Written by Paul Brown | Last updated 21.06.2025 | 6 minute read
In the modern healthcare services, seamless integration between systems is critical for ensuring efficient data exchange and streamlined workflows. Access Rio, a widely used EPR in the NHS in England, supports integration through its robust set of APIs and reporting tools. These APIs enable organisations to interact securely with patient records, generate reports, and build customised solutions tailored to their needs. In this article, we explore the key features, security considerations, and processes involved in integrating with Access Rio.
Access Rio’s integration capabilities are built on a lightweight SOAP-based API framework. This framework offers a secure and reliable way to access data, perform CRUD operations, and run predefined reports. At its core, the integration system includes features like device and user authentication, transport security using SSL, and robust auditing mechanisms. By leveraging these APIs, healthcare organisations can access data in real time, automate routine processes, and maintain compliance with stringent data protection standards.
The integration APIs can be broadly categorised into two types: dynamic data retrieval APIs (e.g., fetching patient alerts or demographics) and report APIs (e.g., generating detailed patient summaries). Both types of APIs rely on underlying SQL queries that developers prepare and configure for specific use cases.
Access Rio employs a multi-layered security model to ensure data integrity and prevent unauthorised access. The system uses mutual TLS (mTLS), requiring both the client and server to present SSL certificates for secure communication. This guarantees endpoint authentication and encrypts all data exchanged over the network.
The authentication model includes two primary mechanisms:
For every successful authentication, the system generates an authentication token, which must be included in subsequent API calls. These tokens are short-lived, promoting secure, session-based interactions. Developers must account for token expiration by re-authenticating when necessary.
Dynamic APIs allow developers to retrieve real-time data using SQL queries tailored to specific needs. For example, the PatientAlertsGet API fetches alerts associated with a patient. Developers start by crafting a base SQL query to fetch the desired data. Variables within the SQL query, such as @clientId, are parameterised as $clientId$ for integration into the API.
Once the SQL query is ready, it is inserted into Access Rio’s database using the ExternalSystemApiReportOperations table. The system supports flexible configurations, enabling developers to define API-specific metadata such as response keys, action endpoints, and reply actions.
Report APIs, on the other hand, are used to generate structured data outputs, often in the form of tabular summaries or detailed XML. Unlike dynamic APIs, reports are hierarchical, consisting of a parent report with multiple sub-reports. For instance, the MedView report includes sections for demographics, admissions, documents, and referrals.
Each sub-report corresponds to a specific SQL query, and developers can define execution order, formatting options, and stylesheets (XSLT) for customised presentations. This flexibility allows for creating comprehensive, multi-part reports tailored to diverse requirements.
Access Rio APIs communicate using SOAP messages, which are structured into three main parts: the envelope, the header, and the body. The envelope serves as the outermost wrapper for the message, ensuring proper communication between the client and server. Within the envelope, the header contains essential authentication details, including the authentication token, the name of the target system (e.g., “RIO”), and the platform type, which is typically fixed as “API.” These details validate and secure the communication.
The body of the SOAP message specifies the API being invoked and includes the relevant parameters in a structured XML format. For example, when fetching patient alerts, the body would define the operation name (e.g., PatientAlertsGet) and include parameters such as clientId with associated values. Each parameter follows a specific schema defined by the WSDL file, ensuring compatibility and correct data formatting. The WSDL, generated after API configuration, provides developers with precise details on the required parameters, their types, and their structure, serving as a guide for crafting valid requests.
Integration with Access Rio ensures compliance with healthcare regulations like NHS DTAC by providing detailed audit trails. Every API call is logged, capturing details such as the method invoked, parameters passed, and authentication details. Depending on the deployment configuration, organisations can enable page-level auditing for individual API calls or application-level auditing for broader system interactions. These audit logs are invaluable for troubleshooting, performance analysis, and compliance reporting.
Before deploying APIs in a production environment, rigorous testing is essential. Developers commonly use tools like SOAPUI or Postman for crafting and sending SOAP requests. Access Rio also provides a public SDK endpoint for testing purposes, with an aggressive token expiration policy to simulate real-world scenarios.
When debugging, server logs stored in the <Rio Install Folder>/logs/CommonServices/ directory offer valuable insights. Common errors include invalid authentication tokens, improperly formatted data, and missing mandatory parameters. Each error is accompanied by a code and description, making it easier to pinpoint and resolve issues.
Integrating with Access Rio opens the door to numerous possibilities for healthcare organisations:
To integrate with Access Rio, organisations must ensure they meet key prerequisites:
Once these prerequisites are in place, developers can begin creating APIs by defining SQL queries, parameterising them, and inserting them into the system. Following proper testing and accreditation ensures that the APIs meet quality and performance standards.
Integrating with Access Rio provides healthcare organisations with the tools they need to enhance operational efficiency and improve patient care in community and mental health NHS trusts. With its secure APIs, robust auditing capabilities, and flexible configurations, Access Rio enables seamless data exchange and powerful customisations. By adhering to best practices in development, testing, and deployment, organisations can unlock the full potential of Access Rio integration, ensuring their systems work harmoniously to deliver better outcomes.
Is your team looking for help with Access Rio integration? Click the button below.
Get in touch