Skip to content

Testing

Jump to bottom
Mike Hitchins edited this page Oct 14, 2021 · 1 revision

authorisation)\n\n## Environments and testing\n\n| Environment | Base URL |\n| ----------------- | ---------------------------------------------------------------------- |\n| Sandbox | https://sandbox.api.service.nhs.uk/personal-demographics/FHIR/R4/ |\n| Integration test | https://int.api.service.nhs.uk/personal-demographics/FHIR/R4/ |\n| Production | https://api.service.nhs.uk/personal-demographics/FHIR/R4/ |\n\n### Sandbox testing\nOur sandbox environment:\n* is for early developer testing\n* only covers a limited set of scenarios\n* is stateless, so does not actually persist any updates\n* is open access, so does not allow you to test authorisation\n\nFor details of sandbox test scenarios, or to try out the sandbox using our 'Try this API' feature, see the documentation for each endpoint.\n\nAlternatively, you can try out the sandbox using our Postman collection:\n\nRun in Postman\n\n### Integration testing\nOur integration test environment:\n* is for formal integration testing\n* is stateful, so persists updates\n* includes authorisation, with options for user-restricted access (with or without smartcards and application-restricted access\n \nFor read-only testing, you can either use our PDS FHIR API test data packs or set up your own test data.\n\nTo test updating patient details, you must set up your own test data.\n\nFor more details see integration testing with our RESTful APIs.\n\n### Production smoke testing\nYou must not use real patient data for smoke testing in the production environment.\n\nRather, use our production test patient.\n\n## Onboarding\nYou need to get your software approved by us before it can go live with this API. We call this onboarding. The onboarding process can sometimes be quite long, so it’s worth planning well ahead.\n\nTo onboard for this API, follow the Supplier Conformance Assessment List (SCAL) process.\n\nWhen following the general SCAL process steps, for this API you must do the following:\n\nIn step 1, to confirm your use case, you need to make a PDS access request, even if you already access PDS via another method.\n\nIn step 2, when requesting the SCAL, tell us which access mode you're using:\n- healthcare worker search and retrieve\n- healthcare worker update\n- application-restricted\n- patient access\n\nIn step 2, if using healthcare worker access mode, tell us which security pattern you are using:\n- NHS CIS2 - combined authentication and authorisation\n- NHS CIS2 - separate authentication and authorisation\n\nIn step 2, if using patient access mode, tell us which security pattern you are using:\n- NHS login - combined authentication and authorisation - available only upon request\n- NHS login - separate authentication and authorisation\n\nIn step 6, when implementing your clinical risk management process, you must review and integrate the PDS FHIR API hazard log into your own risk log. It's embedded within the PDS FHIR API tab in the SCAL.\n\nIn step 8, you need to review and complete the PDS FHIR API risk log to show that you have understood and mitigated the various risks. You might be asked to provide some evidence to prove that controls have been put in place. You can find the risk log embedded within the PDS FHIR API tab in the SCAL. This is separate from the clinical safety hazard log mentioned above.\n\nIn step 9, you must conduct penetration testing to CHECK standards.\n\nIn step 10, when you complete the Service Desk Registration Form, send it to [email protected].\n\nIn step 11, submit your completed SCAL to [email protected].\n\nIn step 14, to request production access, contact us at [email protected].\n","contact":{"name":"Personal Demographics Service FHIR API Support","url":"https://digital.nhs.uk/developer/help-and-support","email":"[email protected]"}},"servers":[{"url":"https://sandbox.api.service.nhs.uk/personal-demographics/FHIR/R4","description":"Sandbox environment."},{"url":"https://int.api.service.nhs.uk/personal-demographics/FHIR/R4","description":"Integration test environment."},{"url":"https://api.service.nhs.uk/personal-demographics/FHIR/R4","description":"Production environment."}],"paths":{"/Patient":{"parameters":[{"in":"header","name":"Authorization","description":"An OAuth 2.0 bearer token.\n\nRequired in all environments except sandbox.\n","required":false,"schema":{"type":"string","format":"^Bearer\ :ascii:+$","example":"Bearer g1112R_ccQ1Ebbb4gtHBP1aaaNM"}},{"in":"header","name":"NHSD-Session-URID","description":"\nThe user role ID (URID) for the current session. Also known as a user role profile ID (URPID).\n\nThis header is optional.\n\nIn Application-restricted access mode this header is ignored.\n\nIn Healthcare worker access mode if you send this header it must be valid for the logged-in user. See determine the user's role for guidance.\n","required":false,"schema":{"type":"string","pattern":"^[0-9]+$","example":"555254240100"}},{"in":"header","name":"X-Request-ID","required":false,"description":"A globally unique identifier (GUID) for the request, which we use to de-duplicate repeated requests and to trace the request if you contact our helpdesk.\n\nMust be a universally unique identifier (UUID) (ideally version 4).\n\nMirrored back in a response header.\n\nIf you re-send a failed request, use the same value in this header.\n","schema":{"type":"string","pattern":"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$","example":"60E0B220-8136-4CA5-AE46-1D97EF59D068"}},{"in":"header","name":"X-Correlation-ID","required":false,"description":"An optional ID which you can use to track transactions across multiple systems. It can take any value, but we recommend avoiding . characters.\n\nMirrored back in a response header.\n","schema":{"type":"string","example":"11C46F5F-CDEF-4865-94B2-0EE0EDCC26DA"}}],"get":{"summary":"Search for a patient","operationId":"search-patient","externalDocs":{"description":"ODS codes and documentation.","url":"https://fhir.nhs.uk/Id/ods-organization-code"},"description":"## Overview\nUse this endpoint to search for a patient in PDS.\n\nYou can search using various combinations of:\n * given name\n * family name\n * gender\n * postcode\n * date of birth - which can be a range\n * date of death - which can be a range\n * registered GP practice\n\n \nThere are various search options, such as fuzzy search, exact match, history and wildcards.\n\nThe behaviour of this endpoint depends on which access mode you are using:\n\n| Access mode | Behaviour |\n| ------------------------------ | ------------------------------------------ |\n| Application-restricted access | Only a single unique match returned |\n| Healthcare worker access | Up to 50 matching patient records returned |\n| Patient access | Not yet available |\n\n## Search options\nThe following sections explain the various search options.\nWhich options you choose depends very much on your use case, and getting it right is really important.\nIf you need help, contact us.\n\n### Application-restricted access mode\nIn this access mode, you only get a single matching patient record, and only if it's a unique match.\n\nUse search options that are likely to find a unique match. In our experience, the following is a good starting point:\n * search on given name, family name, postcode and date of birth - this combination should uniquely identify a patient\n * for given name, use the first three characters and a wildcard, for example to search for Annabel, use Ann* - this caters for different name spellings and abbreviations\n * for postcode, use the first two characters and a wildcard, for example to search for LS11 6AD, use LS* - this caters for people who have moved locally but not updated PDS\n * use a non-fuzzy search - this reduces the chance of multiple matches\n * use a non-exact match - an exact match does not work with wildcards\n * include history - this increases the chance of a match\n\nFor more details, see the following sections.\n\n### Healthcare worker access mode\nIn this access mode - where the end user is a strongly authenticated healthcare worker - you can get up to 50 matching patient records.\nThis allows the end user to choose the best match.\n\nUse search parameters that are relevant to your use case - for example date of death is not always appropriate.\n\nTo protect patient privacy, design your search to minimise the number of matching patients.\nFor example, you could:\n * encourage users to enter as many search parameters as they can\n * force users to try a non-fuzzy search first and then only offer a fuzzy search if they cannot find the patient\n\nFor more details, see the following sections.\n\n### Non-fuzzy search\nA non-fuzzy search:\n * allows wildcards in names and postcodes\n * does not match homophones or transposed names\n * can optionally search history, such as previous names and addresses\n\nIt is less likely to return multiple matches than a fuzzy search, so is more suitable for finding a unique match.\n\nThe minimum search parameters are:\n * family name - which can include wildcards\n * date of birth - which can be a range\n\n \n### Fuzzy search\nA fuzzy search:\n * matches common homophones, such as Smith and Smythe, using the Soundex algorithm\n * checks for transposed names, such as Adam Thomas and Thomas Adam\n * always searches history, such as previous names and addresses\n\nIt is more likely to include multiple matches than a non-fuzzy search, so is not ideal for finding a unique match.\n\nIt is also more likely to include false positives - other patients that match the search criteria.\nTherefore, for privacy reasons, it is better to use it only if a non-fuzzy match has failed.\n\nYou must use one of the following search parameter combinations:\n * given name, family name and date of birth\n * family name, date of birth, gender and postcode\n * given name, date of birth, gender and postcode\n\nIf you include the date of death or registered GP practice query parameters, they are not used in the search. However they do affect the patient's matching score - a mismatch reduces the returned score.\n\n### History\nPDS holds historic information, including previous names and addresses.\n\nA fuzzy search always includes history. For a non-fuzzy search, you can request to include history.\n\nSearching history can match patients where only a previous name or address is known, or if a patient provides a previous name or address on the assumption that their record hasn’t been updated.\n\n### Exact match\nYou can request an exact match.\nThis might be useful if you are verifying an NHS number against details you already believe to be correct.\nIt is unlikely to work well with wildcards or fuzzy search.\n\n### Names\nMatching names can be difficult due to:\n * multiple given names, such as in Jane Anne Smith\n * multiple or double-barrelled surnames, such as in Michael Smith-Jones\n * homophones, such as Smith and Smythe or Ann and Anne\n * abbreviated names, such as Bob instead of Robert\n * transposed names, such as Adam Thomas instead of Thomas Adam\n * previous names, such as maiden names\n * special characters such as in O'Reilly, Jones-Smith or Kociński\n * spelling mistakes, either in the search criteria or in PDS\n\nTo deal with some of these issues:\n * we always search all given names\n * we search across all types of name - usual, nickname and temporary\n * a fuzzy search matches homophones, transposed names and previous names\n * for a non fuzzy search, you can optionally use wildcards and search previous names\n\n### Gender\nPDS has four options for gender - male, female, other and unknown.\nFor some people, the gender held in PDS might not match the gender they identify with.\n\nIn these cases, searching by gender might not find the patient.\nThese are edge cases but are important to consider because gender can be a sensitive issue for the people in question.\n\nIn general,

Clone this wiki locally