Tiny Medical Apps Ltd

Digital Health Passport

We offer a digitally supported self-management service for young people with Asthma, Epilepsy, Allergies, and Sickle Cell. Our Digital Health Passport is co-designed with young patients, aligns with clinical guidelines, and delivers behaviour change. Live in 10 ICB regions, it supports NHS standards, Core20PLUS5 objectives and NHS Login.

Features

• Onboarding & Screening: safe app personalisation and user assessment.
• NHS Login: Access to enhanced medicines functionality
• Emergency & Health Action Plan: clinician approved and shareable
• Health Tracker: Recording clinically validated patient focused and symptom measures
• Localised Health Hacks: Education resources from ICB and national organisations
• My Journey: Structured coaching around condition reinforced by quizzes
• Air Quality, Pollen and Weather Alerts: Triggered by location services
• My NHS: Local ICB signposting, events and information
• My Medicines: Complete medicines list, in-app reordering and guided reminders
• Deploy Dashboard: ICB impact tracking analytics platform

Benefits

• Improves patient understanding and patient self-management
• Supports patient self-management
• Increases patient activation
• Minimises face-to-face and unnecessary appointments (follow-up management)
• Improves facilitation of knowledge and training around condition and medication
• Enhances quality and efficiency of consultations and reviews
• Addresses inequality: Self-management programmes direct to hard-to-reach groups
• Improves Asthma Control (UCLP Study)
• Facilitates better population health management amongst Children and Young People
• Enhances clinical knowledge and skills in use of digital self-management

£77,000 to £157,500 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Matt@tinymedicalapps.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

100707645826777

Contact

Matt Bourne
02078594169
Matt@tinymedicalapps.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Access to a mobile app
  • Internet access.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: User support is available by email and ticketed web chat support between 9am - 5pm (UK time) Monday to Friday. Incoming messages from users are responded to within one (1) business day.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AAA
• Web chat accessibility testing: https://www.intercom.com/blog/messenger-accessibility/
• Onsite support: No
• Support levels: The Digital Health Passport platform is deployed as a patient-facing mobile app download. As such no technical support is required by NHS commissioners. We do provide account managers and dedicated customer support.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide 1-on-1 web based training and support on the DHP platform for clinical sponsors and clinical champions and develop onboarding based on our standard workflow for the wider service.; The standard plan has these headings: Welcome Pack; Clinical Safety Workshop;Information Governance Workflow; Deployment Plan; Reporting Schedule. Clinical sponsor and clinical champion will be assigned a single point of contact within Tiny Medical Apps.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Once the contract has ended unsupported app users will be logged out of NHS login and will be able to login using social login. Their data will still be accessible and users will no longer have access to NHS supported features within the app. Users can request their using support contacts at any time.
• End-of-contract process: On receipt of termination request we will notify the project sponsor, clinical sponsor and clinical champion by email of the service end date and confirming that access and support will be withdrawn. ; Users of the app will be notified in app that the NHS supported features are to be terminated and can request to extract their data in line with GDPR in a portable format.

Using the service

• Web browser interface: No
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The Digital Health Passport is a native mobile app only available on mobile devices (Android and iOS)
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: No

Scaling

• Independence of resources: As a standalone mobile app individual users are limited to the impact they can have on resources.

Analytics

• Service usage metrics: Yes
• Metrics types: We provide a delivery portal for customers where they can see near real-time data from users, including aggregated user activity broken down each month. Reports can be exported in MS Word and PDF formats.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data belongs to end users (patients) not customers (NHS commissioners) . Accept for medication reordering where NHSE is Data Controller. ; Users can export all their data by making a request in app. This is an automated process delivering a time limited link to a password protected folder with the users data.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • Image
• Data import formats: Other
• Other data import formats:
  • PDF
  • Image

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: A Financial Credit is available where in a given calendar month service availability falls between ; 1. 99% and 99.99% - at 10% of monthly service costs. ; 2. Below 99% - at 25% of monthly service costs.
• Approach to resilience: The resilience of the Digital Health Passport is underpinned by it's deployment on Cloud Run, a core component of Google Cloud Platform. ; ; This leverages several features designed to ensure robust resilience:; ; Fully Managed Infrastructure: Cloud Run provides a managed environment where Google handles all infrastructure maintenance, including servers and networking equipment. Regular updates and patches are applied swiftly to mitigate vulnerabilities, ensuring consistent service availability.; ; Automatic Scaling: Cloud Run's dynamic scaling capability adjusts resource allocation in real time based on incoming traffic. This feature efficiently manages demand spikes and minimizes resources during lower traffic periods, optimizing performance and cost-effectiveness without sacrificing service quality.; ; Containerization: Using Docker container technology, Cloud Run ensures the Digital Health Passport operates in a controlled setting. This approach encapsulates the application and its dependencies, minimizing potential discrepancies and conflicts from diverse operational environments.; ; Monitoring and Alerts: Comprehensive monitoring tools on Cloud Run track resource usage and system health. Real-time insights and automated alerts identify and address issues promptly, ensuring continuous service availability and reliability.; ; These features collectively enhance the resilience of the Digital Health Passport, maintaining its reliability, security, and continuous availability.
• Outage reporting: The Digital Heath Passport service is closely monitored in several ways.; ; Betterstack provides sophisticated API monitoring linked to email, slack and phone.; ; GCP Cloud Monitoring has alerts when resource usage passes defined thresholds.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: Access Control is covered by an ISO 27001 certified SOP. It relies on technical controls such as RBAC and MFA
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus Isoqar (UKAS)
• ISO/IEC 27001 accreditation date: 26/03/24
• What the ISO/IEC 27001 doesn’t cover: TMA's scope is deliberately broad to cover the organisation and its platforms. See below.; ; Information Security as applied to Tiny Medical Apps and the management and delivery of our software platforms and supporting infrastructure, in line with the Statement of Applicability version 2.10 dated 18 Mar 2024
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: TMA are an ISO 27001 certified organisation. The Digital Health Platform is within scope. ; A summary information security policy is available in an easy read form. ; Detailed security policies cover all the clauses and controls of ISO 27001, such as:; Human Resource Security, Access Control, Incident Management and Business Continuity. Operational and Communication Security, Supplier Relationships and System Acquisition and Development.; Internal Audits report to management meetings with external audits annually from UKAS certified auditors.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: TMA Quality Management System is compliant to ISO 13485 (quality management systems of medical devices), ISO 14971 (risk management of medical devices) and DCB0129 (clinical safety risk management of health IT).; ; All 3 standards have an element of change control as part of the quality and risk management process. The procedure in the TMA QMS which governs change control is TMA-SOP-D009 (Control of Software Design Changes). Change control is a Gateway 1 activity in the TMA software development lifecycle, where proposed changes are assessed for impact to regulations and safety/security risk to determine the validation required prior to release.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerabilities are managed in multiple ways.; ; A weekly vulnerability test (on staging) is performed as part of TMA's automated vulnerability scanning (Beagle Security).; ; Github has dependabots alerting enabled to notify TMA of vulnerabilities in any dependency.; ; We subscribe to National Cyber Security Centre's Threat Reports and Advisories as well as other security industry newsletters.; ; TMA has the capability to deploy urgent patches within 1 business day.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: High level protective monitoring is built in at a high level to the Google Cloud Platform. ; ; Additionally this is covered by a number of IS27001 SOPs.; Operational Security, Information Security Incident Management and Compliance.; ; TMA’s response and fix times are in line with those established in the HSCN Consumer Handbook (Service levels and incident severity classification).; ; There are two levels of severity.; ; Severity 1 - Critical Impact.; 3 hours response, 24 hours fix.; ; Severity 2 - Adverse impact.; 3 hours response, 48 hours fix.; ; These are in line with the non-business critical nature of our service.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The Tiny Medical Apps Incident Management (Security and Critical) procedure is triggered in the event of identification of an incident which has been detected by or reported to Tiny Medical Apps through any route. ; ; There are 8 stages in the Tiny Medical Apps Incident Management procedure:; ; 1. Logging and Triage; 2. Engagement; 3. Risk Assessment; 4. Replication; 5. Root Cause Analysis; 6. Risk Management / Nonconforming Product Control; 7. Delivery; 8. Closure

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Tiny Medical Apps is at the forefront of integrating healthcare innovation with environmental stewardship through its Patient Led Asthma Inhaler Net Zero Initiative (PLAIN I). This pioneering project aligns perfectly with the NHS's commitment to achieving net zero carbon emissions, demonstrating significant social value in tackling one of the most pressing global issues—climate change.; Asthma treatment in the UK has been identified as a notable contributor to carbon emissions, primarily due to the widespread use of metered-dose inhalers (MDIs). These devices, essential for many asthma sufferers, depend on hydrofluorocarbon propellants, potent greenhouse gases. PLAIN I aims to mitigate this impact by empowering asthma patients to transition to lower-carbon alternatives where clinically appropriate.; The initiative utilises the already successful Digital Health Passport (DHP), a platform that enhances patient engagement and asthma management. PLAIN I leverages this technology to educate users about the environmental impact of their inhaler choices. By integrating a feature that identifies patients using high-carbon inhalers and suggesting greener alternatives, the initiative facilitates informed decision-making that aligns personal health management with environmental consciousness.; The expected outcome of PLAIN I is a significant reduction in the carbon footprint of asthma treatments. By shifting to inhalers with a lower environmental impact, the project not only advances the sustainability goals of the NHS but also contributes to broader efforts to combat climate change. The real-time tracking capability of the DHP allows for the monitoring of prescription changes and the quantification of carbon savings, offering a transparent and measurable impact.; Tiny Medical Apps is setting a new standard in healthcare by merging patient care with ecological responsibility. Through PLAIN I, the company demonstrates how digital health solutions can serve a dual purpose: improving patient outcomes and fostering a sustainable future.

  Equal opportunity

  Our approach to equal opportunity is addressed from a health equality perspective. We believe in democratising healthcare by empowering patients to actively manage their own health conditions. This empowerment is especially crucial in bridging health disparities that often exist due to socioeconomic, geographical, or cultural differences. By placing control directly into the hands of patients through the Digital Health Passport (DHP), we can help ensure that everyone, regardless of background, has equal access to healthcare resources and support.; The DHP exemplifies how technology can be leveraged to equalise patient care. The DHP provides patients with the ability to track their symptoms and access expert advice. This level of engagement helps patients understand their health conditions better and fosters a sense of community and support, which are vital for effective disease management.; Ultimately, the goal of equal opportunity in healthcare is to provide every individual with the tools and information necessary to manage their health effectively. By democratising access to healthcare resources through digital tools, we are making significant strides towards achieving health equality. These innovations ensure that all patients, irrespective of their economic or social status, have the knowledge and support needed to lead healthier lives.

  Wellbeing

  Use of the Digital Health Passport (DHP) to help children and young people manage chronic conditions like asthma, sickle cell disease, or epilepsy can profoundly enhance their wellbeing and mental health. Chronic conditions can contribute to uncertainty and anxiety, significantly affecting a young person's daily life. However providing robust digital programmes that deliver vital knowledge and support we can enhance overall wellbeing.; The DHP, empowers young users by providing them with real-time data about environmental factors that could impact their conditions, such as air quality, weather, and pollen levels. By understanding what might trigger an episode or exacerbate symptoms, they can better prepare for or even avoid certain situations, reducing the likelihood of an attack and the associated anxiety.; The DHP offers medication reminders , ensuring that young people can maintain their treatment without relying on memory. Consistent medication use is often vital for keeping chronic conditions like asthma or epilepsy under control. Regular reminders help inculcate a routine, decrease the chances of an acute episode, and by extension, reduce the fear and anxiety related to potential attacks.; Educational resources integrated into these apps, including videos on how to correctly use medical devices like inhalers, further enhance self-confidence and competence in managing their conditions. These resources ensure that young people are not only following their medical protocols but are also using their tools effectively, maximising the benefit of their treatments.; Well-designed digital health tools offer more than just medical benefits; they provide a framework of support that fosters independence, reduces anxiety associated with managing a chronic condition, and significantly enhances mental and emotional wellbeing. By keeping young individuals informed, prepared, and engaged, these tools help transform them from passive patients into active participants in their health management, promoting a healthier, more confident approach to living with chronic conditions.

Pricing

• Price: £77,000 to £157,500 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: The Digital Health Passport is freely available to download and use from app stores. This version does not include NHS login, medicines support or localised information or content. There is no access to analytics dashboards.
• Link to free trial: https://getdhp.link

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Matt@tinymedicalapps.com. Tell them what format you need. It will help if you say what assistive technology you use.