IG and Security: Accumail
A more detailed look at security and Information Governance for Accumail
Written by Seoyeon
Updated over a week ago

The Headlines

Accurx is an approved NHS Digital supplier. Accumail is compliant with the NHS Secure Email Standard (DCB 1596). We have followed the secure email accreditation process to ensure patient sensitive and confidential information is kept secure.

For more general questions about Accurx's Information Governance and Security policies, please see our overview.

Do you have a DPIA?

As the data controller, when using Accurx, it is your responsibility to complete a DPIA. As a data processor, we cannot complete it for you. However, to be as helpful as we can, we have filled in the key parts of a template DPIA for GP practices and for other healthcare organisations.

How secure is email?

NHS email addresses are considered secure if they are compliant with the NHS Secure Email Standard (DCB 1596). Accurx has undertaken self-accreditation with this standard to ensure that any personal confidential data exchanged electronically is encrypted end-to-end.

End-to-end encryption means that only you and your intended recipient can access and read the email, keeping personal or confidential information secure and protecting it from interception or from falling into the wrong hands.

As all outgoing emails are sent via the Accurx nhs.net inbox, any emails sent to trusted domains are automatically encrypted end-to-end and therefore compliant and secure.

We do, however, allow emails to be sent to all nhs.uk addresses and domains taken from the following NHS care providers list even if they've not been accredited as trusted domains. You'll know when you're sending to a domain that isn't accredited if you see a warning message like the one in the screenshot below.

Any emails sent to these addresses cannot be guaranteed to be encrypted end-to-end.

Who has access to the patient data?

All Accurx users are authenticated by requiring:

  • An NHS email (nhs.net or nhs.uk or NHS care provider domains) to register for an account

  • EMIS Web or TPP SystmOne profiles

  • Approval from an administrator from their GP Practice

This ensures that only approved users, who are currently working at the practice, can access the email feature. All patient information is pulled from EMIS Web or SystmOne, ensuring users can only access data of patients registered at their GP practice.

All outgoing emails are sent via the Accurx nhs.net inbox to trusted domains, with the exception of those sent to non-accredited nhs.uk and NHS care provider addresses, which are signalled as not encrypted end-to-end by the warning message shown in the screenshot above.

What is a trusted domain?

A trusted domain is one that is compliant with DCB 1596, so we can send to it with end-to-end encryption. Examples of these domains include nhs.net, secure nhs.uk, pnn.police.uk and gov.uk addresses. A full list of domains that are accredited to the NHS Secure Email Standard is available here. This list is kept up to date by NHS England and the organisations must review their accreditation on an annual basis.

Accumail also allows you to email all nhs.uk addresses and domains taken from the following NHS care providers list, but we cannot guarantee the email is encrypted end-to-end. We will let you know when you're sending to an email address that is not accredited by showing the warning message shown in the screenshot above.

What measures are in place to protect patients and their data?

  • Users have to agree to an acceptable use policy when they log into the Accurx platform.

  • The Accurx email inbox is monitored by the Clinical Lead to ensure emails are matched and tracked appropriately and important emails are not missed.

  • Full audit trails are kept of all emails sent and received.

  • Outgoing messages and replies can be saved to the patient record at the user's discretion.
