Digital Health Passport
Our core service is the Digital Health Passport, a personal health record (PHR) app for children and young people with long-term conditions. It is being implemented within the NHS in London, Sheffield and Manchester and is supported by the NHS England Innovation and Technology Payment Evidence Generation Fund for PHRs.
Features
- Onboarding and screening module: safe app personalisation and user assessment
- Health tracker: records clinically validated patient-focused and symptom measures
- Health and Emergency Action Plan: clinician approved and shareable
- Health Hacks: health and wellbeing education resource videos and links
- Air quality, pollution and weather alerts: triggered by location services
- Remote condition review: medication use and health check completed in advance of the review
- Training modules: structured content around the condition, reinforced by quiz questions
- NHS App Library, Apple App Store, Google Play: widely available
- NHS login and social login: secure sign-in
- Interoperable with LHCR, EMIS, SystmOne and other EHRs
Benefits
- Improves patient understanding and supports patient self-management
- Increases patient activation
- Minimises face-to-face and unnecessary follow-up appointments
- Improves knowledge and training around the condition and medication
- Enhances the quality and efficiency of consultations and reviews
- Validated behaviour change
- Moves from paper-based action plans and records to digital
- Reduces unplanned hospital attendance
- Facilitates better population health management among children and young people
Pricing
£2,100.00 to £6,250.00 a licence a month
- Free trial available
Service documents
Request an accessible format
Framework
G-Cloud 12
Service ID
323283370337184
Contact
Tiny Medical Apps Ltd
Matt Bourne
Telephone: 02078594169
Email: Matt@tinymedicalapps.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- None
- System requirements
- None
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Incoming messages from users are responded to within one (1) business day.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- No
- Web chat support
- Web chat
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web chat accessibility testing
- None.
- Onsite support
- Yes, at extra cost
- Support levels
- Please refer to service level agreement within the Service Definition
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
We provide one-to-one web-based training and support on the DHP platform for the clinical sponsor and champion, and develop onboarding for the wider service based on our standard onboarding workflow. Typically we run an online webinar training session for the project sponsor, clinical sponsor and clinical champion, which is recorded and made available to other team members. Links to documentation, how-tos and support are provided during this session.
Patient users are onboarded in app through an interactive module. Help, how-tos and support are accessed within the app.
The standard plan has these headings: Welcome Pack, Clinical Safety, Workshop, Information Governance Workflow, Deployment Plan, Reporting Schedule. The clinical sponsor and champion are assigned a single point of contact within Tiny Medical Apps.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Video / MP4
- End-of-contract data extraction
- Users of the app are notified in app that NHS-supported features are to be terminated. Users can request an extract of their data in a portable format, in line with GDPR.
- End-of-contract process
-
On receipt of a termination request we notify the project sponsor, clinical sponsor and clinical champion by email of the service end date and confirm that access and support will be withdrawn.
Users of the app are notified in app that the NHS-supported features are to be terminated and can request an extract of their data in a portable format, in line with GDPR.
Once the contract has ended, unsupported app users are logged out of NHS login and can log in using social login. Their data remains accessible, but they no longer have access to the NHS-supported features within the app.
Using the service
- Web browser interface
- No
- Application to install
- Yes
- Compatible operating systems
-
- Android
- iOS
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- The service is mobile only and not supported on desktop devices
- Service interface
- No
- API
- No
- Customisation available
- No
Scaling
- Independence of resources
- Our backend infrastructure is built on public cloud technology which has the capacity to scale automatically. Tiny Medical Apps can flexibly upgrade instances if required.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Downloads; user numbers; active monthly users; training module activity
- Reporting types
-
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
- Physical access control, complying with SSAE-16 / ISAE 3402
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users can request export of data using support functions within the app. This is detailed in our privacy policy.
- Data export formats
- CSV
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
Our SLA, available on request, covers availability of the service.
A "Downtime Period" means a period of 120 consecutive seconds of Downtime. Intermittent Downtime lasting less than 120 consecutive seconds is not counted towards any Downtime Period.
A Financial Credit is available where, in a given calendar month, service availability falls:
1. between 99% and 99.99%: 10% of monthly service costs;
2. below 99%: 25% of monthly service costs.
Customer must request Financial Credit
To receive any of the Financial Credits described above, the Customer must notify TMA support within thirty days of becoming eligible for a Financial Credit.
Maximum Financial Credit
The aggregate Financial Credits issued will not exceed 50% of the amount due from the Customer for the Covered Service for the applicable month. Financial Credits are issued as a monetary credit applied to future use of the Covered Service and are applied within 60 days of the Financial Credit being requested.
SLA exclusions
The SLA does not apply to any features designated Alpha or Beta (unless otherwise stated in the associated Contract).
- Approach to resilience
- Available on request
- Outage reporting
- When a prolonged outage is detected we communicate directly with our customers by email alert, giving details of the downtime and confirming when the issue is resolved. This is documented in our Service Level Agreement standard operating procedure, available on request.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- 2-factor authentication
- Access restrictions in management interfaces and support channels
- Only designated users can access management interfaces, in line with ISO 27001 (standard operating procedures cover user access control and staff training)
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
- 2-factor authentication
Audit information for users
- Access to user activity audit information
- You control when users can access audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- You control when users can access audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- BSI
- ISO/IEC 27001 accreditation date
- 13/02/2020
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
-
- Cyber Essentials Plus
- Supplier Conformance Assessment List (SCAL) / NHS login
- Data Security and Protection Toolkit
- Clinical Safety DCB 0129
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- Our security policy and processes form an ISO 27001 ISMS that is audited both internally and externally. We follow the Data Security and Protection Toolkit to provide assurance that we practise good information security and handle personal information correctly.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
Operations security change management is governed by our ISO 27001 accredited SOP (TMA-SOP-G005 - Operations Security - Change Management).
Requests for Change (RFCs) are routed to the SIRO, who acts as the first filter, assessing impacts on information security and other business impacts. Our Clinical Director or Clinical Safety Officer then assesses clinical impacts and impacts on clients and end users. Finally, our Product Owner assesses the RFC's impact on the product and roadmap. Approved changes are scored using ICE and added to JIRA with a priority.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
Operations security management is governed by our ISO 27001 accredited SOP (TMA-SOP-G005 - Operations Security).
We take a number of approaches to mitigate threats. These approaches are documented, monitored and audited.
All assets and services are managed in the cloud using providers that are ISO 27001 certified. These platforms are patched automatically.
We train all staff on information security using Advisera.
We perform regular penetration tests on all our APIs.
We adhere to TMA-SOP-G008 - Mobile and Teleworking, including its BYOD policy. As part of our Cyber Essentials Plus certification we check that operating systems are configured to apply security patches automatically.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- Our cloud-only approach supports a zero-trust architecture that avoids many of the weaknesses of traditional on-premises ICT. Access to secure platforms is enforced with 2FA, and access controls are backed by the auditing and monitoring built into Google Cloud Platform. Sensitive data is encrypted at rest and cannot be viewed without authenticating via audited APIs. We use honeypot email addresses and a subscription to a breach alert service to warn us of a potential incident. How we respond and how we communicate are governed by our TMA-SOP-E011 - Incident Management and TMA-SOP-G004 - Business Continuity SOPs.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
-
Our incident management process is governed by our TMA-SOP-E011 - Incident Management and TMA-SOP-G004 - Business Continuity SOPs.
The stages are: Logging & Triage, Engagement, Risk Assessment, Replication, Root Cause Analysis & CAPA, Risk Management, Delivery, Closure.
Our Business Continuity Plans guide us through the most common scenarios and are tested annually. Users can report incidents by email, through the chat form on our website and portal or by phone.
Our SOPs set out the legal requirements for reporting to the ICO and our reporting obligations to customers.
The incident owner provides tactical calls to impacted stakeholders (engagement phase), followed by a full report (closure phase).
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £2,100.00 to £6,250.00 a licence a month
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- The Digital Health Passport is available to download from the Apple App Store and Google Play. The free version does not have interoperability with clinical systems or care plans but does show the range of functionality including pollution and weather alerts, health hacks and health trackers.