Who has access to the patient data and what data do they have access to?
Users are authenticated by requiring: NHSmail to register for an account; TPP SystmOne or EMIS Web profiles; and, an administrator at their GP practice to approve them. This is to prevent people who do not actually and currently work at the provider organisation from accessing the accuRx system. Furthermore, patient demographic data is only pulled from either TPP SystmOne or EMIS Web principal care systems. This ensures that a user can only access data of patients registered at their practice.
What measures are in place to protect patients and their data?
- Users have to agree to an acceptable use policy that includes confirming that the service not be used to communicate SMS messages that are sensitive or clinically urgent messages.
- Full audit trails are kept of all user activity for clinical safety purposes.
- accuRx scans SMSs for abusive content and flags to its Clinical Lead if any are detected.
- Any video consultations are not recorded or stored.
How secure are the video consultations?
The video consultation service is hosted by Whereby, who are fully compliant with GDPR.
A unique URL to the video consultation is generated and all participants are visible in the consultation, no third party can 'listen in'. The video and audio communication is only visible to participants on the call and is not recorded or stored on any server. The connection prioritises ‘peer-to-peer’ between the clinician’s and patient’s phone and follows NHS best practice guidelines on health and social care cloud security. For a more detailed explanation of how the security around the video consultations works, see here.
Are they recorded?
No. The video and audio communication is only visible to participants on the call and is not recorded or stored in any form.
How is my personal mobile number used?
Your phone number is used to send you an SMS containing the link for the video consultation. Your phone number is not shared with the patient, or linked to your accuRx account.
Can I use my personal phone for the consultation?
Yes, as no patient data is stored on the clinician's phone.
If the clinician has a webcam and headset, the video consultation can be conducted on the clinician's desktop PC.
How do patient responses work?
Patient survey links are sent via SMS directly to a patient’s mobile phone. The links are encrypted in transit via HTTPS and responses are encrypted at rest via TDE. Patients are also asked to input their date of birth as identity verification, before being able to access the survey.
Is it safe to send documents over text?
Links to files or documents sent via SMS by healthcare staff directly to a patient’s mobile phone are encrypted in transit via HTTPS and responses are encrypted at rest via TDE. Patients are also asked to input their date of birth as identity verification, before being able to access the document. The document is only accessible for 14 days.
Where a link to sensitive data is shared (e.g. to a document), the patient has to verify their identity by typing in the date of birth.
Is it NHS approved?
We have Data Security and Protection Toolkit assurance (ODS code: 8JT17).
We also have the Cyber Essentials Plus certification.
In response to NHS guidance, we have built a number of tools to support practices responding to the COVID-19 outbreak. Further information can be found here.