Compliance - A user's guide

The law around messaging is changing

Ill-served by inefficient, out-dated communication systems based on landlines and bleepers, up to 89% of UK doctors now use consumer messaging services like WhatsApp, Messenger, Skype, Snapchat or Telegram to supplement communication. These services might be encrypted but they are not compliant with NHS Information Governance rules or new healthcare data protection legislation such as the European General Data Protection Regulation (GDPR). As a result, using them to send patient identifiable information can automatically qualify as a data breach


What's GDPR?

If you're running a GP practice, a private health practice or a health trust then by law from 25th May 2018 you must publicly report any data breaches that occur within your business - and you can be fined up to 4% of your annual turnover for each one! It will not take many such breaches to destroy your finances... and this is why we've created Hospify. 

Don't take our word for it. Read more about it here and here. The General Data Protection Regulation is going to have an enormous effect on British and European businesses, Brexit notwithstanding (the GDPR's tenets are already part of UK law). It's worth reading Information Commissioner Elizabeth Denham's recent keynote speech on the subject, which outlines the impact the new legislation will have. 

"GDPR brings a more 21st century approach," notes Denham. "The right of consumers to data portability is new, as is mandatory data breach reporting, higher standards of consent, and significantly larger fines for when companies get things wrong." This is the tough new regulatory environment that Hospify has been built for - an environment in which the consequences of hospital staff using non-compliant comms like WhatsApp, Viber, Facebook Messenger, Snapchat, Slack, Skype and Telegram are going to be very severe.


What's wrong with normal chat apps?

These everyday chat apps might be encrypted but that alone is not enough to make them align with UK and EU health data laws. Have you ever received a picture on WhatsApp? Have a look in your phone's main photo gallery. The picture will most likely appear there, as well as in WhatsApp itself. This is because nearly everyone's devices automatically backup such pictures to cloud services that are likely to be geographically-located outside of Europe. Even if you switch the feature off, gaffs by Apple and others can mean it gets switched back on without your knowledge. And of course these apps send messages via non-European cloud services as a matter of course and, worse, store them there beyond the easy access of subject data access requests.

These are just some of the many ways in which standard consumer apps fall foul of the law when it comes to patient-identifiable health data. But Hospify is different. Hospify is specifically designed, not just to deliver messages securely, but to keep them confined to your device instead of floating around in a server cloud that could be located anywhere on the planet (the new legislation insists that all EU health data is only transmitted by servers that are physically situated in Europe).


How do I comply?

Given that these new rules are coming - and in some cases are already here - what can you do to comply with them before you get fined? Firstly tell your healthcare colleagues, staff and patients to stop using WhatsApp and other apps like it when they're at work, and to install and use Hospify instead. On the surface, they won't notice a great deal of difference; Hospify looks and feels much like any other messaging app. But underneath, there's all the difference in the world. 

Secondly, to be fully compliant, health professionals who make the wise decision to switch over to Hospify need to tell their patients they're doing it. Don't worry - you don't have to tell them one by one! All you have to do is put a sentence or two in the privacy policy on your Trust's or practice's website. Something along these lines should do it:

"In order to protect patient confidentiality and abide with European health data protection guidelines, all staff in this Trust/medical practice use Hospify when they communicate using their mobile devices in the course of their work. Hospify securely encrypts messages, passes them from handset to handset, holds no information about its users communications on its servers, and keeps all communications within the European Economic Area, so abiding by UK data protection and the terms of the European General Data Protection Regulation. For more information please visit"

And that's it. You're done!

Five principles of good data hygiene

Before discussing or sending any information over any digital channel,whether web, email or chat, it’s worth thinking through the following simple checklist.


1. WHAT is the nature of the data you’re sending?

Is it sensitive? Is it about someone else? If so, can you make them anonymous (take out their name if you’re sending a text; crop out their face or other distinguishing features, if it’s a picture). If you can’t anonymise them, are you using a fully compliant service like Hospify?

2. WHY are you sending it?

If you are sending information about someone in the course of providing them with healthcare, you do not need their direct consent as long as you are doing it in the course of your job and are handling it in a sensible and responsible manner (this is called “fair process without consent”). If this doesn’t cover what you’re doing, you probably need to get their permission first.

3. WHERE is the data going?

Are you sure that the servers the data will travel through and be stored on are all in the UK or Europe? Do you know where the data will be stored? Will the data be deleted once it’s been sent? (Clue: Using a service like Hospify really helps with this!)

4. WHO defines the guidelines for handling the data?

If you’re sending the data in the course of your job, your responsibilities in handling data will be defined by your employer. You should therefore make sure you’re familiar with their information governance (IG) policies. These should include a set of recommendations for best practice.

5. WHEN do you stop needing the data?

Once you’re finished with the data, the best thing to do is delete it from your phone. If you think there’s a medical or legal reason to keep it, you should make sure you record it in the patient’s medical record or pass it to the appropriate manager for proper archiving.

Download our leaflet!


You can print out this leaflet onto two sheets of A4 paper and pin it up on your workplace noticeboard to increase awareness about the role Hospify can play in improving data compliance. If you're feeling enterprising you can do a double-sided print onto a single sheet of paper, fold it in half, and turn it into a leaflet and distribute it that way. And if you don't feel like printing anything, email us on, and we'll send you a pack of pre-printed leaflets and pens to hand out to your colleagues to encourage them to start messaging with Hospify!