PCMIS is a flexible, intelligent and easy to use case management system for mental health IAPT services. PCMIS is clinically proven and evidence based web application, supporting a wide range of pathways, managing patient risk, track and analyse patient care, helping you to effectively monitor and report service activity.


  • Highly configurable and flexible system
  • Dynamic and granular real-time reporting options
  • Built-in, evidence based clinically proven risk management technology
  • Seamless integration with digital therapies and other clinical systems
  • Integrated Digital Pathway for online patient access and Spine Integration
  • Intuitive User Interface and system design
  • NHS Dataset compliant including IAPT v2.0 and MHSDS
  • Centralised appointment and slot booking system
  • Comprehensive Clinical Note section and Supervisor Notes
  • Wide range of supported pathways including IAPT, CYP, Complex Services


  • Effectively manage risk and prevent deterioration
  • Improve access with online patient to service touchpoints
  • Reduce time consuming administration tasks and processes
  • Achieve 360 view of service performance using dynamic reporting dashboards
  • Increase engagement with integrated SMS text communications
  • Ensure the highest levels of data quality, completeness and compliance
  • Enjoy full system access remotely and securely
  • Access comprehensive user guides and video walkthroughs
  • Integrate with a range of Internet Enabled Therapies
  • Reduce treatment costs and increase outcomes


£4,950.00 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@pcmis.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

4 8 6 9 5 8 6 4 7 7 9 8 8 4 2


Telephone: 01904 321322
Email: enquiries@pcmis.com

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
A current supported web browser is required with at least 2Mbps Internet Connection.
System requirements
  • Current supported Web Browser including IE, Chrome, Safari and Mozilla
  • Internet, HSCN or NHSNet/N3 Connection
  • Minimum Internet Speed of 2 Mbps

User support

Email or online ticketing support
Email or online ticketing
Support response times
Telephone and email support, 08:30-17:00 Monday to Friday. Excludes bank holidays and public holidays.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
A dedicated PCMIS client engagement manager will be assigned to the life time of the contract to monitor and review contract performance. System service management is proactively monitored and any issues raise automatic alerts to the PCMIS support team who will investigate as a priority.

The delivery of PCMIS is supported by a dedicated service desk team and is included within the contract as standard. Project management and system development team ensuring that an acceptable level of service is provided. We are passionate about providing a high quality service. 8 out of 10 services ranked PCMIS as good or very good in the following areas; customer contact and communication, data protection and security, PCMIS system functionality, compared to other IT systems and help desk support.
Support available to third parties

Onboarding and offboarding

Getting started
A dedicated Client Engagement Manager will be assigned to your service and a kick off meeting arranged to understand requirements and project scope. A project plan and timescales will be produced and used to manage and track progress of system implementation. The PCMIS business team and BA team will undertake initial scoping and project management, system configuration and training needs analysis. UAT will be included to ensure signoff of system and that it meets service requirements.
Service documentation
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • DOCX
  • DOC
  • XLSX
  • XLS
End-of-contract data extraction
All data will be extracted by the PCMIS Support Team and securely transferred in encrypted files using standard CSV format and PDF format to the service within 30 days.
End-of-contract process
When written confirmation has been received to terminate the contract, all patient data for the service will be transferred securely in a standard CSV and PDF format. A single data extract of all data will be provided free of charge, any additional extracts or bespoke extracts would be chargeable.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Service interface
What users can and can't do using the API
PCMIS supports a wide range of system integration capability using PCMIS API Web Services and coding standards including HL7, XML and JSON through integration with national and local Trust integration engines.

The following interfaces have been developed and are currently operationally live:
Web API IAPT Portal eReferrals
Web API IAPT Patient Portal
Web API Platform integration with Digital Enabled Therapies
Web API eReferral registration integrated with Digital Enabled Therapies
NHS Choices/NHS.UK eReferrals
NHS Spine
Postcode Lookup API
SMS Appointment Reminder API
Patient Portal Appointment Reminder API
Patient Experience PEQ SMS API
Database Analytics API

The API's will be setup on behalf of the service and changes supported by PCMIS Service Desk.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
PCMIS includes the flexibility to amend data entry screens through assigned system permissions, including custom fields, customising drop down items, setting fields as mandatory and adding local reporting items.

PCMIS menus are tailored to access levels. Built in systems permissions grant/deny access to menu items and built in user preferences can be set to customise individual view settings.

Display columns are configurable to allow users to select which details are to be included in the display.

PCMIS system configurability including custom fields, custom forms, letter templates and configurable care pathways can all be used to create and define local care plans.

Built in role based systems permissions allow users with the appropriate system access to add/amend reference data. These permissions are granular and can be setup to ensure only appropriate users can amend appropriate fields.

Granular system permissions ensure appropriate clinical access and governance is maintained.


Independence of resources
PCMIS is hosted on scalable infrastructure using state of art technologies and by default can support over 1,000,000 patient records. The architecture of the storage capacity is designed not to impact the system operations.

PCMIS application and data is stored and hosted on a high performance and a dedicated server, which guarantees data security and high performance - the speed of the system will not be affected by other services or numbers of active users.


Service usage metrics
Metrics types
PCMIS operates on a dedicated server, data is not shared or accessible by any other organisation, guaranteeing data security but also high performance as the speed of the system will not affected by numbers of active users.

We provide a high level of resilience and capacity using dedicated servers with failover to ensure high availability. Any performance or service delivery incidents are reported automatically using built in network system monitoring. PCMIS operates with spare capacity and additional capacity is available for future increased volumes.
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach
All data at rest is protected using AES256 encyption.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Exportable reports and dashboard are available within PCMIS allowing services the ability to quickly and easily export real-time data in CSV or Excel format to undertake any local data reporting at a click of a button.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • PDF
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
All transferred data is fully encrypted throughout the entire technology stack. PCMIS is protected by five levels of security including internal and external E3 compliant firewalls and powerful Elliptic Curve Cryptography (ECC).
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
All transferred data is fully encrypted throughout the entire technology stack using Elliptic Curve Cryptography. Data is protected by an E3 compliant firewall.

Availability and resilience

Guaranteed availability
Our average up time exceeds 99.999%. Outside working hours including weekends and Bank Holidays, target percentage up time is 99.9256% (estimated downtime for weekly 05:00 system patches that may require a server restart). A service level agreement is available on request.
Approach to resilience
The PCMIS application is hosted on a multi-core, multi-processor Enterprise Level Server with RAID disk storage and redundant power supplies, with backup power provided by an N+1 UPS with 24 hour backup power. The server is subject to the manufacturer’s level 1 on-site warranty. There is a failover server and on onsite spare DR (Disaster Recovery) server available for immediate business continuity.
Outage reporting
Email alerts are used to inform services in advance of any planned maintenance. We aim to provide at least one week advance notice for maintenance and two weeks advance notice for system upgrades.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Role based access, application security controls, system permissions and firewall network restrictions are used to restrict system permissions, system access and access to management interfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials
  • NHS Digital Data Security Protection Toolkit (Level 3)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
NCSC Cyber Essentials. NHS Digital Data Security and Protection Toolkit (DSPT) Level 3.
Information security policies and processes
PCMIS is Cyber Essentials accredited, NHS Digital DSPT Approved and operates from an ISO27001 compliant Data Centre. We have a dedicated internal security team and are externally audited by CREST security specialist. Controls and security policies are implemented to ensure patient data is protected at all times. Mandatory Information Governance/Data Security training is annually monitored for all staff. Spot checks are undertaken and all security policies are annually reviewed including Disaster Recovery, Business Continuity, Acceptable Use Policy, Secure Application Development, Physical Access, Patch Management and Anti-virus/anti-malware policy.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
ITIL best practice change management process is used to approve any security changes. Staff are ITIL qualified. Change requests are logged, risk assessment undertaken and approval process signed off prior to any configuration changes. The risk assessment process is used to identify and potential security impact. The requests for change (RFC's) are linked to Incident Management process to allow components to be tracked through their lifetime. Each release of PCMIS also includes Privacy Impact Assessment and Clinical Risk Assessment compliant with NHS Digital DCB160/DCB0129. Application development changes are tracked using centrally managed version control with access control.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
PCMIS receives automatic notification of any potential threats and vulnerabilities from security bulletins, from the specialist security team and direct from IT system suppliers. Application vulnerability scanning is undertaken, IT security specialist are used to assess any risks and critical patches are installed within 48 hours, following internal testing. Monthly released security updates are installed within 14 days of release.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
A dedicated security team proactively monitor security threats. Automated frequent vulnerability scanning is undertaken. Annual penetration testing is undertaken. Any identified threat would be responded to immediately.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are reported to senior management immediately and the security and data protection team informed. An incident report is completed and reviewed by security and IG specialists to identify impact and actions taken compliant with best practice security and GDPR. Client will be contact immediately and actions are reviewed and implemented on all systems and processes involved in the incident to mitigate further risk and prevent further re-occurrence.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Connected networks
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Health and Social Care Network (HSCN)


£4,950.00 a unit a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@pcmis.com. Tell them what format you need. It will help if you say what assistive technology you use.