Search loading...


Explore and Make use of Nationally Defined Messaging APIs



Glossary of terms used in the GP Connect FHIR® API specification


The action or process used to ensure that a system supplier meets necessary criteria to use the GP Connect services.

Accredited System Identifier (ASID)

A unique number allocated to a system on accreditation for connection to Spine.

Active patient

An Active patient as defined by GP Connect is any patient on a provider's system that has Not Left and is Not Deceased. The patient SHALL have also been traced and verified using PDS before their details are shared through the GP Connect API.

The concept of Active is related to the patient's registration status rather than to the patient's registration type. A provider's system may have a number of different statuses which should be considered Active, many of those statuses may apply to a number of different registration type.

Application Programming Interface (API)

A set of functions and procedures that allows the creation of applications which access the features or data of an application or other service to deliver specific cross-organisational business capability. The aim of GP Connect FHIR® APIs is to provide access to data and workflow within GP clinical systems.


The GP Connect FHIR® APIs are managed within ‘capabilities’ that focus on a particular business area of general practice and wider cross-organisational interoperability. Capabilities are organised within ‘capability packs’, which include:

  • Appointment Management
  • Access Record HTML
  • Access Record Structured

Certificate Revocation List (CRL)

A list of digital certificates that have been revoked by the issuing certificate authority before their scheduled expiration date and should no longer be trusted.

Clinical Authority To Release (CATR)

Granted by NHS Digital Clinical Safety Group. It confirms that all clinical safety documents have been completed to the required standard.

Clinical safety

The process of evaluating clinical safety risk. See clinical risk management standards.

Combined Message Handling Server and Accredited System (CMA) endpoint

An endpoint registered with Spine for a single system.

Connection agreement

A legal and commercial agreement between NHS Digital and a supplier that is using NHS Digital services to provide or consume (GP) data (previously known as Terms of Use).

Consumer application

A technically accredited software application that uses GP Connect FHIR® APIs.

Consumer supplier

The developer of an application that uses GP Connect FHIR® API – for example, a system supplier in an acute or mental health care setting.

Cross-Origin Resource Sharing (CORS)

A mechanism that allows restricted resources (such as fonts) on a web page to be requested from another domain outside the domain from which the first resource was served.

Demographics Batch Service (DBS)

A mechanism that allows NHS and other organisations to submit a file of patient information to the Spine for tracing against the Personal Demographics Service (PDS). This requires a secure network connection. It is an offline service, and provides batch responses to batch trace requests, so smart cards are not required.

Development Milestone Achievement Certificate (DevMAC)

Awarded to the provider of an API to certify it has met the specification requirements and is ready to deploy as a pilot (applies to GP principal clinical system suppliers).

Direct Patient Care

Defined by the Caldicott Review as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It also includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, personal satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

Electronic Prescribing and Medicines Administration (EPMA)

The management of computerised prescription systems that enable clinicians to access, record and share information about patients’ medication.

End User Organisation (EUO)

An organisation that uses a GP Connect service (or commissions the development of a new GP Connect service ) to access GP data from more than one clinical system provider to improve direct patient care. For example:

  • a GP practice that is part of a federation, club or hub and is sharing data with other practices in the group
  • a Commissioning Support Unit (CSU)
  • an acute or mental health trust that is receiving GP data from a group of practices in its area
  • an A&E or 111 service that is receiving data or booking appointments on behalf of a patient

End User Organisation Policy (EUOP)

The legal and commercial agreement between NHS Digital and an end user organisation.

Fast Healthcare Interoperability Resources (FHIR®)

A standard describing data formats and elements (known as ‘resources’) and an application programming interface (API) for exchanging electronic health records. The standard was created by the Health Level Seven International (HL7) health-care standards organisation.


A group of GP practices working together within the context of a locally-defined agreement to deliver services such as out of hours care. GP federations go by many names: federations, networks, collaborations, joint ventures, alliances. These terms are often used interchangeably to describe multiple practices coming together in some form of collaboration.

First of Type (FoT)

A scheme that facilitates the onboarding, testing, governance, assurance and live deployment stage of an end user organisation and its consuming system on its journey to consuming a GP Connect FHIR® API. FoT also represents the process by which the provider API fulfilment is proven to meet set criteria prior to gaining approval for wider rollout and piloting.

Five Year Forward View (FYFV)

A planning document published by NHS England in 2014 that outlined the challenges facing the NHS and detailed a shared view of what needed to change to overcome them.

Fully Qualified Domain Name (FQDN)

The complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts - the hostname and the domain name.

GP Systems of Choice (GPSoC) contract

A contractual framework to supply IT systems and services to GP practices and associated organisations in England. Suppliers gain approval to offer services through a centrally controlled contract.

GP principal clinical systems suppliers

The name given to a group of suppliers that provide GPs with the core system available under the GPSoC contract (also known as 'providers'). The current suppliers are:

  • EMIS Health
  • Microtest
  • TPP
  • Vision

JSON Web Token (JWT)

A digital access token created to the open standard that facilitates the safe transfer of information between two parties. Tokens are composed of a header, a payload, and a signature.

Lightweight Directory Access Protocol (LDAP)

An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

MHS endpoint

An endpoint registered with Spine for use with multiple systems via a message handling server. Each system has its own ASID.

Message Handling Server (MHS)

A middleware system that handles messaging to and from Spine.

Network Time Protocol (NTP)

A networking protocol for clock synchronisation between computer systems over packet-switched, variable-latency data networks.

Open Systems Interconnection (OSI)

A conceptual model that characterises and standardises the communication functions of a computing system without regard to its underlying internal structure and technology.

Organisational Data Service (ODS)

NHS Digital team responsible for publishing organisation and practitioner codes, along with related national policies and standards. Also responsible for the maintenance of the organisation and person nodes of the Spine Directory Service.

Personal Demographics Service (PDS)

The national electronic database of patient demographic information. Each person’s electronic NHS care record comprises demographic information - address, date of birth and NHS number; and medical information. GP Connect systems use the PDS to obtain a patient’s NHS number, date of birth and current GP organisation.

Privacy Enhanced Mail (PEM)

A file format for storing and sending cryptographic keys, certificates, and other data.

Provider supplier

The provider of a clinical system that is the source of GP data.

Provider system

A GP clinical system that provides data through the GP Connect FHIR® APIs.

Proxy server

A server that acts as an intermediary for requests from clients seeking resources from other servers.

Release candidate (RC)

In the context of a development of the GP Connect specification, denotes that the specification is close to completion and is being reviewed by external parties (including providers and consumers) and is subject to corrections and minor change.

Role Based Access Control (RBAC)

An integral part of the Spine security process.


A collection of national applications, services and directories operated by NHS Digital that supports the health and social care sector in the exchange of information in national and local IT systems.

Spine Directory Service (SDS)

Central directory of organisations, users and services for consumption by Spine-related applications. GP Connect systems use SDS data about NHS-registered users and accredited systems and services.

Spine Secure Proxy (SSP)

A forward proxy used as a front end to control and protect access to GP principal clinical systems exposing FHIR®-based RESTful APIs. SSP also validates the existence of a data-sharing relationship between requesting and providing organisations. Also known as ‘Spine Security Proxy’.

Target Operating Model (TOM)

Part of an assessment framework and a NHS Digital self-certification tool. It acts as a risk management vehicle, enabling safe distributed risk ownership and responsibility amongst the participants involved - from NHS Digital to the supplier, and the end user organisation (EUO). For a consumer supplier, it is designed to document the details of a product including technical, information governance (IG), clinical safety and functionality. For the end user organisation, the TOM highlights their responsibilities in terms of ensuring that a local system meets the technical, IG, clinical safety and functionality required for the business context and relies on the EUO assuming local responsibility for assurance and risk ownership of the deploying product.

Threat Protection System (TPS)

A category of security solutions that defend against sophisticated malware or hacking-based attacks targeting sensitive data.

Transport Layer Security (TLS)

A cryptographic protocol that provides communications security over a computer network.

All content is available under the Open Government Licence v3.0, except where otherwise stated