Tiny Medical Apps Ltd

Digital Health Passport

Our core service is a self-management and personal health record (PHR) app for children and young people with long term conditions called the Digital Health Passport. Our aim is to support the NHS in improving patient empowerment; providing patients with the skills and confidence to manage their long term conditions.

Features

  • Onboarding and screening module: safe app personalisation and user assessment.
  • Health tracker: Recording clinically validated patient focused and symptom measures
  • Health and Emergency Action Plan: clinician approved and shareable
  • Health Hacks: Health and wellbeing education resource videos and links
  • Air Quality, Pollution and weather alerts: Triggered by location services
  • Remote condition review: in advance medication use and health check
  • Training Modules: Structured content around condition reinforced by quiz questions
  • NHS App Library, Apple App Store, Google Play: Widely available
  • NHS and Social Login: Secure log in
  • Interoperable with FHIR based healthcare systems

Benefits

  • Improving patient understanding and patient self-management
  • Supports patient self-management
  • Increases patient activation
  • Minimising face-to-face and unnecessary appointments (follow-up management)
  • Improving facilitation of knowledge and training around condition and medication
  • Enhancing quality and efficiency of consultations and reviews
  • Validated Behavior Change
  • Moves from paper based action plans and records to digital
  • Reduces unplanned hospital attendance
  • Facilitates better population health management amongst Children and Young People

Pricing

£25,000 to £100,000 a licence a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Matt@tinymedicalapps.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

332555238058604

Contact

Tiny Medical Apps Ltd
Matt Bourne
Telephone: 02078594169
Email: Matt@tinymedicalapps.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
NA
System requirements
None

User support

Email or online ticketing support
Email or online ticketing
Support response times
Incoming messages from users are responded to within one (1) business day.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
No
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
None.
Onsite support
Yes, at extra cost
Support levels
Please refer to service level agreement within the Service Definition
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provide 1-on-1 web based training and support on the DHP platform for clinical sponsor and champion and develop onboarding based on our standard onboarding workflow for the wider service. Typically we run an online webinar training session for the project sponsor, clinical sponsor and clinical champion which is recorded and made available to other team members. Links to documentation, how to’s and support are provided and linked during this session.
Patient Users are onboarded in app through an interactive module. Help and how to’s and support are accessed within the app.

The standard plan has these headings: Welcome Pack, Clinical Safety, Workshop, Information Governance Workflow, Deployment Plan, Reporting Schedule. Clinical sponsor and champion will be assigned a single point of contact within Tiny Medical Apps.
Service documentation
Yes
Documentation formats
  • HTML
  • Other
Other documentation formats
Video / MP4
End-of-contract data extraction
Users of the app will be notified in app that NHS supported features are to be terminated. Users can request to extract their data in line with GDPR in a portable format.
End-of-contract process
On receipt of termination request we will notify the project sponsor, clinical sponsor and clinical champion by email of the service end date and confirming that access and support will be withdrawn.
Users of the app will be notified in app that the NHS supported features are to be terminated and can request to extract their data in line with GDPR in a portable format.
Once the contract has ended unsupported app users will be logged out of NHS login and will be able to login using social login. Their data will still be accessible and users will no longer have access to NHS supported features within the app.

Using the service

Web browser interface
No
Application to install
Yes
Compatible operating systems
  • Android
  • iOS
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The service is mobile only and not supported on desktop devices
Service interface
No
User support accessibility
WCAG 2.1 AAA
API
No
Customisation available
Yes
Description of customisation
Part of the Digital Health Passport is a section that ICS or other healthcare bodies can use to deliver their own custom content, such as links and news about local services. We can also work with customers to deliver support for new health conditions and transitions.

Scaling

Independence of resources
Our backend infrastructure is built on public cloud technology which has the capacity to scale automatically. Tiny Medical Apps can flexibly upgrade instances if required.

Analytics

Service usage metrics
Yes
Metrics types
Downloads; Users numbers; Active monthly users; Training module activity
Reporting types
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Google Cloud Platform layers encryption at an application, platform, infrastructure and hardware level.
https://cloud.google.com/docs/security/encryption/default-encryption
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can request export of data using support functions within the app. This is detailed in our privacy policy.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Our SLA available on request covers availability of the service.

A "Downtime Period" means a period of 120 consecutive seconds of Downtime. Intermittent Downtime for a period of less than 120 consecutive seconds will not be counted towards any Downtime Periods.

A Financial Credit is available where in a given calendar month service availability falls:
1. Between 99% and 99.99% - at 10% of monthly service costs.
2. Below 99% - at 25% of monthly service costs.

Customer Must Request Financial Credit
In order to receive any of the Financial Credits described above, Customer must notify TMA support within thirty days from the time Customer becomes eligible to receive a Financial Credit.

Maximum Financial Credit
The aggregate maximum number of Financial Credits to be issued will not exceed 50% of the amount due from the Customer for the Covered Service for the applicable month. Financial Credits will be made in the form of a monetary credit applied to future use of the Covered Service and will be applied within 60 days after the Financial Credit was requested.

SLA Exclusions
The SLA does not apply to any features designated Alpha or Beta (unless otherwise stated in the associated Contract).
Approach to resilience
Available on request
Outage reporting
When an estimated prolonged outage is detected we will communicate directly via an email alert to our customers with details of downtime and when the issue is resolved. This is documented in our Service Level Agreement standard operating procedure, available on request.

Identity and authentication

User authentication needed
Yes
User authentication
2-factor authentication
Access restrictions in management interfaces and support channels
Only designated users can access management interfaces, in line with ISO27001 (standard operating procedures cover user access control and staff training)
Access restriction testing frequency
At least every 6 months
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus ISOQAR (UKAS)
ISO/IEC 27001 accreditation date
21/04/2022
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • Supplier Conformance Assessment List / NHS Login (SCAL)
  • Data Security and Protection Toolkit (DSPT)
  • Clinical Risk Management (DCB 0129)

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Our security policy and processes are audited internally and externally by an ISMS ISO27001 auditor. We follow the Data Security and Protection Toolkit to provide assurance that we are practising good information security and that personal information is handled correctly.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Operations Security Change Management is governed by our ISO 27001 accredited SOP (TMA-SOP-GA12-CMP - Operations Security - Change Management Procedure).
Requests for Change (RFCs) are routed to the SIRO, who acts as the first filter looking at impacts to information security and other business impacts. After that our Clinical Director or Clinical Safety Officer will assess clinical impacts and impacts on clients and end-users. Finally our Product Owner will assess the RFC’s impact on the product and roadmap. If approved these changes are scored using ICE and added to JIRA with a priority.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Operations Security Management is governed by our ISO 27001 accredited SOP (TMA-SOP-GA12 - Operational Security).
We take a number of approaches to mitigate threats. These approaches are documented, monitored and audited.
All assets and services are managed in the cloud using providers that meet ISO27001. These platforms are automatically patched.
We perform regular penetration tests on all our APIs.
TMA automate vulnerability scanning across their internet-facing APIs.
During our Cyber Essentials + accreditation we check that Operating Systems are configured to automatically patch all vulnerabilities.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Our cloud-only approach facilitates a zero-trust architecture which significantly mitigates the issues of traditional ICT. Access to secure platforms is enforced with 2FA and Access Controls are backed up with fully featured auditing and monitoring baked into Google Cloud Platform. Sensitive data is encrypted at rest and cannot be viewed without authenticating via audited APIs. We use honeypot emails and a subscription to a breach alert system to further alert us of a potential incident. How we respond and how we communicate is governed by our TMA-SOP-E011 - Incident Management and TMA-SOP-G004 - Business Continuity SOPs.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Our IM process is governed by TMA-SOP-GA16 - Information-Security-Incident-Management and TMA-SOP-GA17 - Information-Security-Aspects-of-Business-Continuity-Management SOPs.
The stages are: Logging & Triage, Engagement, Risk Assessment, Replication, Root Cause Analysis & CAPA, Risk Management, Delivery, Closure.
Our Business Continuity Plans guide us through the most common scenarios and are tested annually. Users can report incidents by email, through the chat form on our website and portal or by phone.
Our SOPs outline requirements in terms of reporting to ICO and requirements to customers.
The incident owner will provide tactical calls to impacted stakeholders (engagement phase) followed by a full report (closure phase).

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

The environment and net zero

This service will help meet targets for net zero by supporting several vital areas identified in the report.

  • Digital care pathway redesign
  • Low-carbon models of care
  • Preventative medicine and reduced health inequalities
  • Shift to low carbon inhalers

Digital care pathway redesign

Sustainable care pathway calculators are increasingly being used to analyse existing care pathways and compare the impact of making changes, such as bringing services closer to home (including remote) and a greater focus on prevention. A Level 3 Digital Health Passport implementation can bring all of this together via digital care pathway redesign.

Low-carbon models of care
4% of the NHS carbon footprint is accounted for by road travel by patients. In many cases remote monitoring and virtual consultations can replace location-based appointments. 5.4 million patients in the UK should be receiving an annual asthma review. A significant number of these can be replaced with a digital questionnaire and (if required) remote follow-up.

Preventative medicine and reduced health inequalities
An increased focus on prevention not only provides a way to combat distressingly poor outcomes in CYP asthma care (where most asthma exacerbations and deaths are preventable). It is also a way to reduce demand on primary care and emergency care services in a system already stretched by Covid.

Shift to low carbon inhalers
The NHS Long Term Plan set targets to deliver significant and accelerated reductions in the total emissions from the NHS by moving to lower carbon inhalers, such as dry powder inhalers (DPIs). This move will need buy-in from clinical leads, frontline clinicians and patients. In working with the NHS England and NHS Improvement Children and Young People’s Transformation Programme this service will improve knowledge in how this can be achieved.
Covid-19 recovery

Covid-19 recovery - reducing the backlog

Asthma UK estimated over 650,000 asthma reviews were missed in the first 3 months of the lockdown and there remains significant pressure on primary care.
A level 3 Digital Health Passport service can improve efficiency and effectiveness of the review process by the following means.
Time is saved by allowing patients to complete core data collection in advance of the annual review appointment (for example Asthma Control Test scores).
Patient data can be fed into the clinical workstream using established methods (eg DocMan).
Some patients can avoid reviews altogether if their symptoms are under control and reported as such to GPs using validated scores.
Pre-review questionnaires mean the primary care services can triage face to face appointments for those who need it most. Remote review has been demonstrated to be an effective intervention in studies to date. https://www.ed.ac.uk/usher/aukcar/news/news-stories/2022/remote-support-asthma-self-management-acceptable
Positive benefits associated with remote asthma consultations include:
  • increased convenience
  • improved access (including for some vulnerable groups) and attendance at reviews
  • ability to assess the core content of asthma remotely (especially video reviews that enabled practical tasks such as checking inhaler technique)
  • completion of asthma action plans (screen sharing or discussed with documents sent post consultation)
  • continuity of care
Tackling economic inequality

Digital inclusion and health inequality
TMA’s definition of digital inclusion is as broad as possible and is a primary focus of this service. TMA are interested in anything that might be a barrier to access and engagement for our diverse asthma population.
It is listed at the top of the risk register as “Failure to provide equitable delivery to underserved communities.”
It is a key dimension of the evaluation when looking at patient activation.
TMA starts from the premise that asthma disproportionately impacts communities suffering high levels of deprivation and simply offering access to a platform equally will not deliver equal uptake and engagement.
TMA uses deprived interchangeably with the CORE20Plus definition (NHSE, 2021). As with the rest of the project we approach it through the lens of the NASSS Framework. In particular the domains:
  • Condition - Asthma impacts high density urban and deprived communities disproportionately.
  • Adopters - Children and young people from deprived communities will need to see greater engagement by NHS organisations to see the same levels of uptake.
  • Organisations - Will be challenged to provide targeted engagement to help tackle digital inclusion. For example organising one-to-one onboarding in targeted GP practices.
  • Technology - The Digital Health Passport has a small download size and requires limited data access.
Removing obstacles to digital inclusion is essential to a number of core ICS priorities including:
  • prevention
  • self care
  • shared care and shared decision making
  • long term condition management
  • appropriate use of urgent and emergency care
Equal opportunity

Digital inclusion and health inequality
TMA’s definition of digital inclusion is as broad as possible and is a primary focus of this service. TMA are interested in anything that might be a barrier to access and engagement for our diverse asthma population.
It is listed at the top of the risk register as “Failure to provide equitable delivery to underserved communities.”
It is a key dimension of the evaluation when looking at patient activation.
TMA starts from the premise that asthma disproportionately impacts communities suffering high levels of deprivation and simply offering access to a platform equally will not deliver equal uptake and engagement.
TMA uses deprived interchangeably with the CORE20Plus definition (NHSE, 2021). As with the rest of the project we approach it through the lens of the NASSS Framework. In particular the domains:
  • Condition - Asthma impacts high density urban and deprived communities disproportionately.
  • Adopters - Children and young people from deprived communities will need to see greater engagement by NHS organisations to see the same levels of uptake.
  • Organisations - Will be challenged to provide targeted engagement to help tackle digital inclusion. For example organising one-to-one onboarding in targeted GP practices.
  • Technology - The Digital Health Passport has a small download size and requires limited data access.
Removing obstacles to digital inclusion is essential to a number of core ICS priorities including:
  • prevention
  • self care
  • shared care and shared decision making
  • long term condition management
  • appropriate use of urgent and emergency care
Wellbeing

Improving health outcomes is core to the service

Pricing

Price
£25,000 to £100,000 a licence a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
The Digital Health Passport is available to download from the Apple App Store and Google Play. The free version does not have interoperability with clinical systems or care plans but does show the range of functionality including pollution and weather alerts, health hacks and health trackers.
