The MDU in action


Avoiding email dangers

  • Make sure patient information is sent securely. 

  • Take care when sending bulk emails to many recipients. 

  • Comply with regulations for use of personal information under data protection law. 

Send and receive messages securely

Many healthcare organisations use email to communicate about clinical matters, including patient referrals, test requests and cancellations. The system can allow for information to be encrypted and sent securely. 

Organisations can also put in place steps to maintain patient safety and minimise clinical risk even further. For instance, the NHS has:

  • a business continuity plan in case its email system suddenly becomes unavailable; 
  • processes for checking when a clinical communication has been received. 

Take care when multi-tasking

If your healthcare organisation requires you to use multiple email accounts - such as your employer's account and any personal accounts - make sure you're in the habit of regularly checking them. An email about a claim or a request for a patient's record, for example, will carry a specific deadline for a response. 

  • Check accounts regularly, or set up an automated response directing senders to your main address. 
  • Keep email signatures, letterheads or website contact details up to date. 
  • If you discover an important email has been overlooked, it is important to offer a prompt explanation and apology. You should also tell the sender when they can expect a response to their request. 

If you're dealing with multiple email accounts, you should keep clinical information and patient data to your professional accounts only. Emailing confidential information to a potentially insecure email address poses a security risk, and could lead to a breach of confidentiality. Some information can be difficult to erase permanently from a hard drive. 

Bulk emails and protecting the privacy of your recipients

There have been several cases - including one high-profile incident at a London clinic - in which a breach of confidentiality occurred when patients' details were revealed through a mass email. 

Here are some tips to help protect confidential information and avoid putting patients at risk. 

  • Use 'BCC' when sending an email to several people. This means a copy of the email goes to every recipient, but only your email address is visible. 

  • Using the 'To' or 'CC' email fields means all recipients will be able to see each other's email addresses. If the email is then forwarded, all the addresses will be included in the forwarded email as well. 

  • If confidentiality is breached by sending bulk emails to several recipients, patients may be put at risk and/or complain. 

  • If a mistake is made and bulk emails are sent in this way, tell the affected patients quickly so they can take appropriate steps if they want. 

  • Your organisation should also give due consideration to informing the Information Commissioner's Office (ICO) if there's a risk to the data subject or if special category personal data is involved. See the ICO website for more details. 

Other problems can happen if emails are sent to the wrong people. 

  • When sending confidential patient information, take a moment to check the recipient's email address is correct. For example, an.other@nhs.net could easily be mistaken for am.other@nhs.net. 
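The two checks described above (bulk mail should go out via BCC, and a recipient address that is one character away from a known contact deserves a second look) can be automated as a pre-send check. This is an added illustration, not MDU's own tooling; the sample message, the known-contact list and the `BULK_THRESHOLD` value are constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed threshold: more visible recipients than this should be moved to Bcc.
BULK_THRESHOLD = 3

# Constructed address book of contacts the sender normally writes to.
KNOWN_CONTACTS = {"an.other@nhs.net", "one@example.org",
                  "two@example.org", "three@example.org"}

# Constructed outgoing message: four visible recipients, one of them a near-miss
# for a known contact (am.other instead of an.other).
SAMPLE_MESSAGE = """From: clinic@example.org
To: am.other@nhs.net
Cc: one@example.org, two@example.org, three@example.org
Subject: Appointment reminder

Please confirm your appointment.
"""

def visible_recipients(raw_message):
    """Return the lower-cased addresses every recipient will be able to see."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character address slips."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw_message, known_contacts):
    """Return a list of findings; an empty list means the message passed."""
    findings = []
    recipients = visible_recipients(raw_message)
    if len(recipients) > BULK_THRESHOLD:
        findings.append(f"{len(recipients)} addresses visible in To/Cc; use Bcc for bulk mail")
    for addr in recipients:
        if addr in known_contacts:
            continue
        near = sorted(k for k in known_contacts if edit_distance(addr, k) == 1)
        if near:
            findings.append(f"{addr} is one character from known contact {near[0]}; confirm before sending")
        else:
            findings.append(f"{addr} is not a known contact")
    return findings
```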

Use of personal information

  • The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 govern the use of personal information. This includes using personal information for marketing purposes. 

  • Unsolicited marketing can only be carried out if the person you're contacting has given you permission to do so. 

  • There is a 'soft opt-in' rule, which applies if the messages only market similar products or services and the person's details were obtained while providing that service. 


Emails and text messages are also specifically covered by the Privacy and Electronic Communications Regulations. These place restrictions on how unsolicited direct marketing by electronic mail is carried out. 

  • 'Electronic mail' encompasses email, text, picture, video, voicemail and answerphone messages, but not faxes. 

  • Under the revised regulations, you must notify the ICO if a personal data breach occurs relating to the personal data you use for marketing. 

  • Keep a log of any such breaches, including those involving personal data you use for other purposes. 

  • If you're sending bulk emails to patients, you will have to comply with GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications Regulations. 

  • Check you have the appropriate consent from the patient to approach them by email. 

  • Make sure they can opt out of receiving such messages at any time. 


As an MDU Connect policy holder, you and your team have access to expert medico-legal and dento-legal guidance and support. 
We encourage you to address issues early to pre-empt problems, so contact us for specific advice or explore our resources. 


This page was correct at publication on 15th April 2025. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.
