Historical Supplier Conformance Assessment List (SCAL) changes

This version introduces:

• new capability to use two additional API endpoints through the application-restricted, unattended access mode
• deprecation of the existing retrieve attachment endpoint, including a new FHIR R4 download endpoint

The following changes have been made.

Overarching requirements

Endpoints updated: 

• Record triage outcome (A028)
• Available actions for user (A029)

Endpoint:

• deprecated, Retrieve attachment (A006)
• added, Retrieve attachment (A042)

Functional requirements

New requirements added: A028-01/02/03, A042-01/02/03/04/05/06

This version introduces the ability to retrieve information for additional endpoints, via an application-restricted access mode.

Overarching requirements

Endpoints updated: 

• Retrieve referral worklist (A008)
• Retrieve healthcare service (A033)
• Search for healthcare services (A035)
• Retrieve healthcare service version (A037)

Functional requirements

Added new requirements: A008-06, A011-05. A008-03 renamed.

This version introduces a new referrer endpoint which allows the creation of advice and guidance requests via the API.

Overarching requirements

New endpoint added: A044 - Create advice and guidance request

A number of key updates have been made following the functional release of mixed shortlist and the deprecation of our HSCN API.

Overarching requirements

References to the following have been removed:

• A021 - Create referral and send for triage
• A032 - Change shortlist and send for triage
• HSCN

The following sections and requirements have been removed: 

• HSCN CIS1 - Healthcare worker (User-restricted)
• HSCN Security Artefacts (SEC-001a)
• Legacy (HSCN) API endpoints: A001, A002, A003

Functional requirements

References to the following have been removed:

• A021 - Create referral and send for triage
• A032 - Change shortlist and send for triage
• CIS1 checks
• Legacy API endpoints

The 'Integration Type' column has been removed.

A new requirement (A016-06) has been added.

A number of updates have been made to align requirements across NHS England programmes.

These changes have been made in conjunction with the NHS England Live Service Onboarding (LSOB) and the Onboarding Governance Group.

Overarching requirements

A new 'Declaration of Usage' section has been added.

Updates have been made to the Data Security and Protection Toolkit (DSPT) in the 'Information Governance' section.

An additional question has been added to the 'Controller/Processor' section.

The 'Security' section now includes both CHECK and CREST standards with a requirement to provide additional evidence.

Updates to the 'Clinical Safety' section with addition questions.

An additional question has been added to the 'End User Organisations' section regarding the DSPT status.

The AC-01 Throttling requirement has moved from the 'Architecture Collateral' section to the 'Security' section as SEC-009.

Overarching requirements

The URL for the 'Service Management' registration form has been updated.

NHS Digital references replaced with NHS England.

Overarching requirements

The declaration of usage, standard requirement dataset and authority to connect to INT sections have all been removed.

Additional URLs have been added which reference future changes and SCAL amendments on GR-002.

The sunsetting policy guidance and URL link has been added to GR-005.

The service management section now points to the Service Now registration.

Audit log requirement points to the new webpage.

Functional requirements

Mandatory linkage of endpoints added:

• A012/20
• A033/35/37

Overarching requirements

Web links in the error messaging and application-restricted, unattended sections have been updated:

• AUT-010    Written Authority Provided by the End User Organisation for the Connection 
• AUT-011    End User Organisation Nominated Senior Responsible Person 
• AUT-012    Documented process to manage requests to change the Senior Responsible Person
• ERR-000     Error Messaging

Overarching requirements

The API endpoints list has been updated.

Partners can now select application restricted - unattended for the following advice and guidance endpoints: A024, A025 and A043.

Overarching requirements

An access mode column was added to the table. A list of API endpoints now appears at the bottom of the tab.

Functional requirements

For the reference data requirements (A004-05 & A004-06), we:

• added clarity about which endpoints reference data would be required for
• agreed this is not mandated as part of application-restricted, unattended access

Overarching requirements

Requirements AUT-010, AUT-011 and AUT-012 were updated with live web page links.

There were several review rounds between v9.0 and v9.5.

Overarching requirements

Session timeout details were added and merged into one requirement (AUT-013).

Requirements were added for application-restricted, unattended access, specifically AUT-009, AUT-010, AUT-011 and AUT-012.

A new scope of use requirement was added (GR-004).

In the security section, we added a new server side requirement (SEC-008)

Functional requirements

Several requirements in this section contained the words 'should' and 'could'. These were not suitable for the SCAL format. Some requirement changed to 'musts' and some were removed as they were for guidance.

The requirements which were updated included: A010-08, A010-10, A011-03, A011-04, A021-03, A008-01, A008-05, A031/32-07, A013-02, A013-05, A014-02, A014-03, A014-05, A008-04, A008-06, A031/32-03, A031/32-04, A031/32-05, A031/32-06, A033/35/37-02

The title of the A021-03 requirement was amended from 'Printing appointment' to 'Printing triage summary'

Clinical context in the A013-05 requirement is not covered under A005, A006 and A007-01

A duplicate requirement was removed (A005-01).

We added in clarity about which API endpoints must be implemented together. This created two sets of requirement groupings. The first group included A005, A006 and A007. The second group included A024, A025, A043 and A006.

Overarching requirements

Changes were made to requirements for:

• session timeout
• application-restricted, unattended-access
• server side calls

Functional requirements

To ensure partners fetch all relevant clinical information, we created two endpoint groupings. All the endpoints must be implemented in each group. For referrals, the group includes endpoints A005, A006 and A007, A024 and A025. For advice and guidance requests, the group includes endpoint A024, A025, A043 and A006.

General tweaks were made to document references throughout the two tabs.

Functional requirements

We added compliance steps for the A023 advice and guidance worklist endpoint.

Functional requirements

We introduced new referrer functionality in the API space. These new endpoints were added to the functional list: A031, A032, A033, A034, A035, A036, A037, A038

A new advice and guidance endpoint (A043) was also added.

Clarity was added to the A008 worklist endpoint requirement.

Additional guidance was added to mitigate the API-M worklist limit risk.

As well as a routine tidy-up of the document, API-M was introduced into the document for general awareness.

Functional requirements

Clarity about the use of the A030 'Retrieve e-RS business functions' endpoint was added.

There was a consolidation exercise to simplify the SCAL as part of this version.

A review was conducted with clinical and subject matter experts from the team. Updates were added to v6.2.x

Functional requirements

We introduced additional functionality into the API. The following endpoints were added to the functional list: A028 Record review outcome and A029 Available actions for user list.

Overarching requirements

The security section was updated with additional information.

Functional requirements

With the introduction of referral assessment services (RAS), we updated the list with the RAS endpoints.

Functional requirements

We introduced additional referrer functionality in the API. It allowed partners to retrieve appointment slots, book and defer appointment bookings.

There was also an addition to the provider space, with an additional review action added - Cancel appointment, action later.

All these endpoints were added to the functional list.

Overarching requirements

Multiple requirements in the 'error handling' section have been removed and replaced by one single requirement. These requirements listed generic error codes. A link was added to the developer site where the codes are easily available.

The audit log attachment has been removed, as there is now a web page with the same information. A link in this section now points to the site.

Functional requirements

The referrer and provider tabs were merged.

All endpoint references were aligned to the naming convention used on the developer website. This allows partners to easily filter on the functional requirements tab.

The same naming convention was updated on the 'supplier product information' tab. Making it simpler for assurance checks and endpoint set up.

Each endpoint in the functional tab now guides partners to the endpoint catalogue so they can review the description and behaviour in detail. Rather than it being described on the SCAL.

Accept and reject endpoints have been added to allow providers to carry out vital triage workflows.