What APIs would be used for an application that acquires patient data from NHS

If I developed an app that patients signed up to and gave us consent to obtain their patient data from the NHS, what APIs would I use to obtain this data? We want GP data and also any hospitalization data. Also, what is the process with the NHS to get access to this data?

Hi @ll25654

You ask a very good, reasonable and coherent question. Unfortunately, the NHS does not have a good, reasonable and coherent answer for you.

If the NHS were like any other large enterprise in 2018, there would be a single point of access for dev accounts, API authorisations, developer documentation, API integrations, SDKs etc - and all would be well documented and easy to use. This is definitely not the case at present. Things are getting slowly better, but unfortunately probably not fast enough to be of any use to you.

The best source of information on this is via https://developer.nhs.uk/apis/ and some other members of this forum can be greatly helpful. I’m sure @mayfield.g.kev or @adam.hatherly will be along in a minute, and they actually do know what they’re talking about, whereas I am a bit peripheral to all this.

I’ll go into a little more detail to explain what data there is and how you would get it.

The National NHS ‘APIs’ for patient data access have no way currently for a single patient to delegate access authorisation to you as an organisation in this way. Your organisation would need to essentially go through NHS Spine accreditation in order to gain access to the ‘Spine firehose’ and then you would access data for the patients who join your service.

The NHS Spine is a service for NHS Demographics, ePrescribing, eReferral, and a number of other central services.

To get GP data you would need to integrate individually with each of the GP system suppliers, depending which GP system that patient’s GP is with. Alternatively there are services such as the Medical Interoperability Gateway (MIG) which will do this integration for you, and this is probably the best way to go forward.

GP Connect is an API designed to address this issue described above, although I’m not sure if the issues around delegation of individual consent have been addressed for GP Connect either. (Part of the problem here is that the UK does not yet have a robust and secure Citizen ID system in place, so it would be very hard for you to verify irrefutably the identity of a patient, and you need this if they are to give you consent to access their records.)

From what it says in GP Connect’s documentation though, it’s not ready for full use, and is in development.

To get usable hospitalisation data is harder. There is no standard information set or API for details of hospital admissions, although there is a requirement for discharge summaries to be sent to the GP within 24 hours of discharge, so you could leverage this to get details of the admission, although there will be a latency and the data is not structured, it’s a PDF.

There are a few processes to go through. One is Spine accreditation. The others will depend upon how you decide you want to access GP data - whether it’s direct with the GP system suppliers (which I’ll warn you can be arduous and slow), via the MIG, or via the GP Connect APIs.

There are people on this forum who can help you better than I can, but I thought this would be a good general primer of the current situation, which isn’t great, but rest assured, people are working on it.


Sorry I can’t give definite answers and some of this is opinion.

Health has a number of APIs and I believe internationally the most popular API is the Argonaut FHIR API (HL7v2 is more popular but that is used for point to point messaging). In the UK we have a closely related API called Care Connect API and this is a working demo. If you’d asked this a year ago I would have assumed the US suppliers would have provided UK versions by now.
For Organisations you do have this API: FHIR® ODS Lookup API

The security mechanisms for these APIs haven’t been defined but most developers normally go for OAuth2. For authentication take a look at NHS Care Identity Service which looks to be bringing in OpenID (OAuth2) as a standard and would work without smart cards?
Also SMART-on-FHIR (OAuth2) provides a very useful set of authorisation methods (I believe many of the US suppliers use this), including a method of allowing 3rd party apps to be launched from EPR systems. So if your hospital had a Cerner EPR you could write an app which adds extra functionality and uses data held with Cerner via the Argonaut/CareConnectAPI - believe this would also work for standalone/mobile apps.

Thank you guys so much for the quick and informational responses. So this will be working with the UK NHS. I have looked into careconnect API and I thought that is probably the API that will be used. I guess my question now is what is the method for gaining live access to the careconnect API? Also, is this only GP data or does this include hospitalization data too? Do you have to be involved in direct care or will they give access to you with the patient’s authorization?


This is going to be a lot more painful than you anticipate!!

Right now it is virtually impossible to get data out of GP systems without specific commercial agreements. It is even more difficult to get data out of hospital systems. This will change for the better with Care-Connect and GP-Connect but both are not ready yet and it will be some time before the GP vendors have these fully safety-tested.

That is the easy bit. You will find it very difficult to get access to patient data without the agreement of both the system vendor and certainly the healthcare provider, who have significant responsibilities as the ‘data controller’ under the Data Protection Act. Fundamentally you are unlikely to get access just with patient authorisation.

The other future direction is Patient Held Records like Helm http://ripple.foundation/tag/leeds/ which might be of interest but it very much depends on what you intend to do with your app. Are you able to say more or is this commercially sensitive?

My own company inidus is working in and around this area and it ain’t easy, particularly the governance issues. I’d be happy to chat offline if that was helpful.

Ian’s comments on consent and data protection are correct.

You don’t really have a common set of APIs at the moment, you have instead many APIs that are similar to Care Connect API, they will have a way of searching for a Patient, Encounter, Conditions etc (via SOAP interfaces with XML payloads) but are not generally available without talking to each supplier+organisation.