
Protect Clinical Insights

Keeping Patient Messaging Apps Safe and Secure in Everyday Use

Practical steps to manage clinical safety and information governance risks in patient messaging workflows.

Published 2 December 2025 · Topics: patient-communication, data-protection, clinical-safety

Why Patient Messaging Needs Safety Controls

Secure messaging tools can make follow-up communications faster, but they introduce risks: misrouted messages, delayed responses, clinical information lost outside the patient record, and patients using messaging for urgent issues.

Without clear boundaries and controls, patient messaging creates data protection and clinical safety risks.

Patient messaging platforms are health IT systems, so deploying one falls under DCB0160 (the clinical risk management standard for organisations deploying and using health IT). You need to identify the hazards the platform introduces, assess the risks, and implement controls to manage them.

This guide shows the practical steps. It assumes you understand the basics—if you do not, start with:

The Main Risks

Patient messaging creates these common hazards:

Misrouted messages: Message sent to wrong patient, revealing confidential information.

Delayed responses: Patient waits for response while condition worsens.

Missed clinical actions: Important information buried in messaging thread, not actioned or recorded in patient record.

Patients using messaging for urgent issues: Patient messages about chest pain instead of calling 999.

Lost audit trail: Conversations happen outside EPR, no record of advice given.

Your controls must address these specific risks.

Define Permitted Use Cases

Be explicit about what messaging can and cannot be used for.

Permitted uses:

  • Appointment reminders and confirmations
  • Prescription collection notifications
  • Test results that do not require clinical discussion (normal results with pre-agreed thresholds)
  • Follow-up checks after clinician-led advice where patient has explicitly consented
  • Administrative queries (registration, records access)

Not permitted:

  • Emergency triage or urgent symptoms
  • Breaking bad news (cancer diagnoses, bereavement)
  • Complex clinical discussions requiring nuance or shared decision-making
  • Patients you have not seen recently (no clinical context)

If a patient messages about an excluded topic, the protocol is an immediate phone call or appointment, not continuing the conversation by message.

Document permitted uses in your clinical safety policy and publish them on your website so patients understand boundaries.

Set Response Time Standards

Patients need to know how quickly to expect a response and what to do if it is urgent.

Publish service levels clearly:

  • Administrative queries: Response within two working days
  • Clinical queries: Reviewed by a clinician within one working day, with a response or callback on the same day as that review
  • Urgent issues: Do not use messaging—call the practice or 999

Use auto-reply to acknowledge receipt immediately. Include:

  • Expected response time
  • Emergency signposting ("If this is urgent, call us on [number] or dial 999")
  • What to do if you have not heard back within the expected timeframe

Set service hours and automatic closures. If you are closed, messages should queue with clear indication of when you will respond, or be redirected to out-of-hours services.

Allocate Ownership and Cover

Messaging cannot be left to "whoever checks it." Assign explicit responsibility.

Daily responsibility: Reception or admin staff triage incoming messages each morning and during the day. Clinical queries are routed to duty clinicians via the task list.

Named deputies: Identify deputies to cover annual leave and sickness. If the primary person is absent, the deputy must know to check messages.

Escalation protocol: High-risk content (suicidal ideation, safeguarding concerns, severe symptoms) triggers immediate escalation to duty clinician for phone or in-person follow-up.

Record escalations and outcomes in the safety log and patient record.

Choose and Configure Secure Platforms

Use NHS-approved platforms or secure modules provided by your EPR supplier. Confirm they offer:

  • Encryption in transit and at rest: Messages protected by TLS on the wire and encrypted in storage, with keys held by the platform rather than on staff or patient devices. Note that true end-to-end encryption between patient and clinician devices would prevent the platform itself from auditing messages or filing them to the EPR, so it is not what you want here.
  • Audit trails: Who accessed which message when
  • Role-based access: Only authorized staff can view messages
  • Automatic logging: Message history exported to patient record

Limit access to authorized staff, authenticating them with NHS smartcards or NHSmail accounts protected by multi-factor authentication. Do not use consumer apps (WhatsApp, SMS) for clinical messaging: SMS is unencrypted, and even apps that encrypt messages give you no organisational audit trail, role-based access control, retention control, or EPR integration, and leave patient data on personal devices.

Configure automatic logging or export so message history is filed in the patient record without manual copying. Set retention policies aligned with the NHS Records Management Code of Practice: once messages are filed to the EPR, archive or delete the platform copy securely so the record of advice lives in one place.

Maintain Information Governance Controls

Patient messaging involves personal and clinical data, so information governance is critical.

Data Protection Impact Assessment (DPIA): Conduct or update a DPIA covering messaging workflows. Identify risks (data breach, unauthorized access) and controls (encryption, access restrictions, staff training).

Privacy notices: Keep privacy notices current, explaining how messages are used, stored, and who has access. Patients must understand their data rights.

Staff training: Train staff on confidentiality, phishing risks, and verifying patient identity before sharing information. Locums and temporary staff must be briefed before they start.

Access audits: Audit access and message handling quarterly. Review the platform's access logs for activity that does not fit the role (staff opening messages for patients they have no task for, access outside service hours, one account opening an unusually large number of records). Investigate anomalies immediately.
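The quarterly access audit is easier to do consistently if the checks are scripted against the platform's log export rather than eyeballed. The script below is an added example, not code from any messaging platform or from this page's author. It assumes a simple CSV export (timestamp, user, role, action, patient id), a set of permitted roles, the practice's service hours and a per-day distinct-patient threshold; all of these are assumptions to replace with your own platform's format and policy, and the log lines are constructed sample data, not real records.

```python
"""Review a patient-messaging access log for the anomalies the quarterly audit looks for.

Added example; the export format, role names, service hours and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Roles that role-based access should permit to open patient messages (assumed).
PERMITTED_ROLES = {"gp", "nurse", "reception", "admin"}
# Published service hours (assumed); access outside them is worth a second look.
SERVICE_START, SERVICE_END = time(8, 0), time(18, 30)
# One account opening messages for more than this many distinct patients in a day
# is unusual for the assumed practice size and is flagged for review.
DEFAULT_BULK_THRESHOLD = 40

# Constructed sample export (timestamp,user,role,action,patient). Not real data.
SAMPLE_LOG = """\
2025-12-01T08:15:00,jsmith,reception,view,P1001
2025-12-01T08:16:10,jsmith,reception,view,P1002
2025-12-01T09:02:00,dr.patel,gp,view,P1001
2025-12-01T09:05:00,dr.patel,gp,send,P1001
2025-12-01T23:40:00,dr.patel,gp,view,P1007
2025-12-01T10:30:00,tcontract,pharmacy_tech,view,P1003
2025-12-02T08:00:00,jsmith,reception,view,P1001
"""


def parse_log(text):
    """Parse the CSV export into a list of dicts with a real datetime per row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                     "action": action, "patient": patient})
    return rows


def find_anomalies(rows, bulk_threshold=DEFAULT_BULK_THRESHOLD):
    """Return (rule, user, detail) findings for the governance lead to investigate.

    Rules: a role that should not have message access, access outside service
    hours, and one account touching an unusual number of patients in one day.
    """
    findings = []
    per_user_day = defaultdict(set)
    for r in rows:
        if r["role"] not in PERMITTED_ROLES:
            findings.append(("role_not_permitted", r["user"],
                             f"{r['role']} {r['action']} {r['patient']}"))
        if not (SERVICE_START <= r["ts"].time() <= SERVICE_END):
            findings.append(("outside_service_hours", r["user"], r["ts"].isoformat()))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > bulk_threshold:
            findings.append(("bulk_access", user, f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {user:12} {detail}")
```

On the sample data this flags the contractor account whose role is not on the permitted list and the clinician's 23:40 access; neither is necessarily wrong, which is the point of recording an investigation outcome rather than treating a hit as an incident. A finding that repeats every quarter for the same account is a sign the role model, not the user, needs fixing.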

Communicate Boundaries to Patients

Patients need to understand what messaging can and cannot be used for.

Publish guidance on your website and in waiting-room materials:

  • What messaging is for (appointment queries, prescription notifications, administrative questions)
  • What it is not for (urgent symptoms, complex clinical discussions)
  • Response times
  • What to do if it is urgent (call practice or 999)

Include consent statements in onboarding messages. Patients should explicitly consent to messaging and understand they can opt out easily.

Provide alternative channels for patients with accessibility needs or limited digital literacy (telephone, face-to-face, translation support).

Monitor and Improve

Track metrics to confirm your controls are working:

  • Message volume: Track total messages and identify trends
  • Response times: Measure time from receipt to response, flag breaches
  • Escalations: Count messages requiring urgent escalation, identify patterns
  • Repeat contacts: Patients messaging again because they did not get a response
  • Incidents: Messages misrouted, delays causing harm, clinical actions missed

Discuss findings in monthly safety or governance meetings. If metrics worsen, investigate whether controls have failed or need strengthening.
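The metrics above only detect failing controls if they are computed the same way every month, against the published service levels rather than against a feeling about how busy the inbox was. The script below is an added example, not code from any messaging platform or from this page's author. It assumes a CSV export of one row per message (id, patient, category, received, first response, escalated flag), the two-working-day administrative and one-working-day clinical standards published earlier in this guide, and 08:00 to 18:00 Monday to Friday service hours; bank holidays are not modelled. The message rows are constructed sample data.

```python
"""Compute monthly patient-messaging safety metrics from a message export.

Added example; the export format, SLAs and service hours are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Working days to first response, per published service level (assumed to match policy).
SLA_WORKING_DAYS = {"admin": 2, "clinical": 1}
# Service hours 08:00-18:00, Monday to Friday (assumed; bank holidays not modelled).
SERVICE_HOURS = (8, 18)

# Constructed sample export: id,patient,category,received,first_response,escalated
# (blank first_response = not yet answered). Not real data.
SAMPLE = """\
M1,P1001,admin,2025-12-01T09:00:00,2025-12-02T10:00:00,no
M2,P1002,clinical,2025-12-01T10:00:00,2025-12-03T09:00:00,no
M3,P1002,clinical,2025-12-02T08:30:00,,no
M4,P1003,clinical,2025-12-05T17:00:00,2025-12-08T09:00:00,yes
M5,P1004,admin,2025-12-06T11:00:00,2025-12-09T10:00:00,no
"""


def parse_export(text):
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mid, patient, cat, received, responded, escalated = line.split(",")
        msgs.append({"id": mid, "patient": patient, "category": cat,
                     "received": datetime.fromisoformat(received),
                     "responded": datetime.fromisoformat(responded) if responded else None,
                     "escalated": escalated == "yes"})
    return msgs


def add_working_days(start, days):
    """Advance `start` by `days` working days, skipping Saturday and Sunday."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def in_service_hours(ts):
    return ts.weekday() < 5 and SERVICE_HOURS[0] <= ts.hour < SERVICE_HOURS[1]


def compute_metrics(msgs, now):
    """Return the month's metrics: volume, SLA breaches, overdue open messages,
    repeat contacts, out-of-hours arrivals, escalations and mean response time."""
    m = {"volume": len(msgs), "sla_breaches": [], "open_overdue": [],
         "repeat_contacts": [], "out_of_hours": [], "escalations": 0,
         "mean_response_hours": None}
    hours = []
    for msg in msgs:
        deadline = add_working_days(msg["received"], SLA_WORKING_DAYS[msg["category"]])
        if msg["responded"] is None:
            if now > deadline:               # still unanswered and already past its SLA
                m["open_overdue"].append(msg["id"])
        else:
            hours.append((msg["responded"] - msg["received"]).total_seconds() / 3600)
            if msg["responded"] > deadline:  # answered, but later than the published SLA
                m["sla_breaches"].append(msg["id"])
        if not in_service_hours(msg["received"]):
            m["out_of_hours"].append(msg["id"])
        if msg["escalated"]:
            m["escalations"] += 1
    # Repeat contact: the patient sends another message before the earlier one was answered.
    by_patient = defaultdict(list)
    for msg in msgs:
        by_patient[msg["patient"]].append(msg)
    for items in by_patient.values():
        items.sort(key=lambda x: x["received"])
        for earlier, later in zip(items, items[1:]):
            if earlier["responded"] is None or later["received"] < earlier["responded"]:
                m["repeat_contacts"].append(later["id"])
    if hours:
        m["mean_response_hours"] = round(sum(hours) / len(hours), 2)
    return m


if __name__ == "__main__":
    report = compute_metrics(parse_export(SAMPLE), now=datetime(2025, 12, 10, 9, 0))
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Mean response time is wall-clock hours, so a Friday evening message answered on Monday morning counts as sixty-odd hours; that is deliberate, because it is what the patient experiences, and it is why the SLA check is done separately in working days. The repeat-contact rule deliberately counts the second message, not the patient, so a run of unanswered follow-ups from one person is visible as several events.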

Review template messages regularly to keep advice accurate and consistent with current clinical guidance.

Common Pitfalls

Using consumer apps: SMS and ordinary email are unencrypted; WhatsApp encrypts messages but gives the practice no audit trail, role-based access, retention control, or EPR integration, and leaves patient data on personal phones. Do not use any of them for clinical messaging.

Open-ended messaging: Conversations that drift over days without clear resolution or recording in EPR. Every conversation must have a documented outcome.

No cover for out-of-hours: Messages arriving when no one is monitoring. Set service hours and automatic closures to prevent messages piling up unattended.

Ignoring consent: Sharing confidential information without confirming patient identity or documenting consent. Always verify identity before responding.

Action Checklist

  • Define permitted use cases and document them in your clinical safety policy
  • Set response time standards and publish them for patients
  • Allocate daily responsibility and name deputies for cover
  • Choose NHS-approved platform with encryption, audit trails, and EPR integration
  • Conduct or update DPIA covering messaging workflows
  • Train staff on confidentiality, phishing, and identity verification
  • Publish patient-facing guidance on your website
  • Track metrics monthly and discuss in governance meetings
  • Complete the DCB0160 clinical risk assessment for your messaging platform (hazard log and clinical safety case report, signed off by your clinical safety officer)

Resources to Bookmark

Key Takeaways

Safe patient messaging requires clear boundaries about permitted uses, explicit response time standards, and secure platforms with audit trails and EPR integration.

The main risks are misrouted messages, delayed responses, missed clinical actions, patients using messaging for urgent issues, and lost audit trails.

Your controls must be documented, communicated to patients, and monitored continuously. If metrics worsen, investigate whether controls have failed or need strengthening.