
Information security and patient information sharing - NHS e-Referral Service

Patient Information

Patients have a right to expect the NHS to keep their confidential information safe, whether that information is in electronic or paper form. Regulatory bodies have also made it clear that they expect the NHS to put in place the strongest safeguards available to protect patient information. A commitment to achieving this is set out in the NHS confidentiality code of practice.

The principles of information security management require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data from taking place. In the case of the NHS, the most sensitive data is patient record information.

In practice, this is applied through three cornerstones:

  • confidentiality – Information must be secured against unauthorised access
  • integrity – Information must be safeguarded against unauthorised modification
  • availability – Information must be accessible to authorised users at times when they require it

Patient information controls within e-RS

Access to patient information is strictly controlled within the NHS e-Referral Service (e-RS). There are three main layers of control:

Registration for an NHS smartcard

NHS staff who want to use the e-RS application have to register in person with their organisation’s registration authority. They must prove their identity ‘beyond reasonable doubt’ and have their access approved by somebody within the organisation where they work. They are then issued with an NHS smartcard and they are asked to set a passcode only they know. Every time they access patient data, they must use both smartcard and the passcode.

Access Control

The information on the smartcard determines which parts of a patient’s information that staff member can access and what they can do (for example read only or add information).

A clinician may have different access rights to an administration role, for example.

Legitimate relationship with the patient

NHS staff will only be able to access a patient’s information on the e-RS application if they work in a team involved in that patient’s care.

As well as access controls, everyone using e-RS will have their details recorded: who they are and whether they viewed, added or changed any information. This ‘audit trail’ will show any use of the system.

Guidance for organisations using e-RS

Using smartcards

Registered smartcard holders must keep their smartcard secure (for example, must not share their smartcard login details and passcode with others, or leave their smartcard logged into a reader when they are not using it). Otherwise, there is the potential for a third party to have unauthorised access to confidential patient information, including via the e-RS application, under the original user’s login details. This might result in a passer-by having access to patient information without having a legitimate relationship with that patient.

NHS staff must have a legitimate relationship with the patient in order to be authorised to view or access their information on e-RS. The e-RS application has an audit trail which stores data on the use of the application, allowing appropriate staff to retrieve this data to check that those using the application are authorised to do so. If users do not keep their smartcard secure, or share it with others, they could be questioned about inappropriate access, which would be evident on the audit trail under their name.

All employees have a professional responsibility to ensure that they use their smartcards, login details and passcode appropriately. Organisations must stress these responsibilities to their employees when issuing smartcards and reinforce them regularly, monitoring smartcard usage and taking necessary disciplinary action where appropriate.

Allocating smartcard roles

Where an organisation gives an employee incorrect access control to the e-RS application this could allow them to initiate and process referrals, resulting in confidential patient information being viewed and used by employees who do not have an appropriate legitimate relationship with the patient. There is also the potential for referrals to be made incorrectly in the e-RS application which could affect patient safety and confidentiality.

Employees who do not have the appropriate access control and legitimate relationship with a patient should not be authorised to view or use that patient’s information. Organisations must ensure they follow the registration authority process when allocating access control to employees. The issuing of smartcards should be overseen by a Caldicott Guardian, who should be fully aware of access control regulations. Organisations should ensure their process for issuing smartcards is regularly audited and take immediate action when any inappropriate use of the e-RS application is discovered.

An overview of e-RS smartcard roles and the NHS staff roles to which they are typically applied is available on the e-RS business roles page.

Accessing e-RS

Accessing the e-RS application to view a patient’s record without authorisation (such as for friends, relatives or colleagues) is completely inappropriate.

Employees should be aware that unauthorised access of the e-RS application is not permitted. Organisations have a responsibility to highlight this to employees and provide appropriate training.

Printing referral letters

If an NHS employee prints a hard copy of a referral letter for a consultant to review in the ‘traditional way’, then there is the potential for these referral letters to go astray (as they always could). This could lead to the referral letter being found by a third party. This third party does not have a legitimate relationship with the patient, so they are not authorised to view or access this information. Most third parties would not use the information inappropriately. However, there is the possibility that the information could fall into the wrong hands.

The most secure method for reviewing referral letters is online. If providers choose to print referral letters for review, then these letters must not be taken into non-secure areas of the organisation. Organisations need to ensure that only consultants or other clinicians (for example, Allied Health Professionals) review these referral letters and that this is done in a secure environment. They should train their employees to adhere to these guidelines. Organisations should also ensure their employees understand that there is the potential for disciplinary action if these guidelines are not followed.

Personal demographics service

If a referrer is aware of a change in a patient’s address or telephone number but does not update this information in the personal demographics service (PDS), then there is the potential for incorrect address or telephone numbers to be used in clinical systems. This could result in confirmation letters being sent to the wrong address or telephone calls made to the wrong number.

The e-RS application sources patient contact details from the personal demographics service, the central source of demographic data. Organisations need to ensure that patient contact details are updated in the personal demographics service. This will help to ensure letters and telephone calls are always directed to the correct place.

Consent to call back flag

This flag indicates whether the patient is willing to be telephoned about their referral. The default setting of this flag is consent, meaning that the patient is willing to be telephoned. If a patient does not wish to be telephoned about their referral then this flag should be changed from the default setting.

Organisations need to ensure that the "consent to call back flag" is switched off for patients who do not give their consent to be called regarding their referral, as this will reduce unnecessary calls made to patients.

Remote access

If an NHS employee uses the e-RS application at home, or another unsecured location, via a Virtual Private Network (VPN) connection to their organisation, then there is the potential for confidential patient information to be viewed by other people within that location, such as friends or relatives.

Organisations need to restrict use of the e-RS application to secure premises wherever possible. Organisations also need to ensure that there is strict guidance for the use of remote access to the e-RS application; train their employees to adhere to these guidelines; and take necessary disciplinary action where appropriate.

Your obligations

Patients have a right to expect that their information is held securely and that their confidentiality is protected. Privacy and confidentiality require that the e-RS application only permits those who have a genuine ‘need to know’ to access a patient’s information and then only where it is reasonable to believe that the patient concerned would not have objected, if asked for permission.

To support this, NHS Digital has a range of access controls. These controls provide robust safeguards, whilst also giving patients more control than ever before over who has access to their information.

Keeping information safe and secure requires the e-RS application to meet or exceed national and international security standards. The safeguards in the system are ‘state-of-the-art’ and will enable the NHS to meet legal requirements in a way that many older computer systems cannot.

It is essential that every organisation providing NHS services meets its Information Governance Statement of Compliance obligations to the required standards to safeguard NHS services. Data Protection and Human Rights legislation, combined with case law on confidentiality, provide considerable protection for patient information.

The effectiveness of information being held securely and protecting confidentiality in new IT systems depends on the staff who use them. It is important that organisations operate within existing access controls and have appropriate operating policies and procedures in place to ensure a patient’s privacy and confidentiality. Where appropriate, organisations should also take disciplinary action where staff have not followed these policies and procedures.

Last edited: 14 January 2020 4:01 pm