Integrating a secondary care booking system with the Patient Care Aggregator
A step-by-step guide to completing your integration.
This guide is new
To tell us what you think, contact us.
Overview
Before you can integrate with the Patient Care Aggregator, you must meet the minimum eligibility criteria and receive confirmation from the Partner Gateway team that you can commence the onboarding process.
1. Confirm you are eligible
To qualify, a secondary care booking system should represent at least one eligible NHS trust and you will need to meet the entry criteria.
An eligible trust is:
- an acute trust, community health trust or mental health trust that handles outpatient appointments
- some specialist acute trusts are eligible and will be reviewed in the next step
You'll also need to confirm you understand that:
- you'll need to integrate your software with NHS login and the NHS App
- your solution must meet the architecture requirements outlined in Building a patient portal for secondary care bookings. This includes providing a single technical integration with NHS login, NHS App, and the Patient Care Aggregator as a single endpoint, rather than offering an endpoint for each trust represented.
- your solution must meet our service design requirements, including 'deep linking' from within the NHS App user experience and implementing the look and feel guidelines as demonstrated in our Phase 1 Figma prototype.
- you'll need to conform to the DCB0129 clinical risk management standard for healthcare software suppliers
- your customers will need to conform to DCB0160 clinical safety standards for healthcare settings
- your customers will need to have Data Protection Impact Assessments (DPIA) in place to cover this integration
- you'll need to complete an Equality and Health Inequalities Assessment (EHIA)
2. Prioritisation
Whilst we aim to support all suppliers that meet the eligibility criteria, at times there may be scenarios where we need to prioritise suppliers due to demand on the assurance teams.
Eligible suppliers who wish to onboard to the Patient Care Aggregator to surface secondary care patient information in the NHS App will require an introductory meeting and approval before they can begin the onboarding process. Any work done prior to this process is done at the supplier's own risk.
On the occasions where prioritisation is required, the prioritisation process is determined by the following criteria:
- Meet the minimal capability specifications for a live PEP in Wayfinder
- View appointments, amend/cancel appointments, provide advice and guidance and provide a single point of contact
- The benefits expected to be realised by client NHS trusts following integration
- An NHS England assessment of risk associated with the supplier’s delivery
Following assessment of your application which includes the eligibility criteria and, where required, the prioritisation criteria, the supplier will be informed whether they are approved for onboarding. If they are, they will be added to the onboarding timeline and informed of timelines. This assessment may require some discussions with the supplier.
As the supplier's slot in the pipeline approaches, we will reach out to the supplier to agree specific next steps.
3. Getting started
Once it's been confirmed that you have met the criteria and received approval, the onboarding process can begin. To begin the process, use the digital onboarding page as follows:
- Sign in or create a developer account.
- Select ‘Product onboarding’.
- Enter details of your organisation and product, and say you want to onboard to the ‘Patient Care Aggregator’ API.
- If you have previously registered your product, select it, then select ‘Add API’, then select ‘Patient Care Aggregator’.
- Answer all the questions in the ‘Setup and eligibility’ section and submit them for review.
If you need any help at this point, contact us.
4. Have a kick-off session
Once you've confirmed you're eligible and been approved for onboarding, we contact you to arrange a kick-off session.
On the call, we:
- go through the process with you, to double-check that you meet the entry criteria and you know what you're doing
- answer any questions you have
- provide you with a point of contact for any further queries
5. Design and build your software
To integrate with the Patient Care Aggregator, you need to:
- Build a Get Appointments API that the Patient Care Aggregator API can use to get a summary of a patient’s bookings from your system. This might also include details of documents and questionnaires.
- Integrate with our Record Service API to let the Patient Care Aggregator know which patients you have bookings for.
- Build an NHS-styled, standardised 'patient portal' web application that the patient can access via a hyperlink from the NHS App.
- (optional) Integrate your system with the NHS App API to send patient notifications.
For items 1 and 3 above, you also need to integrate your software with NHS login for security.
For items 3 and 4, you also need to integrate your software with the NHS App.
The steps are explained in more detail below.
5.1 Build a Get Appointments API
Use our Patient Care Aggregator Get Appointments API standard to build an API that returns a summary of the patient’s bookings in your system.
Optionally, add endpoints to your API to return details of documents and questionnaires.
As part of this work, you need to integrate with NHS login to ensure that calls to the API have been triggered by the appropriate patient.
5.2 Integrate with our Record Service API
Integrate your system with our Patient Care Aggregator Record Service API to let the Patient Care Aggregator know which patients you have bookings for.
5.3 Build a patient portal
Build an NHS-styled, standardised 'patient portal' web application that the patient can access via a hyperlink from the NHS App.
Your portal must:
- integrate with NHS login to authenticate the patient
- follow all the rules for integrating with the NHS App
- provide a 'deep link' URL that the NHS App can use as a hyperlink to a specific booking
- allow the patient to view, book, amend and cancel bookings
- follow the look and feel guidelines in the NHS digital design system
For more details, see Building a patient portal for secondary care bookings.
5.4 Integrate with the NHS App API
Optionally, integrate your system with the NHS App API to send patient notifications.
For details, contact us.
6. Test your software
The following diagram shows the various testing phases:
The phases are explained in more detail below.
6.1 API sandbox testing
Our sandbox environment is for early API testing. You can use it to test:
- your Get Appointments API
- your use of our Record Service API
The following diagram shows the test environment:
You need to:
- import our pre-defined test data into your system
- call our Record Service API to register the NHS numbers for the test data
- use our 'expected versus actual' (EVA) tool to test that your Get Appointments API is working as expected
- show us your test results
You do not need to have implemented NHS login authentication on your Get Appointments API to use the sandbox.
To get access to the sandbox environment, contact us.
6.2 API integration testing
Our integration testing environment is for formal API integration testing. You can use it to test:
- your Get Appointments API - including NHS login for API security
- your use of our Record Service API
We co-ordinate integration testing. When you are ready to get started, contact us.
6.3 API performance testing
You need to show that your system can meet our performance requirements, including:
- a load test of your Get Appointments API
- a bulk upload of patient data to our Record Service API
For more details, contact us.
6.4 Portal system testing
You need to test that your patient portal is working as expected.
For more details, contact us.
6.5 End-to-end testing
Our end-to-end test environment allows you to test that your APIs and your patient portal all work together.
You need to contact us to get access to the environment, but you do the testing yourself.
You use a test version of the NHS App to access patient booking data via your Get Appointments API and then trigger a hyperlink through to your portal.
When you are ready to get started with end-to-end testing, contact us.
Live proving
This is covered in step 8 - go live.
7. Complete onboarding
Before you can go live, you need to complete the digital onboarding you started in step 1 - confirm you are eligible.
This covers things like:
- clinical safety
- information governance
- security
- technical conformance
- legal agreements
Onboarding can take some time, and we recommend you get started as soon as you can.
7.1 Getting started
To get started with onboarding, see digital onboarding.
For the specific documents you need to complete and submit to us as part of onboarding, see onboarding support information.
7.2 Non-functional requirements
Data and information security
You'll need to:
- complete the Data Security and Protection Toolkit (DSPT) - this shows you what you need to do to keep patient data safe, and to protect your business from the risk of a data breach or a cyber-attack
- confirm you have a formal Information Security Management System (ISMS) in place that is in line with ISO / IEC 27001
Clinical safety
You'll need to confirm that:
- you have a Clinical Safety Officer (CSO)
- you have undertaken clinical risk analysis and prepared a hazard log and a clinical safety case report in line with DCB0129 clinical risk management standard for healthcare software suppliers
- you have incorporated our pre-defined hazards into your hazard log
- your customers are compliant with DCB0160 clinical safety standards for healthcare settings
Service and incident management
You'll need to:
- provide details of your service and incident management processes
- work with us to conduct incident management rehearsals
Product demonstration
You'll need to demonstrate how your product integrates with NHS login.
7.3 Technical conformance
You'll need to:
- show that you conform with the technical requirements for integration with Patient Care Aggregator, NHS App and NHS login
- confirm you have implemented processes and understood your responsibilities for managing and storing data
- confirm you have completed appropriate penetration testing
- complete the connecting systems risk log and demonstrate your mitigating actions to us
7.4 Connection Agreement
Once we have approved your non-functional and technical conformance responses, we'll send you a customised copy of our Connection Agreement for you to sign and return.
Prior to that you can review a sample agreement.
When we have reviewed and accepted the returned document, we will upload this to your digital onboarding record.
7.5 Approval to go live
Once you have signed the Connection Agreement, we have an internal process to get you approved and enabled in the production environment.
8. Go live
8.1 Live proving
After you have completed onboarding, and your system is up and running in production, we work with you to do a 'smoke test' using a synthetic patient.
This makes sure that the production system is configured correctly, on our side and on yours.
You need to be able to set up the synthetic patient in your production system.
For more details, contact us.
8.2 Controlled rollout
Perform a controlled rollout to your estate.
Monitor performance and report any issues to our service desk.
9. Annual compliance check
We'll ask you to complete an annual compliance check.
You'll need to:
- confirm that the details you provided during onboarding are still the same
- confirm you have done annual penetration testing
- confirm you have completed an annual update of the Data Security and Protection Toolkit
10. Get help and support
If you need any help or support at any point, either during development or after you're live, contact us via our enquiry form.
To access the portal you need to create a 'customer portal account' (this is different from your developer account).
Last edited: 24 January 2025 8:01 am