Prepare and plan

We have development environments available within which we have different realms. We can provide you with an environment that uses a simple username and password access that will enable you to experience NHS CIS2.

User IDs are needed for use in the development and integration environments. We will provide you with the information on how to access these environments and let you know what information we need from you after your first engagement call with us.

To access the development environment, please complete the development environment request form and follow the process as advised on the path to live (PTL). Once you are ready to commence your build, we can move you into the development environment healthcare realm.

More information on our integration environments and path to live process.

The Supplier Conformance Assessment List (SCAL) is for when you are developing your application. This can then be used to declare and record how your product meets or complies with a range of organisational, technical and compliance requirements. This includes those for Information Governance (IG), security, clinical safety and individual user interaction.

The information you provide will help to demonstrate that your application has been developed according to the standards for various quality and compliance requirements. If you have any queries about the information you provide in the SCAL, it is your responsibility to ensure they are addressed.

This document underpins the technical conformance process and is referenced in the Agreement that each client must sign as part of the onboarding process to implement authentication using NHS CIS2.

A product that integrates more than one NHS Digital service can be covered by a single SCAL. Each time you wish to integrate the same product with a further NHS Digital service, you must review and update tabs within the SCAL as needed.

As a software developer, you might come into contact with patient data, for example when supporting your end users. To ensure you have controls in place to keep patient data private and secure, you must complete the Data and Security Protection Toolkit (DSPT).

When you complete the DSPT, you’ll need to state your organisation profile.

You should use:

• ‘NHS Business Partner’ if your system directly processes patient data on a regular basis, for example a GP system
• ‘Company’ if your software only has technical access to patient data, for example a middleware system

Suppliers of healthcare software must ensure they follow clinical risk management processes that conform to the DCB0129 standard. End user organisations need to follow clinical risk management processes that conform to the DCB0160 standard.

You need to check whether your product is considered to be a medical device. If it is, you need to ensure you comply with the relevant legal requirements.

For more details see Medical devices: software applications (apps).

We will provide you with a go live checklist. This must be completed as you do each step and will help you prepare for your go live date and ensure you have completed all the required steps.

You should decide on a preferred go live date as early as possible. Based on what needs to be done, you should have an estimate of your high-level activities and milestones in order to achieve that date.

Once you have completed and returned all the necessary documentation, the next step involves starting the test and integration part of the process.