Overview
Use this API to access a patient's immunisation history.
You can:
- get a patient's coronavirus (
COVID-19
) immunisation history, based on their NHS number
- get a patient's influenza (
FLU
) immunisation history, based on their NHS number
- get a patient's human papillomavirus (
HPV
) immunisation history, based on their NHS number
You cannot currently use this API to:
- get details of other types of immunisation
You get the following data:
- immunisation event details
- patient demographic details, as captured at the point of immunisation
The patient demographic details might differ from those held in the Personal Demographics Service (PDS). To get demographic details from PDS, use the Personal Demographics FHIR API.
Data availability, timing and quality
All immunisation records are verified to ensure the NHS number is correct before making them available via the API.
In most cases this is automatic, and the record is available within 48 hours of the immunisation event, sometimes sooner.
Where automated NHS number verification fails, we verify the NHS number manually, which can take longer.
In a very small number of cases, we are unable to verify the NHS number, and we do not make the immunisation record available at all.
The COVID-19
data store is limited to vaccinations from England, Wales and The Isle of Man for the last 4 years. It has been approved to be used for clinical use cases.
The FLU
data store is not yet populated and is planned to contain vaccination events captured through a point of care system in England for the last year. It has been approved to be used for clinical use cases.
The HPV
data store is not yet populated and is planned to be limited at first with vaccinations captured by the NHAIS system and in England only. It has been approved for use in clinical use cases.
Who can use this API
This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.
You must demonstrate you have a valid use case as part of digital onboarding.
You must do this before you can go live (see 'Onboarding' below).
Who can access immunisation history records
Health and care organisations in England and the Isle of Man can access immunisation history records.
Legitimate direct care examples include NHS organisations delivering healthcare, local authorities delivering care, third sector and private sector health and care organisations, and developers delivering systems to health and care organisations.
Health and care organisations in Scotland, Northern Ireland and the Channel Islands access their own equivalents of this API.
Patients who receive health and social care or make use of NHS services in England, Wales and the Isle of Man.
API status and roadmap
This API is in production.
To see our roadmap, or to suggest, comment or vote on features for this API, see our interactive product backlog.
If you have any other queries, contact us.
Service level
This API is a platinum service, meaning it is operational and supported 24 x 7 x 365.
For more details, see service levels.
Technology
This API is RESTful.
It conforms to the FHIR global standard for health care data exchange, specifically to FHIR R4 (v4.0.1), except that it does not support the capabilities interaction.
It includes some country-specific FHIR extensions, which conform to FHIR UK Core, specifically fhir.r4.ukcore.stu1 0.5.1.
You do not need to know much about FHIR to use this API - FHIR APIs are just RESTful APIs that follow specific rules.
In particular:
- resource names are capitalised and singular, and use US spellings, for example
/Immunization
not /immunisations
- array names are singular, for example
entry
not entries
for address lines
- data items that are country-specific and thus not included in the FHIR global base resources are usually wrapped in an
extension
object
There are libraries and SDKs available to help with FHIR API integration.
Network access
This API is available on the internet and, indirectly, on the Health and Social Care Network (HSCN).
For more details see Network access for APIs.
Security and authorisation
This API has two access modes:
- application-restricted access
- user-restricted access
Application-restricted access
This access mode is application-restricted, meaning we authenticate the calling application but not the end user.
To use this access mode, use the following security pattern:
User-restricted access
Use this user-restricted access mode if the end user is a patient:
- the end user must have their identity verified to 'high' (P9) level
- the NHS number in the request must match the NHS number in the NHS login account
To use this access mode, use the following security pattern:
Environments and testing
Environment |
Base URL |
Sandbox |
https://sandbox.api.service.nhs.uk/immunisation-history/FHIR/R4/ |
Integration test |
https://int.api.service.nhs.uk/immunisation-history/FHIR/R4/ |
Production |
https://api.service.nhs.uk/immunisation-history/FHIR/R4/ |
Sandbox testing
Our sandbox environment:
- is for early developer testing
- only covers a limited set of scenarios
- is open access, so does not allow you to test authorisation
For details of sandbox test scenarios, or to try out the sandbox using our 'Try this API' feature, see the documentation for each endpoint.
Alternatively, you can try out the sandbox using our Postman collection:
Integration testing
Our integration test environment:
- is for formal integration testing
- includes authorisation
It also includes ready-to-use immunisation history test data.
For more details see integration testing with our RESTful APIs.
Onboarding
You need to get your software approved by us before it can go live with this API. We call this onboarding. The onboarding process can sometimes be quite long, so it’s worth planning well ahead.
As part of this process, you need to demonstrate that you can manage risks and that your software conforms technically with the requirements for this API.
Information on this page might impact the design of your software. For details, see Onboarding support information.
To understand how our online digital onboarding process works, see digital onboarding.
To get started, sign in or create a developer account, then select 'product onboarding'.
Errors
We use standard HTTP status codes to show whether an API request succeeded or not. They are usually in the range:
- 200 to 299 if it succeeded, including code 202 if it was accepted by an API that needs to wait for further action
- 400 to 499 if it failed because of a client error by your application
- 500 to 599 if it failed because of an error on our server
Errors specific to each API are shown in the Endpoints section, under Response. See our reference guide for more on errors.
Given an NHS number, get the patient's immunisation history.
Also returns the patient's demographic details, as captured at the point of immunisation.
You can try out the sandbox using the 'Try this API' feature on this page.
The request was valid, and the response contains immunisation history and associated patient details.
If there are no immunisations for the given NHS number, the response bundle will be empty.