IGSOP02 Standard Operating Procedure (SOP)



Standard Operating Procedure for Email Communication with Patients/Clients and their Families/Carers

Version: V3

Ratified by: Technology Programme Board (TPB)

Date ratified: 14/04/2022

Job Title of author: IG and IT Projects Manager

Reviewed by Committee or Expert Group: TPB

Related procedural documents: IGPOL65 Transferring of Personal Information

Review date: 14/04/2025

It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. the one obtained via the intranet.

In developing/reviewing this procedure Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

Version, Date, Author, Status, Comment

V1 June 2017 IG & IT Projects Manager Ratified

V2 June 2019 IG & IT Projects Manager

V3 January 2022 IG and IT Projects manager

Update to new template and amended expiry date to review date

Update to a new template and review

1. Introduction

With more and more people preferring to use email as a way of communicating, people are requesting to receive information about their care and treatment by email. Whilst email is quick, reliable and secure within the organisation, most individuals do not have access to an NHS mail account and commonly use less secure email services such as Gmail, Hotmail, Yahoo, AOL mail.

The Organisation has a responsibility under the Data Protection Act 1998 to ensure that personal confidential data is held securely and that appropriate consent is in place for the sharing of information.

There are many risks associated with the use of email which need to be understood by service users and staff. Some of these are outlined in Appendix 4.

The Caldicott2 Review Panel concluded that “personal confidential data can be shared with individuals via email when the individual has explicitly consented and they have been informed of any potential risk”.

For the purpose of this document the term “individual” refers to patients, clients, service users, their families, carers and representatives.

2. Purpose

These procedures outline steps that must be taken when emailing individuals as well as good practice guidelines.

3. Scope

These procedures apply to communicating patient confidential information with patients/clients and their families/carers via email.

4. Considerations

It is important to consider whether email is the best method of communication in all circumstances. When responding to complicated or difficult problems or conveying particularly sensitive information it may be better to consider a telephone call or a face-to-face meeting to address these scenarios.

If requiring confirmation that information has been received, please be advised that an Email Read Receipt is not a reliable indication and should not be relied upon. Confirmation should be sought from the recipient if required.

5. Procedure

Remember all email communication on behalf of the organisation must be sent from a secure NHS email address and never from a private email account. It must also be attached to the individual’s electronic care record.

Always use the secure functionality in NHS Mail by including the word secure in square brackets [Secure] in the subject line of the email when sending patient identifiable information to a non-secure email. The decision on whether to use the secure functionality should be based on whether the email contains sensitive information and whether there will be repercussions if lost.

For example, sending a generic service leaflet to a patient would not warrant the use of Encryption.

If you receive a request from a person to receive communications by emails, and your line manager has agreed to communicate in this way, then you must first ensure that the following is in place.

• Agree within your team a generic email account that can be used for communicating with individuals. This should be a generic NHS mail account which is monitored daily and has an out of office message which signposts people to other contacts in case of emergency, during non-office working hours and details of expected response times.

• Ensure that an email signature is set for the account and complies with Provide’s requirements for email signatures.

• Implement a process that covers:

1. members of the team sending an email to the generic account for onward transmission to the individual, with timescales

2. who is the owner of the generic account and therefore takes responsibility for forwarding on messages, within timescales?

3. who is responsible for storing the email appropriately?

4. a process to raise a concern if the volume of emails from a particular individual becomes unmanageable.

Once the above is in place, then the following process should be completed with each individual:

• Present the Individual with the consent form (appendix 1) and ask them to review and sign. The consent form can also be emailed to the individual where a face-to-face appointment with the individual is not possible.

• The form must then be filed in the patient’s care record. In the case of an emailed consent form, a copy of the email providing consent should also be filed. (File under Letter Type “Consent for Email Communication”)

• The Email address specified should be checked and updated on their care record.

• Services using SystmOne must verify that they have been provided with the correct email address by following the instructions under Appendix 2 before sending any Confidential Information.

You now have consent to share appropriate and relevant information with that person by email. Consent needs to be reviewed on a regular basis i.e. at each episode of care or as part of checking demographic details to ensure that they are still happy to receive information by Email and also to verify that their email address is the same and has not changed.

If at any point an email that has been sent by the organisation to a person is returned with an undeliverable message (Mailer Daemon – message failure notification), no further email messages should be sent. Please record the message failure and the date received in the care record. Please remember to communicate the information by other appropriate means.

Please remember that if you wish to communicate with an individual’s carer or a member of their family, you will need the consent of the individual to do this. If the person lacks capacity to give consent then an MCA2 will need to be completed and a ‘best interest decision’ must be made and recorded. The information contained in this document will still apply.

6. SystmOne Specific Procedures

If your service uses TPP SystmOne then the following should be followed:

The patient consent form must be scanned on to the patient’s record (Under Communications and Letters)

Verify the patient’s email address as per Appendix 2 before sending any Confidential Information.

Do not use SystmOne to send emails as it will not trigger the encryption. Letters/documents can be viewed in SystmOne and then sent as a PDF using the service generic account.

Emails can be added to the patient record by saving as a Word document then dragging and dropping or copying and pasting into Communications & Letters via document processing. The document should be saved under letter type “Email”.

7. Email Standards and Responsibilities

It is the responsibility of all staff to ensure that any email communication is in line with this guidance and that the wishes of the individuals are recorded and adhered to at all times.

Staff must report any incidents or issues where information was shared inappropriately or to the wrong individual, via the organisation’s incident reporting system, Datix.

Remember to communicate in a professional manner at all times, as if you were writing a letter to the individual.

Never use the ‘Reply All’ button or distribution lists.

Double check the email address to ensure that you are sending to the correct recipient. If the email is to be sent to another person(s) with the consent of the individual, ensure the contact details of the recipient(s) is/ are accurate and consider whether the recipient(s) need to be copied in for all conversations.

Consider the length of the email trail.

• Is it appropriate to include previous conversations with the current response?

• Keep email trail to one theme/topic

Reread your email for grammatical and/or spelling mistakes and the contents before hitting the send button.

Avoid the use of abbreviations or acronyms. If this is absolutely necessary, ensure these are clearly explained.

When sending attachments, consider the size and the file type. It is preferable to send attachments in Portable Document Format (pdf) unless you are expecting them to edit the document. If it is a signed document then you must convert the document to pdf format before sending.

Services should use approved letter templates instead of re-creating standard emails for different request types. Letters can be saved as a PDF and emailed.

Emails are an important part of the person’s record and should be handled in accordance with the organisation’s policies and procedures, i.e. recorded on the individual’s care record in accordance with the organisation’s Retention and Disposal Schedule.

Emails should not be retained for any longer than necessary in an Inbox or Sent Items.

Once the email is recorded in the individual’s care record delete the email from the Inbox, Sent Items and Deleted Items.

8. Training and Awareness

There is no formal training required, however support may be provided by the IT service desk in the setting up of a generic email account. Awareness will be raised to staff through Staff Bulletin, MetaCompliance, via IG refresher training and the intranet.

The patient should be emailed the “Accessing encrypted emails guide” as an initiation of the emailing communication.

9. Monitoring and Review

This document will be reviewed every two years or after any significant change which impacts upon the content, or as a result of an incident being reported for a potential breach of confidentiality by email. The Information Governance Team is responsible for updating this document and ensuring that it is reflective of best practice and relevant statutory, NHS and local standards.

Appendix 1: Consent Form

To be sent to individuals to receive information by email

Patient Name: ___________________________ NHS Number: __________

Service Name(s): __ ______________ _____________________

Organisation: PROVIDE CIC

Dear ………………….

We would like to send reports and other information to you by secure email and we will take every precaution to ensure that this remains secure. We would like, however, to let you know the following risks in communicating by email:

Emails:

• may be able to be accessed by other members of your family if you use a shared email account;

• can be circulated, forwarded and stored in numerous paper and electronic files;

• senders can easily misaddress an email;

• are easier to falsify than handwritten or signed documents;

• backup copies of email may exist even after the sender or the recipient has deleted his/her copy;

• can be intercepted, altered, forwarded or used without authorisation or detection;

• can be used to introduce viruses into computer systems;

• can be used as evidence in court;

• can be lost in transmission;

• can be posted on the internet or other publicly available networks if intercepted.

In order to minimise some of these risks we will encrypt any email messages that we send to you which will require a one-time online registration to read these messages (you will be given/emailed a guide to help you register).

Please advise your consent to receiving emails, to include:

Confidential information e.g. reports about my/ my Child’s care

General information e.g. resource sheets

Email conversations (General Communication which may include details of my/my Child’s care)

Details of Appointments

I would like you to correspond with me using the following email address:

I would like * only the service(s) listed on page 1 of this form / * any Provide Services that I receive care from to email me (* please delete as appropriate).

I understand that copies of email correspondence with you will be stored within * my Care Record / * my Child’s Care Record (* please delete as appropriate).

I understand that I may change my mind at any time and will inform my Care Professional of any changes to my email address or if I wish to no longer use email as a method of communication.

Signed: _________________________________

Date: ___________________________________

Patient Representative? * Yes / No (* please delete as appropriate)

Representative: * Parent / Guardian / Carer / Other (* please delete as appropriate). If ‘Other’, please specify: _____________________________

Appendix 2: Verifying an Email Address in TPP SystmOne

Before sending any confidential information to the patient you must follow these steps to verify their address:

1) In the Patient record go to the Administrative tree and select Patient Details:

2) Select “Record Contact Details” and enter the email address.

The following message will appear and will automatically send a verification email once the Patient record is saved.

Once the email has been verified it will update the Patient record. This can be checked by selecting Record Contact Details.

The recipient of a verification email can Reject it. This would happen for example if the email address entered in the SystmOne record is incorrect or if the patient decides that they do not wish to be contacted by email after all. When this happens, you will receive a task in your unit to this effect:

Someone within your service will need to take action by contacting the patient to query why this has been rejected – i.e. do they have a different email address they wish to use or do they wish for their email address to be removed.

Appendix 3: Risks

Risks associated with sending emails to non NHS mail accounts for the purpose of providing information in relation to care and treatment of an individual:

• can be circulated, forwarded and stored in numerous paper and electronic files

• can be immediately broadcast worldwide and received by many intended and unintended recipients

• senders can easily misaddress an email

• is easier to falsify than handwritten or signed documents

• backup copies of email may exist even after the sender or the recipient has deleted his/her copy

• can be intercepted, altered, forwarded or used without authorisation or detection

• can be used to introduce viruses into computer systems

• can be used as evidence in court

• can be lost in transmission

• can be posted on the internet or other publicly available networks

• may be disclosed as part of a Subject Access Request or Freedom of Information Request.

Appendix 4: Guide to Accessing Encrypted Emails

Accessing Encrypted Emails Guide for Non-NHSmail Users

When receiving an encrypted email from an NHS email account it will look as per below and it will contain a link to access and read the encrypted message. The message reads: You have received an Egress secure platform notification. You have received a new NHSmail secure email from…@nhs.net.

Click Open secure email and the account verification screen will appear:

1. Registration. If you have not previously received an encrypted NHSmail email and you are not registered to use Egress, you can create a new account by clicking “Create it for free”

The registration window will open. Please fill the form and click Create account.

• Add your email address and your details

• Type and confirm your password – you will need to use this password to open encrypted emails sent to you (it must be at least 8 characters long and contain at least 1 lower case and either 1 upper case or number)

• Select 2 of the security questions and type the answer

• Type the security code (the one that is shown on your authentication screen)

• Tick the box to confirm agreement to the Free User Terms and Privacy Statement

• Once you have completed all the fields, click Create Account

An activation code will be sent to your email address. Please type it in the activation box and then click Submit Activation Code or alternatively click Activate account on the link within your email.

A new window will be opened and you will be asked to confirm the password that you set up for your Egress account. Add the password and click Activate Egress Account.

After accessing the link, you will receive the Egress signing in confirmation and now you can read your message.

Click Read your message now and the Egress page will open.

2. If you have registered to the Egress encryption platform, anytime you receive an encrypted email and you click Open Secure email, you will be taken directly to the Account Verification screen:

Make sure your email address is correct, enter your Password and click Sign In. The system will display the encrypted message that you received.

You will be able to Reply securely to the sender if needed or create a new email from your account. You will also be able to add attachments, check your account history, etc. Your emails will be automatically encrypted.

This service is completely free and the secure message can also be accessed via mobile phone (both Android & iOS).

Appendix 5: Emailing Patients - Quick Guide

Sending secure emails to a non-NHSmail

Encryption should be used at all times when emailing patient sensitive information to a non-secure / non-NHSmail address, and at all times when in doubt.

Sending sensitive information should be in accordance with IGPOL65 – Transferring Confidential Information. Before sending the information via secure email, please make sure that the recipient is expecting the data.

Ways of sending encrypted emails

1. Using [secure] in the subject of the email (the word “secure” in square brackets).

2. In addition to the classic method, NHSmail users can now use the Egress Outlook add-in.

The NHSmail Egress Outlook add-in enables the user to send encrypted emails without using [secure] in the subject line.

You can use this add-in in Outlook by clicking on the open padlock in the top left of your new email and selecting SECURE.

By selecting SECURE the email will be encrypted automatically. Locked padlock = SECURE

This Egress Outlook add-in also offers an optional feature that allows the user to restrict the period in which the recipient can access the secure email.

You can use this optional tool if you wish by clicking on the Message Restrictions tab and selecting the dates and times.

In this case, the recipient of the email can only access the email and the attachments within the time frame that you selected.

An encrypted copy of the email will be saved into your Sent Folder and you can also have a full audit of your encrypted emails by clicking Sent Packages tab on your main Outlook page or by logging into the Egress Web Portal https://esi.nhs.net

From here, you can see when the package was sent, where it was sent, and when it was accessed. You can also modify the list of the people who have access, change the time restrictions or completely revoke the access by clicking on the package and amending the details (revoking should be done only if there is a genuine reason to do so, e.g. the package was sent in error).

Please note:

• In order to read the encrypted email, the patient / the non-NHS user will need to register to the Egress platform at their end if they have not done so yet.

• Please feel free to email them the Accessing Encrypted Emails Guide before sending sensitive data.

• The patient / the non-NHSmail user can reply and attach documents securely from their account.

• The encrypted email can be accessed only by the recipient of the email and only by using the email address where the original email was sent.

Requests for granting access for others to secure emails sent via Egress

If a recipient forwards the encrypted email notification to another person who was not the original recipient(s), they will need to request access from you as the original sender.

If this happens, you will receive an email notification asking you to grant the access to the package.

The Information Governance team discourages this practice, and granting access should be refused unless there is a serious and verified reason to do so.
