EMIS Ltd

Concentric - digital consent

Concentric is a digital consent and shared decision making web application which transforms the paper process of giving consent for treatment.

Personalised information, supported by evidence-based, treatment-specific information supports consent conversations and drives informed, shared decisions. Patients can access consent information and can document consent remotely or with their clinician.

Features

• Digital consent for treatment
• Remote consent functionality with secure patient access
• Evidence-based & SNOMED-CT coded clinical content across 1000+ treatments
• Personalised information for each individual
• Electronic Health Record integration for demographics, documents & authentication
• Device agnostic, web-based, cloud hosted

Benefits

• Remote consent without requiring physical outpatient consultations
• Reduce medicolegal risk by reducing errors and ensuring appropriate documentation
• Reduce inappropriate clinical variation with trusted information supporting decision-making
• Support patient understanding, providing accessible information tailored to them
• Reduce the use of paper within the consent process
• Improve operational efficiency - reduce cancellations and delays
• Administration interface to manage users, review usage and feedback
• Audit trail of all user actions

£25,000 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Framework

G-Cloud 12

Service ID

668709611399148

Contact

Bid Team
0113 380 3000
bids@emishealth.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Planned maintenance will be notified in advance.
• System requirements: Modern web browser with javascript and cookies enabled

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response time for acknowledgement of a new Incident is immediate; ; Resolution times vary based upon severity, which are set at Severities 1 (very high) to 5 (very low).
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: No
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: We use ServiceNow for our support platform. The assistive technologies JAWS, NVDA, and VoiceOver are used to test ServiceNow products.
• Onsite support: No
• Support levels: Support cases are prioritised as severity 1 to severity 5 (provided to the Customer); ; Support documentation is available on our support system, EMISNow, and is available to the Customer or third parties authorised by the Customer.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online training and user documentation
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Data is provided to the user at the end of the contract via PDF exports of each consent form accompanied with metadata for each episode.
• End-of-contract process: There is no additional fee for a standard data extract. Where required, other extracts are chargeable at commercial rates.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All functionality is available across mobile and desktop with responsive web design.
• Service interface: Yes
• Description of service interface: Web based front-end
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: 1. Routine audit of compliance with WCAG standards; 2. Service evaluations undertaken within NHS organisations including accessibility assessment.
• API: No
• Customisation available: Yes
• Description of customisation: Through administration and management interfaces, the following areas can be customised by or on behalf of the buyer:; ; 1. Healthcare organisation's branding; 2. Clinical content modifications to meet local requirements; 3. Domain name

Scaling

• Independence of resources: Monitoring data is collected for early warning of increased demand and the system is designed to scale horizontally. The system operates with significant headroom and demand for this service in inherently predictable.

Analytics

• Service usage metrics: Yes
• Metrics types: Consent episodes completed, number of active clinicians, patient access to information. Metrics can be explored by specialty and timeframe.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Concentric Health

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Consent form PDF's can be downloaded by users from within the application. Episode data can be requested, and provided as PDF documents with accompanying metadata.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.9%
• Approach to resilience: Automatic failover configured to handle all server failure, which is designed to cause less than 5 minutes of unavailability. System is designed to not need any scheduled maintenance. Zero downtime deployments of new application code. Designed to be resilient to a single datacenter failure within a region.; ; Data recovery processes are in place, in the unlikely event of total system failure: ; - Database backups can be used in the case of total system failure. This scenario is not anticipated and would be a manual operation taken as a last resort.; - Configuration management system is used to configure all cloud services and hosts, allowing rapid total replacement of cloud infrastructure in the case of total failure.; ; Database backups are taken daily and stored for 7 days.
• Outage reporting: Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability. Tenants are provided a company operational and technical contact for use in an emergency, with emergency support available 24/7.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Role-based administration access to administration interface, with 2-factor authentication.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 13/04/2018
• What the ISO/IEC 27001 doesn’t cover: The Information Security Management in relation to the provision and subsequent support of information and management systems to healthcare and non healthcare professionals. Information Security Management within the supply and deployment of ICT infrastructure and support services. Both in accordance with the Statement of Applicability version 21 dated 13/04/2018.; ; The sub contractor, Concentric Health, is not covered by this certification.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials Plus

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials Plus. NHS Digital Data Security and Protection Toolkit.
• Information security policies and processes: Healthcare professional access: Best practice for password creation and management are enforced, as per Cyber Essentials recommendations.; ; Patient access: Patients receive an unguessable URL (generated using a secure random generator with in excess of 10 quadrillion possible combinations) via their email address. The email contains no special category data. When patients access this link within the email, they need to enter their date of birth before a consent record may be viewed. In order to ensure that the URL and consent details are kept secure: the URL will be limited to TLS connections, browsers and intermediaries will be prevented from caching, and outbound links will not reveal the full referrer URL.; ; A security incident reporting procedure is in place, alongside confidentiality and data protection, and data security incident monitoring. Incidents are reported to the Chief Technical Officer.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Release notes are made available to each customer at each release. Unit testing and both manual and automatic end-to-end testing is undertaken at each release. Clinical safety and security impacts are considered as part of any release to ensure ongoing compliance with NHS Digital DSPT and Cyber Essentials Plus standards.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Systems run with up to date dependencies. LTS operating system releases used with automatic updates enabled. We subscribe to automatic security vulnerability alerts for all our code dependencies, which are sent to designated individuals. Our policy is to deploy updated dependency versions within 2 weeks, or sooner if deemed necessary by our CTO.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Log data is collected centrally and monitored for signs of unusual activity. ; ; Application logging is carefully designed so that unusual activity is logged at warn level or above. The rate of such logs is monitored to provide an early warning signal. ; ; Internally services are designed along zero-trust principles. This prevents a single compromised component from allowing access to other information.; ; Internal authentication is by way of signed authentication tokens. The private keys underlying these tokens can be replaced in case of a suspected breach which will invalidate all existing tokens and cause all users to become immediately logged out.
• Incident management type: Supplier-defined controls
• Incident management approach: Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability.; Tenants are provided a company operational and technical contact for use in an emergency, with emergency support available 24/7. Root cause analysis investigations are undertaken in response to failure.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £25,000 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Potential options available on request.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF