Overview

NHSmail is a secure encrypted email and collaboration service approved and owned by NHS England for sharing patient identifiable and sensitive information.  The NHSmail gateway has advanced threat detection for malware, as well as phishing and spam detection.

NHSmail is the only nationally commissioned emailing service for the NHS.

Follow this link for an overview of NHSmail services.

Help and support

Local administrators (LAs) are the prime contacts responsible for the administration of local NHSmail accounts.  They will help with resetting passwords (when you cannot use the self-service password reset) setting up shared mailboxes, and authorising distribution lists.

You will usually contact your administrator through your local ICT support desk.

Features of NHSmail

Follow this link for a summary of the key features of NHSmail.

Roles/responsibilities of practice staff in managing email accounts

NHSmail accounts are an invaluable resource which must be used appropriately.  Practice managers/deputies/administrators must ensure that these resources are used responsibly.

Practice staff must adhere to the following:

• NHSmail must be used for business purposes only
• incoming emails and any attachments must be checked for viruses/automatic virus checking must not be circumvented and antivirus software must be kept up to date
• emails (both internal and external) must not contain unsuitable information or attachments, e.g. defamatory/discriminatory/bullying/harassing material, or comments
• all emails sent externally must include a standard disclaimer
• any confidential information (especially patient identifiable information) sent in an email to an address that does not end in @nhs.net must be encrypted, unless it is listed on the DCB1596 secure email standard.
• care must be taken in addressing emails (especially when using ‘copies to’, address books and distribution lists) to ensure that emails are sent only to the intended recipients
• never access, change, or use another person’s username/password/email account
• note that email usage and content may be monitored to ensure compliance with local policy
• penalties for misuse of NHSmail may invoke the practice disciplinary procedures

NHSmail security considerations

To access NHSmail, health and care organisations must meet or exceed the Data Security and Protection Toolkit rating of ‘entry level’.

For guidance on how to keep your account and the NHSmail service safe from common cyber threats, including spam, junk, spoofing and phishing, please see the NHSmail cyber security guide.

It is good practice and national policy not to have multiple accounts for a user who may have more than one NHS role.

Acceptable use policy

New NHSmail users must read and accept the Acceptable Use Policy.  This is regularly updated by support.nhs.net, so it is important to keep up to date with its contents and use NHSmail in accordance with the latest guidance.

Passwords and security questions

The NHSmail password policy was introduced in May 2019 to help keep the NHSmail service safe in line with the National Cyber Security Centre (NCSC) guidelines.

The NHSmail password policy page also provides helpful reminders, along with direction on a range of typical tasks and issues, like changing passwords and unlocking accounts.

Using NHSmail for clinical communications

Best practice

The following suggestions are based on typical tasks performed within a GP practice, but the principles can be applied in any healthcare or professional setting:

Do:

• monitor inboxes to ensure clinical tasks requiring action are followed up
• check outboxes for undelivered mail
• have a business continuity plan to maintain for key services in case NHSmail becomes unavailable for any reason
• add emails containing correspondence relevant to patients to the correct patient record promptly and accurately (such emails should also be deleted from mailboxes after a suitable period defined in your local data retention policy)
• make it clear to patients and staff that NHSmail practice inboxes (or ‘generic’ or ‘shared’ inboxes) should not be used for urgent clinical advice
• provide guidance to patients on the proper channels for communication with the practice (could be included within an autoreply)
• record patient communication preferences in their record and respect those preferences – patients and service users should be able to change their preferences at any time and their records updated (the NHS central team provides a useful template for email and text messages)
• use the Exchange online archive to keep inboxes within quota space and to improve performance
• ensure that all email accounts are current, managing leavers, joiners, those on long term absence and temporary staff (including locums) in a timely manner
• keep track on how practice inboxes (or ‘generic’ or ‘shared’ inboxes) are managed, accessed and where appropriate, how these are used in clinical systems and other accredited applications

Do not:

• open or forward any suspicious messages, attachments, etc. – any such potentially harmful content can be reported to your local ICT service desk
• use NHSmail as a document management system, as it is not designed to be one
• use NHSmail accounts for social media and other third-party application subscriptions unrelated to your NHS work

Avoiding data breaches

As defined in the Data Protection Act 2018, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. 

Unaddressed data breaches can lead to significant consequences along with heavy fines for those responsible.

According to the guidance and advice on the dangers of emails provided by the Medical Defence Union, confidentiality breaches are the most common type of breach with patients’ records.  This is where there is an unauthorised or accidental disclosure of, or access to, personal data.

The NHS England pages on the Outlook web app policy provide helpful information about best practice in a range of email related actions e.g. ‘reply all’ and mailbox management.

If sending bulk emails to patients, extreme care should be taken, making note of patient preferences.  The Medical Defence Union (MDU) provides guidance on bulk emails and protecting the privacy of your recipients.

Carbon copy and blind carbon copy options

All NHSmail users must know the difference between the To, Carbon copy (Cc) and Blind carbon copy (Bcc) fields when composing, replying to, or forwarding emails.

Breaches have occurred when sending batch emails to a group of patients using the Cc field of an email instead of Bcc.  Training and guidance on using blind carbon copy is provided by support.nhs.net.

Using NHSmail on shared computers or unmanaged devices

If you are accessing your NHSmail account from a non-corporate device such as a home computer, personally owned laptop or in an internet café, you should only access the service via the web at www.nhs.net and not through an email programme such as Microsoft Outlook, unless you have explicit permission from your own organisation to do so.

Further practical guidance is provided in the article using NHSmail on shared computers or unmanaged devices on support.nhs.net.

Reporting a cyber incident

If you accidentally share sensitive or patient data with an incorrect recipient, it is your responsibility to report this in line with your local information governance policies and processes.

If you believe an account to be compromised, the practice should contact the ICT service desk immediately.

Urgent cyber security incidents in the NHS must be reported by email or telephone reported via a secure telephone

NHSmail encryption feature

NHSmail includes an encryption feature that allows users to exchange information securely with users of non-accredited or non-secure email services, for example Gmail, Hotmail, etc.  Follow this link for guidance on when and how to use the encryption feature.

Related GPG content

• Cyber security
• Information governance and data protection
• MS Teams and remote working
• Keeping GP records

Other helpful resources

Sharing sensitive information

• The following documents are available from the Sharing sensitive information page, provided by support.nhs.net
• Guide for health and social care email users | how email addresses are known to be secure (protected email in transit and upon receipt) and which addresses should use the email encryption tools
• Guide for health and social care organisations | information on the DCB1596 secure email specification, electronic and digital signatures
• Guide for government organisations | for government organisations that need to exchange personal confidential data and sensitive information with health and social care organisations with information on the NHSmail service

Apple Mac NHSmail support

• NHSmail support for Apple Mac users

NHSmail helpdesk

• For national helpdesk advice and support, email helpdesk@nhs.net or visit https://support.nhs.net/

National Administration Service (NAS)

• For those who require assistance with NHSmail (e.g. unable to log on) and work within a pharmacy, optometry, social care, dentistry, or are an independent midwife or GP locum, refer to the National Administration Service guide

Live service status

• Live information on the status of NHSmail services and any issues that may be impacting users

NHSmail supported platforms

• Follow this link to see which browser versions, Microsoft Outlook versions, Windows operating systems and types of mobile devices of the following will work with NHSmail

OneDrive training

• OneDrive training from Microsoft