MD CONSENTS LIMITED

Fertility Consent

Fertility Consent is a secure, online platform for fertility clinics to deliver a robust and efficient informed consent process to patients. By automating manual, paper-based systems clinic efficiency is improved and staff time freed up. Online forms, educational videos and a full audit trail meet the requirements of the HFEA.

Features

• All data is managed by servers hosted on Microsoft Azure
• User identity is authenticated during the electronic signing process
• Electronic signatures cryptographically sealed for over 50 years
• Electronic signatures are permanently bound to documents
• Documents cannot be modified without visible detection
• Documents can be securely processed and stored
• Documents can be securely viewed from any location
• Real time interface between clinic and patient portals
• Specific algorithms automatically allocate the correct consent forms
• Compatible with ‘plug-ins’ for visually and hearing impaired people

Benefits

• Digital process supports NHS strategy of achieving a paperless system
• Automated process reduces staff time spent on administrative tasks
• A robust detailed audit log of the complete consenting process
• Unique user credentials protect the integrity of consents given
• Built-in ID check becomes part of the patient audit log
• Intelligent form technology reduces the potential for errors
• Access to information and consent forms from multiple devices
• Engaging and consistent medical and legal information for patients
• Complete set of HFEA consent forms and video explainers
• Clinic dashboard improves visibility and efficiency of clinic

£8 to £14 a unit

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at doug@engagedmd.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

528307890979018

Contact

Doug Zimmer
020 3925 4911
doug@engagedmd.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Clinic data management systems/Electronic patient records such as IDEAs, MediTEX IVF, and BabySentry.
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements:
  • Internet connection
  • Modern internet browser (HTML5)
  • Adobe Acrobat Reader (free version)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: A help-desk and support portal is available for clinic staff.; Support is available Monday to Friday 8am – 6pm.; Tickets are prioritised:; Urgent (response:30 mins / fix: 4 hours); High (r: 90 mins / f: 6 hours); Medium (r: 120 mins / f: 8 hours); Low (r: 8 hours / f: 5 days)
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We support users with all aspects of functionality, technical information and training to ensure user competence. This support is provided by our cloud support/technical team, design or training team as appropriate. Support is delivered on-site, tele-conferencing, a support portal and help-desk which is included in the annual service fee. Extra support services may be provided at an additional charge as agreed with the customer
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We have a fully documented on-boarding process that provides users with a detailed operating procedure for the platform, on-site and tele-conferencing training, access to a demonstration platform for familiarisation and practice. We also publish 'how to' guides and update FAQs on our clinic portal to support users when they implement the service. We offer continuous support through regular service review on-site and tele-conferences.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • Microsoft word
  • Microsoft excel
  • Microsoft powerpoint
• End-of-contract data extraction: Data is extracted by the user when the consenting process for a medical procedure is complete and stored in their data management systems and/or their cloud storage. This process is followed throughout the duration of the contract.
• End-of-contract process: Set up, hosting and use of the Service is included in the contract price. Extra services such as bespoke integrations with other programmes may be provided at an additional cost agreed with the user.; At the end of the contract, all licences granted by the service provider shall terminate immediately. The service provider shall provide such assistance as is reasonably requested by the user to transfer data and content in which the user has proprietary rights or control to the user or another service provider, subject to payment of the service provider's expenses reasonably incurred.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Operating systems and types of devices may impact display of information, but all modern phones and browsers have been tested and work well.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: There is an administrative interface to configure organisational level branding, policies, documents, content and user management.; There is also an operational interface for clinic staff to create and manage consent cases for patients / partners.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We have tested all clinic and patient facing interfaces for text size, color and contrast on different devices and browsers using WCAG tools from EqualWeb
• API: Yes
• What users can and can't do using the API: There is a public API available for exchanging data with Electronic Medical Record (EMR) systems; existing systems include: IDEAs, MediTex IVF and customer specific EMRs. Access is via a unique set of credentials.; ; The API is designed to automate the creation of consent forms with information from the EMR; once the consent forms are complete they can be exported back to the patient/partner record in the EMR
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: As standard our service is tailored to create a bespoke branded platform for individual clinics. Each clinic has a staff portal and patient portal branded with the clinic logo, healthcare professional details and clinic contacts details such as email addresses, telephone numbers and address.; Many aspects of the platform design can be customised e.g. clinic dashboard calendar, the time-frame in which consent material and consent forms should be completed and welcome messages patients see from their portal dashboard.; Clinic specific information can be added to the platform as required e.g. clinic privacy policy, information on research programmes conducted by the clinic, treatment price lists for access by patients.; Patients are provided with the educational materials and relevant consent forms that are required for their specific treatment this can be customised by clinic staff if needed.; The platform content may be customised and edited by Fertility Consent or clinic staff.

Scaling

• Independence of resources: Independence of resources; Azure Resource Manager and Monitoring within the Azure Portal, enables us to keep track of demand

Analytics

• Service usage metrics: Yes
• Metrics types: Usage metrics provided include:; ; Number of treatments carried out in a particular time-frame; Type of treatments carried out; Patient demographics; Status of consent programme completion
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data is exported automatically to a data management system and or cloud store dependant on the user's requirements.
• Data export formats: Other
• Other data export formats: JSON
• Data import formats: Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Guaranteed availability; The Service is online 24 hours a day, 7 days a week, 52 weeks of the year with 99.9% availability, with the exclusion of planned and emergency system maintenance.; We will use reasonable endeavours to ensure that such maintenance is carried out during off peak hours to minimise user inconvenience.; We will communicate in advance any maintenance activity and estimated down time to the Customer’s contract manager.; The hosting infrastructure and application are monitored in real-time with alerts and detailed email reports sent to our Development Team who will assess the impact and notify the Customer’s contract manager.; Service reviews are conducted three monthly and adjustment to service fees may be made should any significant service disruption occur that is the Service Provider’s responsibility.
• Approach to resilience: At a network and application level we use Azure's Availability Zones and Availability Sets. This ensures the VMs are distributed across multiple isolated hardware nodes and data distributed across multiple data centres in the UK.
• Outage reporting: The hosting infrastructure and application are monitored in real-time with alerts and detailed email reports sent to our development team who will assess the impact and notify the user of any outages lasting more than 15 minutes by email or telephone

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Username or password
  • Other
• Other user authentication: Users are issued with a system generated 'key phrase' which they use along with their unique user ID to create their own password. In this way only the person who authenticated themselves knows the access password
• Access restrictions in management interfaces and support channels: Access to services is on a role based policy. Only users with appropriate authority can access services.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: IASME Governance
• ISO/IEC 27001 accreditation date: 21/11/2023
• What the ISO/IEC 27001 doesn’t cover: IASME Governance certification is aligned to the Government’s Ten Steps to Cyber Security and includes Cyber Essentials certification as well as controls around people and processes. It also covers the General Data Protection Regulation (GDPR) requirements. IASME Governance is aligned to a similar set of controls to ISO 27001
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Our infrastructure is part of the Microsoft Azure EU region using data centres in London and Newcastle. These data centres comply with, and have been audited to, the following UK standards:; ; ISO 9001:2008 is a global standard (published certificate) for managing the quality of products and services.; ; ISO 27001:2013 is a widely-adopted global security standard that outlines the requirements for information security management systems.; ; ISO 27002: 2015 which gives cloud service providers and Clients secure and specific implementation guidance for ISO 27002 security controls, as well as provides additional security controls specific to cloud services.; ; ISO 27018:2014 provides additional security controls not covered in ISO 27002 to give cloud service providers security control for Personally Identifiable Information (PII).

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We have a documented Change Control Procedure. An initial discussion of any change proposed by either the Customer or ourselves takes place and if feasible and acceptable to both parties will result in either:; - a written request for a Change by the Customer; or; - a written recommendation for a Change by ourselves
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our core network and hosting infrastructure is provided by Microsoft Azure who monitor all threats and apply patches and upgrades when needed. Microsoft also provide regular updates on all aspects of infrastructure availability and security.; ; We also run a software based virus and malware scanner on our servers, which runs in realtime.; ; Every year we have an independent penetration test carried out which does application level testing across all user roles and workflows.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use the standard Security Centre tier within Microsoft Azure which monitors the following our Windows servers, and deploy Just-in-Time VM Access to mitigate against brute-force attacks. There are built in capabilities to address other vulnerabilities, such as exposed web pages and plug-ins. Security Center also detects anomalous database access and query patterns, SQL injection attacks, and other threats targeting SQL databases in Azure. Any suspicious activity results in an alert and recommended actions for investigating and mitigating any threat.
• Incident management type: Supplier-defined controls
• Incident management approach: Incidents are reported by ourselves and users and through an online help-desk, email or telephone. Incidents are managed according to priority.; ; Priority 1 - incidents that compromise the portal’s integrity where an immediate resolution is required.; ; Priority 2 - incidents affecting more than one user that are not critical and will not seriously disrupt the learning portal’s operation if the incident is not resolved as soon as possible.; ; Priority 3 - incidents affecting a single user that are not critical and will not seriously disrupt their use of the portal if the incident is not resolved as soon as possible.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Covid-19 recovery

  Covid-19 recovery

  Fertility Consent is a secure, cloud based, electronic platform which provides clinics with a new way of communicating the required information, clinic and regulatory consent forms for fertility treatment to commence. Clinic staff create bespoke cases on the clinic dashboard that patients complete remotely via the patient portal which clinic staff can access in real time. Fertility Consent allows clinics to continue providing their services during Covid-19 reducing the need for in clinic visits and protect staff and patient safety.

Pricing

• Price: £8 to £14 a unit
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at doug@engagedmd.com. Tell them what format you need. It will help if you say what assistive technology you use.