accuRx take security very seriously. To ensure that the patient is who they say they are, patients who you see as 'matched' pass 'two factor authentication'. As well as asking for their name, date of birth, gender and postcode, we ask the patient to enter a contact number, with preference for a mobile number. If they provide a mobile number, we can send them a 6 digit code by SMS text. They will be prompted to enter this code on the website, which allows us to know that they have access to the mobile phone number they claim is theirs.
If they do not have a mobile phone, if the phone number does not match that on the GP’s record, or if for any reason they cannot pass the two-factor authentication, the patient can still easily submit their request. Once the patient submits their request, their details are used to search the Patient Demographic Service (PDS) - the NHS database of patients. There are a number of possible outcomes, which are displayed on the incoming requests:
- Matched: if the patient has submitted their contact details correctly, and they can show that they are in possession of the same mobile phone as held on the practice records, (by passing a two-factor authentication process) we classify them as ‘matched’, i.e. we believe they have proven their identity.
- Suggested match: if we have enough of the patient’s details to find them on the PDS, but they haven’t passed the two-factor authentication, they will be a ‘suggested’ match, i.e. we think they are who they say they are, but cannot confirm this. The practice is advised to confirm the patient’s identity as they see fit, via e.g. a phone call
- Unmatched: if we cannot find any suggested matches on the PDS with the information that is given, the patient is ‘unmatched’, i.e. we do not know who the patient is, other than what they have told us.
It is important that all practice staff understand whether incoming requests are from matched or unmatched patients. Before saving information to medical records, check if you need to verify the patient's identity and if the query is a legitimate request.