EMIS Ltd

EMIS Health - PharmOutcomes

PharmOutcome is is as a web-based service management solution offering commissioners the ability to develop custom templates to record service deliveries whether these be local, regional or national. As a web based platform it offers a secure service management solution, using structured templates used by clinicians whilst patient facing.

Features

• Real time reporting
• Flexibility with service design
• Core PharmOutcomes System
• Automatic service claims management
• Interoperability with other management systems
• Messaging function from commissioner provided with read receipt
• PharmAlarm

Benefits

• Ability to set permission profiles for users to restrict/allow access
• FHIR egress and ingress functionality
• HL7 ingress functionality
• Links to national management systems via APIs
• Access to key system features and functions
• Secure Messaging Function
• Ability to create bespoke templates
• Data interoperability from system to system

£2,201 a licence a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@emishealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

234550490248436

Contact

Bid Team
0113 380 3000
bids@emishealth.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: The system differentiates between commissioners and providers in what data they can see. Unless consent is explicitly given, commissioners will only be able to see anonymised data whereas providers can see the full patient details.; ; Organisations which wish to share data will need appropriate data sharing agreements in place.
• System requirements:
  • Access to internet running on any currently supported browser
  • JavaScript enabled
  • Commissioners must purchase a licence prior to use
  • Browser requirements as detailed in the Technical Specification
  • Windows version requirements as detailed in the Technical Specification

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times as detailed in MSA depending on incident level. Help Desk available 9am to 6pm Mon to Fri. Help desk remotely monitored at the weekend.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: When accessing the EMIS Now support portal, Live Chat is an option to speak to a member of the support team and log a ticket if necessary through this function.
• Web chat accessibility testing: None or don't know.
• Onsite support: Yes, at extra cost
• Support levels: Service design and system training support is provided by the Professional Services Team. Commissioners can attend free masterclass sessions held at multiple venues that cover use of the platform but onsite training and support can be provided at a day rate cost of £495.00 plus VAT. Technical support is provided by the technical team. This support type is usually to investigate interoperability using APIs, creating bespoke reports etc. The rate for technical support is £895.00 plus VAT per day. Commissioners can purchase support packs. A three day support pack is available to cover training and service design at a rate of £1200.00 plus VAT .
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Once a licence area has been set up , the team at EMIS will work with the commissioner to support a launch event. This is typically delivered over Microsoft teams and covers accessing the system, all system functionality and the use of service templates. Additionally, video guides can be agreed and produced to support aspects of the system (additional cost attached to video production - see day rate costs). face to face training can be delivered if required on site but day rates apply.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Managed by Professional Services Team
• End-of-contract process: At end of contract users are allowed access to the reporting function within the system for an agreed time period. This supports download of service data in a number of formats but CSV is the usual file type required on closing an account. Commissioners can download their own service data at the end of contract however support is available to help with this if they require it

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Users access the system via the URL https://pharmoutcomes.org through input of multiple single factor authentication. Once in the system users can access service templates from a "Services" tab. The only templates accessible at a site are those that relate to services the site has been commissioned to deliver. Templates are designed to used whilst patient facing and are structured to ensure the capture of relevant KPIs and to meet the data capture requirements of the relevant service specification. Practitioners work through a structured question template when offering any service. Once saved, all information is passed into a commissioner accessed audit.
• Accessibility standards: None or don’t know
• Description of accessibility: All screens can be sized meaning templates can be made bigger if this helps the completion for those with impaired vision.
• Accessibility testing: None to date.
• API: Yes
• What users can and can't do using the API: Ingress of clinical records using non-coded CDA messages; Additional APIs for supporting tools but not for service access; ; Users cannot set up services via the API; Users cannot make changes via the API
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • Other
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: PharmOutcomes provides a templating system which commissioners can use to design the services they want health and care providers to deliver. The resulting service then appears as a guided workflow for the care provider to follow when providing the service. This approach means that commissioners can customise services as they wish.

Scaling

• Independence of resources: Continuous monitoring and check on volume of providers. Also for larger national services, dedicated servers.

Analytics

• Service usage metrics: Yes
• Metrics types: Activity levels.; Financial reporting.; Tracker reports.; Standard audit reports.; ; Users are able to build their own reports and data extracts as required within PharmOutcomes.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users export data directly from the user interface. With appropriate permission settings users can access a "Reports" page. From this page, data for any service commissioned can be extracted across any specified time period in a variety of formats including CSV.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Service availability over the last 12 months has been running at 99.92%
• Approach to resilience: Spread across multiple data centre's - procedures for fail over.
• Outage reporting: Messaging via system post event

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Access restrictions are controlled in the system through the ability to define a user permission profile. Users can be set up to access different parts of the system aligned with their role in an organisation.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 08/07/2004, last revised on 15/06/2021
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Data Security and Protection Toolkit (NHS Digital)
  • IG Toolkit

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: EMIS Group have a top level policy for Information Security, and supporting policies including (but not limited to): Acceptable Use, Security Incident Policy, Access to Buildings Policy, Network Security Policy, Information Governance Policy, Information Retention Handling and Classification Policy and supporting processes/procedures.; These are shared on a Group Document Management system which all employees have access to and these are communicated to staff where applicable, and they are included in training. ; These are reviewed at least annually and approved by senior management, with compliance reviews conducted annually.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The company operates a continuous development and improvement process with new functionality and features being released to all customers at the same time. New code is developed, peer assessed, tested via automated systems where possible and formally quality assured by a specialist software tester before being made live. All changes are tracked via an internal release control processes.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: EMIS Group perform targeted vulnerability scanning every two weeks, and full scans on all internal ip addresses are conducted quarterly. ; External IP addresses are scanned continuously. ; EMIS Group have processes in place to ensure that critical operating patches are applied to internal servers and machines within 14 days.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Compliance with an accreditation to ISO 27001 audited twice yearly by BSI
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: EMIS Group have an incident response process/plan in place with clearly defined roles and responsibilities, and there are run books available for common events. ; ; This is available to all employees on the Group Document Management system and is part of training and awareness for relevant employees, and all employees are advised how to report incidents. ; Reports are provided where applicable.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  EMIS employees are educated annually on environmental matters with an emphasis on personal responsibility regarding energy consumption and waste management. This is supported by relevant policies, such as EMIS’s Group Environmental Policy Statement and company benefits, e.g. during 2021 the Group launched a salary sacrifice scheme for employees to lease electric cars and for individuals to fund tree planting with Ecologi, who provide a route for organisations and individuals to fund climate action projects.; Through Ecologi, EMIS planted 25 saplings for each new employee who joined the business during the previous twelve months, resulting in approx. 7,300 new saplings planted in countries badly affected by deforestation.

Pricing

• Price: £2,201 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@emishealth.com. Tell them what format you need. It will help if you say what assistive technology you use.