Accurx is an approved NHS Digital supplier. accuMail is compliant with the NHS Secure Email Standard (DCB 1596) published by NHS Digital. We have followed the secure email accreditation process to ensure that sensitive and confidential patient information is kept secure.
For more general questions about Accurx's Information Governance and Security policies, please see our overview.
Do you have a DPIA?
As the data controller, when using Accurx, it is your responsibility to complete a DPIA. As a data processor, we cannot complete it for you. However, to be as helpful as we can, we have filled in the key parts of a template DPIA for GP practices and for other healthcare organisations.
How secure is email?
NHS email addresses are considered secure if they are compliant with the NHS Secure Email Standard (DCB 1596). Accurx has undertaken self-accreditation with this standard to ensure that any personal confidential data exchanged electronically is encrypted end-to-end.
End-to-end encryption means that only you and your intended recipient can access and read the email, keeping personal or confidential information secure and protecting it from interception or from falling into the wrong hands.
As all outgoing emails are sent via the Accurx nhs.net inbox, any emails sent to trusted domains are automatically encrypted end-to-end and therefore compliant and secure.
We do, however, allow emails to be sent to all nhs.uk addresses even if they've not been accredited as trusted domains. You'll know when you're sending to a domain which isn't accredited if you see a warning message like the one in the screenshot below.
Emails sent to these addresses cannot be guaranteed to be encrypted end-to-end.
Who has access to the patient data?
All Accurx users are authenticated by requiring:
An NHS email (nhs.net or nhs.uk) to register for an account
EMIS Web or TPP SystmOne profiles
Approval from an administrator from their GP Practice
This ensures that only approved users, who are currently working at the practice, can access the email feature. All patient information is pulled from EMIS Web or SystmOne, ensuring users can only access data of patients registered at their GP practice.
All outgoing emails are sent via the Accurx nhs.net inbox to trusted domains, with the exception of those sent to non-accredited nhs.uk addresses, which are signalled as not encrypted end-to-end by the warning message shown in the screenshot above.
What is a trusted domain?
A trusted domain is one that is compliant with DCB 1596, so we can send to it with end-to-end encryption. Examples of these domains include nhs.net, secure nhs.uk, pnn.police.uk and gov.uk addresses.
NHS Digital maintains an allow list of secure nhs.uk email addresses that have undergone accreditation. This list is kept up to date by NHS Digital and the organisation must review their accreditation on an annual basis. You can see the list of approved organisations here.
If the nhs.uk email address you want to contact is not on the above list, you will still be able to send to this address, but we cannot guarantee the email is encrypted end-to-end. We will let you know when you're sending to an email address which is not accredited by displaying the warning message shown in the screenshot above.
What measures are in place to protect patients and their data?
Users have to agree to an acceptable use policy when they log into the Accurx platform.
The Accurx email inbox is monitored by the Clinical Lead to ensure emails are matched and tracked appropriately and important emails are not missed.
Full audit trails are kept of all emails sent and received.
Outgoing emails are saved to the patient record. Replies can be edited and saved at the user's discretion if they contain sensitive information.