Written by Technical Team | Last updated 27.02.2026 | 6 minute read
The EMIS Patient Services API offers an interface for third-party developers looking to integrate their patient facing service with clinical data held within EMIS Web. Whether you’re enabling online appointment booking, prescription requests, or secure patient messaging, the API provides comprehensive functionality through a secure, version-controlled web service.
This article outlines key considerations when integrating with the EMIS Patient Services API, including authentication, clinical operations, and deployment best practices.
At the heart of the EMIS API is a strong emphasis on security and patient confidentiality. All operations occur within a Patient Session—a secure, stateful connection established using a cryptographically protected handshake process.
This handshake involves:
Each session is uniquely bound to a patient via a PatientRelationshipId and PatientRelationshipKey, which must be securely obtained during registration. Reuse of tokens or out-of-sequence messages will result in invalidation—mitigating replay attacks.
Third parties must securely store their client and server pre-shared keys and never transmit them. Instead, validation keys derived from them are used for mutual authentication.
Integration tip: Always create an End User Session first, then a ROSU (Service User) Session, and send the required headers on every call (X-API-ApplicationId, X-API-Version, X-API-EndUserSessionId, and X-API-SessionId where applicable). Sessions use a rolling 20-minute timeout, so refresh before expiry and validate practice support using Practice Meta / supported API version to prevent 400/404 errors when enabling online appointments, prescription requests, messaging, and medical record access.
The EMIS API exposes a wide range of clinical capabilities structured around typical patient interactions:
Developers can:
Practices configure the visibility and limits of appointment slots accessible via the API, including support for telephone consultations.
Through the prescribing endpoints, applications can:
All prescribing actions are subject to practice configuration, including optional patient comments.
The API allows read-only access to structured medical records including:
Calls like GetMedicalRecordData support fine-grained access, honouring practice-set restrictions on free text and visibility per patient or cohort. Documents must be retrieved separately using GetMedicalRecordDocumentContent, which returns base64-encoded HTML content.
When integrating with the EMIS Patient Services API for online appointment booking, repeat prescription requests, secure messaging, and medical record access, there are several architectural and operational factors that directly affect reliability and user experience.
The table below highlights important EMIS integration considerations that developers should account for when building production-ready patient facing applications against EMIS Web.
| Integration Area | Platform Behaviour | Implementation Impact |
|---|---|---|
| Session Lifecycle | All API calls require an End User Session, with additional ROSU sessions for authenticated patient actions. Sessions operate on a rolling 20-minute timeout. | Applications must manage session refresh logic to prevent mid-journey failures during booking, prescribing, or record viewing. |
| Header Validation | Strict header validation is enforced, including Application ID, API version, and session identifiers. | Incorrect or missing headers result in HTTP 400 responses, so centralised header management is recommended. |
| Practice-Level Controls | Practices configure appointment limits, booking windows, prescribing comments, and service visibility. | Feature availability can differ between practices, requiring dynamic UI behaviour rather than hardcoded assumptions. |
| Appointment Availability | Large slot volumes may be returned unless filtered by date range and session criteria. | Implement date filtering (for example, two-week windows) to optimise performance and reduce payload size. |
| User Access States | Restricted users may only access limited services, such as viewing appointments they personally booked. | Clear messaging is required to explain reduced functionality and prevent perceived system errors. |
| Medical Record Visibility | Clinical users can suppress specific record items from online services without notifying the API consumer. | Absence of data should not automatically be treated as an integration failure. |
| Clinical Coding | Some record identifiers are proprietary codes rather than SNOMED clinical codes. | Do not assume direct SNOMED mapping when processing structured clinical data. |
| Document Handling | Clinical documents are delivered as base64-encoded, compressed HTML content. | Applications must correctly decode and safely render document content before display. |
Before any patient-level data can be accessed, user registration must occur via one of two supported methods:
Both methods return the PatientRelationshipId and Key, enabling creation of the authenticated Patient Session.
The API also supports emergency resets of the account linkage key (ResetAccountLinkageKey) to mitigate compromised credentials.
API deployments across the EMIS Web estate are rolled out in stages, meaning not all practices will support the latest version at the same time. Developers are encouraged to use the GetClinicalVersionInformation endpoint with the practice’s ODS code to determine supported features.
Each schema version is backwards-compatible but not forwards-compatible—attempting to call future-version features against an older schema will fail.
Additionally, use the GetPracticeSettings and GetUserOptions endpoints to dynamically determine which services and features are enabled for a given user and practice.
What are common pitfalls developers face when integrating with the EMIS Patient Services API?
One of the most common issues is improper sequence handling in the patient session lifecycle, leading to invalid sessions. Another is neglecting to check for feature availability at the practice level, causing unexpected failures in live environments. It’s also vital to ensure proper handling of base64-encoded document content, particularly for document rendering.
Can I simulate all EMIS Patient Services API functionality in a test environment?
Not entirely. Certain features, like FindPractice, are restricted in test environments due to their reliance on live EMIS customer data. You can validate schema structure and expected behaviours, but some calls will intentionally fail or return mocked responses.
How should I manage EMIS Patient Services API version rollouts across different practices?
Use the GetClinicalVersionInformation endpoint at runtime to detect the API version in use at each practice. Tailor your feature set dynamically to match available functionality. Avoid hardcoding version-specific logic unless it’s strictly necessary.
Is there a preferred language or framework for building clients against the EMIS Patient Services API?
While EMIS provides WSDLs that work well with .NET tooling (e.g., svcutil), the API is standards-compliant SOAP, meaning you can integrate using any language that supports SOAP clients—Java, Python, Node.js, etc. However, attention must be given to replicating the cryptographic handshake accurately outside the .NET ecosystem.
What should I do if I suspect a session hijack or token misuse?
Immediately reset the AccountLinkageKey via the ResetAccountLinkageKey endpoint. This puts the account into a restricted state and requires in-person validation before services can resume. Also, review logs for token reuse or sequence anomalies that could indicate replay attacks.
Integrating with EMIS Patient Services API demands close attention to security protocols, structured workflows, and version control. With a clear understanding of the authentication model and supported clinical functions, developers can safely extend patient access to healthcare services via third-party applications.
For any EMIS integration, it is recommended to use the test environment first with the provided pre-shared keys and endpoints, ensuring full compliance before going live.
Is your team looking for help with EMIS Patient Services API integration? Click the button below.
Get in touch