Identity verification

Version 1.1, 10 February 2023

This guidance is part of the Information governance and data protection section of the Good practice guidelines for GP electronic patient records.

Identity (ID) is defined as a combination of attributes (characteristics) that belong to a person.  A single attribute is not usually enough to tell one person apart from another, but a combination of attributes can be.

Identity verification is governed by national legal, professional and ethical standards. At the time of writing, patients prove who they are (often in different ways) for each NHS website, app, and GP practice they interact with. They are required to remember different logins and re-enter similar information many times. This is difficult for a person managing their own health and care, but if they are caring for others, it can be even more challenging.

Providers of frontline health services, including general practice, must ensure patients’ data and information held in their individual medical records remains secure and is accurate.  Verification of patient identity is an essential step towards this.

Identity verification when registering with a GP practice

For further information please see: How to register with a GP surgery – NHS (www.nhs.uk)

Identity verification when registering for online services

Before access to medical records and any online service is granted, patients will need to prove their identity to practice staff. It is good practice to have procedures and protocols in place to ensure a consistent and robust approach is taken to:

  • ensure patient confidentiality
  • provide secure access to personal, sensitive information

Practices will need to agree which members of staff are authorised to verify identity, whether by the presentation of documents or by vouching for an individual’s identity, and then register such patients for online access.  

Whilst one person may have more than one role in the process, best practice is for registration on the clinical system to be performed by someone other than the person verifying identity. The names of both the person approving access and the person performing registration should be recorded in the system against the registered patient record.

It is important that staff are appropriately trained to confirm a patient’s identity with confidence.

There are three acceptable ways of confirming patient identity:

1. Documentation

Most patients can prove their identity with documentation.  Two forms of documentation should be provided as evidence of identity, and one should contain a photo.  Acceptable documents include valid passports, photo driving licences and bank statements (issued within the last 3 months).

A full list of acceptable documents is published by the Cabinet Office.

2. Personal vouching

Practice staff can personally vouch for a patient they know.  They must be confident of the identity of the patient.  The name of the person vouching for an applicant’s identity, the method used, and date should be recorded in the patient record.

3. Vouching with confirmation of information held in the patient record

If a patient is registered with the practice but not known personally to any staff, it is acceptable to confirm the patient’s ID using additional security information. 

This should be information taken from a patient’s record, such as current medication, date of any recent hospital visit or procedure, full names of any other inhabitants at that address, etc.

Note: Any number of confirmation questions can be used, but staff must be careful not to reveal any personal information from the medical record to the unconfirmed patient, and any such questioning should be done discreetly.

If practice staff are unable to satisfy themselves that the patient is who they say they are, then documentation must be sought.  Staff members should confirm in the patient record, under the online services link, that they have vouched for the patient, listing all information used.

Identity confirmation and authentication using NHS login

The NHS login allows patients to access lots of different health and care websites and apps. It is a national identity platform which allows people to prove their identity once, in a manner which is convenient to them. Having done so, they can then use their NHS login to access many digital health and care services, including GP online (patient facing) services.

The level of access to sites and services online is governed by the amount of information provided when registering for an NHS login.

The NHS login aims to build public confidence in, and encourage greater use of, local and national digital health and care services.  It also relieves practices of the need to confirm identity before giving access to online services.

Full guidance on the NHS login is given in another article in this series.

Identity confirmation when registering a proxy or next of kin

When dealing with requests for proxy access or registration as next of kin, practices should be alert to safeguarding issues and the risk of coercion. In all instances the patient must be competent to give permission for their proxy. Access levels can vary depending on the patient’s needs, and staff must ensure that the appropriate level of access is granted on each occasion.

Children and young people

Special considerations also apply to ID verification and online access by, and for, children. A person with parental responsibility should generally be able to access their child’s records on the child’s behalf until the child is 11 years old. Practices will need a search to identify patients reaching age 11 and check if they have proxy access enabled.

Patients aged 11 with proxy access enabled should be contacted to see if parental online access should continue, be revoked, or be limited to specific online services (for example, medication ordering or appointment booking). If access continues, the patient is advised that they will need to tell the practice if they wish this to change. It is, however, good practice for clinicians to take the opportunity during patient contact to review whether the service provided, including online access, is appropriate and meeting their needs.

If the child has provided explicit consent, then this should be noted on the patient record.  Where a child has capacity and wants to manage their own information, this should also be noted.  In some circumstances parental access can be judged to be in the best interests of the child (e.g. to protect the child from significant harm if they are refusing care or treatment).

Children aged 16 or older are usually considered to have the capacity to give or refuse consent, for treatment or for parental access to their health records, unless there is a reason to suggest otherwise. The GMC produces ethical guidance for clinicians on making decisions regarding children and young people 0-18 years.

Anyone wishing to register as a proxy for, or as next of kin to, a patient must have their identity and, therefore, their eligibility, verified. They must also demonstrate that they have the explicit consent of the competent patient to access their record or have been granted a Lasting Power of Attorney (LPA) to make health and welfare decisions on the patient’s behalf.

Deceased patients

Access to the records of a deceased patient is restricted to the personal representative of the deceased and to family members who might have a claim arising from the death of the deceased.

Linked profiles

Linked profiles can be added to an individual’s NHS App, allowing them proxy access. In the case of access to another patient’s profile, practices must ensure that there are no safeguarding concerns, particularly but not exclusively with regard to coercion or controlling behaviour.

If a patient asks for proxy access, practices can set it up using their normal processes in the clinical system. It will then be available in the patient’s NHS App and in any other online service which provides proxy access.

Proxy access must be granted by the practice prior to the activation of a linked profile in the App.

Identity confirmation when making a subject access request

ID and patient consent must be validated before any information is released following receipt of a subject access request.

Ongoing and future developments

In April 2022 the government department for Digital, Culture, Media and Sport (DCMS) launched the development of the UK Digital Identity Trust Framework. This will provide legal recognition for a digital identity and enable a person with a digital identity and its associated attributes, from a certified provider, to use this as an alternative to physical identity documents such as a passport or bills, enabling, for example, online registration at a GP practice.

As part of the Enabling Staff Movement programme, NHS England is working with DCMS on how to use this new scheme to improve the onboarding process for staff, particularly for those staff, such as junior doctors and bank staff, who need to repeat identity and employment checks for each rotation or assignment.

Summary

The burden of checking ID and setting up users’ accounts currently sits squarely on the shoulders of the NHS front line, primarily practice staff.  It is good practice to have procedures and protocols in place to ensure a consistent and robust approach is taken to ensure patient confidentiality, whilst providing secure access to personal and sensitive information.

It is important that staff are appropriately trained to confirm patient identity with confidence.

The NHS login is a step towards moving identity verification away from GP online services. Practices should take the opportunity to promote uptake of the NHS App or an alternative GP online service provider with their patient population.

Practices should also:

  • ensure staff are appropriately trained to confidently verify someone’s identity
  • ensure staff document the evidence used in patients’ records when vouching for a patient
  • promote the NHS login as this can ultimately reduce the administrative burden on practice staff
  • promote the NHS App
  • ensure caution when granting proxy access, particularly with regard to safeguarding and coercion or concerns about controlling behaviour

Other helpful resources