Digital Health Passport
Our core service is a self-management and personal health record (PHR) app for children and young people with long term conditions called the Digital Health Passport. Our aim is to support the NHS in improving patient empowerment; providing patients with the skills and confidence to manage their long term conditions.
Features
- Onboarding and screening module: safe app personalisation and user assessment.
- Health tracker: Recording clinically validated patient focused and symptom measures
- Health and Emergency Action Plan: clinician approved and shareable
- Health Hacks: Health and wellbeing education resource videos and links
- Air Quality, Pollution and weather alerts: Triggered by location services
- Remote condition review: in advance medication use and health check
- Training Modules: Structured content around condition reinforced by quiz questions
- NHS App Library, Apple App Store, Google Play: Widely available
- NHS and Social Login: Secure log in
- Interoperable with FHIR based healthcare systems
Benefits
- Improving patient understanding and patient self-management
- Supports patient self-management
- Increases patient activation
- Minimising face-to-face and unnecessary appointments (follow-up management)
- Improving facilitation of knowledge and training around condition and medication
- Enhancing quality and efficiency of consultations and reviews
- Validated Behavior Change
- Moves from paper based action plans and records to digital
- Reduces unplanned hospital attendance
- Facilitates better population health management amongst Children and Young People
Pricing
£25,000 to £100,000 a licence a year
- Free trial available
Framework
G-Cloud 13
Service ID
332555238058604
Contact
Tiny Medical Apps Ltd
Matt Bourne
Telephone: 02078594169
Email: Matt@tinymedicalapps.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- NA
- System requirements
- None
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Incoming messages from users are responded to within one (1) business day.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- No
- Web chat support
- Web chat
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 AA or EN 301 549
- Web chat accessibility testing
- None.
- Onsite support
- Yes, at extra cost
- Support levels
- Please refer to service level agreement within the Service Definition
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
We provide 1-on-1 web based training and support on the DHP platform for clinical sponsor and champion and develop onboarding based on our standard onboarding workflow for the wider service. Typically we run an online webinar training session for the project sponsor, clinical sponsor and clinical champion which is recorded and made available to other team members. Links to documentation, how to’s and support are provided and linked during this session.
Patient Users are onboarded in app through an interactive module. Help and how to’s and support are accessed within the app.
The standard plan has these headings: Welcome Pack, Clinical Safety, Workshop, Information Governance Workflow, Deployment Plan, Reporting Schedule. Clinical sponsor and champion will be assigned a single point of contact within Tiny Medical Apps.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Video / MP4
- End-of-contract data extraction
- Users of the app will be notified in app that NHS supported features are to be terminated. Users can request to extract their data in line with GDPR in a portable format.
- End-of-contract process
-
On receipt of termination request we will notify the project sponsor, clinical sponsor and clinical champion by email of the service end date and confirming that access and support will be withdrawn.
Users of the app will be notified in app that the NHS supported features are to be terminated and can request to extract their data in line with GDPR in a portable format.
Once the contract has ended, unsupported app users will be logged out of NHS login and will be able to log in using social login. Their data will still be accessible and users will no longer have access to NHS supported features within the app.
Using the service
- Web browser interface
- No
- Application to install
- Yes
- Compatible operating systems
-
- Android
- iOS
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- The service is mobile only and not supported on desktop devices
- Service interface
- No
- User support accessibility
- WCAG 2.1 AAA
- API
- No
- Customisation available
- Yes
- Description of customisation
- Part of the Digital Health Passport is a section that ICS or other healthcare bodies can use to deliver their own custom content, such as links and news about local services. We can also work with customers to deliver support for new health conditions and transitions.
Scaling
- Independence of resources
- Our backend infrastructure is built on public cloud technology which has the capacity to scale automatically. Tiny Medical Apps can flexibly upgrade instances if required.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Downloads; User numbers; Active monthly users; Training module activity
- Reporting types
-
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Physical access control, complying with another standard
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Other
- Other data at rest protection approach
-
Google Cloud Platform layers encryption at an application, platform, infrastructure and hardware level.
https://cloud.google.com/docs/security/encryption/default-encryption
- Data sanitisation process
- Yes
- Data sanitisation type
- Explicit overwriting of storage before reallocation
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users can request export of data using support functions within the app. This is detailed in our privacy policy.
- Data export formats
- CSV
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
-
Our SLA available on request covers availability of the service.
A "Downtime Period" means a period of 120 consecutive seconds of Downtime. Intermittent Downtime for a period of less than 120 consecutive seconds will not be counted towards any Downtime Periods.
A Financial Credit is available where in a given calendar month service availability falls:
1. Between 99% and 99.99% - at 10% of monthly service costs.
2. Below 99% - at 25% of monthly service costs.
Customer Must Request Financial Credit
In order to receive any of the Financial Credits described above, Customer must notify TMA support within thirty days from the time Customer becomes eligible to receive a Financial Credit.
Maximum Financial Credit
The aggregate maximum number of Financial Credits to be issued will not exceed 50% of the amount due from the Customer for the Covered Service for the applicable month. Financial Credits will be made in the form of a monetary credit applied to future use of the Covered Service and will be applied within 60 days after the Financial Credit was requested.
SLA Exclusions
The SLA does not apply to any features designated Alpha or Beta (unless otherwise stated in the associated Contract).
- Approach to resilience
- Available on request
- Outage reporting
- When an estimated prolonged outage is detected we will communicate directly via an email alert to our customers with details of downtime and when the issue is resolved. This is documented in our Service Level Agreement standard operating procedure available on request.
Identity and authentication
- User authentication needed
- Yes
- User authentication
- 2-factor authentication
- Access restrictions in management interfaces and support channels
- Only designated users can access management interfaces, in line with ISO27001 (standard operating procedures cover user access control and staff training)
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
- 2-factor authentication
Audit information for users
- Access to user activity audit information
- You control when users can access audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- You control when users can access audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Alcumus ISOQAR (UKAS)
- ISO/IEC 27001 accreditation date
- 21/04/2022
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- Yes
- Any other security certifications
-
- Supplier Conformance Assessment List / NHS Login (SCAL)
- Data Security and Protection Toolkit (DSPT)
- Clinical Risk Management (DCB 0129)
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- Our security policy and processes are audited internally and externally by an ISMS ISO27001 auditor. We follow the Data Security and Protection Toolkit to provide assurance that we are practising good information security and that personal information is handled correctly.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
Operations Security Change Management is governed by our ISO 27001 accredited SOP (TMA-SOP-GA12-CMP - Operations Security - Change Management Procedure).
Request For Changes (RFCs) are routed to the SIRO who acts as the first filter looking at impacts to information security and other business impacts. After that our Clinical Director or Clinical Safety Officer will assess clinical impacts and impacts on clients and end-users. Finally our Product Owner will assess the RFC’s impact on the product and roadmap. If approved these changes are scored using ICE and added to JIRA with a priority.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
Operations Security Management is governed by our ISO 27001 accredited SOP (TMA-SOP-GA12 - Operational Security).
We take a number of approaches to mitigate threats. These approaches are documented, monitored and audited.
All assets and services are managed in the cloud using providers that meet ISO27001. These platforms are automatically patched.
We perform regular penetration tests on all our APIs.
TMA automate vulnerability scanning across their internet-facing APIs.
During our Cyber Essentials + accreditation we check that Operating Systems are configured to automatically patch all vulnerabilities.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- Our cloud-only approach facilitates a zero-trust architecture which significantly mitigates the issues of traditional ICT. Access to secure platforms is enforced with 2FA and Access Controls are backed up with fully featured auditing and monitoring baked into Google Cloud Platform. Sensitive data is encrypted at rest and cannot be viewed without authenticating via audited APIs. We use honeypot emails and a subscription to a breach alert system to further alert us of a potential incident. How we respond and how we communicate is governed by our TMA-SOP-E011 - Incident Management and TMA-SOP-G004 - Business Continuity SOPs.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
-
Our IM process is governed by TMA-SOP-GA16 - Information-Security-Incident-Management and TMA-SOP-GA17 - Information-Security-Aspects-of-Business-Continuity-Management SOPs.
The stages are: Logging & Triage, Engagement, Risk Assessment, Replication, Root Cause Analysis & CAPA, Risk Management, Delivery, Closure.
Our Business Continuity Plans guide us through the most common scenarios and are tested annually. Users can report incidents by email, through the chat form on our website and portal or by phone.
Our SOPs outline requirements in terms of reporting to ICO and requirements to customers.
The incident owner will provide tactical calls to impacted stakeholders (engagement phase) followed by a full report (closure phase).
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Fighting climate change
-
The environment and net zero
This service will help meet targets for net zero by supporting several vital areas identified in the report.
Digital care pathway redesign
Low-carbon models of care
Preventative medicine and reduced health inequalities
Shift to low carbon inhalers
Digital care pathway redesign
Sustainable care pathway calculators are increasingly being used to analyse existing care pathways and compare the impact of making changes, such as bringing services closer to home (including remote) and a greater focus on prevention. A Level 3 Digital Health Passport implementation can bring all of this together via digital care pathway redesign.
Low-carbon models of care
4% of the NHS carbon footprint is accounted for by road travel by patients. In many cases remote monitoring and virtual consultations can replace location-based appointments. 5.4 million patients in the UK should be receiving an annual asthma review. A significant number of these can be replaced with a digital questionnaire and (if required) remote follow-up.
Preventative medicine and reduced health inequalities
An increased focus on prevention not only provides a way to combat distressingly poor outcomes in CYP asthma care (where most asthma exacerbations and deaths are preventable). It is also a way to reduce demand on primary care and emergency care services in a system already stretched by Covid.
Shift to low carbon inhalers
The NHS Long Term Plan set targets to deliver significant and accelerated reductions in the total emissions from the NHS by moving to lower carbon inhalers, such as dry powder inhalers (DPIs). This move will need buy-in from clinical leads, frontline clinicians and patients. In working with the NHS England and NHS Improvement Children and Young People’s Transformation Programme this service will improve knowledge in how this can be achieved.
- Covid-19 recovery
-
Covid-19 recovery - reducing the backlog
Asthma UK estimated over 650,000 asthma reviews were missed in the first 3 months of the lockdown and there remains significant pressure on primary care.
A level 3 Digital Health Passport service can improve efficiency and effectiveness of the review process by the following means.
Time is saved by allowing patients to complete core data collection in advance of the annual review appointment (for example Asthma Control Test scores).
Patient data can be fed into the clinical workstream using established methods (eg DocMan).
Some patients can avoid reviews altogether if their symptoms are under control and reported as such to GPs using validated scores.
Pre-review questionnaires mean the primary care services can triage face to face appointments for those who need it most. Remote review has been demonstrated to be an effective intervention in studies to date. https://www.ed.ac.uk/usher/aukcar/news/news-stories/2022/remote-support-asthma-self-management-acceptable
Positive benefits associated with remote asthma consultations include:
increased convenience
improved access (including for some vulnerable groups) and attendance at reviews,
ability to assess the core content of asthma remotely (especially video reviews that enabled practical tasks such as checking inhaler technique),
completion of asthma action plans (screen sharing or discussed with documents sent post consultation)
continuity of care
- Tackling economic inequality
-
Digital inclusion and health inequality
TMA’s definition of digital inclusion is as broad as possible and is a primary focus of this service. TMA are interested in anything that might be a barrier to access and engagement for our diverse asthma population.
It is listed at the top of the risk register as “Failure to provide equitable delivery to underserved communities.”
It is a key dimension of the evaluation when looking at patient activation.
TMA starts from the premise that asthma disproportionately impacts communities suffering high levels of deprivation and simply offering access to a platform equally will not deliver equal uptake and engagement.
TMA uses deprived interchangeably with the CORE20Plus definition (NHSE, 2021). As with the rest of the project we approach it through the lens of the NASSS Framework. In particular the domains:
Condition - Asthma impacts high density urban and deprived communities disproportionately.
Adopters - Children and young people from deprived communities will need to see greater engagement by NHS organisations to see the same levels of uptake.
Organisations - Will be challenged to provide targeted engagement to help tackle digital inclusion. For example organising one-to-one onboarding in targeted GP practices.
Technology - The Digital Health Passport has a small download size and requires limited data access.
Removing obstacles to digital inclusion is essential to a number of core ICS priorities including:
prevention
self care
shared care and shared decision making
long term condition management
appropriate use of urgent and emergency care
- Equal opportunity
-
Digital inclusion and health inequality
TMA’s definition of digital inclusion is as broad as possible and is a primary focus of this service. TMA are interested in anything that might be a barrier to access and engagement for our diverse asthma population.
It is listed at the top of the risk register as “Failure to provide equitable delivery to underserved communities.”
It is a key dimension of the evaluation when looking at patient activation.
TMA starts from the premise that asthma disproportionately impacts communities suffering high levels of deprivation and simply offering access to a platform equally will not deliver equal uptake and engagement.
TMA uses deprived interchangeably with the CORE20Plus definition (NHSE, 2021). As with the rest of the project we approach it through the lens of the NASSS Framework. In particular the domains:
Condition - Asthma impacts high density urban and deprived communities disproportionately.
Adopters - Children and young people from deprived communities will need to see greater engagement by NHS organisations to see the same levels of uptake.
Organisations - Will be challenged to provide targeted engagement to help tackle digital inclusion. For example organising one-to-one onboarding in targeted GP practices.
Technology - The Digital Health Passport has a small download size and requires limited data access.
Removing obstacles to digital inclusion is essential to a number of core ICS priorities including:
prevention
self care
shared care and shared decision making
long term condition management
appropriate use of urgent and emergency care
- Wellbeing
-
Improving health outcomes is core to the service
Pricing
- Price
- £25,000 to £100,000 a licence a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- The Digital Health Passport is available to download from the Apple App Store and Google Play. The free version does not have interoperability with clinical systems or care plans but does show the range of functionality including pollution and weather alerts, health hacks and health trackers.