NHS App delays repeat prescriptions

Yesterday, (2nd July 2018), Jeremy Hunt our Health Secretary, was shown in a BBC interview1 with Rory Cellan-Jones as saying:

“[the NHS app]…puts patients in control…”

So, I write this post with a frustrated mindset, because my experience yesterday morning of an app that claims to be:

‘in partnership with the NHS’ left me, shall we say, ‘disappointed’.

This is my account of being far from in control! I had been using a repeat prescription app quite happily for sometime, but what was working, is now no longer. The refreshed look removed functionality. Not much of an upgrade!

And these new issues require me to phone the already overloaded GP surgery to arrange a visit to request a trivial repeat prescription….

Have you used the repeat prescription website EMIS?

EMIS was a repeat prescription website that GP surgeries had access to. The new site claims:

more than half of GP practices are connected…

It ‘put[s] patients in control’ of their repeat prescriptions (I understand it can do other things dependent on your surgery’s adoption of the capability e.g. book appointments).

Recently it’s been ‘refreshed’ and now its: www.patientaccess.com ‘…in partnership with the NHS’.

Yesterday’s less than satisfactory experience

About 9am in the morning of 2nd July 2018, I went to the usual EMIS web address and saw the fresh look.

I like it. It’s clean and modern. Tick.

So, I wondered if the user experience would be improved? With the previous design, I thought the request a repeat prescription facility, was, how do I put this, hidden/not exactly obvious…

However, (you knew that was coming didn’t you…) the new look site began to put me through an email revalidation process, as (I imagine?) they had to move my data from their old system to their new one.

This it seems all hinges around my email address (more on that later).

Email revalidation? Why?

Point 1

Now, I really struggle with the moral concept of trying to deny patients their repeat prescriptions if they haven’t used the site for a while (my point 1 in the callout box) So, surely, that’s not the intention… that would risk lives that were dependent on maintenance of their prescriptions. So, why am I doing this?

Point 2

I was not asked about new Terms and Conditions (or if it did, I missed it – as I imagine 99% of users would). Repeat: why am I doing this?

I always struggle with the idea of this revalidation process. To me it seems that IT need to do the work not the user.

Usually, the ‘business’ justifications for revalidation are:

1. Lose inactive subscribers (because after a period of time you disactivate the migration process)
2. Insist on new Terms & Conditions

So what?

To me it seems there are two possible explanations for the insistence on revalidating my email address:

  1. IT were just lazy and should have imported the patient data into the new site.
  2. Or perhaps this was a way round GDPR dictates concerning movement of personal data?

Hmmm. 

Form not secure error?

Then things went wrong.

I logged in to the new site and began the revalidation process (starting with my daughter – just by chance).

I operate 4 accounts, as I’m lucky enough to have a wife and 2 kids (2 years and 6 years – which is pertinent in a moment).

My password browser plugin then tells me the form is not secure, although I see a padlock in the address bar?

What’s wrong with the SSL certificate?

I wondered if it was the password tool playing up or the site’s SSL certificate?

So, I looked a little deeper. Not going to get technical as to what is apparently wrong (because I’m not entirely sure! I need an IT whizz here).

After researching this issue some more this morning (3rd July 2018), I am inclined to consider its not a big issue and any data submitted is ‘probably’ secure2.

But probably doesn’t build trust. So, my point remains:

I was discouraged from proceeding (again) as I was led to understand that my personal data is at risk, should I fill in a form when the site is (apparently) not secure.

Next account: Mine. Fail

I ignored the insecure form error (gulp) and requested the repeat prescription for my daughter.

It went smoothly. Tick.

Good.

I duly logged out.

Then, I logged in with my own account details, and began the revalidation process again (as above). I entered my email address into the form and hit upon another problem:

My email address can only be associated with 1 account.

Now, perhaps I’m missing something here. Perhaps I can have 4 accounts with 1 email address.

I look forward to finding that out.

So my kids need their own email address?!

Its probably OK for most IT situations to insist that one email account is associated with one patient record, but its not OK to insist that a 6-year-old (let alone a 2-year-old) must have their own email address to get their prescriptions.

Certainly, there are ways around this (e.g. an alias or addition of characters to gmail addresses) but this presents a knowledge and user barrier. Fail.

I don’t have the time or inclination to fiddle with this, so I will have to resort to calling my GP surgery and requesting a repeat prescription over the telephone. That will go well I’m sure…

Patients in control?
Saving time and money?
Fail and Fail.

Again.

What are the possible solutions?

  1. Kick IT (and/or bin the revalidation process)
  2. Listen to the data ‘Police’ and jump through their hoops to make importing data into the new system GDPR compliant
  3. Secure the website form (seriously?!)
  4. Permit multiple accounts on one email address so families can use the site. (I see a hint about Proxy access coming soon – perhaps thats it?)

If securing the website doesn’t happen, then the free Opera browser comes with a built-in and unlimited VPN.

Summary

Why the revalidation process?

I think that IT need their ass kicked to do their job and import the data from the old site. And if the ‘data Police’ want things done in a certain way then do as your told!

Why the ‘school boy’ error of a not secure website form?

Come on sort it out!

Why can’t I use my email address with different accounts?

No, I’m not getting my kids an email address. Thank you very much.

Until this is resolved, the site is now useless for me as a family man.

For reference

What is a VPN?
A Virtual Private Network is a connection method used to add security and privacy to private and public networks, like WiFi Hotspots and the Internet. Virtual Private Networks are most often used by corporations to protect sensitive data.
Why would I need a VPN?
How about when the website you use to order your repeat prescriptions has a security certificate error…. Oh we covered that.
Anytime that you want to make your website activity safer. For instance if you used internet banking, HMRC or a health website.

Related

Here’s some personal data and privacy related posts from our blog: https://snorer.com/blog/data/

References

Here’s the BBC news article and about the best explanation I can find of this SSL certificate issue:

  1. BBC Health. NHS app: Will it cut down on wasted appointments? https://www.bbc.com/news/technology-44676493  [accessed 3rd July 2018]
  2. SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions: https://www.tenable.com/plugins/nessus/56284  [accessed 3rd July 2018]

All trademarks belong to their respective owners and are acknowledged. www.patientaccess.com  is the website of Patient Platform Ltd.

Post created by Adrian Zacher. Last updated 3rd July 2018.

What do you think?

Leave a comment right now. Let me know if you feel ‘in control’ of your data or if I’ve missed the point… Or if you know what is happening to the SSL certificate, when proxy access will arrive or how I can admin my kids repeat prescription requests…