Using video conferencing and consultation tools
Published: October 2020
Updated: August 2023
Video conferencing and consultation tools are important. They are used for consultations with patients and service users. They are also used for communications between health and care professionals when working remotely. We encourage their use to support the delivery of care.
This guidance sets out how they can be used safely from an information governance perspective.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
Your health and care provider may offer you a video consultation as a way of communicating with you. This is a consultation carried out using your phone, tablet or computer. You can read more about this on the NHS website and watch a helpful video on contacting a GP remotely.
Your health and care organisation should be able to provide you with information about how your personal or confidential patient information is used during a video consultation. The following will help to protect your confidentiality:
- Make sure that you have a safe, quiet, confidential place that is free from interruptions for your consultation
- If another person is present in the room, you should consider making your health and care professional aware, particularly if the other person remains quiet or is not visible to the health and care professional. This helps your health and care professional avoid inadvertently breaking confidentiality
- Your health and care professional will inform you if anyone else is in the room with them and ask if you are comfortable with this, for example, if they have a student doctor working with them
- You may be asked to confirm your details, for example, name and date of birth to ensure you are the right patient or service user.
Recording sessions
- Your health and care professional will take notes as they would do in a face to face consultation. If your health and care professional wants to digitally record the consultation, they will need to ask your permission.
- If you wish to record the session with your own applications or another device, it is good practice to advise your health and care provider in advance and, out of politeness, check they are happy with this.
- If you have any concerns when offered a video consultation, please speak to your health and care organisation.
Guidance for healthcare workers
This guidance specifically covers information governance considerations for:
- video conferencing (with colleagues)
- video consultations (with patients or service users)
The principles are broadly the same; however, there are some specific considerations for consultations with patients or service users.
Using video conferencing or consulting tools securely
These steps will help ensure that you use video conferencing and consultation tools securely:
- Follow your organisation's policies on information governance (IG) when conducting video conferencing or consultations. These should set out how it can be done safely, for example, confidential matters should only be discussed in a private space
- Download all necessary updates for your video conferencing or consultation solution(s) as they become available - these can contain important security patches
- Be aware of phishing risks with links or attachments in video chat
- Set a strong password when activating the video conferencing or consultation account
- Make sure you keep settings as private, for example, when sharing files with colleagues
- Only use devices that have been protected by adequate security
- Access training, if available, so that you feel comfortable using the technology
- For video group calls, for example, meetings with colleagues, hold people who have joined the conference in a waiting area until you have verified their identity
- Take care when using the chat function and remember that this may be seen by all those on the call, including those who have left a call before it finishes.
Specific considerations for consultations with patients and service users
You can find broader guidance on video consulting, including clinical safety considerations, in the ‘Principles of safe video consulting in general practice during COVID-19’ (PDF). You can also read specific guidance on remote intimate assessments (PDF).
Protecting confidentiality
- The consent of the patient or service user to accessing and using their confidential patient information during the video conferencing is implied by them accepting the invite and entering the consultation
- Where users do not have digital skills, they can be supported to use video technology by a carer, where available, with implied patient or service user consent to the carer being present during the consultation
- You should ensure that you verify the identity of the patient or service user when using a video consultation and check you have the correct notes
- You should safeguard personal or confidential patient information in the same way you would with any other consultation, for example, ensure there are no patient or service user details visible (such as on a whiteboard in the background) and conduct the consultation in a private area so passers-by can’t overhear
- Avoid inadvertent disclosure of information, for example, do not conduct the consultation in the presence of others without the patient or service user’s permission
- Be clear when the consultation has concluded and make sure the video consultation connection has finished before other conversations start
- When conducting video group consultations with patients or service users (for example, antenatal classes or physiotherapy sessions), ensure that the patient or service user understands they are joining a group session. It is useful to set out the ground rules to protect confidentiality, for example, do not take screenshots or record the session.
Notes and recordings
- If you need to record the video consultation, you should seek the patient’s or service user’s explicit consent. If consent is provided, this should be noted in the patient’s or service user’s health and care record. If you intend to record consultations, then information must also be provided in privacy notices. Notes from the consultation should still be made in the patient or service user record
- In order to keep accurate records, the relevant outcomes should be documented within the patient or service user’s health and care record in the same way as you would for a face to face consultation.
Guidance for IG professionals
It is important that organisations use video conferencing and consulting solutions safely, both for consultations with patients or service users and for communication between colleagues.
Selecting a video conferencing or consulting tool
From an IG perspective, any video conferencing or consulting tool can be used provided there has been an appropriate local risk assessment.
Microsoft Teams has been made available for meetings between colleagues to support communications.
The Dynamic Purchasing Framework and the Digital Care Services or GP IT Futures frameworks provide a purchasing route for nationally assured video consultation solutions for primary care. You can find further information about funding and procurement processes for general practice on the FutureNHS collaboration platform.
Attend Anywhere has been procured nationally for 12 months to support video consulting in NHS Trusts and Foundation Trusts; however, other tools may be in use in your organisation.
Data Protection Impact Assessment (DPIA)
A DPIA is a process to help identify data protection risks. To support compliance with UK GDPR and the Data Protection Act 2018, it should be in place before any video conferencing tool is used. If your organisation is going to process and share personal or confidential patient information during the video consultation in ways not already covered by an existing DPIA, then a DPIA should be carried out. You should make an assessment on whether a DPIA is required.
The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place and a plan or confirmation that mitigation has been put in place. The Information Commissioner’s Office (ICO) has produced guidance on carrying out DPIAs and a template that you can refer to. NHS England and Improvement Primary Care team has published a DPIA template for video consultations. [Note you may need to request access to the workspace].
Risk assessments
It is important to note that it is an organisation’s own responsibility to perform risk assessments on any products that are used. This should look at all risks, whereas a Data Protection Impact Assessment (DPIA) will look at an individual's data privacy rights. Guidance issued by the National Cyber Security Centre (NCSC) may be used to support your decision making. The key considerations include:
- Where is the app or tool sending the data?
- Are video calls encrypted end-to-end?
- Are people able to record meetings (with third party software) freely without authorisation from the host?
- Are there options for video consulting services that offer enhanced security or privacy features?
Ensuring safe use of video conferencing or consultation tools
You should take note of the recommendations below to support the safe use of video conferencing or consultation tools:
- If your organisation has chosen to use free solutions, you are unlikely to have any contract or service level agreement in place with the provider. Using free solutions may mean you do not have any recourse to legal action in the event of system failure
- Local policies should make it clear that only corporate devices or personal mobile devices that have been protected by adequate security should be used. This is typically achieved through network security controls and the use of mobile device management solutions
- You must ensure that all necessary updates for your chosen video conferencing or consultation solution(s) are downloaded as they become available - these can contain important security updates
- You should ensure that staff are aware of privacy settings in any software you are supporting. For example, in Microsoft Teams, it is highly unlikely that anything should be shared as ‘Public’ - if the privacy setting is changed from private to public this gives access to all 1.2 million NHSmail users which includes the ability to view or edit any files placed in that Team
- If information is shared inappropriately, you should seek advice from your Caldicott Guardian, IG or senior staff.
For patient or service user consultations
- The product should support the health or care provider to initiate a video consultation with the patient or service user
- Check that the product being used for the service does not record and store the consultation as a default
- Be clear with patients when a video consultation may be offered and how it will take place. Privacy notices should include information about any third-party products you use to provide video consultation services, provide guidance on the secure use of your chosen solution and advise patients or service users if any personal or confidential patient information collected using these services is likely to be stored overseas.
Further information
- ICO blog on video conferencing
- ICO guidance on conducting Data Impact Assessments
- NHS England has published clinical safety and DPIA templates
- NHS England has published an Online Consultations Toolkit
- Royal College of General Practitioners’ guidance on remote intimate assessments is available
- Healthwatch England report on what makes virtual appointments good - The Doctor will Zoom you now is available.