Texting, emailing and messaging patients and service users guidance for health and care professionals

It does not cover messages sent between you and other colleagues, or messages which are not related to health and care services, such as messages about charitable causes or research. See NHS England guidance on what is and isn’t direct marketing for practical examples of messages about health and care services, and an explanation of other types of messages which would be treated differently.

You should keep a record of all the emails, texts or other messages you send to patients and service users in their health or care record. Your entries in the record may be an exact copy of the text used in the messages you have sent, or a summary of what the message said. This will then be retained in line with the health or care record.

You may have systems that automatically store your communications with patients and service users for you. If this is the case, you don’t need to do it manually.

Recording information is important both for knowing what has been communicated to a patient or service user as part of their care, and for retrieving the information if the individual asks for it.

You do not need the consent of patients and service users to send them texts, emails or other messages about their individual care. See the section for information governance (IG) professionals for further information on the lawful basis for contacting patients about their care.

You should generally only send texts, emails and other messages about health and care services to people who the services directly relate to. For example:

• where an appointment reminder is being sent, it should only be sent to the person who the appointment has been made for
• where test results are sent, they should only be sent to the person who has been tested

There are only a few exceptional circumstances where it may be appropriate to send health and care messages to people who the services do not relate to. These are when:

• they have parental responsibility and are a proxy for the individual you wish to message
• an individual you wish to message does not have capacity and a best interests decision has been made for you to communicate with another person acting as their proxy
• you have the explicit consent of an individual you care for to share their health and care information with a proxy

For the circumstances described above, there should be notes written in the individual’s health and care record confirming that other people can receive messages on their behalf.

Even if you have explicit consent to share health and care messages with a proxy, you may occasionally be sending messages about services an individual feels particularly sensitive about, which would make it inappropriate to notify a proxy without checking with the individual first.

For example, you may be sending a message which reads “Your appointment is confirmed for today at 10:30”, with the context being that you are providing a Hepatitis B vaccine following a sexual assault or a liver function test which may indicate high alcohol intake.

Although there is no sensitive information in the message itself, it may prompt the proxy to ask the individual unwelcome questions about the nature of their appointment.

Speak to your Caldicott Guardian if you are ever unsure about sending communications related to services individuals might feel sensitive about.

It is good practice as part of registering and interacting with patients and service users to confirm their contact details and allow patients and service users to indicate their contact preferences. You should respect the contact preferences of patients and service users wherever it is possible to do so.

However, contact preferences do not prevent you from using non-preferred methods where patients and service users might not receive messages that are important for their care. For example, if a patient has indicated a contact preference for texts or letter rather than emails, but email is the only practical and affordable way to send important medical information, it would be acceptable to use email.

Objections

Objections are different to contact preferences. An objection is when a patient or service user contacts your organisation to ask never to be contacted in a certain way and gives a specific reason why. They can object to receiving all messages from your organisation, or object to specific types of messaging such as text or email.

It is important to understand the reason for the patient or service user’s objection so you can discuss it with them and make decisions about whether you have a strong reason to override it (see the overriding objections section).

You may have other information, not directly given by the patient or service user when objecting, which indicates to you the reason for their objection. In this case, you should discreetly have a conversation with the patient to understand the situation.

You should explain to the patient or service user how their objection to receiving messages about their care at all or via a particular communication method might impact their care. You may be able to resolve their concerns. However, you should generally respect their decision and ensure the objection is noted in their record.

You should always check whether an individual has registered an objection before communicating with them.

In certain circumstances, you may have a very strong reason to send a message to an individual which overrides their objection.

Any decision to overrule an individual’s objection should be considered carefully on a case-by-case basis, taking into account their circumstances and reasons for not wanting to be contacted. See the right to object section in the IG professionals section of this guidance for more information.

In the rare circumstance that a patient or service user is at risk of serious harm if they are contacted by a particular communication method, a conversation should be had as early as possible about whether it is appropriate to entirely remove details of that communication method from their record.

For example, if texts might reveal details of medical treatment to an abuser, you may discuss with a patient or service user that their mobile contact number could be removed from their record entirely.

If you are unsure what your organisation’s process is for identifying those who have objected to receiving messages or whether you can override an individual’s objection, ask your Data Protection Officer (DPO), Caldicott Guardian, IG team, or a senior member of staff within your organisation.

Each time you send a message to a patient or service user, there is a risk that the information will be compromised or seen by someone other than the intended recipient.

You should think carefully about what information you include in messages to reduce the risk of this happening. This is particularly important when sending emails, texts and other messages where the content might appear on devices’ locked screens.

It is acceptable to include confidential information in messages which you send through secure platforms, such as encrypted email or the NHS app, which require individuals to log in or enter a password to see the content of the message.

Unless you are using a platform which your organisation has approved for sending sensitive information, you should only include confidential patient information in messages where it is necessary to do so.

For example, when sending text messages about test results, it is better to indicate that results are ready and advise the recipient to call you directly or access them via a patient portal, than to refer directly to an individual’s health condition in the message. Where removing confidential information is impractical, you should keep it to the minimum amount necessary.

To help patients and service users recognise suspicious messages, you should take care to ensure your messages are drafted using professional, neutral language and good grammar.

See Stop! Think Fraud guidance for more information on the typical features of scam messages.

You should not use any app, service, platform or device which has not been approved by your organisation, except for in emergencies (see the emergencies section. Doing so exposes your organisation and any information you are sending to unnecessary risk.

Your organisation may have a policy about the communication methods which are acceptable for sending confidential patient information such as test results. For example, the policy may say that confidential patient information can be sent via encrypted email or via instant message using a particular secure platform such as the NHS App, but not via text.

Your organisation may also have specific policies about the use of personal devices.

You should take time to familiarise yourself with your organisation’s policies and procedures so that you can be assured that you are upholding your obligation to keep information safe whilst sending messages that are necessary to deliver your health and care services. If you are unsure, always check with your DPO, IG team, or a senior member of staff within your organisation.

If there is a genuine emergency where you urgently need to send a message to protect patients or service users, the safety of your patients and service users should take priority. You should send the message using the most practical communication method for the circumstances of the emergency.

If there is a senior member of staff on hand or an advice service you can discuss the decision with, you should do so, but you may have to make the decision yourself if no one is immediately available.

Once the emergency has been resolved, information governance issues outlined in this guidance should be discussed and addressed with your DPO, IG team or a senior member of staff.

Please see NHS England’s IG guidance on sharing health and care information during major incidents and emergencies for further advice.