Choosing an online consultation system

Primary care has led the way in adopting new technologies within the National Health Service (NHS).

Digital health records, online booking systems, Short Message Service (SMS) alerts, virtual consultations, online registration and repeat prescriptions are some examples of the way technology is currently being used to enhance and improve patient care.

Online consultations are a recent addition to the vanguard.


Know the risks

We are aware that many practices and CCGs have already procured, and will be procuring, online consultation systems while not having an IT lead in place at their practice.

We are also aware that door-to-door sales are becoming the norm with IT suppliers, and it is usually the GP who signs off the procurement of these systems, without necessarily knowing what to look out for.

We want to help you to make informed decisions, so we have developed a detailed checklist of the safety, governance, legal and regulatory requirements expected of online consultation systems.

Read on to find out more about the key issues.


  • What are online consultation systems?

    Typically these are app- or web-based systems that facilitate communication and the transfer of information between the general practitioner (GP) and the patient.

    Some software platforms include algorithm-generated, tailored advice for patients (generally referred to as ‘artificial intelligence’ or AI).

    Some systems allow patients to book appointments, request repeat prescriptions and access their health records.


  • What are the concerns about online consultation systems?

    Are they really more efficient?

    A growing number of practices have adopted online consultation systems to help manage workload, triage patients using symptom checkers, and re-direct patients to self-care advice or other services.

    While online services may be more convenient for some patients, there is currently no high-quality evidence that online consultations reduce workload or improve clinical outcomes for patients.

    There has also not been any work done to evaluate the impact of online triage on other parts of the healthcare system, such as Accident & Emergency departments, Urgent Care Centres or Walk in Centres.


    Are the security and governance checks adequate?

    Online systems require significant assurances over security and governance in order to ensure the quality and safety of these systems, for both the patient and the clinician.

    In the competitive and expanding market of these systems, inadequate checks and poor quality products could make practices and clinicians both vulnerable and accountable to the failings of these systems, with the potential to cause harm to patients.


    Issues with compliance

    An evaluation conducted by the Joint GP IT (JGPIT) committee of the existing system suppliers currently being used by Clinical Commissioning Groups (CCGs) and practices revealed significant shortcomings in compliance with the basic safety and governance requirements.

    The Care Quality Commission’s (CQC) new regime for inspecting online health services has revealed nearly half of these providers are not providing a safe service for patients.

    Of 33 services that were inspected under the new system, 16 were deemed not to be providing a safe service, either in part or in full.

    The majority of these providers were also found not to be providing a well-led or effective service.


    How we can help

    Bearing in mind many GP practices do not have an IT lead, we want to help you to make informed decisions.

    Below is our 11-point checklist, grouped into the main topic areas you need to pay careful attention to when choosing an online consultation system.


  • Checklist - Safety and quality assurance

    1. Conformance with SCCI0129

    (Clinical risk management: its application in the manufacture of health IT systems, NHS Digital)

    Conformance with SCCI0129 is important to ensure that suppliers maintain adequate risk management processes.

    Compliance with this standard requires suppliers to have a clinical safety officer, who is accountable for the quality standards of the system.

    The standard ensures suppliers conduct regular risk analyses, maintain a hazard log, and evaluate the deployment and delivery of their systems. Suppliers are also required to ensure adequate risk management checks are conducted for third-party products used in their systems.


    2. Conformance with SCCI0160

    (Clinical risk management: its application in the deployment and use of health IT systems, NHS Digital)

    The SCCI0160 standard complements SCCI0129. It is addressed to the people within health organisations who are responsible for health IT systems, so that they carry out effective clinical risk management prior to deploying, using, maintaining or decommissioning health IT systems.


    3. Registration with the Medicines and Healthcare products Regulatory Agency (MHRA)

    (As a medical device with CE marking in line with the European Union (EU) medical device directive)

    Apps and software that qualify as a medical device must be CE marked in line with the EU medical devices directive.

    Medical devices can cover hardware, invasive and implantable devices, as well as software and monitoring tools.

    For the purpose of this guidance, systems that have a medical purpose need to be CE marked.

    Medical purpose can include but is not limited to:

    • Prevention of disease 
    • Diagnosis of disease, injury or handicap (including percentage risk scores) 
    • Monitoring of disease, injury or handicap

    For example, CE marking should be sought for systems such as triage tools, symptom checkers, or algorithmic decision trees.

    CE marking and regulation by the MHRA are important, as they offer assurances that the device and its manufacturing are of a sufficient quality for the intended use.

    Upon registering with the MHRA, systems are subject to the Yellow Card Scheme for adverse incidents, unexpected results, inaccuracies or concerns over safety.

    Where systems use a third-party symptom checker or the like, it is important to clarify its compliance with CE marking, governance and risk management.


  • Checklist - Management of data

    4. System suppliers should be compliant with the NHS Information Governance toolkit (IG level 2)

    The IG toolkit is a Department of Health (DH) policy delivery vehicle that the Health and Social Care Information Centre (HSCIC) is commissioned to develop and maintain.

    It creates a single standard, combining legal requirements and central guidance as set out by the DH.

    As data handlers and data processors, it is important suppliers are compliant with this.

    Compliance demonstrates that organisations can maintain confidentiality and security of personal information, correctly handle data, and ensure protection from unauthorised access, loss, damage and destruction.

    Individual organisations have to submit their completed toolkits, which are evaluated for compliance and then published.

    IG assurances are required as part of the terms and conditions of using national systems and services.


    5. Cyber essentials (CE)

    (Cyber essentials plus certificate)

    Cyber security is a well-recognised problem within the NHS.

    When handling personal and patient information, it is imperative that systems are secure against malware, hacking and cyber-attacks.

    All suppliers should have a government-approved Cyber essentials certificate or, preferably, a Cyber essentials plus certificate.

    Protection from malware and cyber-attacks has never been more relevant.

    The most recent WannaCry attack exploited a flaw in the Microsoft Windows operating system and propagated through much of the NHS, encrypting data and demanding ransoms for its return. However, different forms of malware may be transmitted in different ways. The initial transmission could be from an infected email, website or from a USB stick.

    Maintaining up-to-date operating systems, using antivirus software, and downloading from approved sites only are crucial to prevent attacks.

    Devices and software must therefore be kept up-to-date. Even when the supplier is Cyber essentials certified, users may still be vulnerable if their own operating systems and software are outdated.

    It is also important to ensure suppliers are not using unsupported operating systems or Internet browsers to access the online consultation systems.

    New vulnerabilities in software or devices can occur.

    For this reason, updates or ‘patches’ are released regularly to address any potential security breaches. Updates should be applied regularly in order to ensure maximum protection.

    Cyber safety should include firewalls to secure your connection, security settings for devices and software, and controlled access to data and services based on job roles, on a need-to-access basis.

    From April 2018 the new Data Security and Protection Toolkit (DSP Toolkit) replaces the Information Governance Toolkit (IG Toolkit).

    It will form part of a new framework for assuring that organisations are implementing the ten data security standards and meeting their statutory obligations on data protection and data security. This will include information governance, a General Data Protection Regulation (GDPR) checklist, and Cyber security.


    6. Patient Identification and Authentication

    Practices have a legal obligation to provide a secure and confidential service.

    Identity verification and authentication protects both patients and practices from unauthorised disclosure of personal or confidential information and any fraudulent activity.

    Practices must have processes in place to adequately authenticate and verify the identity of a patient, ensuring that the applicant for online access is the same person whose recorded identity the account is associated with.

    The verification process should allow an applicant to prove their identity, while preventing those trying to claim to be somebody they are not.

    Many system suppliers may take down the date of birth, name and address of patients in order for practices to verify them against their records. However, this is not sufficient, as this information could be available to friends, parents or family members.

    The responsibility of verification and authentication falls on the practice.

    Where data breaches occur, practices may be at risk of financial penalties. Where patients have consented to carers, parents or relatives communicating with the practice using online consultations, they should have a separate identity verification process and be granted authorisation by proxy.

    Correctly verifying the applicant’s identity is necessary when prescribing, advising treatment plans or making onward referrals to other healthcare professionals. Further information about the steps that can be taken may be found via NHS England, Patient Online Services in Primary Care, and Good Practice Guidance on Identity Verification.


    7. General data protection regulation (GDPR)

    The EU General Data Protection Regulation (GDPR) will come into effect in May 2018.

    For the purpose of the online consultation fund, it is worthwhile reviewing evidence of suppliers’ future compliance with GDPR. This will replace the Data Protection Act 1998.

    Within GDPR, practices are designated as data controllers and suppliers as data processors.

    Both of these roles will be under greater scrutiny and will be legally required to demonstrate compliance with the regulation.

    The purpose of the regulation is to create greater transparency with the handling of data, as well as better informed consent with how data is used.

    Patients, as data subjects, will have greater access to their data and non-compliance with regulations will face greater penalties.

    When procuring systems from suppliers who act as data processors, it is crucial to check suppliers are compliant and conform to the regulation requirements.

    If any data breaches occur, system suppliers should support practices to report and investigate them, and comply with the requirement to notify the Information Commissioner's Office (ICO) within 72 hours.

    Data disclosure requests from patients may include information processed by the online consultation systems. For this reason, it is imperative that records held by the supplier are as robust and accurate as possible, securely held within the U.K. and easily accessible to the practice.


    8. Record keeping

    Interoperability with existing GP operating systems enables data to be electronically transferred directly into the patient’s clinical records. Online consultation systems should use recognised clinical coding systems to facilitate this (e.g. SNOMED CT).

    Manually transferring clinical information from one clinical system to another can increase workload and the risk of errors, as well as negatively impacting on continuity of care for the patient.

    Where systems use artificial intelligence or symptom checkers to signpost patients to other services, it is important that this information is captured and relayed to the GP and integrated into the patient’s clinical records.


  • Checklist - Risk management

    9. Consent and capacity

    Guidance on consent published by the General Medical Council (GMC) states that consent is obtained via a two-way dialogue, with the amount of information shared tailored to the patient and guided by the patient’s individual circumstances.

    When using online systems to communicate with patients, it is important to ensure consent has been obtained, such as when ordering investigations or referring the patient remotely.

    The appropriateness of online consultations should be reviewed carefully for patients for whom capacity may be of concern.

    The completion of an online form does not imply that the patient has capacity. Capacity is decision-specific and can change.

    This is important to consider when consenting patients to investigations or treatment digitally. It is also important to assess capacity when a patient declines advised investigations or treatment.

    Where family members, carers or relatives use online consultations on behalf of the patient, practices must ensure consent has been obtained.


    10. Safeguarding and safety netting

    Online consultations may not be appropriate for all patients; practices should take the necessary steps to check the appropriateness of the service for the patient. For example, practices should consider face-to-face consultations for the following patients:

    • Under the age of 16
    • Require a physical examination
    • Suffer from complex medical problems
    • Lack capacity
    • At higher risk of deterioration
    • Poly-pharmacy and controlled drugs
    • Complex psychosocial issues
    • Mental health concerns
    • Intimate issues (such as miscarriage)
    • Where there is a need to break bad news or complex ethical issues.

    Where patients are recognised as vulnerable adults or children in need, or on the child protection register, consider the balance between face-to-face and online consultations and a process to flag these patients.

    In circumstances where patients may not have regular access to an internet connection or computer technology, or may not be IT literate, steps should be taken to provide alternative routes for consultation, either face-to-face or by telephone.

    Compared to face-to-face consultations, online consultations limit the scope of information collation and continuity of care, and can present a safety risk. An error in triage could compromise safety and/or quality, leading to treatment delay, or even harm.


    11. Liability and risk

    When using digital systems, triaging tools and symptoms checkers, it is important to recognise the risks associated with the use of these systems.

    Inappropriate triaging of patients, wrong decisions from using symptom checkers, or failures in the electronic transfer of clinical data to the clinician, could all result in harm to the patient.

    Suppliers should be accountable for the performance of their systems and continue to improve the quality of their systems as a result of this.

    Systems that rely solely on transferring data via the Health and Social Care Network (HSCN – previously N3) to an account, without storing or capturing clinical data on a back-up server, can pose a significant risk.

    Server downtime or issues with network connectivity, including, can result in the failure of transmission of clinical data. Without an audit trail, root cause analysis and risk reduction will be challenging.

    Where suppliers rely on practice websites to host their systems, suppliers are unlikely to take responsibility for the security and protection of the host websites. Practices should check that their websites are secure with the necessary cyber essential certification to protect from malware, hacks and cyber attacks.

    Many system suppliers currently consent patients to disclaimers and terms and conditions to waive any accountability associated with using their systems and subsequent harm that may occur. This is unacceptable and could be subject to legal challenge.

    When procuring these systems it is important to check with the system supplier how patient data is used, for what purpose and what they are consenting patients to.

    We have reason to believe that some providers of online consultation tools may be seeking to introduce terms into their contract that purport to exclude all liability for loss or damage caused by using materials they have produced.

    Members should be cognisant that such broad waivers of liability are likely to be regarded as ineffective at law.

    Specifically the Unfair Contract Terms Act 1977 renders any attempt to exclude liability for death or personal injury caused by negligence as being ineffective at law. When a clause is rendered ineffective the whole clause is likely to fail with the effect that there is no limitation upon the liability of the provider of the online consultation tools.

    As always, members should take specific professional legal advice before making any decisions on how to proceed. This information is provided for guidance only, to alert you to a potential flaw in the contractual arrangement that some providers may be seeking to put in place.

    BMA members are entitled to discounted rates when seeking legal advice from BMA Law


  • How to get funding for online consultation systems

    A new £45 million fund for online consultations will be allocated to CCGs on a weighted capitation basis, once a plan for delivery by the CCG has been signed off by NHS England.

    This is a one-off transformation fund as part of the General Practice Forward View (where a commitment was made to increase the use of online consultation systems), and does not constitute a commitment to on-going funding after the 3-year period.

    On-going allocation of funding after year 1 will depend on evidence of uptake by practices and focused actions to realise the benefits of this approach for patients.

    CCGs will procure licences for systems on behalf of their practices, and in most areas procurement will be undertaken at scale across STP footprints.

    CCGs will have access to procurement advice from the national commercial and procurement hub for primary care IT.

    This hub will introduce a dynamic purchasing system (DPS, or ‘framework’). The framework will provide assurance that all relevant standards for information governance, safety and software interoperability are met.

    We would strongly urge that only products that have met the standards in this framework are procured.

    If products are procured outside of this framework, then CCGs and practices may not have the assurances they need that the system developers have met the highest standards of governance.


  • What GPC thinks

    GPC England has concerns about system suppliers who are consenting patients to using their personal and clinical data for commercial purposes. Where this is done through an NHS provided service, it can be both misleading and dangerous.

    GPC England’s concerns have been flagged to both NHS Digital and NHS England to address these issues. GPs and patients cannot be held liable for system failures out of their control.

    Read more about GPC England's stance on online consultations and consultation systems

