National Imaging Registry API

Use this API to access patient imaging records across NHS and private healthcare networks. The National Imaging Registry (NIR) API allows authorised systems to view a patient’s imaging history, including examinations, diagnostic reports, and imaging studies.

The NIR helps clinicians deliver faster, safer care by reducing unnecessary repeat imaging, improving decision-making, and supporting continuity of care when patients move between providers.

Key features include:

• access to a patient’s imaging history across NHS and private healthcare networks

• linked diagnostic reports with imaging studies

• retrieval of imaging studies for authorised use in direct care

• secure access with full governance in line with NHS data protection requirements

For more information about the service, including why the NIR has been developed and the wider vision, visit the National Imaging Registry service page. 

High-level federated discovery and retrieval: a consumer queries NIR once, NIR queries multiple regional networks, and the selected document is retrieved from the source network and returned to the consumer

This API is available for integration by imaging system suppliers. Suppliers may only connect to the NIR once they have:

• confirmed authorisation from their NHS or private healthcare customer organisation

• completed the required NHS assurance, security, and data governance checks

• implemented appropriate access controls in line with NHS data protection requirements

Healthcare organisations (NHS and private) are the end users of the service, but integration with the API can only be performed by their imaging system suppliers on their behalf.

The NIR API operates under a federated trust and governance model, as follows:

• access is only available to imaging system suppliers who have been authorised by their customer organisations and approved through NHS England’s Digital onboarding service

• participating organisations must accept and comply with the National Imaging Registry terms and conditions, which set out responsibilities for data protection, confidentiality, and appropriate use of shared imaging data

• oversight during the private beta phase is provided by the Diagnostics Digital Capabilities (DDC) programme, which confirms organisational readiness and manages onboarding

• all activity is subject to NHS England assurance, security, and compliance frameworks

This governance model ensures that imaging data is only accessed and shared for direct care purposes, under clear legal and operational controls.

These APIs and profiles complement the National Imaging Registry (NIR) by supporting patient identity validation, record location, and document exchange:

• Patient Demographics Service (PDS) API – while the NIR does not integrate directly with PDS, organisations are expected to have PDS deployed so that NHS numbers can be validated before using the NIR API

• National Record Locator (NRL) API – there is an intention to integrate the National Record Locator (NRL) with NIR so that imaging data can be shared more widely, enabling end users without specialised imaging systems to access relevant information

• Mobile access to Health Documents (MHD) profile API – in future, NIR will expose an MHD endpoint to support standardised document exchange in line with IHE profiles, improving interoperability across systems

This API is in beta.  

If you have any other queries, contact us.

This API is a bronze service, meaning it is operational and supported only during business hours (8am to 6pm), Monday to Friday excluding bank holidays.

For more details, see service levels.

This API is built on internationally recognised interoperability standards to enable the secure exchange of imaging records across NHS and private healthcare networks. It uses IHE profiles such as Cross-Community Access (XCA) and relies on established messaging frameworks (SOAP web services) to ensure consistent and reliable communication between systems.

Cross-Community Access (XCA)

The IHE Cross-Community Access (XCA) profile provides a standardised way for health IT systems to query and retrieve clinical documents, including imaging studies and reports, across organisational and network boundaries.

This supports the API in:

• providing a federated query model for discovering imaging records across multiple networks

• using SOAP-based messaging to ensure structured, reliable, and secure request/response interactions

• building on existing document sharing principles (via XDS) but extends them across community boundaries

• enabling NHS and private healthcare providers on this technology to access patient imaging data without bespoke point-to-point connections

XCA supports the NIR’s ability to act as a national broker of imaging records, supporting both discovery and retrieval functions.

IHE profiles (XCA endpoint)

The NIR API XCA endpoint makes use of the following IHE transactions:

• ITI-38 Cross Gateway Query – enables an imaging system supplier to issue a query across community boundaries to discover documents (for example, imaging study metadata and diagnostic reports) for a given patient

• ITI-39 Cross Gateway Retrieve – enables the requesting system to retrieve selected documents (for example, imaging studies and reports) from a remote community once they have been located

These transactions form the backbone of the NIR’s interoperability model, allowing imaging system suppliers to query and retrieve a patient’s imaging records across different NHS and private healthcare networks through a standardised, SOAP-based interface.

The NIR API can be accessed either:

• directly over the public internet using secure and authenticated connections, or

• indirectly via the Health and Social Care Network (HSCN), where connectivity is provided through participating local imaging networks

Key points:

• imaging system suppliers must onboard through their customer organisation’s approved access route (internet or HSCN via local network)

• direct HSCN connectivity is not currently supported; access through HSCN is only available indirectly via connected local networks

• all traffic must use secure, encrypted connections with approved certificates and endpoint protection

• the same access model applies for both test and live environments

Internet access is recommended for suppliers, while HSCN access is available indirectly for organisations connecting via their local networks.

The NIR API uses strong certificate-based authentication and secure messaging to ensure that only authorised suppliers and healthcare organisations can access imaging data. All access is restricted to approved imaging system suppliers acting on behalf of their customer organisations.

Key security features

• Mutual TLS (mTLS) – all connections use client and server certificates issued from the NHS private certificate authority. This ensures that only trusted gateways and systems can connect to the NIR. Certificates are rotated frequently, with revocation enforced via daily CRL updates

• WS-Security with SAML assertions – SOAP-based XCA messages (ITI-38 query, ITI-39 retrieve) include WS-security headers carrying signed SAML assertions. These follow the IHE Cross-Enterprise User Assertion (XUA) profile, ensuring user identity, role, organisation, and purpose of use are securely conveyed

• Default-deny access model – all unauthenticated or unauthorised requests are rejected early, with minimal error detail exposed

• Audit logging – all access attempts are logged, with audit data forwarded to NHS audit repositories. Application-level logs are retained securely for monitoring and operational purposes

• Data protection – the NIR does not persist clinical documents or imaging files; it acts as a stateless proxy, with all data encrypted in transit using TLS 1.2+

Who authorises access

• healthcare organisations (NHS or private) are responsible for authorising their chosen imaging system supplier to access the NIR on their behalf

• suppliers cannot onboard independently; organisational approval must be confirmed as part of the onboarding process

• NHS England validates this authorisation during digital onboarding, ensuring only approved suppliers working for approved organisations are granted access

NIR Error Handling is a technical guide to how error codes, error severities and HTTP statuses are determined and returned to the client.

The primary purpose of this document is to provide a technical reference for teams that are either developing or supporting NIR. However, it may also be used to inform content that will eventually be uploaded to the NIR API website.

Note: This is a living document and may be updated as new functionality and features are added to NIR - check with a member of the NIR delivery squad for the most up to date information.

In scope

1. How IHE error codes are consolidated and reported to the client from NIR.
2. How ResponseStatusType is determined.
3. How HTTP status codes are determined.
4. How error severity is determined.
5. Sample error messages.

Out of scope

1.  Specific instructions for how the requesting systems display or handle these errors.
2.  Guidance on what to do in the event of an incident.

Sandbox testing

Our sandbox environment:

• is for early developer testing
• only covers a limited set of scenarios
• is stateless, so does not actually persist any updates
• is open access, so does not allow you to test authorisation

You can try out the sandbox using our Postman Collection.
Right click the link above and save link as... to save the Postman Collection to your device.

Integration testing

Our integration test environment:

• is for formal integration testing
• is stateful, so persists updates
• includes authorisation

For testing, you can use our test data packs.

For testing you may need to load the data in our test packs (for example, patient details) into your local system. 

You will need to test using your own synthetic diagnostic reports and images.

Production smoke testing

You must not use real patient data for smoke testing in the production environment. You must use 9 series NHS numbers created by [email protected]. 

Onboarding to the NIR API is managed through the developer and integration hub. This service ensures that all suppliers and organisations meet the required assurance, security, and governance standards before being granted access.

While the NIR is in private beta, organisations must first engage with the Diagnostics Digital Capabilities (DDC) programme before beginning the onboarding process. For further details, email England diagnostics and add "National Imaging Registry" in the subject line.

Once approved, suppliers can proceed with the Digital Onboarding Service to complete the necessary checks and gain access to the NIR API in the test and live environments.