Patient Identifiable Data (PID) should only be exchanged electronically when encrypted. NHSmail email sent to secure domains is automatically encrypted and complies with the pan-government secure email standard. NHSmail is accredited to the Health and Social Care secure email standard and is suitable for sharing patient identifiable and sensitive information.
When sending emails outside of NHSmail, use [secure] at the start of the email subject. [Secure] is not case sensitive. The NHSmail service will assess whether encryption is required.
• If the domain the email is being sent to is accredited, the email will be sent securely and no further encryption is required.
• If the domain the email is being sent to is not accredited, and therefore insecure, the NHSmail service will programmatically enforce the use of the encryption tool to protect the email data. The recipient will need to log into the Trend Micro encryption portal to decrypt the email before it can be read.
NHSmail works with the Government Digital Service (GDS) to regularly update the list of accredited domains.
Guidance is available on how to use the NHSmail encryption service.
There is a sharing sensitive information guide which details how patient identifiable data should be securely exchanged.
Sending to legacy secure government domains
Email sent to legacy secure government domains listed below will automatically be sent securely and directly to the recipient’s email system:
• *.gcsx.gov.uk for local government
• *.gsi.gov.uk and *.gsx.gov.uk for central government
• *.cjsm.net and *.pnn.police.uk for Police/Criminal Justice
• *.mod.uk for Ministry of Defence
Note: the legacy local and central government email domains (gcsx.gov.uk, gsi.gov.uk and gsx.gov.uk) will slowly stop being used and will then be switched off completely in March 2019, as all local and central government organisations migrate to using .gov.uk email addresses for all email communication as they adopt the government secure email standard.
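The [secure] subject rule and the legacy domain list described above, modelled as an added example in Python (not NHSmail's own code). The `ACCREDITED` entry, the result labels, the handling of untagged or malformed mail, and treating the bare domain as matching alongside its subdomains are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Legacy secure government domains listed on this page (wildcard prefix removed).
LEGACY_SECURE = ("gcsx.gov.uk", "gsi.gov.uk", "gsx.gov.uk",
                 "cjsm.net", "pnn.police.uk", "mod.uk")
# Constructed stand-in for the accredited-domain list; the real list is
# maintained by NHSmail with GDS and is not reproduced on this page.
ACCREDITED = ("accredited.example",)

# [secure] must be at the start of the subject and is not case sensitive.
SECURE_TAG = re.compile(r"^\s*\[secure\]", re.IGNORECASE)


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if malformed."""
    addr = parseaddr(address)[1]
    local, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""


def in_list(domain, suffixes):
    """Match on whole DNS labels so 'notmod.uk' never matches 'mod.uk'."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def route(subject, recipients):
    """Decide handling per recipient, since one message can mix domain types."""
    tagged = bool(SECURE_TAG.match(subject))
    result = {}
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if not dom:
            result[rcpt] = "reject: malformed address"  # assumption
        elif in_list(dom, LEGACY_SECURE) or in_list(dom, ACCREDITED):
            result[rcpt] = "direct: secure domain"
        elif tagged:
            result[rcpt] = "portal: encryption enforced"
        else:
            # The page does not describe untagged mail; flagged here (assumption).
            result[rcpt] = "untagged: no encryption requested"
    return result
```

The label-boundary check in `in_list` is the part to get right: a plain suffix comparison would treat a lookalike domain such as `notmod.uk` as if it were under `mod.uk` and skip encryption for it.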