NHSmail is a centrally funded and managed secure email and communications service which is approved by the NHS for exchanging patient data.
For a number of years, community pharmacies in England have been able to request a shared NHSmail account. To access a shared NHSmail mailbox, users must have their own personal NHSmail address which is linked to the shared mailbox. This is to allow different staff members to access the mailbox without sharing of login details.
The NHSmail service is available anywhere, over either the NHS N3 network or the open internet. The service can be viewed through a free web based client or alternatively pharmacies can choose to connect the service to a local email client they have purchased, for example Microsoft Outlook.
The key benefit of the service is its security, which means it can be used for transmission of patient information between health professionals. Examples of the types of information that can be transmitted through the service include patient MUR information and hospital discharge communications.
How to get a shared NHSmail account - Pharmacy Quality Scheme and NUMSAS
Having a shared NHSmail account for your community pharmacy is a gateway criterion for the Pharmacy Quality Scheme and it is also necessary for any pharmacy contractor that wishes to provide the NHS Urgent Medicine Supply Advanced Service; this will also be a requirement for contractors wishing to provide the Community Pharmacist Consultation Service, which is due to commence in October 2019.
If you want to obtain a shared NHSmail account for your pharmacy, you can do this via the NHSmail registration portal. Working through this process will include the creation of up to three personal NHSmail accounts which will be used to access the shared NHSmail account. The process is explained in PSNC Briefing 058.17 How to complete the NHSmail registration process. During the registration process, if you are unable to locate your pharmacy within the portal, please contact email@example.com and they will support you through the process (also see section below).
Once you have completed your registration using the portal, you will be sent login details for the personal accounts so that you can activate them and then log into your shared NHSmail account. When you first login to your personal NHSmail account, review and accept the user agreement which should pop up on your screen. Each NHSmail user within your pharmacy can activate their account by logging in using their individual login details; activation applies to each person. After each staff member has accepted the user agreement, each person should receive an email which explains that activation has taken place. If you are having difficulties with activating your account, contact firstname.lastname@example.org who will support you through the process.
Already have an NHSmail account for your pharmacy?
Some pharmacies already have an NHSmail account for their pharmacy. This may be a shared mailbox, which users log into using a personal NHSmail account (i.e. the shared mailbox cannot be logged into directly), or it may be an NHSmail account which has been created for the pharmacy using a personal NHSmail account. NHS England and NHS Digital want all pharmacies to have shared mailboxes which can only be accessed by authorised users who log in using their personal NHSmail account. This is also the only type of account which will meet the gateway criterion for the Pharmacy Quality Scheme.
If you already have a pharmacy NHSmail account, but it is not a shared mailbox, follow the above process to request a shared NHSmail account.
Technical queries and escalation
In the event of a technical NHSmail query:
1. Please contact email@example.com so that emails go directly to the national NHSmail team managing pharmacy accounts.
[The general NHSmail national helpdesk may be able to help in some scenarios (0333 200 1133), however it is recommended for pharmacy staff to please email the NHSmail pharmacy admin team rather than to call the general NHSmail helpdesk.]
2. Your email should be short and should include your question, name, position, pharmacy name + ODS (F) code, and your contact telephone number.
3. The NHSmail pharmacy admin team may email or phone you to request further information to progress your query.
4. Please make use of the incident reference number (INC number) provided, and you may re-open a ticket if you are not satisfied after one has been closed.
5. Keep all of the emails just in case further escalation is required. You may escalate such emails to PSNC by emailing PSNC if you have a single or systemic issues that you are struggling to resolve with the NHSmail pharmacy admin team and you have tried the above.
NHS Digital has developed a guide which explains how to make use of NHSmail: Guide for community pharmacies using NHSmail (November 2017). This guide includes information about:
- logging in;
- the Shared Mailbox Owner;
- email signatures;
- setting auto responses;
- what to do if your name changes;
- training links;
- forgotten password process;
- locked account process;
- using the NHS Directory to find people; and
- service status.
The NHS Digital Mobile configuration guide for NHSmail explains the requirements for use of NHSmail on mobile devices such as Smartphones. The guide explains that mobile app NHSmail usage currently ‘does not support shared mailboxes’ but that personal accounts can be accessed. Pharmacy contractors may access NHSmail via their Smartphone web browser. Pharmacy contractors that wish to use NHSmail on mobile devices will also have to be aware of various practical considerations.*
*E.g. passcode settings, preventing access by others, adjusting auto-preview of messages on home-screens, ability to remotely wipe the device if stolen, and storage plus archive settings. Read more within the Mobile configuration guide for NHSmail mentioned earlier. Further practical considerations listed within the ‘Practical considerations’ section below.
Q. One of our staff members already has an NHSmail address. Should I enter their name into the registration portal?
No. If there is a person in your pharmacy who already has an NHSmail personal account (ending in @nhs.net), they should not be included in the details you submit to the NHSmail registration portal to avoid a duplicate account being created. Once the shared NHSmail account is set up for the pharmacy, the Pharmacy Shared Mailbox Owner will be able to link the staff member’s personal NHSmail account to the shared mailbox address.
Q. Can personal NHSmail accounts be linked to more than one pharmacy shared NHSmail account?
Q. How many personal NHSmail accounts can be set up per pharmacy?
Except in exceptional circumstances, up to 10 new personal NHSmail accounts can be created per pharmacy. Contractors should consider which staff members are most appropriate to have access to the shared NHSmail address. For example, locum staff would not require access if another staff member on duty does have access; this does not need to be a pharmacist.
Q. How do I activate my personal NHSmail account?
Once you have received your username (sent to the email address which you registered with) and the temporary password sent to your mobile phone number, you can activate your account by:
- Navigating to nhs.net;
- clicking the login button;
- entering your NHSmail username;
- typing the password sent to your mobile phone;
- reviewing and accepting the user agreement which should pop up on your screen; and
- then you should receive an email confirming that you have activated the account.
Note that activation applies to each person.
More information on how to activate your account is available in Guide for community pharmacies using NHSmail (November 2017).
Q. I have not received a password for my pharmacy’s shared mailbox; how do I activate the shared mailbox?
You do not need to activate a shared mailbox and you will not receive a password for a shared mailbox, because all authorised users of the shared mailbox access the mailbox using their personal NHSmail account. Activation applies to each person.
Q. I would like more than ten individual NHSmail accounts to link to the shared NHSmail mailbox; how do I get more than three individuals accounts?
Up to 10 individual NHSmail accounts should be suitable for most pharmacy contractors. However, your local NHS England team will be able to authorise more than 10 accounts to access the shared mailbox, but they will only do this where this is requested with a valid reason for needing them.
Q. Do I need a password to use my NHSmail account? What is the password policy?
Yes, every staff member requires their own username and password to access NHSmail for both their personal and any shared mailbox they have been authorised to access. You will need to ensure your account remains active by changing your password at least every 365 days otherwise it may be de-activated or removed from the service.
NHS Digital introduced an improved NHSmail password policy from May 2019, which included less frequent password changes.
NHSmail users’ passwords will become valid for 365 days instead of the previous 90-day expiry. This change follows PSNC, on behalf of the Community Pharmacy IT Group (CP ITG), lobbying NHS Digital about its approach to frequent forced password changes for national systems including NHSmail. PSNC asked NHS Digital to consider applying the National Cyber Security Centre’s (NCSC) guidance that states:
“Regular password changing harms rather than improves security, so avoid placing this burden on users”.
NHSmail users will be notified they must change their password within 45 days of the new policy’s introduction. The new policy also adopts some of the NCSC’s other password guidelines; new NHSmail passwords must follow criteria including:
- a minimum length of 10 characters without requiring a mix of character types;
- not matching your previous four passwords;
- not detected as a common password, e.g. password1234; and
- not detected as a breached password (a password used for an account that has previously been compromised).
Top tip: NCSC recommend that a strong and memorable password is created by choosing three random words, e.g. ‘planeyellowbread’.
Q. I have received details of the pharmacy’s shared NHSmail account but not my personal NHSmail account. What do I do?
If you have received details of your shared NHSmail account and not your personal NHSmail account, you should email firstname.lastname@example.org, explaining the issue and providing your first name and surname, the pharmacy’s ODS code (F code) and the email address of the pharmacy shared mailbox.
Q. I have received details of my personal NHSmail account but not the pharmacy’s shared NHSmail account. What do I do?
If you have received details of your personal NHSmail account and not your shared NHSmail account, you should email email@example.com, explaining the issue and providing your first name and surname and pharmacy’s ODS code (F code).
Q. I’m an extended hours pharmacy; how many people can access the shared mailbox in my pharmacy?
There is no restriction on the number of users who can be given access to a shared mailbox via their personal NHSmail account.
Q. If I email firstname.lastname@example.org how quickly will I get a response?
The Pharmacy admin team will endeavour to respond to your enquiry as soon as possible. The Pharmacy service desk is available between 9am – 5pm Monday – Friday excluding bank holidays and can be contacted at email@example.com.
Outside of these hours, simple tasks like password resets can be performed by the NHSmail National Service Desk (0333 200 1133). More complex tasks, that arise out of hours, can be logged by emailing firstname.lastname@example.org or by calling the National Service Desk (0333 200 1133) and these issues will be dealt with by the Pharmacy admin team when they are next available.
Q. What is the process for locum pharmacists wishing to obtain an NHSmail account because of the NUMSAS pilot?
NHSmail accounts can be requested by a pharmacy participating in the NUMSAS pilot – including for their locum pharmacists. If you require an NHSmail account outside of the NUMSAS roll out process you will need to wait until the new national process is available.
Q. Why is a mobile phone number needed to set up my account?
A mobile phone number needs to be provided when applying for an NHSmail account as temporary passwords are sent via a text message to the mobile number provided.
When you log in to your account for the first time you are asked to accept the Acceptable Use Policy (AUP). At this stage you will also be asked to set up security questions. These are required as you will need to be able to answer these questions if you are locked out of your account or have forgotten your password so that you can perform a self-service password reset. If you require a password reset and are unable to answer your security questions (or have not set them up yet) the helpdesk will use the mobile phone number that you provide to authenticate you. The mobile phone number will also be listed on the NHSmail Directory in association with you as explained within the next question.
Q. The mobile number I provided will be added to the NHSmail Directory. Why is this? Can I hide the mobile number?
Please note the mobile phone number that you provided as part of your NHSmail application is automatically added to the NHSmail directory but you can opt for this to not be visible. Guidance on how to do this is available in the Guide for Community Pharmacies using NHSmail (see the ‘Using NHSmail’ section above). It is not recommended that you remove the mobile phone number as this will be used by the helpdesk as part of the authentication checks. NHS Digital recommend ensuring that the mobile phone number which is listed remains up to date.
Q. What if I forget my password, am unable to answer my security questions and do not have a mobile phone number which can be used as authentication?
You will need to speak to the shared mailbox owner of your premises account and they will need to contact the helpdesk to confirm they can authenticate you and ask them to reset your password. The national helpdesk will ask the shared mailbox owner to confirm the mobile phone number for the temporary password to be sent to. It is the responsibility of the shared mailbox owner to ensure local validation checks on individuals have been completed.
Q. I am a shared mailbox owner, what is the mobile phone number I provided used for?
Shared mailbox owners are required to supply a mobile phone number that they have access to, and be the primary point of contact for the national helpdesk to liaise with – if another staff member in the branch forgets their password and is unable to answer their security questions and that staff member does not have a mobile phone number listed.
Q. What if I cannot take my mobile phone to work?
If you are unable to take your mobile phone to work and are therefore unable to activate your account from a work computer you can log into your account for the first time from a home computer. You will receive an email to your personal email address which you supplied when registering which will contain your new email address and instructions on how to log into your account. If you do not have a home computer or the Internet you can make a note of your password and set up your account when you are at work. However, it is recommended that you have your mobile phone on you when signing into your account for the first time as the password will contain a mix of different characters and upper and lower case letters.
Q. What to do if you are moving to another community pharmacy or leaving pharmacy altogether?
If you are leaving your pharmacy you will need to notify the shared mailbox owner who will remove your NHSmail account from the shared mailbox for the pharmacy that you are leaving. Your NHSmail account can be added to any new community pharmacy that you join by contacting the shared mailbox owner for that site. If you are the shared mailbox owner you will need to contact the national helpdesk desk at email@example.com or by calling 0333 200 1133 and ask for your permissions to be removed from the shared mailbox and advise who should now be added as the shared mailbox owner.
If you are leaving the pharmacy sector or not taking up a new role at another community pharmacy, please contact the pharmacy national helpdesk at firstname.lastname@example.org who will mark your account as a ‘leaver’. Your account will be permanently deleted after 30 days.
Pharmacy team members that transfer from a community pharmacy to clinical pharmacy roles with an NHS Organisation can transfer their NHSmail account to their new role by asking the NHSmail Local Administrator in their new organisation to mark their account as a ‘joiner’. This must be done within 30 days of the account being marked as a ‘leaver’ to ensure it is not deleted.
Note: NHSmail accounts that are marked as ‘leavers’ are permanently deleted after 30 days if no new organisation is identified. Additionally, NHSmail accounts that are not utilised for 90 days are de-activated and will be permanently deleted after a further period.
Q. What to do if a new staff member is joining the community pharmacy and requires an NHSmail account? (Or what to do if you require additional accounts beyond the standard ten accounts?)
If you are joining a community pharmacy and already have an NHSmail account you will need to ask the shared mailbox owner to add your account to the premises shared mailbox. If you do not have an NHSmail account you will need to inform the shared mailbox owner. If the pharmacy has less than 10 user accounts the shared mailbox owner will need to contact the pharmacy national helpdesk at email@example.com to ask for your personal account to be created. You will need to provide the shared mailbox owner with your personal mobile phone number as your password will be sent to you via a text message. For further information on the use of mobile phone numbers see the Guide for community pharmacies using NHSmail.
If your pharmacy already has 10 user accounts the shared mailbox owner will need to email your NHS England local area team with reasons for why more than 10 accounts are required and ask them if they are happy to approve your additional account. If your additional request is approved NHS England will need to email the pharmacy national helpdesk at firstname.lastname@example.org stating that your additional account has been approved and ask for the account to be created. Again, you will need to provide your personal mobile phone number as your password will be sent to you via a text message.
You may need to ensure your personal account is linked to the shared account after your personal account has just been created. Either the NHSmail pharmacy owner, or the pharmacy admin helpdesk should be able to help with the linking.
Practical considerations related to use of NHSmail
There are a range of points that need to be considered when planning how NHSmail accounts should be used. The following issues to consider have been collated from feedback from pharmacists that have already used NHSmail.
- How often will the account be checked? Email is a useful additional communication channel, but if the information being communicated to the pharmacy is time sensitive, the pharmacy must have procedures in place to ensure email is checked on a frequent basis;
- NHSmail supports the sending of attachments – problems can sometimes arise when attachments are sent to the pharmacy to view or edit, but the pharmacy doesn’t have the necessary software on their computer to support this. As there is a risk that unapproved software could interfere with the operation of a PMR system or invalidate a pharmacy’s maintenance contract with their supplier, it is important to check with suppliers before loading software on to pharmacy computers;
- Links in emails to external websites – many pharmacies have strict controls on what websites can be accessed from the pharmacy computer. In some cases staff can only access a list of sites that have been pre-approved by a company Head Office;
- Managing access rights – who will have access to the shared mailbox and how will this access be managed? What processes are in place to ensure access rights are maintained when there are staff changes?
- Storing information received – storing records of clinical communications is important for clinical governance reasons. NHSmail is designed to support the transfer of information, not the storage of information. Whilst some information could be copied across to the notes in the patient’s pharmacy record, particular consideration will need to be given to how attached documents are stored (including arrangements for data back-up and appropriate access controls);
- Sending patient information – NHSmail is the only NHS approved method for exchanging patient data by email, but only if both sender and recipient use an NHSmail account or if sending to another government secure domain such as GSi (*.gsi.gov.uk) or CJX (*.police.uk or .pnn.police.uk). In addition to ensuring the recipient account is secure, it is important to check that the recipient is prepared to accept the information by email, check that information is being sent to the correct email address and indicate the sensitive nature of data in the header;
- Information Governance – appropriate information governance procedures need to be put in place if NHSmail is used to transfer sensitive information. As NHSmail can be accessed anywhere, it is not possible to limit access rights to a particular location, for example from within a pharmacy. Also NHSmail can be linked to a wide range of mobile devices – if this option is used, provision needs to be made for the event that they are stolen or lost, for example a process to activate self-wipe capability. Approaches by which safeguards around the use of NHSmail could be integrated into existing IG resources required for compliance with the NHS Information Governance Toolkit include:
- Outlining the expectations on staff use of NHSmail in the pharmacy confidentiality code of conduct (Requirement 214).
- Outlining how personal information will be handled if received by email, for example in the pharmacy’s safe haven procedures (Requirement 322).
- Providing guidance on the use of NHSmail in the pharmacy’s data transfer procedures (Requirement 322).
- Where the service is accessed from mobile devices, providing additional guidelines for staff on mobile computing (Requirement 318).
- General guidance on the NHS Information Governance requirements can be found in the NHS IG section of this website.
- Regulatory information in business letters – a requirement was introduced by the Companies (Registrar, Languages and Trading Disclosures) Regulations 2006 for companies in the UK to include certain regulatory information (e.g. company registration number, place of registration and registered office address) in their ‘business letters’ (which includes emails). In October 2009, similar requirements were introduced for sole traders and partnerships (with special provision for partnerships of more than 20 persons) and Limited Liability Partnerships. Although individuals can set up personal ‘email signatures’ in NHSmail, there is no way at present, via the NHSmail service to set up an automatic footer/signature stamp so that a company can ensure all emails sent by their employees contain the necessary information. Failure to include the information required in the Regulations would be a breach of the Companies Act 1985, and could render companies liable to a substantial fine.
Skype for Business Messaging (via NHSmail)
In the future, community pharmacy staff may be able to “instant message” other NHSmail users via Skype for Business, for free, as part of the core NHSmail service.
For example, this could allow community pharmacy staff to communicate / instant message with:
- Staff from other community pharmacies;
- GP practice staff; or
- Care Home staff.
Return to the IT section: Communications across healthcare