Medico-legal: The issue of confidentiality when emailing patients

Dr Anthea Martin of the MDDUS advises on medico-legal matters concerning emailing patients.

Patient information must remain secure (Photo: iStock)

The use of email is part of everyday life for most GPs and patients, and there are a number of benefits in communicating electronically. It can be an efficient and simple way of dealing with routine enquiries, such as rescheduling appointments or repeat prescriptions, without the need for face-to-face consultations.

Patients can send a message to their practice at any time of the day or night and staff can respond at their convenience. Electronic communication can also increase access to care for the homebound or patients living in remote areas.

In this era of increasing reliance on primary care services, email and other means of remote communication offer an additional way of managing patient demand.

But with the benefits come a number of risks, involving data security and patient confidentiality.

Key points
  • Patients must opt in to receive electronic communication
  • Agree levels of disclosure with patients
  • Be mindful of Data Protection Act requirements and the GMC guidance, Confidentiality
  • Ensure staff are suitably trained and there are appropriate security arrangements in place
  • Don't discuss clinical matters by email or text - this is not a substitute for face-to-face consultation.


At a time when there is much debate surrounding the sharing of patient information, GPs must have their patients' express and explicit consent. Patients must opt in before receiving any form of electronic communication - even for something straightforward, such as an appointment reminder.

At MDDUS, we have dealt with calls from members concerned about what information is appropriate to share with patients by email, as well as questions relating to encryption of patient data.

To avoid any potential breach of confidentiality, GPs must agree levels of disclosure. Does a patient want to be contacted by email or text for vaccinations, rescheduling appointments or repeat prescriptions, or for more personal matters, such as test results?

It is important to consider who has access to an email account or mobile phone - it might not be only the patient. Personal circumstances and relationships with families vary and you should not presume to know what patients might want to keep private.

Healthcare professionals should familiarise themselves with policies and procedures issued by their employer or contracting body, which are designed to protect patients' privacy. They must also be mindful of the requirements of the Data Protection Act 1998, which requires information to be fairly and lawfully processed.

Doctors who fail to protect patient information risk incurring a fine from the Information Commissioner's Office (ICO), while failure to secure electronic medical records could result in a GMC hearing or even criminal charges.

The GMC guidance, Confidentiality, states: 'If you are responsible for the management of patient records or other patient information, you should make sure they are held securely and that any staff you manage are trained and understand their responsibilities. You should make use of expertise when selecting and developing systems to record, access and send electronic data.'


Practice staff should be suitably trained, with robust procedures in place, and only the minimum amount of detail necessary should be disclosed. Data encryption can reduce some of the risks, but no system can be completely secure, so consider confidentiality risks in all exchanges with patients and colleagues.

GPs should refrain from discussing clinical matters by email and it should not be considered a substitute for face-to-face consultations. Where practicable, any email communication should be sent from a secure NHS email address and extra care should be taken when sending group emails.

Group emails

One common mistake we have encountered at MDDUS is group emails being sent without the use of 'Bcc' (blind carbon copy), meaning that everyone on the email list can see all the other recipients. The correct way of sending group emails is to put your own address in the 'To' field and 'Bcc' all recipients.

Failure to do so in effect constitutes a breach of confidentiality for every patient on the list, and the practice would be in violation of the Data Protection Act and may face action from the GMC and ICO.

Any electronic exchange with a patient should be considered part of their medical records and recorded.

  • Dr Martin is joint head of medical division at the MDDUS
