Tiny Medical Apps Ltd

Digital Health Passport

Our core service is the Digital Health Passport, a personal health record (PHR) app for children and young people with long-term conditions. It is being implemented within the NHS in London, Sheffield and Manchester and is supported by the NHS England Innovation and Technology Payment Evidence Generation Fund for PHR.


  • Onboarding and screening module: safe app personalisation and user assessment.
  • Health tracker: Recording clinically validated patient focused and symptom measures
  • Health and Emergency Action Plan: clinician approved and shareable
  • Health Hacks: Health and wellbeing education resource videos and links
  • Air Quality, Pollution and weather alerts: Triggered by location services
  • Remote condition review: in advance medication use and health check
  • Training Modules: Structured content around condition reinforced by quiz questions
  • NHS App Library, Apple App Store, Google Play: Widely available
  • NHS and Social Login: Secure log in
  • Interoperable with LHCR, EMIS, System1 and other EHRs


  • Improving patient understanding and patient self-management
  • Supports patient self-management
  • Increases patient activation
  • Minimising face-to-face and unnecessary appointments (follow-up management)
  • Improving facilitation of knowledge and training around condition and medication
  • Enhancing quality and efficiency of consultations and reviews
  • Validated Behavior Change
  • Moves from paper based action plans and records to digital
  • Reduces unplanned hospital attendance
  • Facilitates better population health management amongst Children and Young People


£2,100.00 to £6,250.00 a licence a month

  • Free trial available

Service documents


G-Cloud 12

Service ID

323283370337184


Tiny Medical Apps Ltd Matt Bourne
Telephone: 02078594169
Email: Matt@tinymedicalapps.com

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Incoming messages from users are responded to within one (1) business day.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
Onsite support
Yes, at extra cost
Support levels
Please refer to service level agreement within the Service Definition
Support available to third parties

Onboarding and offboarding

Getting started
We provide 1-on-1 web-based training and support on the DHP platform for the clinical sponsor and champion, and develop onboarding based on our standard onboarding workflow for the wider service. Typically we run an online webinar training session for the project sponsor, clinical sponsor and clinical champion, which is recorded and made available to other team members. Links to documentation, how-tos and support are provided during this session.
Patient Users are onboarded in app through an interactive module. Help and how to’s and support are accessed within the app.

The standard plan has these headings: Welcome Pack, Clinical Safety, Workshop, Information Governance Workflow, Deployment Plan, Reporting Schedule. Clinical sponsor and champion will be assigned a single point of contact within Tiny Medical Apps.
Service documentation
Documentation formats
  • HTML
  • Other
Other documentation formats
Video / MP4
End-of-contract data extraction
Users of the app will be notified in app that NHS supported features are to be terminated. Users can request to extract their data in line with GDPR in a portable format.
End-of-contract process
On receipt of termination request we will notify the project sponsor, clinical sponsor and clinical champion by email of the service end date and confirming that access and support will be withdrawn.
Users of the app will be notified in app that the NHS supported features are to be terminated and can request to extract their data in line with GDPR in a portable format.
Once the contract has ended, unsupported app users will be logged out of NHS login and will be able to log in using social login. Their data will still be accessible, but users will no longer have access to NHS supported features within the app.

Using the service

Web browser interface
Application to install
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices
Differences between the mobile and desktop service
The service is mobile only and not supported on desktop devices
Service interface
Customisation available


Independence of resources
Our backend infrastructure is built on public cloud technology which has the capacity to scale automatically. Tiny Medical Apps can flexibly upgrade instances if required.


Service usage metrics
Metrics types
Downloads; Users numbers; Active monthly users; Training module activity
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can request export of data using support functions within the app. This is detailed in our privacy policy.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our SLA available on request covers availability of the service.

A "Downtime Period" means a period of 120 consecutive seconds of Downtime. Intermittent Downtime for a period of less than 120 consecutive seconds will not be counted towards any Downtime Periods.

A Financial Credit is available where, in a given calendar month, service availability falls:
1. Between 99% and 99.99% - at 10% of monthly service costs.
2. Below 99% - at 25% of monthly service costs.

Customer Must Request Financial Credit
In order to receive any of the Financial Credits described above, Customer must notify TMA support within thirty days from the time Customer becomes eligible to receive a Financial Credit.

Maximum Financial Credit
The aggregate maximum number of Financial Credits to be issued will not exceed 50% of the amount due from the Customer for the Covered Service for the applicable month. Financial Credits will be made in the form of a monetary credit applied to future use of the Covered Service and will be applied within 60 days after the Financial Credit was requested.

SLA Exclusions
The SLA does not apply to any features designated Alpha or Beta (unless otherwise stated in the associated Contract).
Approach to resilience
Available on request
Outage reporting
When an estimated prolonged outage is detected, we will communicate directly via an email alert to our customers with details of downtime and when the issue is resolved. This is documented in our Service Level Agreement standard operating procedure, available on request.

Identity and authentication

User authentication needed
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Only designated users can access management interfaces, in line with ISO27001 (standard operating procedures cover user access control and staff training)
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials +
  • Supplier Conformance Assessment List / NHS Login
  • Data Security and Protection Toolkit
  • Clinical Safety DCB 0129

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our security policy and processes are internally and externally audited by an ISMS ISO27001 auditor. We follow the Data Security and Protection Toolkit to provide assurance that we are practising good information security and that personal information is handled correctly.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Operations Security Change Management is governed by our ISO 27001 accredited SOP (TMA-SOP-G005 - Operations Security - Change Management).
Requests for Change (RFCs) are routed to the SIRO, who acts as the first filter, looking at impacts to information security and other business impacts. After that, our Clinical Director or Clinical Safety Officer will assess clinical impacts and impacts on clients and end-users. Finally, our Product Owner will assess the RFC’s impact on the product and roadmap. If approved, these changes are scored using ICE and added to JIRA with a priority.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Operations Security Management is governed by our ISO 27001 accredited SOP (TMA-SOP-G005 - Operations Security).
We take a number of approaches to mitigate threats. These approaches are documented, monitored and audited.
All assets and services are managed in the cloud using providers that meet ISO27001. These platforms are automatically patched.
We train all staff on Information Security using Advisera.
We perform regular penetration tests on all our APIs.
We adhere to TMA-SOP-G008 - Mobile and Teleworking, including the “BYOD” policy. During our Cyber Essentials + accreditation we check that Operating Systems are configured to automatically patch all vulnerabilities.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Our cloud-only approach facilitates a zero-trust architecture which significantly mitigates the issues of traditional ICT. Access to secure platforms is enforced with 2FA, and access controls are backed up with fully featured auditing and monitoring baked into Google Cloud Platform. Sensitive data is encrypted at rest and cannot be viewed without authenticating via audited APIs. We use honeypot emails and a subscription to a breach alert system to further alert us to a potential incident. How we respond and how we communicate are governed by our TMA-SOP-E011 - Incident Management and TMA-SOP-G004 - Business Continuity SOPs.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our incident management process is governed by our TMA-SOP-E011 - Incident Management and TMA-SOP-G004 - Business Continuity SOPs.
The stages are: Logging & Triage, Engagement, Risk Assessment, Replication, Root Cause Analysis & CAPA, Risk Management, Delivery, Closure.
Our Business Continuity Plans guide us through the most common scenarios and are tested annually. Users can report incidents by email, through the chat form on our website and portal or by phone.
Our SOPs outline legal requirements in terms of reporting to ICO and requirements to customers.
The incident owner will provide tactical calls to impacted stakeholders (engagement phase) followed by a full report (closure phase).

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£2,100.00 to £6,250.00 a licence a month
Discount for educational organisations
Free trial available
Description of free trial
The Digital Health Passport is available to download from the Apple App Store and Google Play. The free version does not have interoperability with clinical systems or care plans but does show the range of functionality including pollution and weather alerts, health hacks and health trackers.
