Patient Link

Patient Link is a highly flexible, scalable and intelligent online platform engineered for GP Practices and Primary Care Networks (PCNs) to share information with patients and optimise their health-seeking behaviour.

We use the latest cloud-based frameworks and technologies to support the Total Triage model to power GP Practice Websites.


  • Mobile-responsive layouts for compatibility with mobile and tablet devices
  • Federated working to support Primary Care Networks
  • Patient News & Updates and Multiple Language Support
  • Full GDPR, web accessibility and security compliance
  • Integration with leading Online Consultation and Video Consultation platforms
  • Integration with nhs.uk, NHS 111 Online and online services
  • Personalised Patient Pathways for Chronic Disease Management
  • Artificial Intelligence for Decision Support
  • Self-help, Pharmacy Support, Digital and Social prescribing
  • Online Patient Registration & Web Forms


  • Total triage model to manage patients remotely
  • Centralised management for PCN and/or CCG staff
  • Data collection support to help meet QoF targets
  • Reduced clinical and admin workload
  • Reduced telephone call volumes for reception staff
  • Reduced need for appointments by patients
  • Optimised use of eConsult and eHub
  • Ordering of repeat prescriptions online by patients
  • Predict demand for online services based on historical trends
  • Reduced practice footfall


£700 an instance a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@cenigma.net. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

8 3 5 6 1 8 1 0 1 7 6 8 4 3 7


CENIGMA Ahmad Chughtai
Telephone: 07572602121
Email: sales@cenigma.net

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Compliant browser technology (we support all supported browsers that hold a market share of over 1%).

Scheduled software updates every 2 to 4 weeks (approx. 15mins planned down time outside of office hours).
System requirements
Supported web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
We work on three severity levels as follows:

- P1 (total/severe loss of Patient Link functionality) - 24/7 - 8hr target resolution
- P2 (partial loss of Patient Link functionality) - 24/7 - 16hr target resolution
- P3 (minor issues that do not have a material impact on the customers ability to function) - Mon-Fri (8:00 - 18:30), Sat (9:00 - 13:00), target resolution subject to severity and also P1 and P2 issues presently being handled

Our average response time is less than one hour and average resolution time (with the exception of enhancement requests) is under 4 hours.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
We have not carried out any direct testing ourselves. This is managed by our partner organisation.
Onsite support
Yes, at extra cost
Support levels
- Operations Support: An inbound and outbound office based team available as front line support for practices.
- Account Management Team: Field based team that support CCGs/STPs/ICSs/GP Practices who have commissioned the service.
- Transformation Team: Field based team that work with selected practices to create exemplar sites
- Technical Team: Specialist second line support team to support with specifics on integration, APIs, web site configurations
- Commercial Director: Available for any required escalations.
- ICE (incase of emergency) Line: Managed 24/7

All services noted above are provided within the licence fee.
Support available to third parties

Onboarding and offboarding

Getting started
We follow the following process to onboard each new practice,

1. Analysis of existing website, content curation and synthesis and migration to the practice's unique instance on our staging environment
2. Quality assurance review
3. Link to staging environment shared with the practice for review and feedback
4. Meeting arranged to do a conduct a facilitated walk-through and gather feedback
5. Final updates made based on practice feedback
6. Go-Live
7. Training, ongoing maintenace and support

Our team does all the work with regards to content migration from the existing website to reduce effort for practices and provide comprehensive maintenance and support throughout the contract period.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Upon contract end, customers can place a request with our operations team for all data held pertaining to the account/practice. This request is actioned within 24 hours (Mon-Fri, 8am-6:30pm).

We do not retain any patient data in our platform once it has been fully processed. The only data retained are activity logs and aggregated data in terms of patient utilisation and analytics.
End-of-contract process
The pricing model is all-inclusive. There are no further applicable fees during the contract term, nor post-contract end.

The notice period required is 30 days prior to the annual contract renewal date. Should notice not be served the agreement will auto-renew for a further 12 months. The contract may also be terminated at any point during the contract period subject to a 90 day notice.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The platform is designed to be mobile-responsive and adjusts its layouts for optimal display on mobile and tablet devices.
Service interface
Description of service interface
Patient Link is supported by a modern admin interface to manage its feature and contents. This is protected by multi-factor authentication and role-based access control allowing the possiblility to assign variable levels of access to service users.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
We have tested our platform directly with patients that use assistive technology. Our platform is compatible with most standard screen readers.

Our accessible design has been evaluated by patients from diverse backgrounds and demonstrated social inclusion for people with disabilities as well as isolated groups including ethnic minorities.

We have an in-house Web Accessibility Specialist who works closely with our design team and evaluates all features against the above guidelines before approving the designs for implementation. We avoid the use of any design components that may have a negative impact on patient health. e.g. we do not use parallax to avoid any risk of seizures amongst vulnerable patients.
Customisation available
Description of customisation
Patient Link has been engineered to be highly scalable and to allow ease of customisation. Configurable options for users include,
- Branding
- Online & Video consultation solutions
- Choice of online services apps e.g. NHS app, Patient Access, iPlato, Evergreen Life etc.
- Look and feel of the eConsult website banner
- Selection of specific local healthcare services
- Selection of select patient-facing templates
- Timelines for processing of responses to patients
- Chronic Disease management reviews
- Online web-forms, input fields, mandatory selections etc.
- Single / multiple site configuration
- GP & Nurse availability
- Practice team photos and profiles
- Contact number / email
- Holidays / practice closure dates

All configurations can be selected by the customer at anytime during their licence period.


Independence of resources
Our platform is hosted on a fault-tolerant, load-balanced public-cloud with the ability to scale performance as required. Our server is sized to handle twice the peak-load at any given time. We have continuously achieved 99.9% service uptime and have multiple levels of monitoring in place to detect infrastructure outages (via an automated alert system provided by our infrastructure provider), system-level issues (e.g. high memory usage), and application-level issues (e.g. problems with the delivery of data). We have support staff on standby for urgent system problem resolution.


Service usage metrics
Metrics types
We provide comprehensive reports on patient utilisation which can be accessed directly in real-time or configured to be shared as per a defined schedule.

This includes,
- Total visits
- Unique visits
- Average session duration
- Bounce rate
- Online consultation visits
- Online consultation visits as a % of total visits
- Patient demographics (age bracket, gender)
- Pages visited
- Source of referral (direct, search engine, social media etc.)
- Visits by country
- Most frequently accessed services
- Mobile, Tablet or Desktop users
- Device type e.g. iPhone, Samsung Galaxy Note etc.
- Web Browser
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
We do not retain any patient data in our platform once it has been fully processed. The only data retained are activity logs and aggregated data in terms of patient utilisation and analytics.

Customers are provided with regular analytics data as part of their service agreement. This is provided on a weekly and monthly basis. Ad-hoc data requests can be made via the service desk. We are also able to share this directly with the PCN and/or CCG subject to practice approval.

All submitted web-forms are transmitted to the respective practice for processing and management.
Data export formats
Data import formats
  • CSV
  • Other
Other data import formats
  • CDA
  • JSON
  • PDF

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Availability - 99.9%
Excludes downtime for scheduled maintenance
Approach to resilience
Datacentre information including resilience and security is available upon request.
Outage reporting
Outages would be reported via email alerts.

For reporting of known issues, we are able to set an alert message to notify the end-user.

Identity and authentication

User authentication needed
Access restrictions in management interfaces and support channels
Access is restricted to backend admin panel via multi-factor authentication and restricted role-based access control.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials
  • DSP Toolkit (In progress)

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
DSP Toolkit (In progress)
Note: ISO 27001 relates to our hosted data centre only
Information security policies and processes
An Information Governance team has been defined, and meets regularly. All staff are required to undertake basic Information Governance training.

Defined procedures are in place for data sharing & confidentiality, the handling of sensitive data, and information asset security. These procedures are detailed in the organisation's DSP Toolkit documentation.

A Change Control team is assembled when required and is responsible for producing Privacy Impact Assessments of any changes that relate to information security.

Penetration tests are carried out regularly by an accredited, external organisation.

An escalation/notification process exists, detailing 5 levels of risk and an associated chain of responsibility and the procedures that must be followed accordingly.

The Chief Technology Officer is responsible for ensuring the above policies are adhered to.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Requested changes are managed by the Product Owner and reviewed at monthly roadmap meetings. Once approved, they are added to the product backlog and assigned a priority. Request planning includes,

a. accessibility requirements
b. teams involved
c. clinical and information governance
d. beta testing
e. customer updates
f. training needs
g. documentation updates
h. evaluation needs

Features are reviewed at at a minimum of 12 month intervals. New features are deployed on a fortnightly release cycle with updates performed out of hours. Internal metrics are used to analyse the performance of the product and features.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Threat management - using our network of specialist cyber security suppliers and contacts we continually monitor potential security threats. We also only use specialist software tools and products to monitor all security elements of the service.

Patches - server patching is managed by our specialist data centre provider.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Alerts system - the platform has an inbuilt alerting system.

Hosting supplier - our specialist hosting supplier also continually monitors the platform.

Issue Resolution - patches and updates can be implemented on a same day basis where required.
Incident management type
Supplier-defined controls
Incident management approach
Incident Reporting - we have pre-defined process for as many common events as possible.

We have a defined notification/escalation process in place. This details 5 levels of risk, and the escalation procedures for each.

A number of potential risks have been highlighted, and detailed processes to follow in the event of such an incident have been defined for each.

A standardised form is used to document any event, including unscheduled service outages, and a defined process is in place to follow-up on any such event.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£700 an instance a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@cenigma.net. Tell them what format you need. It will help if you say what assistive technology you use.