NHSmail is a centrally funded and managed secure email and communications service which is approved by the NHS for exchanging patient data.
For a number of years, community pharmacies in England have been able to request a shared NHSmail account. To access a shared NHSmail mailbox, users must have their own personal NHSmail address which is linked to the shared mailbox. This is to allow different staff members to access the mailbox without sharing of login details.
The NHSmail service is available anywhere, over either the NHS N3 network or the open internet. The service can be viewed through a free web based client or alternatively pharmacies can choose to connect the service to a local email client they have purchased, for example Microsoft Outlook.
The key benefit of the service is its security, which means it can be used for transmission of patient information between health professionals. Examples of the types of information that can be transmitted through the service include patient information relating to the New Medicine Service and hospital discharge communications.
How to obtain a shared NHSmail account
If you want to obtain a shared NHSmail account for your pharmacy, you can do this via the community pharmacy NHSmail registration portal.
Working through this process will include the creation of up to three personal NHSmail accounts which will be used to access the shared NHSmail account. The process is explained in PSNC Briefing 058.17 How to complete the NHSmail registration process.
Once you have completed your registration using the portal, you will be sent login details for the personal accounts so that you can activate them and then log into your shared NHSmail account.
When you first login to your personal NHSmail account, review and accept the user agreement which should pop up on your screen. Each NHSmail user within your pharmacy should activate their account by logging in using their individual login details. After each staff member has accepted the user agreement, they should receive an email which explains that activation has taken place.
If you are having difficulties with activating your account, contact firstname.lastname@example.org, who will support you through the process.
Problems finding your pharmacy in the registration portal
During the registration process, if you are unable to locate your pharmacy within the portal, please contact email@example.com and they will support you through the process (refer to the technical escalation section below).
If your pharmacy has had a shared NHSmail mailbox in the past, your pharmacy may not be selectable by default within the NHSmail registration portal. If your pharmacy is new or has a recently changed ODS code, there may also be a period of time until you can use the registration portal to set-up (see our ODS change checklist for more information) and this can also rely on other organisations such as PCSE, NHSBSA, and the NHS Digital ODS team to have processed the ODS code changes. You should also use the NHSmail technical escalation query set out within the section below.
Already have an NHSmail account for your pharmacy?
Some pharmacies already have an NHSmail account for their pharmacy. This may be a shared mailbox, which users log into using a personal NHSmail account (i.e. the shared mailbox cannot be logged into directly), or it may be an NHSmail account which has been created for the pharmacy using a personal NHSmail account. NHS England and NHS Digital want all pharmacies to have shared mailboxes which can only be accessed by authorised users who log in using their personal NHSmail account.
If you already have a pharmacy NHSmail account, but it is not a shared mailbox, follow the above process to request a shared NHSmail account.
Technical queries and escalation (raising and resolving technical queries)
In the event of a technical NHSmail query:
1. Please contact firstname.lastname@example.org so that emails go directly to the national NHSmail team managing pharmacy accounts.
2. Where possible send your email from your NHSmail inbox (from either your shared pharmacy mailbox or from your personal NHSmail inbox depending on the query type).
The general NHSmail national helpdesk may be able to help in certain limited scenarios (0333 200 1133), however it is strongly recommended that you email the NHSmail pharmacy admin team rather than calling the general NHSmail helpdesk.
3. Your email should be short and should include your question, name, position, pharmacy name, ODS code and your contact telephone number. It should also include relevant NHSmail email addresses (e.g. both the shared mailbox address and your personal NHSmail email address).
4. The NHSmail pharmacy admin team may email or phone you to request further information to progress your query. You may need to send a reply email to email@example.com to provide the information which is requested of you to progress the ticket.
5. Please make use of the incident reference number (INC number) provided, and you may re-open a ticket if you are not satisfied after one has been closed.
6. Keep all of the emails just in case further escalation is required. You may escalate to PSNC by emailing firstname.lastname@example.org (and including the email correspondence) if you have a single or systemic issues that you are struggling to resolve with the NHSmail pharmacy admin team and you have tried the above.
NHS Digital has developed a guide which explains how to make use of NHSmail: Guide for community pharmacies using NHSmail (November 2017). This guide includes information about:
- logging in;
- the Shared Mailbox Owner;
- email signatures;
- setting auto responses;
- what to do if your name changes;
- training links;
- forgotten password process;
- locked account process;
- using the NHS Directory to find people; and
- service status.
The NHS Digital Mobile configuration guide for NHSmail explains the requirements for use of NHSmail on mobile devices such as Smartphones. The guide explains that mobile app NHSmail usage currently ‘does not support shared mailboxes’ but that personal accounts can be accessed. Pharmacy contractors may access NHSmail via their Smartphone web browser. Pharmacy contractors that wish to use NHSmail on mobile devices will also have to be aware of various practical considerations.*
*E.g. passcode settings, preventing access by others, adjusting auto-preview of messages on home-screens, ability to remotely wipe the device if stolen, and storage plus archive settings. Read more within the Mobile configuration guide for NHSmail.
Q. One of our staff members already has an NHSmail address. Should I enter their name into the registration portal?
No. If there is a person in your pharmacy who already has an NHSmail personal account (ending in @nhs.net), they should not be included in the details you submit to the NHSmail registration portal to avoid a duplicate account being created. Once the shared NHSmail account is set up for the pharmacy, the Pharmacy Shared Mailbox Owner will be able to link the staff member’s personal NHSmail account to the shared mailbox address.
Q. Can personal NHSmail accounts be linked to more than one pharmacy shared NHSmail account?
Q. How many personal NHSmail accounts can be set up per pharmacy?
Except in exceptional circumstances, up to 10 new personal NHSmail accounts can be created per pharmacy. Contractors should consider which staff members are most appropriate to have access to the shared NHSmail address. For example, locum staff would not require access if another staff member on duty does have access; this does not need to be a pharmacist.
Q. How do I activate my personal NHSmail account?
Once you have received your username (sent to the email address which you registered with) and the temporary password sent to your mobile phone number, you can activate your account by:
- Navigating to nhs.net;
- clicking the login button;
- entering your NHSmail username;
- typing the password sent to your mobile phone;
- reviewing and accepting the user agreement which should pop up on your screen; and
- then you should receive an email confirming that you have activated the account.
Note that activation has to be undertaken by each person with an NHSmail account.
More information on how to activate your account is available in Guide for community pharmacies using NHSmail (November 2017).
Q. I have not received a password for my pharmacy’s shared mailbox; how do I activate the shared mailbox?
You do not need to activate a shared mailbox and you will not receive a password for a shared mailbox, because all authorised users of the shared mailbox access the mailbox using their personal NHSmail account.
Q. How is NHSmail accessed when the pharmacy is being covered by a locum pharmacist? Are there arrangements for locum staff to have personal NHSmail accounts?
A pharmacy shared mailbox for a pharmacy premises can now have up to ten individual accounts connected as a standard (see FAQ immediately below) and therefore all of the staff members that work regularly at the premises can be provided with an individual account which ‘links’ to the pharmacy shared mailbox. Individual accounts can be obtained by pharmacists, counter assistants, dispensers, technicians or anyone else within the team. Ensuring that a number of people can access the pharmacy shared mailbox can help to ensure that even if there are unexpected absences in the future, the team will be able to access the shared mailbox.
For those locum pharmacists that work regularly at a pharmacy premises, the pharmacy contractor with the pharmacy NHSmail owner are able to determine whether to link or unlink certain locum pharmacists’ individual accounts to the pharmacy shared mailbox. However, there is a process to go through for linking and unlinking, and the process might not be required where other members of the team can already access the shared mailbox.
For locum pharmacists that do not have an NHSmail individual account, but believe they are in need of one, they can request one if they secure a sponsoring organisation (e.g. local Clinical Commissioning Group (CCG), hospital, community pharmacy), and potentially to include some written support, to assist their request for an account and a case may need to be made to explain the reasoning that one is needed.
Q. I would like more than ten individual NHSmail accounts to link to the shared NHSmail mailbox; how do I get more than ten individual accounts and have these connected to the pharmacy’s shared mailbox?
Up to 10 individual NHSmail accounts should be suitable for most pharmacy contractors. However, your regional NHS England and NHS Improvement team will be able to authorise more than 10 accounts to access the shared mailbox, but they will only do this where this is requested with a valid reason for needing them.
Note: The standard limit of 10 as explained above, was increased, having previously been set at 3. The creation of a new personal NHSmail for a new member of staff at the pharmacy is explained within an FAQ below.
Q. Do I need a password to use my NHSmail account? What is the password policy?
Yes, every staff member requires their own username and password to access NHSmail for both their personal and any shared mailbox they have been authorised to access. You will need to ensure your account remains active by changing your password at least every 365 days otherwise it may be de-activated or removed from the service.
NHS Digital introduced an improved NHSmail password policy from May 2019, which included less frequent password changes.
NHSmail users’ passwords will become valid for 365 days instead of the previous 90-day expiry. This change follows PSNC, on behalf of the Community Pharmacy IT Group (CP ITG), lobbying NHS Digital about its approach to frequent forced password changes for national systems including NHSmail. PSNC asked NHS Digital to consider applying the National Cyber Security Centre’s (NCSC) guidance that states:
“Regular password changing harms rather than improves security, so avoid placing this burden on users”.
NHSmail users will be notified they must change their password within 45 days of the new policy’s introduction. The new policy also adopts some of the NCSC’s other password guidelines; new NHSmail passwords must follow criteria including:
- a minimum length of 10 characters without requiring a mix of character types;
- not matching your previous four passwords;
- not detected as a common password, e.g. password1234; and
- not detected as a breached password (a password used for an account that has previously been compromised).
Top tip: NCSC recommend that a strong and memorable password is created by choosing three random words, e.g. ‘planeyellowbread’.
Q. I have received details of the pharmacy’s shared NHSmail account but not my personal NHSmail account. What do I do?
If you have received details of your shared NHSmail account and not your personal NHSmail account, you should email email@example.com, explaining the issue and providing your first name and surname, the pharmacy’s ODS code and the email address of the pharmacy shared mailbox.
Q. I have received details of my personal NHSmail account but not the pharmacy’s shared NHSmail account. What do I do?
If you have received details of your personal NHSmail account and not your shared NHSmail account, you should email firstname.lastname@example.org, explaining the issue and providing your first name and surname and pharmacy’s ODS code.
Q. I’m an extended hours pharmacy; how many people can access the shared mailbox in my pharmacy?
There is no restriction on the number of users who can be given access to a shared mailbox via their personal NHSmail account.
Q. If I email email@example.com how quickly will I get a response?
The Pharmacy admin team will endeavour to respond to your enquiry as soon as possible. The Pharmacy service desk is available between 9am – 5pm Monday – Friday excluding bank holidays and can be contacted at firstname.lastname@example.org.
Outside of these hours, simple tasks like password resets can be performed by the NHSmail National Service Desk (0333 200 1133). More complex tasks, that arise out of hours, can be logged by emailing email@example.com or by calling the National Service Desk (0333 200 1133) and these issues will be dealt with by the Pharmacy admin team when they are next available.
Q. Why is a mobile phone number needed to set up my account? How will the phone number be used?
A mobile phone number needs to be provided when applying for an NHSmail account as temporary passwords are sent via a text message to the mobile number provided.
When you log in to your account for the first time you are asked to accept the Acceptable Use Policy (AUP). At this stage you will also be asked to set up security questions. These are required as you will need to be able to answer these questions if you are locked out of your account or have forgotten your password so that you can perform a self-service password reset. If you require a password reset and are unable to answer your security questions (or have not set them up yet) the helpdesk will use the mobile phone number that you provide to authenticate you.
A change was made during summer 2019 so that all existing NHSmail users connected to the pharmacy directory ‘container’, and any subsequent new NHSmail users connected to the pharmacy directory, have started to have their mobile number hidden from the NHS Directory automatically. Many community pharmacy NHSmail users reported not having access to a work mobile phone, so this means that personal mobile phone numbers were listed.
You can choose to unhide your mobile number so that it appears in the NHS Directory by following the How to hide / unhide your mobile phone number from the NHS Directory guidance (NHSmail support site guidance).
Note: The pharmacy admin NHSmail helpdesk will continue to have access to an NHSmail user’s mobile phone number, regardless of whether it’s hidden in the NHS Directory or not. This access is required for authenticating a user for password resets, account lockouts and also for contacting users who become inactive on the NHSmail platform.
The NHS Directory can only be accessed by legitimate users of NHSmail
Q. How can I unhide my mobile number from the NHS Directory?
By default, your mobile number entered during the registration process should be hidden from the NHS Directory, but may be visible to the pharmacy admin NHSmail helpdesk. You can choose to unhide your mobile number from the NHS Directory by following the How to unhide / hide your mobile phone number from the NHS Directory guidance (NHSmail support site guidance). The NHS Directory can only be accessed by legitimate users of NHSmail. Read the FAQ above for further information.
Q. What if I forget my password, am unable to answer my security questions and do not have a mobile phone number which can be used as authentication?
You will need to speak to the shared mailbox owner of your premises account and they will need to contact the helpdesk to confirm they can authenticate you and ask them to reset your password. The national helpdesk will ask the shared mailbox owner to confirm the mobile phone number for the temporary password to be sent to. It is the responsibility of the shared mailbox owner to ensure local validation checks on individuals have been completed.
Q. I am a shared mailbox owner, what is the mobile phone number I provided used for?
Shared mailbox owners are required to supply a mobile phone number that they have access to, and be the primary point of contact for the national helpdesk to liaise with – if another staff member in the pharmacy forgets their password and is unable to answer their security questions and that staff member does not have a mobile phone number listed.
Q. What if I cannot take my mobile phone to work?
If you are unable to take your mobile phone to work and are therefore unable to activate your account from a work computer you can log into your account for the first time from another computer, e.g at home. You will receive an email to your personal email address which you supplied when registering which will contain your new email address and instructions on how to log into your account. If you do not have a home computer or internet access, you can make a note of your password and set up your account when you are at work. However, it is recommended that you have your mobile phone on you when signing into your account for the first time as the password will contain a mix of different characters and upper and lower case letters.
Q. What to do if you are moving to another community pharmacy or leaving pharmacy altogether?
If you are leaving your pharmacy you will need to notify the shared mailbox owner who will remove your NHSmail account from the shared mailbox for the pharmacy that you are leaving. Your NHSmail account can be added to any new community pharmacy that you join by contacting the shared mailbox owner for that site. If you are the shared mailbox owner you will need to contact the national helpdesk desk at firstname.lastname@example.org or by calling 0333 200 1133 and ask for your permissions to be removed from the shared mailbox and advise who should now be added as the shared mailbox owner.
If you are leaving the pharmacy sector or not taking up a new role at another community pharmacy, please contact the pharmacy national helpdesk at email@example.com who will mark your account as a ‘leaver’. Your account will be permanently deleted after 30 days.
Pharmacy team members that transfer from a community pharmacy to clinical pharmacy roles with an NHS organisation can transfer their NHSmail account to their new role by asking the NHSmail Local Administrator in their new organisation to mark their account as a ‘joiner’. This must be done within 30 days of the account being marked as a ‘leaver’ to ensure it is not deleted.
Note: NHSmail accounts that are marked as ‘leavers’ are permanently deleted after 30 days if no new organisation is identified. Additionally, NHSmail accounts that are not utilised for 90 days are de-activated and will be permanently deleted after a further period.
Q. What do I do if a new staff member is joining the community pharmacy and requires an NHSmail account to be created/linked? (Or what to do if you require additional accounts beyond the standard ten accounts linked?)
If you are joining a community pharmacy and already have an NHSmail account, you will need to ask the shared mailbox owner to link your account to the premises shared mailbox. If required, firstname.lastname@example.org may also assist with the linking.
If the new staff member does not have a personal account already, and the pharmacy has less than 10 user accounts, the shared mailbox owner will need to contact the pharmacy national helpdesk at email@example.com to ask for your personal account to be created. The new staff member will need to provide the shared mailbox owner with their personal mobile phone number as the password will be sent to via a text message. For further information on the use of mobile phone numbers see the Guide for community pharmacies using NHSmail.
If your pharmacy already has 10 user accounts, the shared mailbox owner will need to email the regional NHS England and NHS Improvement team, stating the reasons why more than 10 accounts are required to be connected to the shared mailbox, and asking them to approve an additional account being created. If the additional request is approved, the regional team will need to email the pharmacy national helpdesk at firstname.lastname@example.org stating that your additional account has been approved and asking for the account to be created and linked. Again, the new staff member will need to provide their personal mobile phone number as their password will be sent to them via a text message.
The new staff member should ensure their personal account is linked to the shared account after their personal account has been created. Either the NHSmail pharmacy owner, or the pharmacy admin helpdesk should be able to help with the linking.
For IT considerations refer to: PSNC’s checklist: Change of pharmacy circumstance guide: ODS codes and planning required should your ODS code change. In regards to NHSmail:
Q. What to do with NHSmail for consolidations?
When a community pharmacy changes consolidation occurs, the current shared mailbox owner of a pharmacy ‘closing’ into another should proactively take steps to transfer ownership to the new owner by sending an email from the shared mailbox to the national administration service requesting appropriate action. For any current community pharmacy staff members who have an NHSmail user account linked to the shared mailbox and are ceasing to be employed at the pharmacy, please send an email from the shared mailbox to the national administration service requesting for these users to be removed.
Note: Please ensure that there is a staff member working at the community pharmacy who always has an NHSmail account linked to the shared mailbox.
Q. What is is the process in case of a pharmacy change (e.g. ODS/ownership/location change)?
The IT/ODS change checklist mentions this topic and more detailed information is set out below.
- If your ODS code or address will change, you should contact the NHSmail Pharmacy Admin team (email@example.com) to ask them to adjust your NHSmail premises shared account email address as needed. Your new email address might include the new ODS code / address if there is one. Your old email address may be retired and/or may redirect to the appropriate account. If any pharmacy staff members who have a personal NHSmail account which has access to the premises shared account are ceasing to be employed at the pharmacy, follow please contact NHSmail Admin to request their removal from the shared mailbox and also link those new staff needed. Make sure that you still have staff members with personal NHSmail accounts which can access the premises shared account. During ownership changes the outgoing owner may support transfer of an older mailbox to ensure continuity of a mailbox – e.g. so there is not delay/disruption of emails relating to patient referrals communicated to older shared addresses. An outgoing owner may make requests to NHSmail. The incoming owner may need to make arrangements with the outgoing owner prior to the change date. The outgoing and incoming owner may also need to make sure that appropriate arrangements are in place for example if there is a transfer of the mailbox that relevant emails are deleted if needed – ensuring patient expectations continue to be met. If required all emails may be deleted or a fresh account may be set-up. Both the outgoing and incoming owner will need to complete the Data Security and Protection Toolkit once within each financial year although it may be permissible that where the change date is close the Toolkit deadline that the incoming owner will complete entry level in order to support NHSmail usage with the full Toolkit completed later.
- After the change: Check that adjustments have been made by sending a test email to your account, and then checking that you can login and view the email [you could check the right staff are linked and that shared mailbox and the individual accounts work as expected]. If the incoming owner was unable to finalise arrangements, there is a chance that a new shared mailbox may be required. Note that the pharmacy might not appear by default within the pharmacy shared mailbox registration portal because this portal may typically include the list of pharmacies which have not had a shared mailbox. A ticket to firstname.lastname@example.org may support the pharmacy being added to this portal list, if required.
Practical considerations related to use of NHSmail
There are a range of points that need to be considered when planning how NHSmail accounts should be used. The following issues to consider have been collated from feedback from pharmacists that have already used NHSmail.
- How often will the account be checked? Email is a useful additional communication channel, but if the information being communicated to the pharmacy is time sensitive, the pharmacy must have procedures in place to ensure email is checked on a frequent basis;
- NHSmail supports the sending of attachments – problems can sometimes arise when attachments are sent to the pharmacy to view or edit, but the pharmacy doesn’t have the necessary software on their computer to support this. As there is a risk that unapproved software could interfere with the operation of a PMR system or invalidate a pharmacy’s maintenance contract with their supplier, it is important to check with suppliers before loading software on to pharmacy computers;
- Links in emails to external websites – many pharmacies have strict controls on what websites can be accessed from the pharmacy computer. In some cases staff can only access a list of sites that have been pre-approved by a company Head Office;
- Managing access rights – who will have access to the shared mailbox and how will this access be managed? What processes are in place to ensure access rights are maintained when there are staff changes?
- Storing information received – storing records of clinical communications is important for clinical governance reasons. NHSmail is designed to support the transfer of information, not the storage of information. Whilst some information could be copied across to the notes in the patient’s pharmacy record, particular consideration will need to be given to how attached documents are stored (including arrangements for data back-up and appropriate access controls);
- Sending patient information – NHSmail is the only NHS approved method for exchanging patient data by email, but only if both sender and recipient use an NHSmail account or if sending to another government secure domain such as GSi (*.gsi.gov.uk) or CJX (*.police.uk or .pnn.police.uk). In addition to ensuring the recipient account is secure, it is important to check that the recipient is prepared to accept the information by email, check that information is being sent to the correct email address and indicate the sensitive nature of data in the header;
- Information Governance – appropriate information governance procedures need to be put in place if NHSmail is used to transfer sensitive information. As NHSmail can be accessed anywhere, it is not possible to limit access rights to a particular location, for example from within a pharmacy. Also NHSmail can be linked to a wide range of mobile devices – if this option is used, provision needs to be made for the event that they are stolen or lost, for example a process to activate self-wipe capability. Approaches by which safeguards around the use of NHSmail could be integrated into existing IG resources required for compliance with the NHS Information Governance Toolkit include:
- Outlining the expectations on staff use of NHSmail in the pharmacy confidentiality code of conduct (Requirement 214).
- Outlining how personal information will be handled if received by email, for example in the pharmacy’s safe haven procedures (Requirement 322).
- Providing guidance on the use of NHSmail in the pharmacy’s data transfer procedures (Requirement 322).
- Where the service is accessed from mobile devices, providing additional guidelines for staff on mobile computing (Requirement 318).
- General guidance on the NHS Information Governance requirements can be found in the NHS IG section of this website.
- Regulatory information in business letters – a requirement was introduced by the Companies (Registrar, Languages and Trading Disclosures) Regulations 2006 for companies in the UK to include certain regulatory information (e.g. company registration number, place of registration and registered office address) in their ‘business letters’ (which includes emails). In October 2009, similar requirements were introduced for sole traders and partnerships (with special provision for partnerships of more than 20 persons) and Limited Liability Partnerships. Although individuals can set up personal ‘email signatures’ in NHSmail, there is no way at present, via the NHSmail service to set up an automatic footer/signature stamp so that a company can ensure all emails sent by their employees contain the necessary information. Failure to include the information required in the Regulations would be a breach of the Companies Act 1985, and could render companies liable to a substantial fine.
Return to the IT section: Communications across healthcare