Concentric - digital consent

Concentric is a digital consent and shared decision making web application which transforms the paper process of giving consent for treatment.

Personalised information, backed by evidence-based, treatment-specific content, supports consent conversations and drives informed, shared decisions. Patients can access consent information and can document consent remotely or with their clinician.


  • Digital consent for treatment
  • Remote consent functionality with secure patient access
  • Evidence-based & SNOMED-CT coded clinical content across 1000+ treatments
  • Personalised information for each individual
  • Electronic Health Record integration for demographics, documents & authentication
  • Device agnostic, web-based, cloud hosted


  • Remote consent without requiring physical outpatient consultations
  • Reduce medicolegal risk by reducing errors and ensuring appropriate documentation
  • Reduce inappropriate clinical variation with trusted information supporting decision-making
  • Support patient understanding, providing accessible information tailored to them
  • Reduce the use of paper within the consent process
  • Improve operational efficiency - reduce cancellations and delays
  • Administration interface to manage users, review usage and feedback
  • Audit trail of all user actions


£25,000 a licence a year

  • Free trial available

Service documents


G-Cloud 12

Service ID

668709611399148


EMIS Ltd Bid Team
Telephone: 0113 380 3000
Email: bids@emishealth.com

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Planned maintenance will be notified in advance.
System requirements
Modern web browser with javascript and cookies enabled

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response time for acknowledgement of a new Incident is immediate

Resolution times vary based upon severity, which is set from Severity 1 (very high) to Severity 5 (very low).
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
We use ServiceNow for our support platform. The assistive technologies JAWS, NVDA, and VoiceOver are used to test ServiceNow products.
Onsite support
Support levels
Support cases are prioritised as severity 1 to severity 5 (provided to the Customer)

Support documentation is available on our support system, EMISNow, and is available to the Customer or third parties authorised by the Customer.
Support available to third parties

Onboarding and offboarding

Getting started
Online training and user documentation
Service documentation
Documentation formats
End-of-contract data extraction
Data is provided to the user at the end of the contract via PDF exports of each consent form accompanied with metadata for each episode.
End-of-contract process
There is no additional fee for a standard data extract. Where required, other extracts are chargeable at commercial rates.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
All functionality is available across mobile and desktop with responsive web design.
Service interface
Description of service interface
Web based front-end
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
1. Routine audit of compliance with WCAG standards
2. Service evaluations undertaken within NHS organisations including accessibility assessment.
Customisation available
Description of customisation
Through administration and management interfaces, the following areas can be customised by or on behalf of the buyer:

1. Healthcare organisation's branding
2. Clinical content modifications to meet local requirements
3. Domain name


Independence of resources
Monitoring data is collected for early warning of increased demand and the system is designed to scale horizontally. The system operates with significant headroom and demand for this service is inherently predictable.


Service usage metrics
Metrics types
Consent episodes completed, number of active clinicians, patient access to information. Metrics can be explored by specialty and timeframe.
Reporting types
Real-time dashboards


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Concentric Health

Staff security

Staff security clearance
Staff screening not performed
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Consent form PDFs can be downloaded by users from within the application. Episode data can be requested, and is provided as PDF documents with accompanying metadata.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Approach to resilience
Automatic failover is configured to handle all server failures and is designed to cause less than 5 minutes of unavailability. The system is designed not to need any scheduled maintenance. New application code is deployed with zero downtime. The system is designed to be resilient to a single datacenter failure within a region.

Data recovery processes are in place, in the unlikely event of total system failure:
- Database backups can be used in the case of total system failure. This scenario is not anticipated and would be a manual operation taken as a last resort.
- Configuration management system is used to configure all cloud services and hosts, allowing rapid total replacement of cloud infrastructure in the case of total failure.

Database backups are taken daily and stored for 7 days.
Outage reporting
Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability. Tenants are provided a company operational and technical contact for use in an emergency, with emergency support available 24/7.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Role-based administration access to administration interface, with 2-factor authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
The Information Security Management in relation to the provision and subsequent support of information and management systems to healthcare and non-healthcare professionals. Information Security Management within the supply and deployment of ICT infrastructure and support services. Both in accordance with the Statement of Applicability version 21 dated 13/04/2018.

The subcontractor, Concentric Health, is not covered by this certification.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials Plus. NHS Digital Data Security and Protection Toolkit.
Information security policies and processes
Healthcare professional access: Best practice for password creation and management is enforced, as per Cyber Essentials recommendations.

Patient access: Patients receive an unguessable URL (generated using a secure random generator with in excess of 10 quadrillion possible combinations) via their email address. The email contains no special category data. When patients access this link within the email, they need to enter their date of birth before a consent record may be viewed. In order to ensure that the URL and consent details are kept secure: the URL will be limited to TLS connections, browsers and intermediaries will be prevented from caching, and outbound links will not reveal the full referrer URL.

A security incident reporting procedure is in place, alongside confidentiality and data protection, and data security incident monitoring. Incidents are reported to the Chief Technical Officer.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Release notes are made available to each customer at each release. Unit testing and both manual and automatic end-to-end testing are undertaken at each release. Clinical safety and security impacts are considered as part of any release to ensure ongoing compliance with NHS Digital DSPT and Cyber Essentials Plus standards.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Systems run with up-to-date dependencies. LTS operating system releases are used with automatic updates enabled. We subscribe to automatic security vulnerability alerts for all our code dependencies, which are sent to designated individuals. Our policy is to deploy updated dependency versions within 2 weeks, or sooner if deemed necessary by our CTO.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Log data is collected centrally and monitored for signs of unusual activity.

Application logging is carefully designed so that unusual activity is logged at warn level or above. The rate of such logs is monitored to provide an early warning signal.

Internally, services are designed along zero-trust principles. This prevents a single compromised component from allowing access to other information.

Internal authentication is by way of signed authentication tokens. The private keys underlying these tokens can be replaced in case of a suspected breach, which will invalidate all existing tokens and cause all users to become immediately logged out.
Incident management type
Supplier-defined controls
Incident management approach
Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability.
Tenants are provided a company operational and technical contact for use in an emergency, with emergency support available 24/7. Root cause analysis investigations are undertaken in response to failure.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£25,000 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
Potential options available on request.
