Freetest.me - Online STI Screening
Freetest.me is a fully integrated self-sampling online sexual health platform focusing on remote screening for sexually transmitted infections. The service includes cloud-based intervention with postal sample collection kits backed up by integrated laboratory Services.
Features
- Simple patient pathway and secure cloud-based clinical record system
- Service user registration and postcode geo-location eligibility look up
- Flexible web-based kit and test selection triage with safeguarding
- Customers provide their own in-house clinical support/patient management
- In-house laboratory testing service accredited to ISO 15189
- Secure web-based reporting hub for reporting / live service information
- National datasets (such as CTAD) automatically submitted
- Automated patient notifications for kit completion, results ect (email/SMS)
- Flexible and integrated fully offline kit model for local services/venues
Benefits
- Highly cost-effective cost-per-screen and cost-per-positive
- Intuitive cloud-based clinical record system with training available for clinics
- Automated processes reduce workload for local services and overheads
- Simple triage process allows alignment with local service requirements
- Secure web-based reporting hub for reporting / live service information
- Live service information/reports available via secure cloud-based reporting hub
- In-house laboratory testing service accredited to ISO 15189
- Flexible and integrated fully offline kit model for local services/venues
Pricing
£6.25 to £80.50 a transaction
Service documents
Request an accessible format
Framework
G-Cloud 13
Service ID
1 7 8 8 3 3 3 9 3 2 5 2 7 6 5
Contact
Preventx Limited
Mark Clune
Telephone: 07812731315
Email: mark.clune@preventx.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- None.
- System requirements
-
- Access to internet connection
- Access to HSCN network (Optional)
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- We operate support during business hours (8:00 - 17:00) and working days (Mon - Fri). However, the ability to add support tickets is always available to users. Given the nature of the service we provide we find this currently works for the users. However, we continuously assess this.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
- Because of the nature of the service we provide we have no defined service levels. All users are provided with same level of support.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Preventx has over 14 years of experience at onboarding new users of their services, which has allowed us to develop a tried and tested mobilisation approach. Onboarding requirements of customers are varied; therefore we work with them to understand their requirements and develop a bespoke a bespoke mobilisation package.
Onboarding of new customers can include the following training;
Remote and/or online training for clinicians who will be using the SH.UK secure cloud based clinical record system to manage patients.
Remote and/or online training for clinicians who will be using the SH.UK secure cloud based clinical record system to access reporting tools.
Remote and/or online training for clinicians who will be using the SH.UK secure cloud based portal to access reporting tools.
Remote and/or online system training for all commissioners requiring aggregate data reporting access through the SH.UK secure cloud based portal.
Top up training / support for all local clinicians managing onward care of positive patients in local services.
All training is supplemented by key FAQ training documentation, allowing staff to have a key reference guide for their development. Throughout the contract cycle, customers can access the Preventx service development manager, who is available to support, re-train and advise. - Service documentation
- Yes
- Documentation formats
-
- ODF
- End-of-contract data extraction
- Throughout the life of the contract, users are able to export various (anonymised) data from the platform in order to fulfil their specific internal reporting obligations. Also during the time of the contract, users with the appropriate role-based access are able (with suitable DPIA in place) to access service user (patient records) which they are able to transpose information from into their own Electronic Patient Record (EPR) systems. At contract termination the Preventx becomes sole Data Controller for the data generated as part of the contract and as such cannot transfer / extract this data in line with EU GDPR. All data will then be managed in line with guidelines set out in the Records Management Code of Practice for Health and Social Care 2021 and where data is stored that falls outside of this Code, we have internal processes to ensure that the subject rights under article 17 of the GDPR are met.
- End-of-contract process
-
At the end of a contract the following processes are implemented with the supplier;
- Set date for closure of kit request service.
- Set date for closure of kit receipt and laboratory testing services (usually within 1-3 months of the kit request closure).
- Set date for data management access closure (this is agreed with the supplier).
- Set agreed data retention period, Preventx deletion policy anonymises all PID.
- Provision made to return the patient record and this data to the customer as requested by them.
- Final invoice generation.
There are no additional costs for these end of contract services.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- None.
- Service interface
- No
- User support accessibility
- WCAG 2.1 A
- API
- No
- Customisation available
- Yes
- Description of customisation
- Users have the ability to customise significant parts of the service user consultation journey and various branding options. These are implemented during the onboarding process for the service using internal technology resource.
Scaling
- Independence of resources
- We continually monitor resource utilisation across our hosting estate and ensure that all our servers are 'right-sized' to accommodate the fairly well-defined, well understood demand placed upon them by existing clients and the additional demand placed upon them by new clients.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
Preventx’s services are data-rich, we provide a wide range of real-time reporting tools that provide access to a number of key service metrics:
-Gender
-Age
-Ethnicity
-Positivity rate by STI
-Return Rate
-Service Lookups
-Offline test kit reports
-Positivity rate by kit distribution channel
-Activity rate by channel
-Activity tracker
-Lab outcomes report
-Average cost per screen
-Average cost per diagnosis
-Spend tracker
-Spend tracker by channel/site
-User feedback survey report
-Local Authority ward report
-Local Authority LSOA report
-Local Authority Population Report
-Offline Kit expiry report
-Custom report generation - Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Physical access control, complying with SSAE-16 / ISAE 3402
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
-
Customers/local providers are able to export data from the Preventx system in a number of ways:
Raw data export (enables local data analysis).
Custom report downloads (custom report design and implementation is provided as part of ongoing consultancy services).
CTAD/GUMAD data download (all CTAD/GUMCAD data is submitted by Preventx, however downloads of these submissions are available to customers/local providers). - Data export formats
-
- CSV
- Other
- Other data export formats
- XML
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- Given the nature of the service we don't provide (or are required to provide) SLAs for availability. However, we generally strive for 99.9% uptime and historically we have generally met this. We generally don't (and are not required) to provide users with refunds if we don't meet availability levels.
- Approach to resilience
- Available on request.
- Outage reporting
- We report significant planned / unplanned outages to clients via email alerts and through our account management team.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Username or password
- Access restrictions in management interfaces and support channels
-
Areas of the public facing Preventx platform that will access and display patient data (for example account areas, online test results, etc.) will follow strict rules around the authentication of the user, including the use / option of 2 factor authentication (2FA).
Clinician access for result management and advisory services is managed via our clinician portal, which is secured via industry standard TLS/HTTPS encryption. In addition to mitigating risk using IP whitelisting and encryption we can enforce the use of One Time Password (OTP) devices or 2FA applications. - Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Limited access network (for example PSN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- Yes
- Any other security certifications
- NHS DSP Toolkit
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- We are Cyber Essentials Plus certified. As an provider to NHS we also complete the Data Security Protection Toolkit assessment that allows us to measure our performance against the National Data Guardian’s 10 data security standards. All new services are required to be GDPR compliant with Data Protection Impact Assessments and Data Sharing Agreements required to be in place before commencement. We are working towards ISO27001 certification.
- Information security policies and processes
-
We have a board-level responsibility around information security where the Chief Technology Officer acts a the Information Governance Lead and Chief Information Security Officer for the business. Information security risks are monitored through a corporate risk register which are also reviewed at each monthly board meeting.
We have a Data Protection Officer (DPO) who is responsible for ensuring compliance to the EU GDPR and again our compliance is regularly monitored and reported on at the monthly board meetings.
We have a number of policies around information security (mobile device policy, remote working policy, etc.) that are included as part our employee handbook and a corporate IT Security policy that has been adopted at board level.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- We have a well-defined change management process and mechanisms in place as part of our software development process to assess the security impacts of any change. We have a clearly defined and documented process around code review and code release that ensures full traceability and auditing of any change. We implement annual web application penetration tests to confirm overall security conformance.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- We subscribe to NHS Cyber Security Batsignal to provide early warning of significant vulnerabilities and also regularly scan security alert newsletters and cyber alerts posted on the NHS Digital site. Once a vulnerability is identified we assess the risk to our internal network within 8 hours and try to implement patches as soon as possible after that.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Available upon request.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- We have pre-defined processes for common events and users report incidents via our online support portal. For most incidents these tickets and the responses form part of the incident reports.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Public sector networks
- Connection to public sector networks
- Yes
- Connected networks
- Health and Social Care Network (HSCN)
Social Value
- Fighting climate change
-
Fighting climate change
Preventx’s HR and environmental policies outline the company’s commitment and compliance to labour rights and ethical
issues and how we consider and reduce the carbon impact of activities on the environment directly, and in-directly
through our supply chain, demonstrating how we would deliver the contract to generate social value out of the health
pound.
To encourage staff to reduce their carbon impact on the environment whilst travelling to the office Preventx offers a cycle to work scheme with showering facilities available on site. All staff are encouraged to use public transport to commute to the office or to car share. For external off-site meetings, Preventx has implemented a ‘train first’ policy to further reduce carbon impact on the environment.
Preventx installed Electric Vehicle charging points for the use of employees who commute via electric vehicles.
Preventx operates from several sites which are located on the Meadowhall business park in Sheffield, the business purchased an electric van which is used solely to travel between the sites. The company has committed to only purchasing electric business vehicles in the future.
Preventx has completed installation of a combined heat and power system, which will further reduce energy waste and has upgraded all laboratory lighting to an LED system.
We source our packaging via Greenshires who have Forest Stewardship
Council certification and are certified with the ISO 14001:2004
Environmental Standard.
Cardboard waste from test kits received back at the Preventx laboratory is recycled and service users are asked to return unused parts from testing kits for reuse or recycling. Plastic packaging is common for similar services and can only be
disposed of in landfill. - Covid-19 recovery
-
Covid-19 recovery
The FTM service supports people to self-care and self-manage at home through the self-sampling for STIs.
This in turn has helped to reduce demand on face-to-face health and care services and also supports those who are worse affected, or shielding to access services remotely without having to visit a healthcare setting.
The FTM service involves the training of sexual health clinicians on how to use the FTM clinical record system, which can allow staff who are shielding or having to work remotely to be able to provide services to users.
Pricing
- Price
- £6.25 to £80.50 a transaction
- Discount for educational organisations
- No
- Free trial available
- No