CONCENTRIC HEALTH LTD

Concentric

Concentric is a digital consent to treatment application (also known as patient econsent) widely trusted by the NHS and proven to transform the informed consent process for patients and clinicians.

It's time for digital consent, with Concentric. Available via G-Cloud 13 for contracts commencing from the 1st February 2023.

Features

  • Digital consent (econsent) to treatment
  • Remote consent by patient where appropriate
  • Demographics, documents, EHR, active directory and ePOA integration
  • Cross-specialty ontology coverage across 5000+ SNOMED-CT treatments and concepts
  • Powerful combined treatment functionality to support digital consent by default
  • Montgomery-compliant personalisation with demonstrated improvement in SDM
  • NHS DTAC (Digital Technology Assessment Criteria) and DSPT compliant
  • Compliant with DCB0129 clinical safety standard
  • Comprehensive implementation playbook based on 20 existing NHS Trust deployments
  • Real-time user dashboards and admin application

Benefits

  • Proven to improve informed consent and shared decision making quality
  • Reduce 'failure to warn' medicolegal costs (errors, omissions, lost forms)
  • Up to 10% reduction in day-of-surgery cancellations / delays
  • Improved patient and clinician experience of the consent process
  • Remote consent reduces the need for in-person outpatient consultations
  • Reduced costs - paper costs and patient information leaflet/scanning processes
  • Reduced carbon impact - remote consultations and reduced paper use
  • Release clinician time due to faster consent administrative processes
  • Process flexibility supports move away from day-of-surgery consent
  • Audit trail of user actions provides visibility of consent process

Pricing

£0.50 to £2.25 a transaction

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at daf@concentric.health. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

2 8 6 5 7 7 6 7 2 4 3 6 7 6 6

Contact

CONCENTRIC HEALTH LTD Dr Dafydd Loughran
Telephone: 07885984495
Email: daf@concentric.health

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
We perform near-zero downtime deployments, and therefore you should not expect scheduled maintenance downtime except on the rare occasions that a near-zero downtime deployment is not possible. There are no service constraints beyond those outlined in the system requirements.
System requirements
Modern web browser (e.g. Edge, Chrome, Safari, or Firefox)

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response from Concentric support team within one working day.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We aim for 99.9% uptime, which equals less than 8 hours and 45 minutes of downtime per year. We perform near-zero downtime deployments, and therefore you should not expect to hear from us regarding scheduled maintenance downtime except on the rare occasions that a near-zero downtime deployment is not possible.

Any downtime is documented in real-time at https://concentric.statuspage.io/. Deploying organisations should ensure that any individuals or group mailboxes that require automated email alerting regarding Concentric issues are subscribed to updates via that page.

Where there is an issue with the Concentric application or an integration issue that is within our control, the following issue resolution time targets (working hours) are used: P1 (System is down) = 2. P2 (Critical path blocked) = 8. P3 (Major functionality issue) = 48. P4 (Minor functionality issue or feature request) = Backlog item for internal prioritisation.

Organisations can contact us at support@concentric.health to inform us of an issue. Priority will be assigned by the Concentric team and communicated to the individual reporting the problem.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Having introduced Concentric into several organisations, we have experience supporting a safe, efficient and effective implementation of Concentric as the default consent method. This includes a comprehensive delivery playbook with project management and clinical engagement session resources, technical and integration documentation, testing scripts, clinician and admin user guides, and impact measurement tools and strategies.

A train-the-trainer model is used for clinician onboarding, alongside user guides, videos, and process flows for each user. Train-the-trainer sessions are delivered by the Concentric team and are supplemented by 6-monthly update sessions to trainers due to the continuous improvement of the product.

An onboarding guide is shared with each clinical user at account setup and can be hosted by Concentric or locally. These are made bespoke for each deployment, including any local considerations, such as the integrations in place, support details, test patient details, relevant policies, and business continuity processes.

In addition to training materials, project management teams and clinicians have access to the Concentric support team to aid with onboarding queries and ongoing support.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The buyer is the data controller and therefore has the right to access to all data at contract end. Data is transferred securely to the buyer as both consent episode metadata and the associated consent form PDFs.

Following data extraction, a process of data deletion occurs. At a high level, the approach taken is that all data is stored encrypted at rest and that on deletion encryption keys are first deleted ensuring that data is unreadable (cryptographic erasure), with the physical data later deleted and over time expired from backup systems. Additionally at end of life drives are securely sanitised.
End-of-contract process
There is no additional fee for a standard data extract. Where required, other extracts are chargeable at commercial rates.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
All functionality is available across mobile and desktop with responsive web design.
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
As part of all G Cloud 13 deployments, Concentric Health will support the buyer to put in place the following integrations: patient demographic query, document ingestion, active directory login / single sign-on, and launch in the patient context from EHR.

Integration documentation and support are provided by Concentric Health.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Buyers can customise the service in the following areas: white-labelling, integration metadata passed, content and patient information links customisation, additional consent modules, and reporting dashboard queries.

White-labelling: The organisation name and branding are used across key areas of the application and email/SMS notifications.

Integration metadata: The organisation can state which patient identifier(s) they wish to use and show in the UI, and can state what metadata to pass with the document integration so that key information (e.g treatment name) can be shown at a glance.

Content and patient information link customisation: Where local updates are required to the Concentric ontology these can be requested and are done in collaboration with the Concentric team with target delivery timeframes based on size and priority.

Reporting dashboard queries: If there are queries that would be useful to present within the admin dashboard area these can be requested.

Scaling

Independence of resources
Monitoring data is collected for early warning of increased demand and the system is designed to scale horizontally. The system operates with significant headroom and demand for this service is inherently predictable.

Analytics

Service usage metrics
Yes
Metrics types
The Concentric Admin application, protected by 2-factor authentication allows access to reporting dashboards and exporting of metrics data. These demonstrate the volume of use (active clinicians and consent episodes), use of remote consent, use of on-the-day consent, rate of sharing information digitally with patients, common treatments consented, and patient feedback received. All elements can be explored for specific periods and by specialty. An integration status dashboard is also available, demonstrating current system status, recent or ongoing incidents, and uptime %.
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Consent form PDF's can be downloaded by users from within the application. Raw data for all reporting dashboards can be exported by admin users. Individual episode audit trail can be requested by admin users.
Data export formats
  • CSV
  • Other
Other data export formats
  • XLSX
  • JSON
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We aim for 99.9% uptime, which equals less than 8 hours and 45 minutes of downtime per year.

We perform near-zero downtime deployments, and therefore you should not expect to hear from us regarding scheduled maintenance downtime except on the rare occasions that a near-zero downtime deployment is not possible.

Any downtime is documented and monitored in real-time on our status page.
Approach to resilience
Automatic failover is configured to handle all server failures, which is designed to cause less than 5 minutes of unavailability. The system is designed to not need any scheduled maintenance. Near-zero downtime deployments of new application code are done. Concentric is designed to be resilient to a single data center failure within a region.

Data recovery processes are in place, in the unlikely event of total system failure:
- Database backups can be used in the case of total system failure. This scenario is not anticipated and would be a manual operation taken as a last resort.
- Configuration management system is used to configure all cloud services and hosts, allowing rapid total replacement of cloud infrastructure in the case of total failure.

Database backups are taken daily and stored for 30 days.
Outage reporting
A public statuspage is maintained to report any incidents. Email alerts can be subscribed to for any incident updates posted to the statuspage.

Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability. Tenants are provided with a company operational and technical contact for use in an emergency, with emergency support available 24/7/365.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Concentric infrastructure: Security critical services are only accessible to a subset of the engineering team, at the CTO's discretion. Access is protected by cryptographic controls.

Tenant administration interface: Role-based administration access with 2-factor authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • NHS Digital - Data Security and Protection Toolkit
  • NHS Digital Technology Assessment Criteria (DTAC)
  • NHS Digital DCB0129 clinical safety standard

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
Cyber Essentials Plus
NHS Digital Data Security and Protection Toolkit
Information security policies and processes
The Chief Technical Officer and Data Protection Officer have overall responsibility for information security at Concentric Health.

Concentric is compliant and undertakes annual recertification with NHS Digital's Data Security and Protection Toolkit (DSPT) and Cyber Essentials Plus. In addition, independent penetration testing is done annually. Covering both clinical safety and elements of information security, Concentric Health also maintains compliance with NHS Digital DCB0129 clinical safety standards.

Policies and documentation include all those required as part of the Information Security Management System for ISO27001 certification.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Software releases are done every two weeks, and release notes are made available to buyers at each release. Before each release, both manual and automated end-to-end quality assurance testing is undertaken. Before a release is deployed, the Chief Technical Officer and Clinical Safety Officer must approve the release. Clinical safety and security impacts are considered as part of any release to ensure ongoing compliance with NHS Digital DSPT, NHS Digital DCB0129, and Cyber Essentials Plus standards.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Concentric is hosted on Linux VMs which receive automatic patch updates.

Application code runs within containers which depend upon a small number of official base images. As part of our regular release process, containers are continually rebuilt using updated base images.

Automatic pull requests are created and reviewed for all application code dependency updates. Security updates are sent to designated individuals. Our policy is to deploy security-related updates within 2 weeks, or sooner if deemed necessary by our Chief Technical Officer.

Security vulnerabilities may be responsibly disclosed to security@concentric.health.

Independent penetration testing is done annually to assess for potential threats.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Log data is collected centrally and monitored for signs of unusual activity.

Application logging is carefully designed to log unusual activity at warn level or above. The rate of such logs is monitored to provide an early warning signal.

Internally services are designed along zero-trust principles. This prevents a single compromised component from allowing access to other information.

Internal authentication is by way of signed authentication tokens. The private keys underlying these tokens can be replaced in case of a suspected breach which will invalidate all existing tokens and cause all users to become immediately logged out.
Incident management type
Supplier-defined controls
Incident management approach
Concentric Health is committed to managing and reporting incidents in a transparent and robust way.

Periodic monitoring of the system results in automatic notification to a human in the case of over 5 minutes of system unavailability. System status is reported in real-time and notification of any status updates is sent to all subscribers with incident details.

Tenants are provided with a company operational and technical contact for use in an emergency, with emergency support available 24/7. Root cause analysis investigations are undertaken in response to failure.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

Fighting climate change

As an organisation, we are committed to supporting net-zero efforts both in our activities as a company and through the impact of the products we develop.

We are involved in a specific project to support the NHS to reach net-zero by 2040 (with an ambition to reach an 80% reduction by 2028 to 2032). The project explores the feasibility of introducing carbon data to support patient-clinician shared decision making conversations. It is one of 10 NHS/SBRI backed net-zero projects for 2022.

The core Concentric product reduces the carbon impact of healthcare, both by remote consent functionality reducing the number of in-person outpatient appointments required and the removal of paper use in the consent process.

Where possible, we use carbon neutral providers in our supply chain, such as Google, for our cloud hosting. Google is carbon neutral today, but aiming higher: their goal is to run on carbon-free energy, 24/7, at all their data centres by 2030.
Covid-19 recovery

Covid-19 recovery

Digital-first elective care pathways are crucial for healthcare organisations recovering from the COVID-19 pandemic, particularly concerning the surgical backlog. Concentric and other digital consent / econsent applications are vital in enabling digital-first elective care pathways, particularly with remote consent. The NHS features Concentric as a tool to support COVID-19 recovery.

We have been responsive to the needs of our partner organisations during the pandemic and secured Welsh Government and Innovate UK grant funding to deliver projects to support the initial response to and recovery from the pandemic.

In response to the pandemic, employees have mainly worked remotely and flexibly.
Tackling economic inequality

Tackling economic inequality

Concentric Health is a health technology startup / SME (small/medium-sized enterprise) based in Wales. Founded and based in Wales, the Company has created job opportunities in Wales and has led to international inward investment.

Since 2019, Concentric Health has been hiring team members in the high-growth digital health sector. Our recruitment practices and employment conditions aim to follow the Good Work Plan’s foundational principles of quality work: fair pay, participation and progression, voice and autonomy. We support workforce development by training existing employees and medical and technical student placements with Cardiff University.

We aim to support other SME’s across the UK and, by doing so, increase supply chain resilience and capacity. Examples include our use of co-working spaces such as Tramshed Tech and Desg in Cardiff and our Cyber security partner Sapphire.

We are willing to commit 1% of any Concentric Health contract revenue to support local communities supported by the contracting healthcare organisation. Support decisions will be made collaboratively with the healthcare organisation.
Equal opportunity

Equal opportunity

Concentric Health is committed to encouraging equality, diversity and inclusion among our workforce, and eliminating unlawful discrimination. The aim is for our workforce to be truly representative of all sections of society and our customers, and for each employee to feel respected and able to give their best. The organisation - in providing goods and/or services and/or facilities - is also committed against unlawful discrimination of customers or the public.

We publicly commit to:

- Encourage equality, diversity and inclusion in the workplace as they are good practice and make business sense
- Create a working environment free of bullying, harassment, victimisation and unlawful discrimination, promoting dignity and respect for all, and where individual differences and the contributions of all staff are recognised and valued.
- Take seriously complaints of bullying, harassment, victimisation and unlawful discrimination by fellow employees, customers, suppliers, visitors, the public and any others in the course of the organisation’s work activities.
- Make opportunities for training, development and progress available to all staff, who will be helped and encouraged to develop their full potential, so their talents and resources can be fully utilised to maximise the efficiency of the organisation.
- Make decisions concerning staff being based on merit (apart from in any necessary and limited exemptions and exceptions allowed under the Equality Act).
- Review employment practices and procedures when necessary to ensure fairness, and also update them and the policy to take account of changes in the law.
- Monitor the make-up of the workforce regarding information such as age, sex, ethnic background, sexual orientation, religion or belief, and disability in encouraging equality, diversity and inclusion, and in meeting the aims and commitments set out in the equality, diversity and inclusion policy.
Wellbeing

Wellbeing

We are committed to supporting mental health in the workplace, implementing the six standards of the ‘Mental Health at Work commitment’:

- Prioritise mental health in the workplace by developing and delivering a systematic programme of activity
- Proactively ensure work design and organisational culture drive positive mental health outcomes
- Promote an open culture around mental health
- Increase organisational confidence and capability
- Provide mental health tools and support
- Increase transparency and accountability through internal and external reporting

In 2022 we commit to providing paid-for volunteering time for all staff, to support community-led initiatives or good causes of significance to the individual.

Pricing

Price
£0.50 to £2.25 a transaction
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
A free trial is offered to any NHS Trust or Health Board for up to 6 months. Where demographic integrations can be completed using modern standards, demographic integration is included at no cost.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at daf@concentric.health. Tell them what format you need. It will help if you say what assistive technology you use.