Test Plan - Version 1.0

1. Executive Summary

Objective:

To validate the correctness, reliability, and security of key NHS PDS FHIR API endpoints—specifically Patient Search and Patient Read—by verifying response accuracy, data integrity, error handling, and authentication behavior under both valid and invalid conditions. The goal is to ensure compliance with HL7 FHIR R4 standards and safe integration with third-party healthcare applications.

Business Value:

Accurate patient identification is critical in healthcare systems. This audit reduces the risk of clinical errors caused by incorrect or ambiguous patient data, ensures the protection of sensitive medical and psychological information, and supports efficient and reliable clinician workflows.

2. Scope of Testing

This audit focuses on the core backend functionality of the NHS PDS FHIR API, specifically the validation of patient identification workflows through API interactions.

In Scope

• Patient Search (Patient Search Endpoint): Validation of search behavior using family name, gender, and birthdate, including:
  • Exact match vs. partial match behavior
  • Case sensitivity (e.g., "smith" vs "Smith")
  • Handling of multiple result sets
  • No-result scenarios and appropriate API responses
• Patient Data Retrieval (Patient Read Endpoint): Validation of full patient record retrieval using a valid NHS Number, including:
  • Response structure and field completeness
  • Data consistency across responses
  • Conformance to FHIR JSON schema
• Error Handling & Response Codes: Verification of correct HTTP status codes and error responses, including:
  • 400 Bad Request (invalid input)
  • 401 Unauthorized (authentication failures)
  • 404 Not Found (non-existent resources)
  • 422 Unprocessable Entity (semantic validation errors)
• Authentication & Security Behavior: Validation of API access control mechanisms:
  • Missing or invalid API keys
  • Expired or malformed tokens
  • Unauthorized access attempts
• Internationalization (i18n): Validation of system support for UTF-8 characters and international naming conventions (e.g., "Díaz", "O'Neill")

Out of Scope

• UI / Frontend Testing: This project focuses exclusively on backend API validation.
• Performance & Load Testing: No stress or load testing will be conducted. Only basic response-time observations in the sandbox environment are included.
• Database-Level Validation: Direct database verification is not included due to restricted access to backend systems.

3. Technical Stack & Environment