Medico-legal: The issue of confidentiality when emailing patients

Dr Anthea Martin of the MDDUS advises on medico-legal matters concerning emailing patients.

Patient information must remain secure (Photo: iStock)

The use of email is part of everyday life for most GPs and patients, and there are a number of benefits in communicating electronically. It can be an efficient and simple way of dealing with routine enquiries, such as rescheduling appointments or repeat prescriptions without the need for face-to-face consultations.

Patients can send a message to their practice at any time of the day or night and staff can respond at their convenience. Electronic communication can also increase access to care for the homebound or patients living in remote areas.

In this era of increasing reliance on primary care services, email and other means of remote communication offer an additional way of managing patient demand.

But with the benefits come a number of risks, involving data security and patient confidentiality.

Key points
  • Patients must opt in to receive electronic communication
  • Agree levels of disclosure with patients
  • Be mindful of Data Protection Act requirements and the GMC guidance, Confidentiality
  • Ensure staff are suitably trained and there are appropriate security arrangements in place
  • Don't discuss clinical matters by email or text - this is not a substitute for face-to-face consultation.

At a time when there is much debate surrounding the sharing of patient information, GPs must have their patients' express and explicit consent. Patients must opt in before receiving any form of electronic communication - even for something straightforward, such as an appointment reminder.

At MDDUS, we have dealt with calls from members concerned about what information is appropriate to share with patients by email, as well as questions relating to encryption of patient data.

To avoid any potential breach of confidentiality, GPs must agree levels of disclosure. Does a patient want to be contacted by email or text for vaccinations, rescheduling appointments or repeat prescriptions, or for more personal matters, such as test results?

It is important to consider who has access to an email account or mobile phone - it might not be only the patient. Personal circumstances and relationships with families vary and you should not presume to know what patients might want to keep private.

Healthcare professionals should familiarise themselves with policies and procedures issued by their employer or contracting body, which are designed to protect patients' privacy. They must also be mindful of the requirements of the Data Protection Act 1998, which requires information to be fairly and lawfully processed.

Doctors who fail to protect patient information risk incurring a fine from the Information Commissioner's Office (ICO), while failure to secure electronic medical records could result in a GMC hearing or even criminal charges.

The GMC guidance, Confidentiality, states: 'If you are responsible for the management of patient records or other patient information, you should make sure they are held securely and that any staff you manage are trained and understand their responsibilities. You should make use of expertise when selecting and developing systems to record, access and send electronic data.'

Practice staff should be suitably trained, with robust procedures in place, and only the minimum amount of detail necessary should be disclosed. Data encryption can reduce some of the risks, but no system can be completely secure, so consider the confidentiality risks in all exchanges with patients and colleagues.

GPs should refrain from discussing clinical matters by email and it should not be considered a substitute for face-to-face consultations. Where practicable, any email communication should be sent from a secure NHS email address and extra care should be taken when sending group emails.

Group emails

One common mistake we have encountered at MDDUS is group emails being sent without the use of 'Bcc' (blind carbon copy), meaning that everyone on the email list can see all the other recipients. The correct way of sending group emails is to put your own address in the 'To' field and 'Bcc' all recipients.

Failure to do so in effect constitutes a breach of confidentiality for every patient on the list and the practice would be in violation of the Data Protection Act and may face action from the GMC and ICO.
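The 'To' versus 'Bcc' distinction above can be checked mechanically before a bulk message leaves the practice. The following is an added example, not code from MDDUS or from the article's author: it builds a group email the recommended way (the practice's own address in 'To', every patient in 'Bcc'), builds the same message the mistaken way, and runs a pre-send check that fails whenever any address other than the practice's own would be visible to recipients. The practice address and patient addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder for the practice's own generic mailbox (not a real address).
PRACTICE_ADDRESS = "reception@example-practice.nhs.uk"

# Constructed sample list of patients who have opted in to email reminders.
OPTED_IN_PATIENTS = [
    "patient.one@example.com",
    "Patient Two <patient.two@example.net>",
    "patient.three@example.org",
]


def _addresses(msg, *headers):
    """Lower-cased bare addresses found in the given headers of msg."""
    values = []
    for header in headers:
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def build_group_message(subject, body, recipients, sender=PRACTICE_ADDRESS):
    """Recommended form: the practice address in To, every patient in Bcc.

    smtplib.SMTP.send_message() addresses the envelope from To, Cc and Bcc and
    strips the Bcc header before transmission, so no patient sees another's address.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_group_message_wrongly(subject, body, recipients, sender=PRACTICE_ADDRESS):
    """The mistake described in the article: all patients listed in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see in the delivered headers (To and Cc)."""
    return _addresses(msg, "To", "Cc")


def envelope_recipients(msg):
    """Addresses the mail server will actually deliver to (To, Cc and Bcc)."""
    return _addresses(msg, "To", "Cc", "Bcc")


def leaks_recipients(msg, sender=PRACTICE_ADDRESS):
    """Pre-send check: True if any address other than the practice's own is visible."""
    return bool(visible_recipients(msg) - {sender.lower()})


if __name__ == "__main__":
    body = "Flu vaccination clinics run every Saturday in October. Call to book."
    good = build_group_message("Flu clinic dates", body, OPTED_IN_PATIENTS)
    bad = build_group_message_wrongly("Flu clinic dates", body, OPTED_IN_PATIENTS)
    print("Bcc version leaks recipients:", leaks_recipients(good))
    print("To version leaks recipients:", leaks_recipients(bad))
    print("Bcc version still delivers to:", sorted(envelope_recipients(good)))
```

The check inspects only the headers that are transmitted ('To' and 'Cc'); the 'Bcc' header is kept in the message object so that the sending step knows who to deliver to, and `envelope_recipients()` confirms that every opted-in patient is still reached. A practice could run `leaks_recipients()` as a gate in whatever script or mail-merge tool sends its reminders and refuse to send when it returns True.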

Any electronic exchange with a patient should be considered part of their medical records and recorded.

  • Dr Martin is joint head of medical division at the MDDUS
