[DRAFT] GP Connect (Patient Facing) User Management

This guidance is under active development by NHS Digital and content may be added or updated on a regular basis.

Design principles

Clinical Safety Principles

Clinical safety is about promoting, and helping embed, clinically safer working practice methods and proactive risk management for patient safety enabled by IT, with consistent application across the NHS.

GP Connect FoT Clinical Safety Principles

The following principles and underlying detailed requirements are currently undergoing review by the NHS Digital Clinical Safety team, so may be subject to change.

Information Standards for Clinical Risk Management

The GP Connect API is underpinned by the information standards for clinical risk management, which describe a framework for national healthcare initiatives that has been created by the Department of Health, NHS England, the Care Quality Commission and other national health organisations. The information standards for clinical risk management also describe a mechanism for introducing requirements to which the NHS, those with whom it commissions services, and its IT system suppliers must conform.

Commissioning Organisation

Commissioning organisations for GP Connect:

  • must have a clinical safety framework compliant with Information Standard (SCCI0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems)
  • are responsible for assuring that deployment and implementation of consumer applications using the GP Connect APIs comply with this framework

Consumer & Provider Systems

Consumer and provider systems using the GP Connect API must comply with the requirements of the SCCI0129 standard, promoting and ensuring the effective application of clinical risk management by suppliers developing and maintaining health IT systems (SCCI0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems).

Additionally, the GP Foundation System providers must carry through the clinical safety requirements of the GPSoC framework into any GP Connect functionality.

Assurance & Deployment

Confirmation of compliance with the clinical safety standards as above will be specified as part of the GP Connect (SCAL) against which the consumer supplier will need to assure. The SCAL is managed and administered by the NHS Live Services Team.

Commissioning clinical safety approval of the consumer system forms part of the NHS Digital requirements for deployment into live operation.

Provider systems must also demonstrate standards compliance as part of the NHS Digital assurance processes.

Assurance Principles

  • Assurance will use a risk-based approach
  • Testing should be automated where possible to establish technical conformance
  • All artefacts related to assurance and testing should be made available as part of the ecosystem (public domain) prior to engaging in a formal NHS Digital assurance process

Information Governance Principles

Your organisation must complete the Data Security and Protection Toolkit (DSPT) for each NHS England Service being integrated and obtain at least a 'Minimum Standards Met' rating.

Each time a new NHS England Service is integrated, a check is made that the connecting organisation is registered and active with DSPT.

All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

API scope

The scope of the API is to deliver functionality that will enable a patient-facing application, for example the NHS App, to:

  • display to the patient only features and functionality the patient has access to
  • show the patient the permissions they have to their medical record and a selection of services provided at their GP practice
  • provide the ability for the patient to request changes to the permissions they have to their medical record and a selection of services provided at their GP practice

This functionality is provided by a single endpoint (/Patient/{id}) and two HTTP request methods, GET and POST. Additional information is available on NHS Digital's API catalogue and within this guide under "How to get a patient's permissions" and "How to request a change to a patient's permissions".
