My Medical Record
My Medical Record is a patient online service predicated on an open personal health record platform. It provides NHS patients with access to their data and information to support remote or virtual follow-up, improving patient experience and delivering service efficiencies.
Features
- Remote access via any internet enabled browser
- Able to link to hospital systems for data integrity
- Automated backup service
- Scheduled automated reporting
- One system accessible by both clinicians and patients
- Scalable solution able to handle high volumes of patients
- Two way secure messaging built into the system
- Easy integration with other systems
- Secure multifactor authentication for sign up
- System develop using industry standard tools
Benefits
- Available from any internet connected browser
- Allows real time communication between clinicians and patients
- Easy to use system for patients
- Ensures patients are put on treatment and not missed
- Easy access to patients lab and radiology results
- Easy access to information about patients condition
- Secure messaging between clinicians and patients
- Single easy to use portal holding all patient information
- Health surveys reduce unnecessary visits to hospital
- Automation of results reduces manual tasks
Pricing
£10,000 to £20,000 an instance a year
Service documents
Request an accessible format
Framework
G-Cloud 13
Service ID
3 5 7 3 4 9 0 5 8 6 4 0 6 5 6
Contact
University Hospital Southampton NHS Foundation Trust
Carl Maskelyne
Telephone: 07387076076
Email: mymrenquiries@uhs.nhs.uk
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Public cloud
- Service constraints
- None
- System requirements
-
- Internet access (wi-fi or 3G or above) from your device
- Microsoft Internet Explorer 11 or above
- Microsoft Edge
- Apple Safari version 10.15 for Mac or3.2.1 for Windows
- Google Chrome version 100.0.4896 or above
- Firefox version version 99.0 or above
- Opera Mobile version 1.4.0 iOS and version 1.4.11 Android
- Opera Desktop version 83.0.4254.70 for Windows or Mac
- Available from laptop, desktop, tablet or mobile device
- Mobile phone number for authentication purposes (advisable)
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Response times are typically within an hour during normal office hours (Monday-Friday 9am-5pm) excluding bank holidays.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
My Medical Record has three levels of support.
There are no additional costs for accessing different levels of support as this access is provided as part of the ongoing maintenance agreement. This also includes hosting and access to any technical resources.
All customers have an account manager who can call upon product support specialists and developers as required.
Level one support can handle basic support queries and fixes.
Level two support is provided by our technical team for issues that may require some form of development or a technical change.
Level three support is provided by our senior team of product managers and developers. These support issues can be more complex or require developers to implement. - Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
Upon contract award we set up a formal project plan with the customer.
We have a fully documented implementation process which we go through with all new customers including development of a user requirement document detailing all development requirements for the system. Where integration is required to populate either patient demographics or results a sub-project team is set up with required personnel both at My Medical Record and the customers. Once all documentation is complete the system will be developed in line with the specification following a robust quality assurance process and extensive internal acceptance before passing the system to the user for final testing.
As part of this plan we provide users with full training to use the system. The system is relatively intuitive so online training is typically 2 hours and in undertaken in small groups of users on Teams or Zoom conference calls. Prior to COVID we visited sites to train users but as most of our customers are NHS hospitals most prefer us not to visit unnecessarily. - Service documentation
- Yes
- Documentation formats
-
- HTML
- ODF
- End-of-contract data extraction
- At the end of the contract if the customer wishes to move to another supplier we will work with the customer and new supplier to migrate all data in a safe and efficient manner as required. This will be in a structured format for import into any future systems.
- End-of-contract process
- At the end of any contract we recognise that the data held is owned by the customer. As such we undertake an export of all key patient information and provide this securely to the NHS trust in question as required. Once this is completed and accepted as valid by the customer we would delete all data in line with requirements under the data protection act. There are no additional charges for this work unless the data is to be supplied in a specific format. This would incur costs based on the time needed to complete this.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- The system includes all of the same functionality but is responsive to the device accessing the service. My Medical Record has a 'mobile first' design and so automatically optimises when mobile devices are used to access the service.
- Service interface
- No
- User support accessibility
- WCAG 2.1 AAA
- API
- Yes
- What users can and can't do using the API
-
My Medical Record have a team dedicated to integration with other systems. We are able to integrate through SDK/HL7/FHIR API.
Our open APIs enable pull/push with third party systems for all patient data, including dedicate APIs for checking if patients exist on the platform and registering new patients.
All integration work is managed by a dedicated team that work in conjunction with the customers technical team.
Subsequent changes to these links should be raised formally through a change request document. This work will then be completed working closely to the customers technical team. - API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
All aspects of the content and layout are configurable and we work with our customers to define what is best for them.
Additionally, protocols for healthcare professionals to follow in the treatment of patients can be configured as per local clinical guidelines. There are also templates that can be customised as required and this includes customisation of letter templates for patients.
The front page can be updated with the customers imagery, logo's and colour scheme.
All of these changes are made by the My Medical Record team at the request of the customer, typically at no additional cost.
Scaling
- Independence of resources
-
Our service runs on the Microsoft Azure platform. This enables us to easily and quickly scale up the service to meet any unexpected demand. We are able to dynamically increase bandwidth, storage space, memory allocation and processor power.
The applications have been load tested to handle millions of patient records.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
The system has real-time metrics showing number of users, this includes usage/activity, active users, suspended, recalled, discharged and deceased patients.
There are many automated reports generated on a monthly basis showing system information and patients who have red flags indicating they have outstanding actions for their treatments. Where customers have a need for further bespoke reporting we can generate these reports either as one off ad hoc reports or automated monthly/weekly reports. Any data held within the system can be reported on. - Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- In-house
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
-
Currently no users have moved from our system but the process should anyone wish to move is as follows:
1. Provide a minimum of 1 month notice requesting a copy of the data.
2. If data is required in a bespoke format a quote and timeline will be sent to the customer.
3. If the data is to be provided the My Medical Record Team will process this within a month and supply this in a secure manner to the customer. - Data export formats
-
- CSV
- ODF
- Data import formats
-
- CSV
- ODF
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- The My Medical Record is hosted on the Microsoft Azure platform which guarantees 99.9% availability. The application itself it supported by a dedicated team who manage availability with the customer based on an agreed SLA.
- Approach to resilience
- My Medical Record is professionally hosted in the Microsoft Azure platform, offering very high levels of resilience. The failover and backup plans inherent within the cloud platform reduce the risk of significant/prolonged outage. Where additional resources are needed the team in Southampton are able to increase allocated memory, storage space, processing power or bandwidth. This can be done instantly through the online Azure portal.
- Outage reporting
- All outages are reported directly to customers via email with regular updates throughout any breaks in service. Additional information about the outage and expected resolution times are supplied once they can be ascertained.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Limited access network (for example PSN)
- Username or password
- Access restrictions in management interfaces and support channels
- There is only limited management functionality but where this exists this is done via user permissions. All users access is via a username and password.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- Limited access network (for example PSN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- Between 1 month and 6 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- Yes
- Any other security certifications
- NHS DSPT toolkit
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
We have been assessed by NHS Digital as conforming to the Interoperability Toolkit (ITK) and are connected for MESH.
We have self-assessed against the NHS Digital Data Security and Protection Toolkit Standard - standards met.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
-
All changes to the system are tracked through a change control process. Changes to the system are undertaken in a development environment before being applied to a pre-production system for testing. Once fully tested for any potential security impact these are then deployed to the live server. At all times the servers are monitored for any suspicious activity.
Customers are engaged in QA processes and testing where relevant and our entire system is subject to regular penetration testing. - Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
The team at My Medical Record have access to full audit logs at both server and application level and we have proactive monitoring processing this data and alerting as required. Where there any potential threat is identified via the support team address such threats. All server level security threats are patched immediately by Microsoft through the Azure Platform.
Our entire system is subjected to regular penetration testing. - Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
-
Monitoring of the My Medical Record system is predominantly undertaken through the Microsoft Azure platform dashboard. Here we are able to identify any unusual or suspicious activity. If a security concern is identified this is investigated immediately. Where the threat is of particular concern we would take systems offline temporarily whilst the risk is eliminated.
The entire systems is subjected to regular penetration testing. - Incident management type
- Supplier-defined controls
- Incident management approach
- All incidents reported to the My Medical Team are fully investigated. Customers are given clear timelines for the investigation and at this point a full detailed report on the incident is provided to the customer along with recommendations for resolutions as needed.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- Yes
- Connected networks
- NHS Network (N3)
Social Value
- Fighting climate change
-
Fighting climate change
University Hospitals Southampton have a three year Green Plan which can be viewed here: https://www.uhs.nhs.uk/about-the-trust/about-uhs/sustainable-uhs - Covid-19 recovery
-
Covid-19 recovery
As an organisation Southampton University Hospitals NHS Foundation Trust has been at the forefront of the fight against COVID-19. In particular the My Medical Record application has enabled patients receiving many different forms of treatment to be managed without the need to visit hospitals and see consultants. This has enabled clinicians to focus on supporting patients with the greatest need during the pandemic. - Tackling economic inequality
-
Tackling economic inequality
As an NHS organisation we provide free healthcare to all irrespective of financial status. As a supplier of software to other NHS trusts we can ensure that we keep costs to a minimum allowing these organisations to channel more funds back into direct healthcare provision in their localities. - Equal opportunity
-
Equal opportunity
UHS is committed to developing a culture that embeds the effective management of equality, diversity and inclusivity in all that we do; providing the necessary resources and leadership to make this happen.
By commissioning annual reports on our workforce we can ensure that this object in not merely a paper exercise but is actually enforced. - Wellbeing
-
Wellbeing
As an organisation we promote wellbeing to both our patients and our staff. Internally there is a team of people and online resources available to ensure that all staff have access to any support they need easily and quickly.
Pricing
- Price
- £10,000 to £20,000 an instance a year
- Discount for educational organisations
- No
- Free trial available
- No