Skip to main content

Guidance for sending secure email (including to patients)

NHSmail is a secure email service which means that data can be sent safely and securely to other email addresses which meet the same high standards of accreditation.

NHSmail also allows users to securely exchange information with insecure or non-accredited email services via the NHSmail encryption feature. This feature must be used if you are sending any personal or confidential information to a non-secure email address, such as a patient email address.

Encryption

You must never send personal, sensitive or confidential information to a non-secure email address unless it is encrypted.

Sending sensitive information to non-secure email addresses (including patients)

Encryption is an additional security tool which means users can communicate securely to any type of email account.

How to use encryption when sending from NHSmail

All you need to do is add the word [secure] in the subject line of a message - with the inclusion of the square brackets. 

Before using the service:

  • check local organisation policies and processes on sharing personal confidential data and sensitive information first which will take precedence over this guidance
  • ensure you are familiar with the NHSmail Encryption guidance and process 

You should only use the NHSmail encryption capability if approved to do so locally.

When a patient receives an encypted email, they will need to register for the service if they haven't done so already. 

Once registered they can then open the email in their internet browser. After logging in they will be able to view and reply to the email, confident that their information is safe and secure.

Patients will receive an email which looks like this:

Private and confidential

You have received an email message secured by Private Post. Please open the file called Encrypted_Message.htm to read the message.

Using [secure] in the subject line if sending an email from one NHSmail address to another

When sending email from NHSmail to another secure service you do not need to take any action.

You will know if you have an NHSmail email address because it will end in nhs.net. 

Please note that nhs.uk systems who have not met the accreditation standards are not considered secure.

Email addresses which meet the same high accreditation and security standards as NHSmail are rare. You can spot them by their endings. They will end in:

  • Nhs.net
  • Secure.nhs.uk
  • Gov.uk
  • Cjsm.net
  • Pnn.police.uk
  • Mod.uk
  • Parliament.uk

Sending sensitive information to patients if you don't use NHSmail

You must never send confidential information to or from an email address which does not meet the necessary standards of security.

Your email provider may have a way for you to encrypt emails so that you can send confidential information securely and to the appropriate security standards. Please refer to your organisation’s IT policies for guidance or speak to a member of your IT team for further information.

Further information is available in the full encryption guide for NHSmail.

Last edited: 19 February 2019 1:41 pm