Appendix A – Schedule of GP digital requirements and capabilities
- Essential clinical system capabilities – foundation capabilities
- Essential clinical system capabilities – non-foundation capabilities
- Patient facing capabilities
- National digital services
- GP IT enabling requirements
- Enhanced requirements
- General practice business requirements
Essential clinical system capabilities – foundation capabilities
Six clinical digital capabilities enabled through software (and data) solutions which under the GP Contract are necessary to deliver primary care services and must be accredited through the GP IT Futures Framework. These are sourced through the GP IT Futures Framework.
For these capabilities, where a signed CCG Practice Agreement is in place
- the solutions are funded by the NHS for GP Contract holders
- the solution must be accredited through the GP IT Futures Framework
- the Foundation Solutions for those capabilities described as GP IT Futures Foundation Capabilities will be determined by individual practice from the accredited systems available through the GP IT Futures Framework
Note: Non-Foundation Capabilities may be provided as an embedded part of the procured Foundation Solution at the supplier’s discretion. CCGs should determine which non-Foundation Capabilities are still required once the Foundation Solutions have been procured. Additional solutions for these capabilities may still be available and may be selected as enhanced items if they offer a greater level of functionality and more appropriately meet local needs.
Foundation Capabilities available through GP IT futures framework
Capability | Description |
GP Referral Management | Supports recording, reviewing, sending, and reporting of patient referrals. Enables referral information to be included in the Patient Record. |
Prescribing | Supports the effective and safe prescribing of medical products and appliances to Patients. Information to support prescribing will be available. |
Recording Consultations | Supports the standardised recording of consultations and other General Practice activities. |
Patient Information Maintenance | Supports the registration of patients and the maintenance of all patient personal information.
Supports the organisation and presentation of a comprehensive Patient Record. Also supports the management of related persons and configuring access to citizen services. |
GP Resource Management | Supports the management and reporting of Practice information, resources, staff members and related organisations. Also enables management of staff member availability and inactivity. |
Appointments management – GP | Supports the administration, scheduling, resourcing and reporting of appointments. |
Essential clinical system capabilities – Non-foundation capabilities
Clinical digital capabilities enabled through software (and data) solutions which are necessary to deliver primary care services under the GP Contract or as otherwise nationally mandated in addition to the six Foundation Capabilities.
These are sourced through the Digital Care Services (DCS) Catalogue or an applicable Framework (see table below and Appendix C).
For these capabilities, where a signed CCG Practice Agreement is in place:
- the solutions are funded by the NHS for GP Contract holders
- solutions will be determined by the commissioning CCG in collaboration with local practices from systems offered on frameworks in the DCS Catalogue or other applicable frameworks
- non-Foundation Capabilities may be provided as an embedded part of the procured Foundation Solution at the supplier’s discretion. CCGs should determine which non-Foundation Capabilities are still required once the Foundation Solutions have been procured. Additional solutions for these capabilities may still be available and may be selected as enhanced items if they offer a greater level of functionality and more appropriately meet local need.
Accredited solutions are not contractually mandated for non-Foundation Capabilities but compliance with any standards attributed to the capability in this document should be considered essential.
Non-foundation capabilities available through applicable frameworks
Capability | Description | Applicable Framework(s) | |
Digital Diagnostics | Supports electronic requesting with other healthcare organisations. Test results can be received, reviewed and stored against the patient record. NB: this is additional to the pathology messaging already available through Foundation Capabilities. | GP IT Futures or other applicable framework. | |
Document Management | Supports the secure management and classification of all forms unstructured electronic documents including those created by scanning paper documents. Also enables processing of documents and matching documents with patients. | GP IT Futures or other applicable framework. | |
GP Extracts Verification | Aggregated data is extracted from practice Clinical Systems via the General Practice Extraction Service (GPES) and sent to the Calculating Quality Reporting Service (CQRS). Calculations performed by the CQRS determine how much money a general practice should be paid for National Services.
The data extracted in this process is based on information recorded in individual patient records. The GP Extracts Verification Capability provides practices with reports and search tools to establish which patients will be or have/have not been included in these payment extracts and calculations. These reports and tools will ultimately support data quality investigations and improvements. |
GP IT Futures or other applicable framework. | |
Scanning | Support the conversion of paper documentation into digital format preserving the document quality and structure.
Note: Requires as an enabler compatible scanning hardware. |
GP IT Futures or other applicable framework. | |
Communication Management (patient-practice) | Supports the delivery and management of (two way written) communications between patients and practice staff.
Note: May require as an enabler electronic messaging for direct patient communication (for example SMS) or NHS Mail. |
GP IT Futures or other applicable framework. | |
Online-consultations (patient-practice) | Enables patients to access support from health and care professionals, across a range of settings online without the need for a face to face encounter. Includes triage and consultations.
Note: This may also fulfil the above requirement for communications. |
DFOCVC framework. | |
Video consultations (patient-practice) | Enables patients to access support from health and care professionals, across a range of settings using video conferencing. Includes triage and consultations. | DFOCVC framework. |
Patient facing capabilities
These must be available to patients through accredited solutions from the GP IT Futures Framework and through the NHS App. Foundation Solution suppliers may choose to embed these capabilities in their Foundation Solution.
Additional accredited solutions to meet these capabilities may also be commissioned centrally and made available directly to practice patients or commissioned locally.
Capability | Description |
Appointments management
|
Enables patients to manage their appointments online. Supports the use of Appointment slots that have been configured in the GP appointments management system |
Prescription ordering
|
Enables patients to request medication online and to manage their preferred and nominated pharmacy. |
View record | Enables patients to view their patient record online. Includes viewing of full record, clinical and administrative documents and pathology and radiology test results by patients and patient proxy. |
Update details | Enables patients to use an online method to inform their practice of a change of address, contact details or of their demographic information, including ethnicity |
Update record | Shared record access, including patients being able to add to their record |
These capabilities are in addition to the online and video consultation and the two way secure communication capabilities described previously.
National digital services
Digital services and systems commissioned and provided nationally and available at no local cost to all NHS commissioned providers (where functionally appropriate). These are standard solutions with no element of local choice, the rationale for a national solution being based on a requirement for standardisation and consistency. Local alternatives should not be provided or used.
Responsibilities:
- NHS Digital commissions and provides a number of National Digital Services.
- CCGs will ensure availability of enablers namely infrastructure, equipment, training and deployment support for practices.
- alternatives including local solutions should not be used and should not be funded by CCGs. In particular local solutions which do not meet the same security, safety and data quality standards must not be supported.
- through the CCG Practice Agreement practices are required to comply with the supplier’s end-user terms and conditions accepted by the contract holder (for example NHS Digital).
- practices will use either as discrete systems or integrated with clinical systems as appropriate
Accredited clinical system developers will integrate with these as specified through the Digital Care Services (DCS) Catalogue.
Service | Description | Notes |
Personal Demographics Service (PDS) | The Personal Demographic Service (PDS) holds the demographic details of users of health and care services in England, including name, address and NHS number. It is used to confirm the identity of patients, link care records, support communications with patients and support management of NHS Services. | Accessed through accredited Clinical System Capabilities. |
Care Identity Service – (CIS) | CIS is a national electronic system that supports the identity verification of users, registering and issuing of NHS Smartcards and authentication when using national services such as PDS or SCR. Registration Authorities use the service to manage identities, Role-based access control (RBAC) and smartcard or other authenticator access to services. | Through NHS Spine Portal using Registration Authority issued NHS Smartcards. |
NHS Care Identity Service 2 – (CIS2) | The evolution of the Care Identity Service. It will support international standards for authentication and access (including authentication over the internet and new authenticator types). Users will be able to undertake self-service registration to aid new user onboarding journeys.
CIS2 is a national electronic system that supports the identity verification of users, registering and issuing of NHS Smartcards and other authenticators Registration Authorities use the service to manage identities, RBAC and smartcard or other authenticator access to services. |
Through NHS Spine Portal using Registration Authority issued NHS Smartcards. |
Summary Care Record
(SCR) |
An electronic record created from GP medical records. It can be seen and used by authorised staff in other areas of the health and care system involved in the patient’s direct care. There is a minimum core data set (medications, allergies and adverse reactions) but with patient consent, an enhanced SCR can now be created automatically to include additional patient data (for example significant medical history, immunisations, etc.). | Accessed through accredited Clinical System Capabilities. |
GP2GP | This service allows patient electronic health records to be transferred directly, securely, and quickly between their old and new practices when they change GPs. This improves patient care by making full and detailed medical records available to practices, for a new patient’s first and later consultations and significantly reduces the need to print records. | Accessed through accredited Clinical System Capabilities. |
Electronic Prescribing Service (EPS) | Enables the electronic transmission of prescriptions to community pharmacies. | Accessed through accredited Clinical System Capabilities. |
NHS Mail | NHS Mail is the secure email service approved by the Department of Health and Social Care for sharing patient identifiable and sensitive information. NHS Mail, messaging, and sharing can be accessed by any organisation commissioned to deliver NHS healthcare or related activities. Instant messaging and presence are part of core functionality. | Directly by individual practice staff members through the NHS Mail portal or MS Outlook configured to access NHS Mail. |
NHS E-Referral Service (e-RS) | The e-RS combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online. | Accessed through accredited Clinical System Capabilities or directly. |
Calculating Quality Reporting Service (CQRS) and GP Extraction Service (GPES) | The General Practice Extraction Service (GPES) collects information for a wide range of purposes, including providing GP payments. It works with the CQRS and GP clinical systems as part of the GP Collections service. | Accessed through accredited Clinical System Capabilities. |
Spine | The spine allows information to be stored and shared securely through national services such as the EPS, SCR and the eRS. This is done through integrated clinical system or through the spine portal.
The Spine supports high number of registered users and can handle large volume messaging rates with fast response times. |
Accessed through accredited Clinical System Capabilities. |
Message Exchange for Social and Health Care (MESH) | The service supports both clinical and business encrypted data flows in supplier applications via a central MESH server located within the Spine Core Messaging Service. | Accessed through accredited Clinical System Capabilities. |
GP Connect Products
(delivered by Direct Care APIs Programme) |
GP Connect products are a series of APIs which allow authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently. | Accessed through GP IT Futures accredited clinical system capabilities and other third-party clinical systems |
Interface Mechanism (IM1) Pairing | Pairing integration is the process that allows suppliers to integrate their system with any principal GP clinical system through an interface mechanism. | Accessed through GP IT Futures accredited clinical system capabilities and other third-party clinical systems |
NHS App | The NHS App provides a simple and secure way for people to access a range of NHS services on their smartphone or tablet including:
|
Directly by patient. If their GP practice is connected, patients can register and verify their identity. The NHS App is available to the public on Google Play and Apple app stores.
|
NHS Login | NHS login, a single, easy to use system for verifying the identity of people who request access to digital health records and services including NHS App. | Directly by patient. Most people aged 16 or over will be able to verify their identity and register through NHS login. |
Data Security and Protection Toolkit (DSPT) | The DSPT is an online self-assessment tool that all organisations must use if they have access to NHS patient data and systems. It replaced the previous Information Governance (IG) toolkit. An online self-assessment tool that enables practices to measure and publish their performance against the National Data Guardian’s (NDG) ten data security standards. | Directly by individual practices. |
Data Security Awareness Training | The topics covered are:
|
Directly online by individual practice staff members through e-learning for healthcare. |
GP IT enabling requirements
Digital technologies and services necessary to support (i.e. enable the use of) National Digital Services, Foundation Solutions and other solutions selected to meet the Essential Clinical System Capabilities as needed to deliver the primary care services under the GP Contract or as otherwise nationally mandated. Under the CCG Practice Agreement these are funded by NHS for eligible contractors.
Unless funded nationally, meeting these enabling requirements will be the first call on GP IT revenue funding within CCG primary care allocations, or for IT equipment and infrastructure assets on GP IT Capital funds. The scope of the enabling requirements required is determined by the solutions selected to meet the Essential Clinical System Capabilities and the National Digital Services.
Locally commissioned enabling requirements will be extended to include the support necessary to enable those Enhanced Requirements commissioned.
As commissioner the CCG is responsible for selecting these enabling requirements but is expected to work with local practices in doing this.
Accredited solutions are not contractually mandated but compliance with any standards attributed to the capability in this document should be considered essential. The use of an applicable national framework with underpinning standards such as Health Services Support Framework (HSSF) (see Appendix C) will assist CCGs in that compliance.
Effective commissioning of GP IT
Requirement | The commissioning of GP IT services by the CCG to meet GP IT Enabling Requirements. This is an internal CCG function, although CCGs may share or collaborate on this work. | |
Specialist Support Services | The CCG Practice Agreement:
GP IT commissioned (enabling) services:
CCGs will have a budgeted plan for annual investment meeting the Core and Mandated Requirements and the Enhanced Requirements for GP IT – this should include GP IT enabling services, infrastructure and equipment. |
|
Practice Responsibilities | To sign and comply with the CCG Practice Agreement | |
Applicable Standards | Where GP IT services are commissioned and contracted, there will be:
The use of a suitable framework with underpinning standards such as Health Services Support Framework (HSSF) (see Appendix C) is recommended. As required under the CCG Practice Agreement:
|
|
Applicable Guidance | CCGs are advised to use the GP IT Specification Commissioning Support Pack in the procurement of GP IT services and in the ongoing review of GP IT services with current GP IT Delivery Partners. | |
Other Controls | Where CCGs choose to provide some or all of these GP IT Enabling Requirements internally, whether solely, as a CCG consortium or as a local shared service, CCGs must enable sufficient arrangements and safeguards to ensure the services provided meet the range and standards described in this Operating Model. | |
Assurance | DPCMAT: IND20.0, IND21.1, IND24.0, IND150.1, IND150.2, IND155.0, IND157.0, IND174.1 |
GP IT support service desk
Requirement | GP IT support service desk for all users which provides:
|
|
Transactional Services | Service availability: Operational support hours
An ITIL aligned or equivalent, management process for:
Access channels – there must be at least TWO of the following access routes available:
It must be possible to log a call using at least one of these methods 24 hours a day, 7 days a week. Practices must be able to track the progress of logged calls/requests/incidents through any of these routes. To improve efficiency and responsiveness the service should include remote access in a secure manner subject to end user consent to desktop PCs for diagnostic and resolution purposes, including the management of remote working solutions. The service must have clear and agreed priority incident categories, with minimum response and target fix times to ensure the safe and effective operation of GP digital services.
Availability: High severity incident support Access must be available for out of hours High Severity Incident alerting, logging and escalation in accordance with the approved business continuity and disaster recovery plans. This may not operate in the same way as support during operational service hours and response will be appropriate to the impact of the incident and the GP IT Delivery Partner’s Business Continuity and Disaster Recovery Plans. |
|
Specialist support services | Service availability: Standard service hours
|
|
Applicable standards |
|
|
Applicable guidance |
|
|
Assurance | DPCMAT: IND28.0, IND26.0, IND90.1 |
GP IT equipment asset management
Requirement
|
The asset management and disposal of all NHS owned GP IT equipment. | |
Out of Scope | GP IT equipment not NHS owned. | |
Transactional Support Services | Availability: Standard Service Hours
All NHS Owned GP IT equipment:
|
|
Specialist Support Services | All disposal must be carried out by authorised contracted specialist IT hardware disposal organisations (meeting standards listed below).
Develop and maintain a local IT equipment reuse and disposal policy. |
|
Systems and applications | Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS owned GP IT equipment. | |
Practice Responsibilities | To provide consumables for example for printers and other operating requirements to any standard specified in the local Warranted Environment Specification or as otherwise specified by the manufacturer of the equipment.
NHS owned GP IT equipment does not require to be individually insured under practice policies (content insurance) however the practice should take reasonable steps to ensure the physical security of the equipment, protecting against loss, theft or damage. To ensure environmental requirements are met for example air-conditioning, fire suppression and power supply for NHS owned IT equipment on practice premises Practices are responsible for the secure disposal of any practice owned IT equipment. Practices are advised to seek specialist advice (from commissioned GP IT Delivery Partner) on secure disposal of such IT equipment. CCGs may at their discretion offer practices the use of their commissioned GP IT Equipment disposal services. |
|
Applicable Standards |
|
|
Other Controls | ||
Assurance | DPCMAT: IND36.0, IND38.0 |
Software licence management
Requirement | All software and operating systems installed and operated on managed GP IT equipment will be licensed and managed. | |
Transactional Support Services | Availability: Standard Service Hours:
|
|
Specialist Support Services | Availability: Standard Service Hours
|
|
Systems and applications | All software (including operating systems) used on Managed GP IT Infrastructure must be approved and recorded on a software licence register which must confirm that the software is appropriately and legally licenced for such use and does not present a cyber security risk.
Supported operating system and browser compliant with the local WES. Specific software requirements:
Microsoft Office will be provided on NHS owned devices through Microsoft Office 365 for the NHS licences until 31 March 2023. CCGs should make plans for office functionality after this date. NHS funded applications and software licences are provided for use on Managed GP IT Devices. Their use on other devices, including personal devices, must be approved by the CCG, or their commissioned GP IT Delivery Partner on the CCG behalf. Particular attention should be given to ensuring (i) patient identifiable data does not become accessible from unmanaged and potentially insecure IT infrastructure (ii) the end user conditions of use for the licence and/or application are complied with. |
|
Applicable Standards | NDG standard 8 | |
Applicable Guidance | Respond to an NHS cyber alert service (formerly Care CERT) | |
Assurance | DPCMAT: IND37.1 | |
Timescales | Participating CCGs must fully implement all elements of Microsoft Office 365 for the NHS licencing for general practices by no later than 13 October 2021 in accordance with the Microsoft Office 365 for the NHS Participation Agreement. The agreement will then run until 30 April 2023.
CCGs should start planning for the impact on Office application use in practices after 30 April 2023 when the current NHS participation Agreement ends. These plans should reflect NHS policy and guidance as it becomes available. |
Registration Authority
Requirement | A Registration Authority is a function, usually within an NHS organisation, that carries out the identity checks of prospective NHS Smartcard users and assigns an appropriate access profile to the health professional’s role as approved by the employing organisation.
NHS Smartcards or other approved authenticators are required to access NHS Spine information systems and registration authorities’ roles and responsibilities are defined by NHS policy. Where new authenticators are reviewed and approved the Registration Authority function will continue to support issuance of approved alternatives. Given the standards basis of these authenticators it is likely that they will place a greater emphasis on the user behaviour when using the authenticator, ie users will need to closely manage how they use their authenticator and log out of sessions when leaving a PC unattended. Ensure general practices are aware of their obligations under the Care Record Guarantee to protect patient data, and not leave sessions unattended. |
Transactional Support Services
|
Availability: Operational Support Hours:
Availability: Standard Service Hours:
|
Specialist Support Services | Availability: Standard Service Hours:
|
Systems and applications | Identity Agent. CIS. CIS2. |
Practice Responsibilities |
|
Applicable Standards |
|
Applicable Guidance |
NHS Mail administration and support
Requirement | The local administration of NHS Mail accounts. NHS Mail is provided to all practices as a National Digital Service. |
Out of Scope | National NHS Mail Service Desk. Support for email solutions other than NHS Mail. |
Transactional Support Services | Availability – Standard Service Hours:
|
Specialist Support Services | Availability – Standard Service Hours:
|
Practice Responsibilities | NHS Mail is the primary email system for practices.
Practices are responsible for authorising creation and removal of NHS mail accounts belonging to their practice organisation within NHS Mail. Practices are responsible for ensuring the security of any data held in practice staff NHS Mail accounts under the practice organisation, and for the correct removal or archiving of such data when any practice staff member leaves the practice. Practices will have at least one securely managed and frequently monitored (at least once daily) NHS Mail account to receive clinical documentation. Practices should ensure practice staff follow NHS Mail Acceptable use Policy and advice on cyber security in their use of NHS Mail e.g. phishing, spam etc. Practices must ensue personal, sensitive or confidential information is never sent by NHS Mail unless it is sent to another NHS Mail account or an email account with the same security accreditation standards OR as an encrypted email if sent to a non-secure email address. Where NHS Mail is used as part of two way written communications with patients encryption must be used. |
Applicable Standards | |
Applicable Guidance |
Essential infrastructure
Requirement | The provision, maintenance and technical support of the necessary infrastructure to deliver core and mandated GP IT services |
Out of Scope | HSCN-GP
WiFi-GP |
Transactional Support Services | Availability -Operational Support Hours:
|
Infrastructure | Availability – Standard Service Hours
Provision, maintenance and technical support of the necessary infrastructure to deliver core and mandated GP IT capabilities, to include:
|
Practice Responsibilities | See General Practice Business Requirements.
Appropriate use of the infrastructure in compliance with the CCG Practice Agreement. |
Applicable Standards |
|
Applicable Guidance | |
Other Controls |
|
Assurance | DPCMAT: IND39.2 |
HSCN-GP
Requirement | All practice premises are required to have appropriately sized HSCN connectivity capable of supporting their current and future business needs. Further information on connectivity types can be found on the NHS Digital website.
|
Out of Scope | Encryption and protection of patient and sensitive data at the application layer
Local network infrastructure |
Transactional Support Services | Availability: Operational Support Hours
|
Specialist Support Services | Availability: Standard Service Hours
|
Infrastructure |
|
Systems and applications |
|
Practice Responsibilities | Ensure their practice is covered by an HSCN Connection Agreement signed on their behalf by the appropriate CCG. |
Applicable Standards |
|
Applicable Guidance | |
Other Controls |
|
Service Availability | 99.95% minimum availability (as per ISO 27001) |
Assurance | Suppliers of HSCN services (Consumer Network Service Providers, CN-SP) are assured and accredited by NHS Digital as being compliant with HSCN standards.
The CN-SP has to demonstrate that the network solution provided to the consumer is correctly configured and allows the appropriate routing and to the agreed HSCN end points and supplies the agreed capacity to the HSCN Consumer. It is important that access to any national and local applications used by a site are identified and tested as part of migration. |
Desktop infrastructure
Requirement | A desktop device support service, which includes provision and maintenance of the Managed GP IT Device estate.
All practice staff, who require access to digital capabilities to carry out their role, will have access to a desktop or laptop computer at locations within the practice premises where they work with access to the Foundation Solutions Where practice staff access desktop computers and laptops in patient facing environments they will, as operationally required, have access to local and networked printing facilities within the practice premises. |
|
Transactional Support Services | Availability – Operational Service Hours:
|
|
Specialist Support Services | Availability – Standard Service Hours:
|
|
Infrastructure |
|
|
Systems and applications |
|
|
Practice Responsibilities |
|
|
Applicable Standards | ||
Applicable Guidance |
|
|
Assurance | DPCMAT: IND14.0, IND15.0, IND34.0, IND58.0 |
WiFi-GP
Requirement | Secure, stable, and reliable WiFi access for practice staff and patients in all supported practice premises.
WiFi-GP services is an overlay service which enables patients to access online services, including the internet (subject to filtration), free of charge within practice premises. Practice staff, together with other clinicians, can access the local NHS network. There is a capability for supporting roaming. |
|
Out of Scope | Any end user or patient chargeable services arising from the use of the service. | |
Transactional Support Services | Availability – Operational Service Hours:
|
|
Specialist Support Services | Availability – Standard Service Hours:
|
|
Infrastructure | Appropriate WiFi-GP services for practices ensuring:
There is compliance with NHS data security and protection requirements, including appropriate content filtering. |
|
Systems and applications |
|
|
Applicable Standards |
|
|
Applicable Guidance | ||
Other Controls |
|
|
Assurance | DPCMAT: IND171.0 |
Remote access
Requirement | Practice staff have secure access outside the practice premises to the Foundation Solution and other Essential Clinical System Capabilities as necessary to support clinical consultations and access to other core digital services for example email. This includes any necessary mobile and remote access IT infrastructure. The options for remote access are described below.
To support resilience and business continuity requirements the service(s) provided should be available to support at least 60% of normal operational capacity working remotely |
||
Out of Scope |
|
||
Transactional Support Services | Availability: Operational Service Hours
Provision, maintenance and technical support of the necessary technology and supporting infrastructure to deliver remote access to the clinical system for consultation purposes. Where Managed GP IT Devices are provided:
|
||
Infrastructure | Availability -Standard Service Hours
The Remote Access solution will be provided either of the following options, or a combination of both: Option 1 A Managed GP IT Device (for example laptop or desktop or other endpoint) with all software necessary for the role (as native application or in a Virtual Desktop Infrastructure (VDI) service) together with a means of secure VPN access and a smartcard reader. Where Managed GP IT Devices are provided
Refresh Programme (for Managed GP IT Devices)
Option 2 Using staff personal devices (also known as “Bring Your Own Device” – BYOD) Where personal devices/BYOD are used
Remote access solutions must not be used which bypass or otherwise reduce the effectiveness of the security measures provided within the Digital Care Services (DCS) Catalogue Solutions, the National Digital Services and the Managed GP IT Infrastructure (including authentication using NHS Smartcard or any approved alternative/replacement). Specifically, the following remote access solutions should not be provided or supported: Use of a personal device (laptop or desktop) accessing clinical systems using either:
or;
|
||
Systems and applications | Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure. | ||
Practice Responsibilities |
|
||
Applicable Standards |
|
||
Applicable Guidance | Recommendation: The local SLA is based upon an agreed mobile estate volume and/or number of remote access users. | ||
Assurance | DPCMAT: IND33.4, IND33.5, IND33.6, IND33.7, IND33.8, IND33.9 |
Electronic messaging for direct patient communication
Requirement | Electronic messaging (SMS or equivalent) for direct patient communication.
The ability for practices to communicate short messages to patients for example:
Can support two-way secure electronic written (text) communication between patients and practices |
|
Out of Scope | The use of electronic messaging for requirements other than above e.g. local surveys, is discretionary. | |
Transactional Support Services | Vendor via local helpdesk. | |
Systems and applications | Provision of electronic messaging functionality ie SMS messaging or equivalent, for direct individual patient communication, to be utilised for clinical and associated administrative purposes. | |
Specialist Support Services | Support for practices (through the IG and DPO service) for the preparation of DPIAs where required (see below) for electronic messaging. This may be provided as a shared activity across multiple practices. | |
Practice Responsibilities | Where electronic messaging is used to support the processing of Special Category (Sensitive) Data including two-way communications between patients and the practice a DPIA should be completed and regularly reviewed. | |
Other Controls |
|
|
Assurance | DPCMAT: IND9.1 |
Controlled Digital Environment
Requirement | The effective and secure management of the GP IT estate and GP digital services requires that there is an accurate and contemporaneous record of the digital environment and that the desktop estate can be updated and monitored centrally. |
Out of Scope | Practice Owned GP IT Equipment and Practice Managed GP IT Equipment which is not connected to the Managed GP IT Infrastructure e.g. photocopier, practice provided telephony system.
Personal devices. |
Transactional Support Services | Availability: Operational Service Hours
|
Specialist Support Services | Availability: Standard Service Hours
The CCG will ensure there is an accurate and contemporaneous record of the following:
All Managed GP IT Devices will be recorded individually on an electronic database. This will include a unique asset / serial number, location, date installed, planned replacement date. Low value accessory items (e.g. keyboard, mice etc) should be excluded. Where appropriate items can be aggregated for example mouse, keyboard, monitor to a single recordable asset. All IT equipment with data storage must be included. Managed GP IT Devices using Windows 10 operating system (see Desktop Infrastructure) will be managed through the Windows Managed Service which must include Advanced Threat Protection (ATP) installed, operational and attributed to the responsible organisation (CCG).. |
Applicable Guidance | Where centralised technologies are deployed assurances should be sought to ensure that the security, performance and resilience of GP Foundation Solutions, other DCS Catalogue solutions and National Digital Services are not compromised. |
Cyber Security
Requirement | Cyber security management and oversight, including configuration support, audit, investigation, incident management and routine monitoring, relevant to the services and Managed GP IT Infrastructure:
|
Out of Scope | Disaster Recovery and Business Continuity Plans for National Digital Services and for Digital Care Services (DCS) Catalogue Solutions will be managed nationally, although these should be referenced as third party services in plans produced under this requirement. |
Transactional Support Services | Availability – High Severity Incident Support:
|
Specialist Support Services | Availability: Standard Service Hours
Infrastructure A Cyber Security service will be available to all practices encompassing all Managed GP IT Infrastructure and systems to ensure:
Monitoring through Active Directory to identify dormant accounts for practice staff and operate a process to archive and disable these. Provide practices with a facility to notify the GP IT Delivery Partner when practice staff leave the practice organisation or no longer require IT access, and ensure access is removed within the performance standards for user account management (NDG Standard 4). CCGs must ensure there are appropriate governance arrangements for example policies, audits etc to provide assurance on the following:
Business continuity and Disaster Recovery Plans:
Practice Business Continuity Plans:
Cyber alert notifications CCGs must ensure:
Note: Action might include understanding that an alert is not relevant to your organisation’s systems and confirming that this is the case. On-Site Assessments CCGs will ensure the commissioned GP IT Delivery Partner(s) co-operate with any on-site data and cyber security assessment carried out under NHS Digital’s Data Security Assessment programme, or provide evidence of equivalent assessments or certification to a cyber security scheme approved within the Operating Model. Organisational Awareness:
Supporting Projects: Advice for practices and the appointed project teams on cyber security considerations where projects involve
|
Infrastructure |
|
Systems and applications |
|
Practice Responsibilities |
|
Applicable Standards |
|
Other Controls | |
Applicable Guidance |
|
Assurance | DPCMAT: IND2.0, IND181.0, IND182.0, IND183.1, IND176.0 |
Information Governance Support
Requirement | Information governance support, guidance and advice to support practice compliance with common-law duty of confidence, records management, information security, Data Security and Protection Toolkit (DSPT), Data Protection Act 2018, GDPR and Caldicott standards and to ensure all devices and systems are managed and used in a secure and confidential way. |
Out of Scope | Legal advice |
Transactional Support Services | Availability: Standard Service Hours
Data Breaches A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. Any data breach (or near miss) of practice patient personal information will require actions by one or more of the following:
CCGs will ensure practices are supported with:
CCGs will require commissioned GP IT Delivery Partners as data processors:
|
Specialist Support Services | Availability: Standard Service Hours
IG policy support Support for the production and maintenance of local information governance policies and procedures for practices. Provision of advice and support to practices on approval, ratification and adoption of the policies for their organisation. Support for Data Security and Protection Toolkit (DSPT) compliance Provide advice and guidance to practices on how to complete the DSPT, including the collection and collation of evidence in support of DSPT submissions. Provide practices with evidence required for DSPT where this is held by the CCG or its commissioned GP IT Delivery Partner(s). IG consultancy and support Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives. Advice and guidance on personal data access (but not extending to legal advice). IG advice and Data Protection Officer (DPO) Support Provision of advice, guidance and support on IG related issues including existing operational processes and procedures or new business initiatives to support practice designated Data Protection Officers including existing operational processes and procedures or new business initiatives. To include:
DPO Function Availability of a named DPO, in addition to DPO support and advice for practices to designate as their Data Protection Officer. Practices may choose to make their own DPO arrangements, but CCGs are not expected to fund these if a DPO service has been offered by the CCG. Reviews
Supporting Projects Advice for practices and the appointed project teams on IG/DSP, data sharing, Data Protection Impact Assessment (DPIA) completion and cyber security considerations where projects involve:
This is not an exclusive list. Specialist support for projects beyond general advice for example preparing Data Privacy Impact Assessments should be resourced as part of the project plan. Data Processing Activities Data processing activities using general practice controlled personal data carried out by local CCG commissioned data processors will be identified and recorded in a data processing agreement in accordance with the digital services acquired and will be regularly reviewed. Supporting local procurement
|
Practice responsibilities | Individual practices as contractors are responsible for:
Individual practices are responsible for sourcing any legal advice required to support these activities. |
Applicable Standards |
|
Applicable Guidance | |
Other Controls | |
Assurance | DPCMAT: IND158.0 |
Clinical Safety Assurance
Requirement | Clinical safety assurance advice and support |
Out of Scope | The responsibility and burden of effort for Clinical Safety Assessment and assurance under DCB0129 rests with the system developer. This includes any third party software incorporated into the system. The requirement for this service is to secure assurance from system suppliers that this has been met during procurement or contract review stages. |
Specialist Support Services | Availability – Standard Service Hours
Ensuring that the necessary standards are met for management of clinical risk in relation to the deployment and use of health software. Advice and Supporting Assurance Advise CCG and practices on compliance with:
Incident Management Support and advice for practices in the identification, reporting and responding to patient safety incidents (information system related) within practices. Supporting Projects Advice for practices and the appointed project teams on Clinical Safety (DCB0160) where projects involve:
This is not an exclusive list. Support for projects beyond general advice for example preparing Clinical Risk Management Plan, Clinical Safety Case Records and Hazard Reports and supporting procurement activities should be resourced as part of the project plan. Supporting Local Procurement The use of the Digital Technology Assurance Criteria (DTAC) may be helpful in local procurement activities |
Practice Responsibilities | Practices must report patient safety incidents in line with national guidance using the General Practice Patient Safety Incident Report Form provided by NHS Improvement.
Practices as independent contractors are responsible for sourcing any legal advice they may require supporting any of these activities. |
Applicable Standards |
|
Applicable Guidance | Introductory guide to the new MDR and IVDR (MHRA) |
Assurance | DPCMAT: IND11.0 |
Digital Services Procurement Support
Requirement | Supporting CCGs and practices with specialist procurement and technical advice on procuring services described in the Operating Model, including advice on the procurement of capabilities through the Digital Care Services (DCS) Catalogue. |
Out of Scope | Funding for the digital solution being procured and support for its deployment and implementation is not part of the procurement support service as this is an internal CCG (or general practice) responsibility. |
Specialist Support Services | Availability -Standard Service Hours
General Digital Procurement Support: • provide strategic procurement advice, recommending collaboration and standard specifications to optimise efficiency and support costs • advice and assistance in the development of outputs based specifications to support GP digital procurement projects • advice on procurement of GP IT enabling services using national frameworks as appropriate • advice on applicable standards and accreditations for procurement • ensure the obligations on the data processor to the individual practice(s) as data controller are reflected in the contract, in particular regarding reporting data breaches and near misses o accessing where applicable, the National Commercial and Procurement Hub to support CCG procurement • CCGs must ensure that any procurement activity in support of GP IT, when delegated to GP IT Delivery Partner(s), does not create conflicts of interest or potential procurement challenge. DCS Catalogue procurement support: • supporting mini-competition work for the procurement by CCGs from the DCS Catalogue • meeting practice capabilities within nominated CCG funding allocations whilst ensuring excellent value for money
Non-DCS Catalogue procurement support: • support Practices and CCGs purchasing non-DCS Catalogue clinical systems and digital technologies which include hosting patient identifiable information secure assurance against the standards below including the Digital Technology Assurance Criteria (DTAC) • Utilise as appropriate the Procurement Checklist provided in the document |
Other Controls | Procurement legislation. |
Applicable Standards | • NHS England Financial Guidance |
Applicable Guidance | • Digital Technology Assurance Criteria (DTAC) |
Digital Services Contract Support
Requirement | Facilitating CCG GP IT delivery with support for contract and supplier management and technical support.
Solutions procured through Digital Care Services (DCS) Catalogue Frameworks or directly by the CCG for use by its practices. As end users of services practices are required to comply with any end user terms and conditions of use but wherever the contract is held by the CCG or NHS Digital a support service is required to manage local technical and contractual issues on behalf of the practice with the supplier. |
Out of Scope | Support for contracts for practice business support systems
Support for contracts held by parties other than CCG or NHS Digital. Support for contracts directly held by the practice. Payments and invoice processing for the contracted digital solutions is not part of the contract support service as this is an internal CCG (or general practice) responsibility. |
Specialist Support Services | Availability – Standard Service Hours:
|
GP Estate Strategy
Requirement | Provision of advice and guidance to support the development of GP estate relevant to the provision of GP IT services and systems. |
Out of Scope | Funding and resourcing support for new estates developments should be provided through the relevant business case for that development. |
Specialist Support Services | Availability: Standard Service Hours
|
Practice Responsibilities | Practices should engage with CCGs at an early stage of planning any premises development or expansion which will impact on GP IT provision. |
Clinical Systems Training and Optimisation
Requirement | Training service for practice staff to support the safe and effective use and optimisation of clinical systems. | |
Out of Scope | Training in generic basic IT skills, business administration systems and office systems. | |
Specialist Support Services | Availability: Standard Service Hours
The service should include training for:
And will include training requirements arising from:
The CCG shall review the practice training plan and may request changes to the plan in line with local priorities and plans for the deployment of services. The CCG shall confirm its agreement to the training plan, amended as agreed by the parties. Training will be provided for practice staff in line with each agreed practice training plan. All end users in practices are trained in the use of the Foundation Solutions and that this is delivered in line with the GP IT Futures training standard. System Optimisation: Support practice optimisation of GP IT Futures Foundation Solutions, Digital Care Services (DCS) Catalogue solutions and National Digital Services, by providing support, guidance and advice, including user group facilitation to enable sharing of best practice. Training delivery should reflect:
|
|
Practice Responsibilities | Practices shall carry out a training needs analysis that identifies the practice staff that require training in the use of the core and mandated capabilities provided to the practice.
Practices shall ensure that new starters receive adequate training, either using the services provided under this requirement or at practice cost through another source, before they use the core and mandated capabilities provided to the practice. Using the output from the training needs analysis, practices shall prepare a training plan for the Practice which identifies the practice staff to be trained and the training to be provided by the CCG within a six months period or as agreed by both parties. Practices shall make their staff available for training in line with any timetable agreed with the CCG or its Supplier(s). Practices shall be responsible for the costs of making staff available for such training including backfill costs and travel costs. Practices shall maintain an up-to-date record of practice staff training. Practices can request and agree amendments to the training plan in line with new developments and the changing requirements of the CCG and the practice. Practices shall ensure that all end users are trained to a minimum entry level standard as per the NHS IT Skills Pathway including use of relevant operating systems and office productivity software. Training in generic basic IT skills, business administration systems and office systems is the responsibility of the practice. |
|
Applicable Standards | NHS IT Skills Pathway
GP IT Futures Framework Training Standard |
|
Applicable Guidance | Recommendation: The local SLA should quantify training resources based on either the number of practice staff or the number of practices (weighted by population where appropriate). | |
Assurance | DPCMAT: IND7.0 |
Data Quality Support
Requirement | Data quality training, advice and guidance. | |
Specialist support services | Availability -Standard Service Hours.
Comprehensive data quality advice and guidance service is available to all practices, including training in data quality, clinical coding and information management skills. Development and delivery of a practice data quality improvement plan, where necessary and supporting practice DSPT submission (data quality assertions). This may be carried out at individual or practice group level as appropriate. The service should include advice and guidance for:
|
|
Practice responsibilities | Individual practices are responsible for the quality of their patient records and the application and use of clinical terminology. | |
Applicable standards | SNOMED CT in General Practice / Standards Change Notice SCCI0034 Amd 35/2016
Data Security and Protection Toolkit (DSPT) (data quality assertions) |
|
Assurance | DPCMAT: IND30.0 |
Project and change management
Requirement | GP IT services include formal P3M (Project, Programme and Portfolio Management) methodologies which are recognised and used in the deployment of GP IT Futures Foundation Solutions, local implementation of national solutions and major GP IT infrastructure changes or upgrades. | |
Specialist support services | Availability: standard service hours
The CCG will ensure skilled project and programme management resources are available, to deliver the planned programme of work, both nationally and locally driven. This may be provisioned within current SLA support arrangements, or could be procured on an ‘as required’ basis. The service should include:
Technical and specialist expertise should also be available through the relevant requirement to support projects. Supporting significant deployments and developments through end to end project management of DCS Catalogue Solutions including:
This is not an exclusive list. |
|
Applicable standards | GP IT Futures Data Migration Standard.
GP IT Futures Training Standard. GP IT Delivery Partner staff should be appropriately trained and qualified to recognised industry standards such as APMG (equivalent level recognised industry standards) in:
|
|
Assurance | DPCMAT: IND32.0 |
Local digital strategy
Requirement | Strong local leadership to develop and deliver a local digital strategy and digital roadmap, including GP IT.
The CCGs should:
|
Specialist support services | This is a direct CCGs responsibility.
CCGs may wish to commission specialist skills and resources to assist in developing their digital strategy. |
Assurance | DPCMAT: IND12.0, IND153.0 |
National digital services implementation
Requirement | Local promotion, deployment/implementation and support of National Digital Services, including SCR, EPS2, e-RS, GP (Patient) Online and GP2GP services. |
Specialist support services | Availability – standard service hours:
|
Enhanced requirements
These are GP digital requirements which are agreed locally to support local strategic initiatives and commissioning strategies to improve service delivery. They should support the ICS and CCG local digital strategy and where possible, strategic rather than tactical solutions should be developed.
Enhanced Requirements include:
- Productive Digital Capabilities –digital technologies, systems and support services which enable and improve efficiency and effectiveness of practice contracted services including primary care at scale.
- Transformational Digital Capabilities -digital technologies, systems and support services which enable transformed care, often extending beyond the practice and its core GP Contract function. These may enable new models of care, service integration, wider GP functions, and models.
Where the practice is represented within an ICS, any decision to commission enhanced transformational requirements remains the responsibility of the CCG who has delegated responsibility for GP IT but would also be expected as local commissioner to work closely with the ICS.
CCGs may use local GP IT funds, subject to CCG Standing Financial Instructions (SFIs) and any other financial restrictions, and with the agreement of local practices to support to support community wide transformation digital initiatives which involve GP IT. GP IT funds should not be considered the sole source of funding in such cases and must not be at the expense of providing the Core and Mandated Requirements to practices.
- Additional GP Contract digital capabilities – required to deliver those elements of a GP Contract additional to providing Essential Services, for example a PMS or APMS contractor providing walk in services, minor injuries, GP out of hours etc.
- GP IT Enabling Requirements – any extension of the core and mandated GP IT Enabling Requirements necessary to support and enable those Enhanced Requirements commissioned locally.
Accredited solutions are not contractually mandated but compliance with any standards attributed to the capability in this document should be considered essential. CCGs are strongly advised to use the Digital Care Services (DCS) Catalogue, Health Services Support Framework (HSSF) or other applicable frameworks listed in Appendix C offering accredited solutions.
If GP IT Futures notional CCG funds are used then the solutions can only be sourced through the GP IT Futures Framework.
Provision of Enhanced Requirements through commissioner GP IT funding is secondary to funding Core and Mandated Requirements, but they should not be seen as less important as they underpin service improvement transformation in the locality. Compliance with CCG SFIs will require demonstration of value for money and product quality and safety.
As commissioner the CCG is responsible for selecting the solutions and services to meet Enhanced Requirements, but in doing so the CCG should collaborate with local practices.
Where Enhanced Capabilities are required which cannot be procured as an accredited solution local procurement or other frameworks may be used but solutions must still meet any standards attributed to the capability as defined in this Operating Model. The application of the procurement checklist in Appendix G and the Digital Technology Assessment Criteria (DTAC) will support this.
Listed below are some examples of enhanced capabilities which at local discretion may be provided.
Capability | Description |
Additional Patient Management Capabilities | Additional capabilities for patient management as available through Digital Care Services (DCS) catalogue and Health Services Support Framework (HSSF). |
Patient Facing Digital Services (local)
|
Locally commissioned patient facing digital services, where these capabilities are not provided through the NHS App, the DCS Catalogue or HSSF
Applicable Standards
|
GP Hubs and GP Collaborative enablement
|
Digital enablers required to support GP collaborative and at scale operations including, but not restricted to:
Tracking DPCMAT: IND 57.1, IND 57.2, IND 57.4, IND57.5 |
Practice Efficiency and Service Quality Enablers |
Tracking DPCMAT: IND46.1, IND46.2, IND46.3, IND48.2, IND48.3, IND48.4 |
Additional GP contract digital capabilities | Additional digital requirements needed to support those elements of a GP Contract additional to providing Essential Services – including but not limited to:
|
CQRS support | CQRS training, advice and guidance for practices.
Note: CQRS provides support for calculating approximately 12-14% of General Practice incentive-based payments (for example QOF). The service is business critical to general practice and to NHS England, as one of the primary mechanisms in place to support the GP Contract and to ensure that NHS England can meet its legal obligation to pay general practices. Calculating Quality Reporting Service (CQRS) advice and guidance service is available to all general practices, to include review, report management and remedial action planning, particularly around exception reporting, to ensure appropriate data quality within GP sites to enable effective Quality and Outcomes (QOF) reporting CQRS uses an Internet based payment calculation system: Management and support for provision payment calculation system services, supporting QOF and Enhanced Service payments. |
GP data quality accreditation service
|
A structured data quality accreditation programme is available for practices to ensure continuous review and improvement.
Formal data accreditation support programme that includes:
|
BYOD | Provision for practice staff to use their personally owned devices for work related purposes (also known as Bring Your Own Device – BYOD)
Because personal devices are not part of the Managed GP IT Infrastructure, they are assumed to be insecure. Where this service is offered the standards and requirements described under the Remote Access capability above will apply. |
Enhanced infrastructure | Infrastructure requirements which enable enhanced digital capabilities, or which support a more efficient, effective or secure means of GP IT provision in the locality.
Networking Services:
N.B. The cost of COINs which are cross care settings should be shared with those care settings. Local network services, including equipment, cabling and local COIN. Enhanced or alternative architectures including (but not limited to):
Applicable guidance: Where centralised infrastructure (for example but not limited to network infrastructure and virtual desktop infrastructure) is deployed particular attention should be given such that the security, end user performance and resilience of Digital Care Services (DCS) Catalogue solutions and National Digital Services is not compromised. |
Advanced telephony | An advanced cloud based Voice over Internet Protocol (VoIP) telephony solution offered to practices as a managed service (for example part of a community wide initiative). The solution will:
Individual practices remain responsible for telephony recurring operating costs, capital and revenue consequences including pro rata costs of shared/managed systems. Where possible HSCN connections to practice premises should be utilised to support the advanced telephony solution. See HSCN Requirement. The practice may choose, at their expense, to install and use a dedicated broadband connection in preference to HSCN. The capabilities required and applicable standards are described in the specification included in Appendix E. Tracking DPCMAT: IND193.0, IND193.1, IND193.2, IND193.3, IND193.4 |
General Practice business requirements
Digital systems, technologies and services necessary to run the internal practice business and organisational governance namely:
- general practice business support systems
- general practice legal and regulatory obligations
- general practice websites
- dispensing Practices
- general Practice Operating Costs
- general Practice Buildings and Estate
Notes:
- Although out of scope for commissioning and provision responsibilities these may be indirectly linked through the use of common infrastructure, standards, assurance, interoperability and security. In such cases practices are required to comply with any relevant technical and security standards.
- The infrastructure and general support required to operate these services (namely desktops, printers, network connectivity) can at the discretion of the CCG be funded and provided through “enhanced GP IT Enabling Requirements” where this allows the practice to operate more efficiently.
- Where there are elements of the requirements described below which are not solely a practice responsibility these are descried as “Exemptions”
The ‘Global Sum’ within the GP Contract makes provision for practice expenses including practice staff costs and general running costs of the practice (stationery, telephone, heating and lighting, repairs and maintenance).
CCGs have an obligation to ensure services already NHS funded, directly or indirectly, are not also funded as an enhanced GP IT service. Any changes to existing funded arrangements should be discussed with the practices and transition arrangements agreed.
Where there is a demonstrable benefit in incorporating elements of GP business support services for example advanced telephony as part of broader efficiency release and improved patient care initiatives, GP contributions are to be considered as part of local funding provision/business case arrangements. These services should routinely be assumed to be out of scope, unless local business cases can demonstrate patient benefit, in which case, when considering funding any of these services, CCGs should take account of whether this service is already funded via alternative routes for example global sum GP Contract.
General practice business support systems
Requirement | Systems and services which a practice may utilise for business purposes enabling the non-clinical business functions to operate and support the practice as a business organisation. GP IT funds must not be spent purchasing or supporting Systems not directly related to patient care.
N.B. The ‘Global Sum’ within the GP Contract makes provision for practice expenses including practice staff costs and general running costs of the practice (stationery, telephone, heating and lighting, repairs and maintenance). Practice estate infrastructure. |
Exemption | Where practices commission, procure and contract manage digital services directly they should have access to specialist advice and support where such services and systems will interface with NHS provided systems or operate on Managed GP IT Infrastructure. Although practices procuring business support systems are responsible for resourcing and managing their own procurement and any ongoing contract management they may seek advice where NHS systems or infrastructure may be integrated or impacted.
NHS owned equipment should be insured against loss or theft by the owners of the equipment. |
Services | Production of practice staff ID cards for new employees and changes to existing employees (name, role etc.).
Practice Intranet – hosting, maintenance and development. Insurance against loss or damage of practice owned IT equipment. Insurance against consequential losses, harm or damage arising from the failure of digital systems or equipment used by the practice to deliver their contractual obligations. With evolving primary care delivery models, local service/support arrangements may develop that incorporate aspects of service provision that would traditionally have been considered GP business support functions to be directly funded by the practice under GP Contract arrangements. Equipment which only supports the practice as a business for example photocopiers. (note faxes must not be used by practices for the processing/communication of patient identifiable information). The infrastructure and general support required to operate these services (namely desktops, printers, network connectivity) can at the discretion of the CCG be funded and provided as “enhanced” services where this allows the practice to operate more efficiently subject to practice compliance with any local technical and security policies and change control procedures. Systems that only support the practice as a business for example. Payroll, HR systems, billing systems and associated hardware. Email systems other than NHS Mail. |
General practice legal and regulatory obligations
Requirement | Legal and regulatory obligations for example assigning a DPO, Caldicott Guardian, serious incident reporting etc.
Practice compliance with:
|
Exemption | CCGs are required to offer General practices a DPO service which the practice can then designate as their named DPO. Practices are still entitled to select an alternative DPO of their choice although CCGs are not expected to fund this if a DPO function has already been offered.
Where a CCG (or a GP IT Delivery Partner) has information necessary for the practice to comply with its legal and regulatory obligations (above) the CCG should make reasonable efforts to provide this to the practice. |
Services | Software to support redaction when processing patient record documentation for patients or third parties for example SAR, legal and insurance reports (refer to procurement checklist)
Health and Safety regulation compliance, including PAT and DSE requirements, associated with the practice premises buildings and estate and where staff are working at home or remotely (regardless of equipment ownership). |
Dispensing general practices
Requirement | Digital capabilities required to support the dispensing operations in practices which hold a dispensing contract. |
Exemption | Digital capabilities required to support the personal administration of medications within practices for example vaccinations. |
Services | The infrastructure and general support required to operate these services (ie desktops, printers, network connectivity) can at the discretion of the CCG be funded and provided as “enhanced” services where this allows the practice to operate more efficiently. |
Applicable standards, guidance and controls | EPS Dispensing Systems Compliance Specification. |
General practice websites
Requirement | General Practice websites including:
|
Exemption | Online patient facing digital capabilities as defined in Core and Mandated Requirements. Note the practice website must provide a link for the public/patients to these online services. |
Services | Responsive service to resolve performance and access issues and to implement necessary changes as required to fulfil the practice GP Contract obligations.
Website design and maintenance. Website hosting requirements. Integration (links) with GP online services. The core digital offer which all practices must provide to patients should include:
|
Applicable standards, guidance and controls | GMS Regulations require that where General practices have a website specifically defined information and access to patient online services will be published on the website.
The GP Contract framework requires all practices to have an up-to- date and informative online presence, with key information being available as standardised metadata for other platforms to use (for example the Access to Service Information (A2SI) Directory of Services Standard). The GMS Regulations also place restrictions on the advertising and hosting of private GP services including through practice websites. W3C Website Accessibility Initiative: Equality Act 2010 (EQA). Equality and Human Rights Commission: Statutory Code of Practice for “Services, public functions and associations” under the EQA (the Code). The Privacy and Electronic Communications Regulations (PECR) |
General practice operating costs
Requirement | Examples include:
|
Applicable standards, guidance and controls | Where specified in the local Warranted Environment Specification (WES) or otherwise where specified by the equipment manufacturer and digital system consumables purchased or used by the practice in the operation of the Managed GP IT Infrastructure must meet these specifications. |
General practice buildings and estate
Requirement | Building and estate including environment to house securely any practice-based IT equipment.
Environmental requirements as required for any practice-based IT equipment for example physical security, fire suppression and air conditioning/cooling equipment. Health and Safety regulation compliance associated with the buildings and estate including DSE and PAT requirements for IT equipment operated by staff on practice premises (regardless of equipment ownership). Building Security. Power supply for IT Equipment (including cabling and outlets). |
Applicable standards, guidance and controls | Using online consultations in primary care: implementation toolkit |
Guidance contents
- Foreword
- Executive summary
- Introduction
- The CCG practice agreement
- Requirements and capabilities
- Funding
- Commissioning, procurement and contract management
- Assurance
- Addressing the challenges
- Transition arrangements and timescales
- Appendix A – Schedule of GP digital requirements and capabilities
- Appendix B – Responsibilities and accountabilities
- Appendix C – Applicable national frameworks
- Appendix D –Digital primary care maturity assurance tool indicators
- Appendix E – Commissioning GP IT enabling services
- Appendix F – Commissioning advanced GP telephony services
- Appendix G – Procurement checklist
- Appendix H – General practice quick reference
- Appendix I – Glossary of terms