Ampersand Health

My Arthritis

My Arthritis is a remote patient monitoring platform for rheumatology departments. It combines a digital app for patients and a fully integrated clinician service, supporting the collection of PROMs, bloods and other data to support safer out of hospital care (e.g. PIFU, See-on-Symptoms).

Features

• Care plan management and monitoring
• Patient Reported Outcome Measures
• At home faecal calprotectin testing
• At home blood testing
• FHIR and HL7.2 based integration engine
• Wearable and connected device integrations
• Secure clinical messaging
• Patient self management app
• Medically reviewed educational content
• Fully evidenced business case

Benefits

• Safely reduce clinic burden by 33-47%
• Effectively reduce A&E visits by 50-89%
• Shift management from nurses (band 7/8) to administrators (band 3/4)
• Support improved mental health for patients
• Support improved self management for patients
• Identify patients who qualify for / require scoping
• Identify patients who qualify for clinical trials
• Reduce helpline noise through automated clinical messaging
• Enable group messaging for more efficient comms
• Data and reporting to support quality improvement

£18,000 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nader@ampersand.health. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

380505577624929

Contact

Nader Alaghband
02071127100
nader@ampersand.health

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Cerner, Patient Knows Best, Apple Health, Google Fit and other third party patient records.
• Cloud deployment model: Public cloud
• Service constraints: There are no such constraints.
• System requirements:
  • Operates in the latest version of all widely used browsers
  • Operates on Android 6+
  • Operates on iOS 11+

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 2 hours in working hours (M-F 8-8). ; ; Within 24 hours on weekends.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our standard support package includes online training and phone and email support. Additional, bespoke options, including onsite training are available on a negotiated basis.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Ampersand Health has developed a comprehensive Deployment Guide that we share with our customers and which forms the basis of a shared Implementation/Project Plan.; ; The customer will be provided with a designated Account Manager who will be their primary point of contact.; ; Online training is provided with all clinical stakeholders, particularly Clinical Nurse Specialists and Digital Health Navigators. This is emphasised in the first 3 months of the contract start and includes training on the clinical platform as well as how to ensure embeddedness, routinisation and patient adoption. ; ; Quarterly, refresher online training is provided following the initial 3 months. Recorded webinars are also available. A Quick Start Guide and workflow diagrams are also provided, so Clinical Nurse Specialists and other users are clear when they should be responding to patient data submissions and how this is incorporated into their workflow.; ; We offer in person training if required at an additional cost.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Trusts request a data extract, which Ampersand can provide in Json, CSV and other formats as required. The data extract can be downloaded by the trust via SFTP or our secure cloud.
• End-of-contract process: At the end of the contract, the trust can obtain its data on demand. Trust staff logins are decommissioned and access is withdrawn.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: For clinicians, the mobile app allows access to the patient record and messaging tools, but not the cohorting and to-do list features.; ; For patients, the mobile app is the primary means of accessing the service but very limited services (password reset, support tickets) can be raised on the web.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: All functionality is available via APIs and an integration layer that uses HL7.2 and FHIR to enable EPR and PBI integrations.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: All data collection can be customised including questionnaires, POC test requests, and lifestyle trackers.; ; Care plans can be customised to reflect each trust's specific situation.; ; Custom lists can be created using any data-type in the system.; ; All these customisations are available to trusts through config tools and interfaces in the product, but which are typically implemented by Ampersand in our administrator portal at clinical teams' request.

Scaling

• Independence of resources: We use Microsoft Azure with autoscaling and load balancing capabilities.

Analytics

• Service usage metrics: Yes
• Metrics types: Standard reporting is available to all trusts. This includes information about patient sign up, patient demographics, survey results, care plan compliance, engagement with PROMs, engagement with POC tests and other information.
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: Sensitive data is anonymised and identifiers are encrypted.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Trusts can export patient data on a per-patient basis using our self service tools. We can supply data for BI teams via secure transfer and APIs.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Json
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: 99.95%, aligned with Microsoft Azure SLA.
• Approach to resilience: Microsoft Azure is designed for resilience and high availability through a combination of infrastructure design, redundancy, and disaster recovery strategies.
• Outage reporting: Email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Access Control Layer in place; Username and password plus 2FA to login; IP Whitelisting
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Description of management access authentication: IP Whitelisting

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO 13485
  • Digital Technology Assessment Criteria (DTAC)
  • Data Security and Protection Toolkit (DSPT)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Microsoft Azure SLA applies.
• Information security policies and processes: Our information security policies and processes emphasise stringent compliance and robust data protection in a cloud environment. ; ; ISO 13485, focusing on medical devices' quality management systems, requires systematic risk management and strict data controls. Our ISMS standard operating procedures are managed within our QMS as controlled documents. All operating procedures and policies are signed off at the executive level and training is managed and documented through our QMS. The ISMS SOP and policy documents are reviewed and revised quarterly. Operating procedure documents include the following: - Software configuration management - Server security and hardening standards - Security incident management - Implementing and managing audit trails - Business continuity - Server decommissioning - Network creation and secure access - Authorised access and controls to secured data assets.; ; Moreover, we use Azure's advanced security features, adherence to global standards, and resilient infrastructure to ensure secure data handling, protect sensitive health information, and maintain high availability, while also facilitating continuous improvement and compliance with regulatory requirements.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our ISO 13485 QMS enables the registration and full lifecycle tracking of components in-house. The sections of the policy include ; ; (a) Identify & Justify; (b) Review; (c) Finalise; (d) Document; (e) Communicate; ; (Please request to see AP425, EP739 for policy detail).; ; Server-side, Azure reviews and updates configuration settings and baseline configurations of hardware, software, and network devices annually. Changes are developed, tested, and approved prior to entering the production environment from a development and/or test environment.; The baseline configurations that are required for Azure-based services are reviewed by the Azure security and compliance team and by service teams.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Microsoft Azure's vulnerability management process is a comprehensive approach to protect its services from potential threats. This process involves several key steps described here and elsewhere: https://azure.microsoft.com/en-us/products/defender-for-cloud/
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: We use Azure's active monitoring tools, including MS Monitoring Agent and System Center Operations Manager. These tools are configured to provide time alerts to Azure security personnel in situations that require immediate action.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Microsoft implements a security incident management process to facilitate a coordinated response to incidents, should one occur.; ; If Microsoft becomes aware of unauthorized access to customer data that's stored on its equipment or in its facilities, Microsoft takes the following actions:; Promptly notifies the customer of the security incident.; Promptly investigates the security incident and provides customers detailed information about the security incident.; Takes reasonable and prompt steps to mitigate the effects and minimize any damage resulting from the security incident.; An incident management framework has been established that defines roles and allocates responsibilities.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  The model of PIFU that we support results in significant reductions in travel and reduced estate emissions, both of which contribute to the NHS's Net Zero objectives. ; ; Our environmental impact is quantified and published in line with NHS Outpatient Transformation modelling.

  Covid-19 recovery

  Our software / pathways are designed to address Elective Recovery directly by helping free up capacity to see more new patients. ; ; Our impact on elective recovery is quantified and published.

  Tackling economic inequality

  The cost of time taken off work to visit hospital disproportionately affects lower SES groups. Our pathways enable patients to receive care outside a hospital setting, which means taking less time off work.

  Equal opportunity

  Our system makes access to healthcare fairer, ensuring that people are prioritised and seen in line with their clinical needs, instead of based on other non-objective criteria.

  Wellbeing

  Our platform supports improved patient self management and activation in their healthcare. ; ; Our outcomes are quantified and published across numerous studies.

Pricing

• Price: £18,000 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nader@ampersand.health. Tell them what format you need. It will help if you say what assistive technology you use.