Promptly Health

Promptly Collect - Patient Reported Outcome Measures (PROMs) Solution

Promptly Collect offers an intelligent patient-centric platform to capture patient data at scale, by leveraging an omnichannel patient engagement approach. With built-in mechanisms to drive engagement and increase patient participation, supported by an extensive library of Clinical Outcomes Assessments tools, it can start data collection programs with minimum deployment time.

Features

• Cloud on-premise
• ePROM questionnaire collection service
• Patient consent management
• Patient data pseudonymisation
• Multi-factor authentication support
• Ominchannel Engagement (SMS, Email, WhatsApp, IVR)
• Data-driven automatic reminders
• Results visualization and outcomes analytics
• Tablet and kiosk support

Benefits

• Build trust and transparency into an healthcare system
• Remote patient outcomes monitoring equalizing access to quality healthcare
• Frequent reporting facilitate early detection and intervention for better outcomes
• Promotes patient empowerment through active participation in healthcare management
• Optimizes healthcare resources allocation, improving efficiency and effectiveness
• System conceived on a privacy-by-design model
• GDPR-compliant system
• Fully-auditable system
• Seamless setup with a clear activation package

£5,000 a licence a month

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michelle.waddell@promptlyhealth.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

732244505604201

Contact

Michelle Waddell
+447826726323
michelle.waddell@promptlyhealth.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Based on developing a seamless experience for patients using NHS Applications, our ePROMs service also provides an SDK that may include the PROMs service directly in the NHS Application environment. Promptly’s Collect SDK has been designed seamlessly embed into a third-party application by adhering to communication, branding & legal guidelines.
• Cloud deployment model: Private cloud
• Service constraints: As far as we are concerned, no.
• System requirements: Not applicable

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support is conducted through a helpdesk service (in-app service + email). All incidents should be recorded in the Helpscout support tool which will include information on the affected assets, the classification based on urgency level, service impact, and on the priority for incident resolution.; ; SLAs: First Reply Time –Critical Failures <4h (BH*); Non-critical failures <8h (BH); Configurations and Service definition and features improvement/suggestions <24h (BH); Time to recovery –Critical failures <20h (BH); Non-critical failures <16h (BH); ; *BH = Business Hours
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: In order to communicate with our end-user, we offer an in-app internal chat in real-time, as a channel. ; ; In Promptly Collect platform, the customer support service can be triggered from the “Help and support” menu. Once the end-user clicks on the “Help and support” menu, he will be taken to an area of frequently asked questions and answers (FAQs), organized and searchable by topic. In case the end-user still does not find the answers to her/his questions, she/he can contact Promptly's support team directly through the same menu, requesting an internal request in the application (email or conversation with a support agent). ; ; In order to guarantee a quality support service and with the possibility of complete analysis of the reported problem and due feedback, it is important to provide an email address when requesting the application's internal support request.
• Onsite support: Onsite support
• Support levels: Onsite support is guaranteed and provided in the most critical phases of the Promptly Collect Activation:; (1) Preparation for Go-Live: Setup of the solution to align and prepare the go-live; the setup ends with the onsite training sessions and adjustments of the system in preparation for the patient enrolment process (Go-Live). ; (2) Go-Live: the platform is tested and ready to be used by the trust. ; Also Maintenance and Ongoing support is a critical milestone of our implementation process. This phase involves the follow-up of the project after de go-live. In addition to field follow-up (onsite support, to be agreed with the trust), monitoring, and remote support, the first data analysis sessions and improvement cycles will be held together.; The role of the technical team is to analyze and solve any problem, incident, or request raised by the end user.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Proper training is be given to all the healthcare professionals and managers, intervening in the program. The training session contains a theoretical part explaining the context of the project and the benefits of using a system like Promptly Collect; and a practical part where the end-users can get in touch and experiment with the application, having to complete a set of use cases that go over the most important components of the system. This training session is performed on-site, during the preparation stage for Go-live. Also digital tutorials and training material is provided to the end-users.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: This is discussed with clients at contract signature.
• End-of-contract process: PROMPTLY commits to designing and executing an exit management plan when issued a formal termination under the agreement and commits to provide it at least four months prior to end of the contract term. The principle of the exit plan will be to facilitate an effective and smooth transition of the services from PROMPTLY to the Buyer, assuring minimum disruption of the services and completion of all agreement obligations. ; ; All procedures related to data transfer and deletion are included in this service offer. Having a glance at a technical perspective, PROMPTLY agrees to transfer all data, the configurations and settings used during the period of the contract. Data can be delivered in different possible formats: CSV, Parquet (https://parquet.apache.org/) or even in FHIR using the FHIR Bulk API. The data will be provided with good documentation to the Buyer. The same data channels used during the contract will be available for data exchange process. ; Also, data destruction is performed by PROMPTLY. Media storage devices used to store customer data are classified by AWS as Critical and treated accordingly, as high impact, throughout their life-cycles. AWS has standards on how to install, service, and destroy devices when they are no longer useful.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: A simple reduction of spacing and removal of features considered non-essential is carried out. The purpose of our product is to respond to questionnaires and the purpose remains unchanged in terms of functionalities, whether on the desktop or on the mobile phone.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: "This API is REST based and required source system to authenticate prior to use.; API supports:; * Create patient; * List available PROMS; * Send PROMS to patient; * Get all QuestionnaireResponses from a patient."
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Promptly Collect is fully modular and customizable to fit each partner-specific needs - branding, reminders, communications copy, questionnaires content, and follow-up timelines.; Promptly commits to maintain and manage the customisations required by the buyer according to the defined scopes and requirements.; Promptly Collect has a full-fledged back office (Promptly Flex) that allows to perform all the mentioned customisable modules. This back office is managed and operated by the Promptly team, owner of the requested customisations.

Scaling

• Independence of resources: The service provides automatic scaling to accommodate demand.

Analytics

• Service usage metrics: Yes
• Metrics types: "2 dashboards:; - Engagement dashboard (Volume of patients, PROMs completed, Response rates, Clinical Outcomes Assessments, Communication channels effectiveness - SMS sent, Emails sent, etc); - System performance and monitoring dashboard (Uptime, Response time, Latency, Availability, Security incidents reporting)"
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Other
• Other data at rest protection approach: To maintain data security, Promptly uses encryption at rest in all AWS services that storage data. ; Data encryption is enabled for physical disks on AWS EBS, databases on AWS RDS, S3 object storage, on AWS Backups.; All data is encrypted before stored. This ensures that even if someone gains unauthorized access to our storage, they won't be able to read the data. We use strong encryption methods like AES and secure key management to keep the data confidential and intact. Encrypting data at rest helps us prevent data breaches and stay compliant with security standards.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users contact the support team to get data exported
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Excel
  • Database
  • FHIR
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • HL7
  • FHIR
  • Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Availability is 99.8%.; Allowable downtime is less than 1hr 27 minutes in any given month with no roll over.
• Approach to resilience: Our solution is architected with high availability architecture practices with redundant services across multiple availability zones. Nevertheless, Promptly has a comprehensive disaster recovery (DR) plan in place to ensure that all its systems can continue operating in the event of a major outage or other disruptive event. This is included in our ISO27001 certification. AWS operate independently with robust infrastructure and fast, private networking between them. Promptly deploys all services across multiple Availability Zones for fault tolerance and low latency.
• Outage reporting: Yes, a public dashboard

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Username or password
  • Other
• Other user authentication: On Promptly SaaS products, we enforce a limit of 10 failed login attempts before temporarily blocking the account to prevent brute force attacks. We empower our clients to integrate their own Identity Provider (IDP) for authentication, thereby enhancing system security. In cases where clients do not provide an IDP, we offer a username and password login system, ensuring password strength in compliance with the NIST 800-63b standard.
• Access restrictions in management interfaces and support channels: Promptly adheres to the "principle of the least privilege," ensuring users access only necessary resources for their roles, minimizing unauthorized access and data breaches. Ungranted permissions are prohibited. RBAC (Role-Based Access Control) is the primary method for assigning and maintaining access, with rights allocated primarily to groups for role-specific access. Individual accounts may receive additional permissions with authorized approval. All privileged access to production systems requires Multi-Factor Authentication (MFA).
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Proks Certification - https://proks.co/en
• ISO/IEC 27001 accreditation date: 15/09/2023
• What the ISO/IEC 27001 doesn’t cover: "We have a group of 19 policies that covers all the iso 27001 topics:; - Information Security Policy; - Risk Assessment and Management; - Access Control; - Physical Security; - Information Security Awareness and Training; - Incident Management and Response; - Business Continuity and Disaster Recovery; - Compliance"
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO27001
  • CE+
  • DTAC

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: CE+
• Information security policies and processes: We have a group of 19 policies that covers all the iso 27001 topics:; - Information Security Policy; - Risk Assessment and Management; - Access Control; - Physical Security; - Information Security Awareness and Training; - Incident Management and Response; - Business Continuity and Disaster Recovery; - Compliance; We have an web application that allows to manage all the policies and all the employees needed to agree with them. We have a Governance council responsible to keep track on security needs and provide guidance and information when needed. We have formal meetings that we call management reviews that we use to understand improvement needs and mitigation actions. We give security training every year to our employees as standard.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: The Change Management process ensures all project changes are controlled and systematic, covering recording, evaluating, and authorizing through to implementation and review. Managed by the Customer Success Manager, it addresses project risks. Changes originate either from client requests or are identified during system design, development, or testing. They are categorized as:; ; 1. Standard Changes: Common, low-risk, pre-authorized.; 2. Normal Changes: High-priority, requiring full evaluation and approval.; 3. Emergency Changes: Immediate responses to unexpected threats.; ; The process ends with a formal sign-off, concluding with the contract's termination.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerability management process consists of Access review, Risk Assessment, Vulnerability test and Penetration test. Findings out of these assessments are prioritised and addressed. Change, Patch and Asset management processes helps in identifying and mitigating the vulnerabilities and the associated risks. We follow ISO 27001 standard and best practices.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: "Promptly employs the AWS recommend services for monitoring, identify and block attacks. AWS WAF on AWS ALB and AWS Cloudfront to control and absorb traffic and deflect unwanted requests.; Amazon Guardyty, a managed service that continuously monitor for malicious or unauthorised behavior is also enabled. It monitors for activity such as unusual API calls or potentially unauthorised deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers."
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Add as an annex our Incident Management Policy POL-17; ; https://proefgroup.sharepoint.com/:b:/r/sites/promptlyhealth/Documentos%20Partilhados/Promptly%20Compliance/ISO%2027001/Policies%20pdf/POL-17%20Incident%20Management.pdf?csf=1&web=1&e=uGzQXi

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Patients with a specific clinical condition reporting their status remotely will reduce the need to frequently go to healthcare facilities to encounter medical teams and report their disease status. Millions of travels will be saved, many from far distant locations, which will considerably reduce carbon emissions without compromising the quality of care delivered to these patients.

  Covid-19 recovery

  By enabling patients to report their clinical outcomes remotely, the platform minimizes the need for in-person visits to healthcare facilities. This reduces the risk of exposure to infectious diseases like Covid-19. Also, patients recovering from Covid-19 can provide regular updates on their symptoms and recovery progress, allowing healthcare providers to intervene promptly if any concerning trends emerge. With remote reporting, healthcare resources can be allocated more efficiently, focusing on critical cases or areas with higher transmission rates.

  Tackling economic inequality

  Remote outcomes reporting eliminates the need for frequent travel to healthcare facilities, which can be costly for patients, particularly those from low-income backgrounds or living in remote areas. By lowering transportation expenses, the platform helps alleviate the financial burden associated with accessing healthcare, promoting economic equity and equal access to care.

  Equal opportunity

  Patients will feel heard and accompanied from afar which from a social perspective is important and will leave them with the sense that they matter. It will promote equal opportunities, allowing more people to reap the potential benefits of AI in Medicine, while reducing disparities in healthcare.

  Wellbeing

  Continuous remote reporting empowers patients to actively participate in their healthcare management, fostering a sense of control and autonomy over their health outcomes. Feeling actively engaged in the monitoring process can enhance patient satisfaction and overall wellbeing.

Pricing

• Price: £5,000 a licence a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Upon request and according to customer's customization wishes

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michelle.waddell@promptlyhealth.com. Tell them what format you need. It will help if you say what assistive technology you use.