NHSmail

Version 1, 7 November 2022

This guidance is part of the Working in a digitally transformed NHS section of the Good practice guidelines for GP electronic patient records.

Overview

NHSmail is a secure email and collaboration service approved and owned by NHS England for sharing patient identifiable and sensitive information.  The NHSmail gateway has advanced threat detection for malware, as well as phishing and spam detection.

At the time of writing, NHSmail is used by some 1.5 million health and care professionals.  Users can access email, calendar, contacts and tasks (Microsoft To Do) through a desktop email application such as Microsoft Outlook, via a web browser, or on mobile devices.

The NHSmail service is hosted in Microsoft Exchange Online and provides users with a 4GB mailbox as standard.  It comes with an Exchange Online Archive for each mailbox which is initially provisioned at 100GB.  Each organisation can also permit up to 10% of their users to increase their allocated mailbox size from 4GB to 50GB, at no additional cost.

The maximum attachment size for all emails is 35MB.  All other collaboration and file sharing between NHS.net accounts can be supported by using the Microsoft 365 options available to NHSmail users. 

Secure sending of email and large file transfer between NHS.net and other domains can be supplemented by use of the NHSmail Egress product. 

Certain attachment types are blocked by NHSmail, for example .exe (Windows executable) and .docm (macro-enabled Word document).  For the full list of blocked and allowed file extensions, see the attachments guide for NHSmail provided by support.nhs.net.

Scope

NHSmail is more than just an email service.  In 2020, the NHSmail service underwent a full refresh which saw the platform transition to Microsoft Office 365 (O365).

Access to O365 applications such as Microsoft Office Online (online versions of Word, PowerPoint, Excel, and OneNote), Teams, OneDrive and SharePoint is provided as standard to all NHSmail users.

Access to applications can be managed by local administrators to suit local organisation needs.  For more information on the full collaboration toolkit visit the O365 feature introduction article provided by support.nhs.net.

NHSmail no longer provides text (SMS) and fax services.  Central funding for these was withdrawn at the end of March 2015 and local arrangements are now in place.  SMS may however still be sent via generic NHSmail accounts, e.g. noreply@nhs.net, depending on local arrangements.

The GP contract states that practices should no longer use facsimile (fax) machines for either NHS or patient communications after April 2020.

NHSmail remains the only nationally commissioned emailing service for the NHS.

Help and support

Local administrators (LAs) are the prime contacts responsible for the administration of local NHSmail accounts.  They will help with resetting passwords (when you cannot use the self-service password reset), setting up shared mailboxes, and authorising distribution lists.

You will usually contact your administrator through your local ICT support desk.

Roles/responsibilities of practice staff in managing email accounts

NHSmail accounts are an invaluable resource which must be used appropriately.  Practice managers/deputies/administrators must ensure that these resources are used responsibly.

Practice staff must adhere to the following:

  • NHSmail must be used for business purposes only
  • incoming emails and any attachments must be checked for viruses; automatic virus checking must not be circumvented, and antivirus software must be kept up to date
  • emails (both internal and external) must not contain unsuitable information or attachments, e.g. defamatory/discriminatory/bullying/harassing material, or comments
  • all emails sent externally must include a standard disclaimer
  • any confidential information (especially patient identifiable information) sent in an email to an address that does not end in @nhs.net must be encrypted, unless the recipient's domain is accredited to the DCB1596 secure email standard
  • care must be taken in addressing emails (especially when using ‘copies to’, address books and distribution lists) to ensure that emails are sent only to the intended recipients
  • never access, change, or use another person’s username/password/email account
  • note that email usage and content may be monitored to ensure compliance with local policy
  • misuse of NHSmail may result in action under the practice disciplinary procedures

NHSmail applications

Practices need to be aware that NHSmail can be the fallback option in some applications when the primary messaging route fails, for example in sending NHS 111 post-event messages (as set up in a local directory of services).

Features of NHSmail

The following are the key features of NHSmail:

  • access to email | via a desktop email client such as Microsoft Outlook, a web browser (Outlook Web Access at portal.nhs.net) or a mobile device
  • NHSmail is secure | it provides information-governance-assured and appropriately encrypted communication, and it supports compliance with the NHS secure email standard (DCB1596) and the General Data Protection Regulation (GDPR)
  • access to a personal calendar | for appointments and meetings and personally-set permission levels
  • a directory (people finder) | making it easy to search for the details (email, telephone number, organisation details) of other NHSmail users, as well as shared mailboxes, distribution lists, and NHS directory contacts
  • a personal address book | My Contacts to manually create contacts (email addresses and other details) or quickly add them from the national directory
  • an online archiving solution | to enable users to store and manage emails outside of their inbox, freeing up quota space and improving performance
  • shared mailboxes | a shared mailbox (generic mailbox) for an organisation meaning all staff who have access can send emails on behalf of the mailbox
  • Office applications | access to Microsoft Office Online including web versions of Microsoft Word, PowerPoint, Excel and OneNote, enabling creation, sharing and collaboration using the Office suite across all device types
  • access to Microsoft Teams | on any desktop or mobile device to enable video calls to colleagues and patients, securely share chat messages and file sharing, supported by online training for Teams
  • training | Microsoft run live virtual training on a regular basis for NHSmail users across all the available products – N365 Shared Tenant Virtual training – NHSmail Support
  • technical training | anyone who has a NHS.net account can gain access to the Microsoft Enterprise Skills Initiative for a deeper dive on technical training options
  • cloud storage | using Microsoft OneDrive to upload, store and access work files from multiple devices to enable secure document creation and collaboration, anywhere at any time
  • reporting facilities | to enable practices and other organisations to look at utilisation, exceptions, etc.; contact your local ICT service desk, which may be able to provide these reports along with guidance on how to generate them

NHSmail security considerations

NHSmail represents a secure, encrypted way to correspond with colleagues, including sharing sensitive personal information about patients and staff.  It is, however, very important to remain security aware when using the system to ensure risks are minimised.

To access NHSmail, health and care organisations must meet or exceed the Data Security and Protection Toolkit rating of ‘entry level’.

It is good practice and national policy that a user holds a single NHSmail account, even where they have more than one NHS role.

Acceptable use policy

New NHSmail users must read and accept the Acceptable Use Policy.  This is regularly updated by support.nhs.net, so it is important to keep up to date with its contents and use NHSmail in accordance with the latest guidance.

Information governance and data security training

It is each user’s responsibility to ensure they are up to date with their local information governance and data security training. 

For guidance on how to keep your account and the NHSmail service safe from common cyber threats, including spam, junk, spoofing and phishing, please see the NHSmail cyber security guide.

Passwords and security questions

The NHSmail password policy was introduced in May 2019 to help keep the NHSmail service safe in line with the National Cyber Security Centre (NCSC) guidelines.

Passwords are valid for 365 days. All users will receive reminders to change their password via email 18, 10, 5, 2 and 1 day(s) before the expiry date.

All passwords must follow the following criteria:

  • minimum length of 10 characters, without requiring a mix of character types
  • not matching previous 4 passwords
  • not detected as a common password, for example Password123, Winter2018
  • not detected as a breached password (a password used for an account that has previously been compromised – breached passwords are sourced from an internet-based breach database)
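The four criteria above are a policy statement; the following is an added, illustrative checker (not NHSmail's own code) showing how each rule is typically enforced.  The common-password list and the breach database are constructed samples, and the breach lookup mimics a k-anonymity range query so that only the first five characters of the password's SHA-1 hash leave the client.  The PBKDF2 cost and the season-plus-year heuristic for passwords like Winter2018 are assumptions, not documented NHSmail behaviour.

```python
"""Added example: a checker for the NHSmail password criteria listed above.
Illustrative code only; not NHSmail's implementation."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 10          # minimum length, with no character-class rules
HISTORY_DEPTH = 4        # "not matching previous 4 passwords"
KDF_ITERATIONS = 50_000  # assumption: PBKDF2 cost for stored password history

# Constructed sample of a common-password list; a real deployment loads a large list.
COMMON_PASSWORDS = {"password123", "qwerty12345", "letmein1234", "nhsmail2022"}
# Assumption: season+year passwords such as Winter2018 are treated as common.
SEASON_YEAR = re.compile(r"(spring|summer|autumn|winter)\d{2,4}[!?.]*")

# Constructed stand-in for the internet breach database: password -> times seen.
# The real database is queried over the network; the protocol below is the same.
_BREACHED_SAMPLE = {"Password123": 126927, "Winter2018": 3301, "hunter22hunter": 15}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def mock_range_lookup(prefix5: str) -> str:
    """Behaves like a k-anonymity range endpoint: given the first five hex characters
    of a SHA-1, return 'SUFFIX:COUNT' lines for every breached hash with that prefix."""
    lines = []
    for pw, count in _BREACHED_SAMPLE.items():
        digest = _sha1_hex(pw)
        if digest.startswith(prefix5):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup=mock_range_lookup) -> int:
    """Return how often the password appears in the breach data, or 0.
    Only the five-character prefix is sent; the full hash never leaves the client."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate and hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


def history_entry(password: str) -> tuple:
    """Store previous passwords as salted PBKDF2 digests, never in the clear."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def matches_recent(password: str, history) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history=(), range_lookup=mock_range_lookup) -> list:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if matches_recent(password, history):
        failures.append("matches_recent_password")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or SEASON_YEAR.fullmatch(lowered):
        failures.append("common_password")
    if breach_count(password, range_lookup) > 0:
        failures.append("breached_password")
    return failures


if __name__ == "__main__":
    previous = [history_entry(p) for p in ("OldPass-2019", "OldPass-2020", "OldPass-2021", "OldPass-2022")]
    for candidate in ("Password123", "Winter2018", "OldPass-2021", "correct-horse-clinic-42"):
        print(candidate, "->", check_password(candidate, previous) or "ok")
```

The history check deliberately keeps only salted digests of earlier passwords; comparing plaintext history would turn the password store into a breach of its own.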

Users must ensure their password and answers to their security questions for their NHSmail services are always kept confidential and secure.  They should notify their local administrator if they become aware of any unauthorised access to their NHSmail account or believe their account to have been compromised.

NOTE | users must never enter their NHSmail password into any website other than nhs.net sites, including social media sites.  You will never legitimately be asked for your NHSmail password, and you must not divulge it to anyone, even if asked.

The NHSmail password policy page provides helpful reminders, along with direction on the following typical tasks:

Using NHSmail for clinical communications

Best practice

The following suggestions are based on typical tasks performed within a GP practice, but the principles can be applied in any healthcare or professional setting:

Do:

  • monitor inboxes to ensure clinical tasks requiring action are followed up
  • check outboxes for undelivered mail
  • have a business continuity plan to maintain key services in case NHSmail becomes unavailable for any reason
  • add emails containing correspondence relevant to patients to the correct patient record promptly and accurately (such emails should also be deleted from mailboxes after a suitable period defined in your local data retention policy)
  • make it clear to patients and staff that NHSmail practice inboxes (or ‘generic’ or ‘shared’ inboxes) should not be used for urgent clinical advice
  • provide guidance to patients on the proper channels for communication with the practice (could be included within an autoreply)
  • record patient communication preferences in their record and respect those preferences – patients and service users should be able to change their preferences at any time and their records updated (the NHS central team provides a useful template for email and text messages)
  • use the Exchange online archive to keep inboxes within quota space and to improve performance
  • ensure that all email accounts are current, managing leavers, joiners, those on long term absence and temporary staff (including locums) in a timely manner
  • keep track of how practice inboxes (or ‘generic’ or ‘shared’ inboxes) are managed and accessed and, where appropriate, how they are used in clinical systems and other accredited applications

Do not:

  • open or forward any suspicious messages, attachments, etc. – any such potentially harmful content should be reported to your local ICT service desk
  • use NHSmail as a document management system, as it is not designed to be one
  • use NHSmail accounts for social media and other third-party application subscriptions unrelated to your NHS work

Avoiding data breaches

As defined in the Data Protection Act 2018, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. 

Unaddressed data breaches can lead to significant consequences along with heavy fines for those responsible.

According to the guidance and advice on the dangers of email provided by the Medical Defence Union, confidentiality breaches are the most common type of breach involving patients’ records.  This is where there is an unauthorised or accidental disclosure of, or access to, personal data.

Email addresses

Mistakes when sending emails can result in breaches of confidentiality.  This can be something as simple as mis-spelling an email address.  Take care when entering or selecting email addresses when composing an email.  For example, another@nhs.net and a.nother@nhs.net look similar.  Another common mistake can occur with email addresses containing numbers, such as another3@nhs.net and another4@nhs.net.

Using ‘Reply all’

Breaches of confidentiality have occurred when selecting the ‘Reply all’ button in an email instead of ‘Reply’.  When using the ‘Reply all’ function, you should make sure it is appropriate for your response to go to everyone included in the initial message.  To see the steps involved, see the guidance ‘Reply and Reply to all to an email‘ provided by support.nhs.net.

Bulk emails

If sending bulk emails to patients, extreme care should be taken, making note of patient preferences.  The Medical Defence Union (MDU) provides guidance on bulk emails and protecting the privacy of your recipients.

Carbon copy and blind carbon copy options

All NHSmail users must know the difference between the To, Carbon copy (Cc) and Blind carbon copy (Bcc) fields when composing, replying to, or forwarding emails.

Breaches have occurred when sending batch emails to a group of patients using the Cc field of an email instead of Bcc.  Training and guidance on using blind carbon copy is provided by support.nhs.net.

Using NHSmail on shared computers or unmanaged devices

If you are accessing your NHSmail account from a non-corporate device such as a home computer, personally owned laptop or a machine in an internet café, you should only access the service via the web at www.nhs.net and not through an email program such as Microsoft Outlook, unless you have explicit permission from your own organisation to do so.

Further practical guidance is provided in the article using NHSmail on shared computers or unmanaged devices on support.nhs.net.

Reporting a cyber incident

If you accidentally share sensitive or patient data with an incorrect recipient, it is your responsibility to report this in line with your local information governance policies and processes.

If you believe an account to be compromised, the practice should contact the ICT service desk immediately.

Central NHS teams protect the NHS from cyber attacks and monitor for new threats 24 hours a day.  These teams support organisations across the NHS with advice, assessments, and training.

Urgent cyber security incidents in the NHS must be reported by email or telephone.  In addition, the NHS provides cyber and data security services and resources, including a data security helpline for health and care organisations.

You can read more about cyber security in primary care in another article in this series.

NHSmail encryption feature

NHSmail includes an encryption feature that allows users to exchange information securely with users of non-accredited or non-secure email services, for example Gmail, Hotmail, etc.

When the NHSmail encryption feature should be used

When NHSmail users email other NHSmail users (for example, an @nhs.net email address emailing another @nhs.net email address) there is no need to use the encryption feature. 

If, however, sensitive information needs to be emailed outside NHSmail, then the encryption feature must be used.  This does not apply when sending emails to an organisation that has accredited to the secure email standard.  The NHS provides a list of all organisations that have accredited to the DCB1596 secure email standard.

If there is doubt or uncertainty, the NHSmail encryption feature should be used, which will encrypt the email unless the recipient is an accredited domain.
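The addressing mistakes described under ‘Email addresses’ and ‘Carbon copy and blind carbon copy options’, and the encryption rule set out just above, can all be checked before a message leaves the practice.  The following is an added example, not NHSmail or Outlook code: the directory, the list of DCB1596-accredited domains and the recipient addresses are constructed samples, and the choice to flag only same-domain addresses within one edit of a known contact, and to match accreditation on the exact domain, are assumptions made for the example.

```python
"""Added example: pre-send checks for lookalike addresses, Cc-versus-Bcc on
external recipients, and the NHSmail encryption rule.  Illustrative only."""

NHSMAIL_DOMAIN = "nhs.net"

# Constructed sample; in practice use the NHS list of domains accredited to DCB1596.
ACCREDITED_DOMAINS = {"example-council.gov.uk", "pharmacy.example.org"}

# Constructed sample of addresses from the NHSmail directory / practice contacts.
DIRECTORY = {"a.nother@nhs.net", "another3@nhs.net", "jane.doe@nhs.net"}


def split_address(addr: str):
    """Return (local part, domain), lower-cased, for a plain address."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def is_internal(addr: str) -> bool:
    return split_address(addr)[1] == NHSMAIL_DOMAIN


def is_accredited(addr: str) -> bool:
    # Assumption: accreditation is matched on the exact domain, not parent domains.
    return split_address(addr)[1] in ACCREDITED_DOMAINS


def needs_encryption(recipients, sensitive: bool) -> bool:
    """Sensitive content must be encrypted for any recipient outside nhs.net whose
    domain is not accredited; nhs.net to nhs.net needs no encryption feature."""
    return bool(sensitive) and any(
        not is_internal(r) and not is_accredited(r) for r in recipients
    )


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 'another' vs 'a.nother' is 1, 'another3' vs 'another4' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(addr: str, directory=DIRECTORY) -> list:
    """Known addresses at the same domain that differ from addr by exactly one edit.
    An address that is itself in the directory is never flagged."""
    if addr.strip().lower() in directory:
        return []
    local, domain = split_address(addr)
    hits = []
    for known in directory:
        klocal, kdomain = split_address(known)
        if kdomain == domain and edit_distance(local, klocal) == 1:
            hits.append(known)
    return sorted(hits)


def check_outgoing(to=(), cc=(), bcc=(), sensitive=False, encrypt=False, directory=DIRECTORY) -> list:
    """Return (code, detail) warnings for a draft; an empty list means nothing was flagged."""
    warnings = []
    everyone = [*to, *cc, *bcc]
    for addr in everyone:
        for known in lookalikes(addr, directory):
            warnings.append(("lookalike_address", f"{addr} resembles {known}"))
    visible_external = [a for a in (*to, *cc) if not is_internal(a)]
    if len(visible_external) > 1:
        warnings.append(("visible_external_recipients",
                         "several external addresses in To/Cc; use Bcc for patient mailings"))
    if needs_encryption(everyone, sensitive) and not encrypt:
        warnings.append(("encryption_required",
                         "sensitive content to a non-accredited external domain"))
    return warnings


if __name__ == "__main__":
    for code, detail in check_outgoing(to=["another@nhs.net", "patient1@gmail.com"],
                                       cc=["patient2@gmail.com"], sensitive=True):
        print(f"{code}: {detail}")
```

Running the block as a script flags both lookalike contacts for another@nhs.net, the two patients visible to each other in To/Cc, and the missing encryption for the Gmail addresses; moving the patients to Bcc and sending through the encryption feature clears all three warnings.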

How to send encrypted emails

To view the steps, please read the guide to encryption in NHSmail.

It is important that this be read in its entirety, as the guide states: ‘Before using the encryption feature, please ensure you read and understand all guidance and instructions to ensure data remains secure.’

The guide covers the following:

  • important considerations before sending an encrypted email
  • how to send an encrypted email
  • how to revoke access to an encrypted email
  • help and FAQs

Receiving an encrypted email

Non-NHSmail users can receive encrypted emails sent from NHSmail accounts, for example a patient with a @gmail.com address receiving an encrypted email from a GP or nurse with an @nhs.net email address.

Guidance on accessing encrypted emails for non-NHSmail users sets out the steps involved.

The guide covers:

  • replying to and forwarding encrypted emails
  • creating an account to use encrypted email
  • requesting access to an encrypted email
  • keeping encrypted emails secure
  • help and FAQs

Other helpful resources

Data breaches

Sharing sensitive information

Apple Mac NHSmail support

NHSmail helpdesk

National Administration Service (NAS)

  • For those who require assistance with NHSmail (e.g., unable to log on) and work within a pharmacy, optometry, social care or dentistry, or are an independent midwife or GP locum, refer to the National Administration Service guide

Live service status

NHSmail supported platforms

  • Follow this link to see which browser versions, Microsoft Outlook versions, Windows operating systems and mobile devices will work with NHSmail

OneDrive training