NHS Mail and Secure Email

NHS.mail – Secure, Fast and Free Communication

To create new NHS Mail accounts, Registered Care Providers should publish their Data Security and Protection Toolkit (DSPT) to “Approaching Standards”, which means answering just 27 questions about how you manage Data Protection and Cyber Security risks.

The DSPT is a free annual self-assessment and publishing to either “Approaching Standards” or “Standards Met” ensures NHS mail remains available to Care Providers for free.

The DSPT may also be your key to unlocking other NHS digital platforms: it helps answer KLOEs, it is about to become a contractual requirement for commissioned services, and it is a recognised way of asserting GDPR compliance. Lots of support and guidance around DSPT, including registering and publishing, can be found here.

All NHSmail account users – PLEASE NOTE!

NHSmail personal user accounts will be deactivated after 30 days of inactivity.

If you have an nhs.net user account, please ensure you are using it regularly to keep it active. Please log into the NHSmail portal at least every 30 days and send an email from your account.

*For more information regarding deactivated or deleted accounts, see the FAQs in the ‘Guidance Documents’ section below.


Some NHS Trusts are now requiring care providers to have NHSmail in place to share hospital discharge information.
The national policy is that mail containing health and care information sent to and from health and social care organisations must meet the Secure Email Standard (DCB1596). There are two routes care providers can take to ensure their email meets the secure email standard (DCB1596):

  1. NHSmail
  2. Secure email accreditation

For each of these you must first complete and publish the Data Security and Protection Toolkit to at least ‘Approaching Standards’.

To minimise delays to hospital discharges, please ensure you have either one of these forms of secure email in place.

There is more information about secure email here

What is secure email?

Email was developed when the Internet was a much smaller place, to standardize simple messaging between people using different kinds of computers, so security was not built in. Because of this, and changes to the Data Protection Laws (GDPR), anyone who collects or sends personal data must now use a secure email service, such as NHS Mail. NHS Mail is currently available for free to Care Providers, by filing a simple form. We can help you.

To support delivery of care, Providers have NHS Mail or a secure email to enable e-prescriptions, information sharing across systems and essential digital services.

There are 2 routes you can take to ensure your email is secure by NHS England Standards:

  1. NHSmail – see more information below
  2. Secure email accreditation – more information available here

Signing up to NHSmail

Once you have completed your DSPT and met either ‘Approaching Standards’ or ‘Standards Met’, you are eligible for NHSmail.

Sign up at this link: NHSmail 2 Portal Home

The application will be processed by the national administration service, who will send you your log-in details.

Each home can have a shared mailbox which multiple members of staff can have access to, allowing users to send emails ‘on behalf’ of the mailbox. A shared mailbox needs to have at least one “owner” and one “member” linked to the shared account and only the nominated owner(s) can delegate access to the mailbox to others. See Training Guide for NHSmail for how to give and remove access.

Please note that registering for NHS mail is for new users only.

If you have an NHS mail account already then please see the FAQs below and the Training Guide for NHSmail.

Self Management

Larger providers with multiple sites, who have the necessary IT infrastructure and resourcing to carry out administration activities for their own NHSmail accounts, co-ordinated by their own Local Administrators, can take the Self Management route. To apply, please complete the self-management application form here.

Please also note, this is for CQC registered services only.

Registering for non-CQC registered organisations

If your organisation has been commissioned locally and the commissioning organisation has stipulated the need for NHSmail, they should provide you with sponsor email accounts for the duration of your contract with them.

If you are supporting the NHS nationally, complete the NHS access process form here and submit this to feedback@nhs.net

Help with NHSmail

If you have a query or are experiencing issues with NHSmail refer to the guidance documents and FAQs below under ‘Guidance Documents’.

If you are unable to find an answer to your query, email or call the National Administration Service Helpdesk via the details below.

Email: helpdesk@nhs.net 

Phone number: 0333 200 1133

Guidance Documents

To find out how to sign into your account, reset a password, change password, add people to a shared mailbox and more, access this document:

Training Guide for NHSmail

The below guidance document provides information on how to safely share personal confidential data via email.

Sharing Sensitive Information by Email

In addition to the above resources, please see below for some FAQs regarding NHSmail.

My account has been deactivated. How do I recover it?

You can reactivate your account by signing into it as usual (including your shared site mailbox).

If this does not work, email, or call the national administration service:


0333 200 1133

User accounts are deactivated or deleted as unused accounts present a security risk to the NHSmail platform.

Disabled accounts are classified as inactive whilst in a disabled state; they will remain on the platform for 18 months with no additional activity required.

New user accounts that have been set up but have not accepted the Acceptable Use Policy (AUP) or set security questions will be moved to inactive within 30 days from creation.

User accounts move from:

  • Active to deleted if 60+ days of no activity
  • Active to inactive if 30-60 days of no activity
  • Inactive to deleted if 30+ days in inactive state
  • Accounts that move to deleted state will then have 30 days to be restored, if required.

If your account has been deleted, please call the Helpdesk.  They will be able to confirm if your account can be restored or not.  If not, you will need to request a new account.

What do I do if I am locked out of my NHSmail account?

Email or call the national administration service:


0333 200 1133

If you are unable to answer your security questions, the helpdesk will use your mobile phone number to authenticate you. If you do not have a mobile number on the directory, the shared mailbox owner will need to contact the helpdesk to confirm they can authenticate you and reset your password.

People have left the organisation and we have lost access to the shared mailbox. How do I regain access?

Call the national administration service:

0333 200 1133

(Do not email)

Keep note of the Incident Ticket Number allocated to you as this will be needed for any follow up support needed.

What do I do if I am moving to another social care provider or leaving social care altogether?

If you are leaving your organisation, you need to email helpdesk@nhs.net to notify them so that they can mark your account as a ‘leaver’. After 30 days, accounts marked as ‘leavers’ will be permanently deleted.

If you are moving to another social care provider, you will also need to inform helpdesk@nhs.net so they can mark you as a ‘joiner’ to your new organisation.

For more information, access the Leavers and Joiners Guide

What do I do if my name changes?

If your name changes, for example, you get married and change your surname, you should email helpdesk@nhs.net , who will edit your name and update your email address.

Your old email address will remain associated with your new account. If another user sends an email to your old email, it will be re-directed to your new email address.

How do I hide my mobile number from the NHS Directory?

It is not recommended for any user to remove their mobile number, especially if you are the owner of a shared mailbox, as this will be used by the helpdesk for any authentication checks.

However, to hide your mobile number:

  1. Log in to your account
  2. Click ‘Profile’ in the navigation bar at top of the screen
  3. Click on ‘My Profile’ tab
  4. Click ‘Hide mobile number from address book’ option

How many user accounts am I allowed?

The default account allowance is up to 10 named user accounts and 1 shared mailbox per site

If you require more than 10 accounts, this is the process to follow:

You will need to provide:

  • Justification for requiring the 10 plus accounts.
  • How many additional accounts are required
  • Confirmation that you already have access to 10 mailboxes and that they are actively being used.  (NAS helpdesk can check the activity of the SMB to see how many active/inactive users are already linked and will prompt the user to ensure any inactive accounts are logged into before the request can be progressed.)


  1. Once this has been sent to the helpdesk, they will issue you with a ticket reference number – keep a note of that.
  2. If they deem your justification acceptable, and the Minimum Data Set (MDS) is met, the NAS helpdesk will send you an Excel spreadsheet to complete, detailing the new user details for each new account requested. However, if the justification is not acceptable, the helpdesk will seek further guidance from NHS Digital and discuss solutions with you.
  3. The NAS helpdesk actions the request – once NAS has the MDS, they will aim to complete the request in 5 working days.
  4. NAS helpdesk will inform the user and update the automated ticket number that has been raised.


Email template (to be completed by care provider and sent to NAS helpdesk – as mentioned above)

Dear Care Admin Team,

We require new user accounts for our shared mailbox. The new users will take our shared mailbox total to over ten users. We require these extra accounts because [insert justification reason]

Number of new users required: x

Data breaches reported in the social care sector 2022 H1

The ICO’s analysis for the first half of 2022 shows the most common data breach incidents reported by social care organisations in that 6 month period were:

  • Data emailed to incorrect recipient
  • Loss/theft of paperwork or data left in insecure location
  • Unauthorised access to information


What you can do to stay safe:

  • Double check you have the correct recipient in your To or CC fields or are using the Bcc field when necessary.  This can be reinforced through ensuring your induction and annual refresher training covers data protection and cyber security good practice.  NHSmail will do the rest to keep sensitive information secure.

Using NHSmail will reduce the need for paperwork and reduce the risk of data being lost or stolen as it is a secure service.

  • Ensure you have good data protection and cyber security policies and procedures in place.
  • Completing and publishing your DSPT will tell you how best to do this, and it is the prerequisite for your access to NHSmail.

List of Providers with NHS or Secure Mail