delete any patient records, only deactivate them so they are no longer visible to external applications.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Minerva platform is built to be open and extensible, exposing its data sets and functionality through FHIR based secure RESTful APIs. This allows third-party developers or in-house IT teams to rapidly develop and commission custom applications/services. Thus, buyers can use these APIs to rapidly develop/commission custom applications as per their specific use case without any dependency on us.
Additionally, Minerva's suite of clinical applications (patient and physician portals) can be easily configured as per user requirements. Its role based access control system can be configured to restrict access to both data as well as functionality based on user-defined rules. In has a built-in workflow configuration tool to configure patient workflows, clinical task workflows, and care pathways for specific disease conditions. The platform also has a complex event processing engine that allows to create configurable event triggers. These triggers can be configured for specific rules (such as upcoming appointments, new results for tests, out of range observations etc.) and for specific notification channels including email, SMS and in-app alerts.


Independence of resources Minerva platform is modular and designed to be horizontally scalable. It can be run across multiple servers in parallel mode to ensure high scalability and availability. The persistence layer (MongoDB and Hadoop) are industry standard distributed databases that can be scaled and shared to support large and diverse data sets. The middleware services (workflow engine, business services) can be distributed and load-balanced for high availability and horizontal scaling.


Service usage metrics Yes
Metrics types The audit trail capabilities of Minerva platform allow us to store all user logins and actions in a central audit trail database. We use this database to report on service usage metrics as per user requirement. Some of the key metrics we report are:
1. User Accounts (Physicians and Patients): Count of total users accounts and active accounts, user login activity, password reset requests etc.
2. User Activity: Number of studies viewed/downloaded, report print requests, external study uploads, sharing of medical reports, etc.
3. Mobile App Activity: Mobile app downloads, Mobile app login activity, etc.
4. Service Uptime
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Patient data is stored as native FHIR (HL7 standard) objects in Minerva’s Mongo DB. Any systems that are compliant with FHIR standard can directly access the data for restoration and migration purpose. Additionally, this data can be migrated to the client in the form of JSON, CSV or HL7. In case the platform also archived DICOM images, they are available for migration using the DICOM protocol.
Data export formats
  • CSV
  • Other
Other data export formats
  • HL7
  • FHIR
  • XDS
Data import formats
  • CSV
  • Other
Other data import formats
  • HL7
  • FHIR
  • IHE Profiles
  • XDS
  • XML
  • Web Services

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability SLAs are typically based on a 99.9% warranted availability.

Agreed SLAs and any associated service discounts for unscheduled downtime will depend on the range of service options selected by the client and their required hours of operation and will be agreed per client and documented within the Call-off contract.
Approach to resilience All infrastructure components have been built in fully resilient pairs. With fully resilient networking links between all components and to external third parties including multiple ISPs. For host availability we use VMware’s HA failover for redundancy.

High Availability resilience is also built into the database configuration for the applications. Further information regarding this is available on request.
Outage reporting All infrastructure is monitored on the network 24/7. Should there be an outage monitoring alerts are sent to the operations team via e-mail and SMS.

Identified client contacts are informed by email.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels • Minerva provides a rule-based access control layer (Citadel) that validates access to both patient data and functionalities
o Rules can be configured to a Resource level, providing granular access rights management to administrators
o Integrates with existing Authentication and Authorization frameworks using LDAP, Oauth and SAML protocols
• Configurable Patient Consent Management and Data Sharing capabilities
• Centralized Audit Trail for every user action on the platform
• Built-in break-the-glass workflows for emergency access with configurable escalation matrices.
• In-built support for two factor authentications using text and email notifications.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 IAS
ISO/IEC 27001 accreditation date 07 January 2019
What the ISO/IEC 27001 doesn’t cover .
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 13485
  • ISO 9001

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We and our hosting partner have the following security policies and processes in place:
Information Security Policy
Acceptable Use Policy
IT Access Control Policy
Asset Management Procedure
Change Management Policy
Clear Desk and Screen Policy
Document Control and Records Management
Incident Management Procedure
Information Control, Classification and Exchange Policy
Internal Audit Procedure
Media Handling and Disposal Policy
Mobile Devices Policy
Physical Security Policy
Risk Management Procedure
Supplier Security Policy
Supplier Management Procedure
Other relevant policies

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change management is performed for all software and infrastructure changes. All non-standard changes must be pre-authorised by going through a peer, senior and CAB approval process where the impact of the change is carefully assessed from a range of perspectives, including security. Standard changes are created in template form and are approved in CAB before being implemented into Change controls.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Our hosting provider run an internal penetration test once a week. All reported vulnerabilities that are reported are categorised into priority depending on the severity and a case is logged with the operation team who will fix the vulnerability under the time frames dictated by the security standards.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Our hosting partner have a protective monitoring system where all logs are centralised and checked on a daily basis for security breaches using several key search filters. Alerts are sent out for high risk activity and are pro-actively responded to by the operations and security teams.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach We operate an ITIL aligned incident management process with associated procedures for security related incidents. The process has a clearly defined governance framework, including roles and responsibilities, clear policies and associated KPIs. Users report incidents through the Service Desk and incident reports, which include a summary of activities undertaken or planned to prevent recurrence are provided to clients by email.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks NHS Network (N3)


Price £5 per user per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑