For Private Medical Practices

Encrypted records for a delicate profession.

Patient records, informed consents, laboratory reports with end-to-end encryption. Article 9 UK GDPR compliant for special category health data. Pathway for import from patients (WhatsApp) and labs (email) with whitelisting.

GDPR: Art. 9 compliant
Encryption: AES-256 E2E
Access logs: Per-patient audit
Infrastructure: 100% EU

The reality of private practice

Three problems every private practice lives with

Lab reports via email

The affiliated lab sends test results by email. The patient asks for a copy, and you forward it with Gmail. The message arrives with the name of the test in the subject line: special category data travelling through Google servers, indexed, backed up on iCloud. Technically the worst scenario for Article 9 health data.

Consent signed on paper, scanned, lost

Before an invasive treatment, the patient signs informed consent on paper. You scan it, file it in a folder on the desktop. Three years later, medico-legal dispute: "did you really obtain consent for that specific procedure?" The scan has low-resolution handwriting, no proof of when it was signed, no demonstrable link to that patient on that day.

Patient records fragmented between systems

Radiology on DICOM, lab reports in PDF in Gmail archive, clinical notes in the practice management software, photographs of dermatological follow-up on WhatsApp. Reconstructing the clinical history of a patient who returns after 5 years is an hour of aggregation across four systems, with high risk of error.

Built for clinical safety

Features designed for patient privacy

Lab reports and consent import

The patient sends the signed consent photograph via WhatsApp, the affiliated laboratory sends the report by email. Forward to a dedicated practice address: everything lands encrypted in the correct patient folder. No desktop download, no traffic through Gmail or vanilla WhatsApp. Article 9 GDPR health data is handled in volatile memory only for the time the checks technically require, and is never written to disk in plain text.

Patient folder with Art. 9 compliance

Each patient has their own vault, structured for clinical practice: anamnesis, visits, consents, lab reports, imaging. Every individual access is logged for Art. 9 accountability. Granular permissions if the practice has associates: each clinician sees only assigned patients.

Digital informed consent

Consent forms are signed digitally with PIN + 2FA. RFC 3161 timestamp, cryptographic link to the specific patient, to the specific procedure, to the specific day. In case of dispute, evidence is mathematical: patient X consented to procedure Y on date Z at time W.

Patient portal with secure access

The patient has access to their records via personal portal. They can see their visit history, download their reports, request copies. No more email exchanges of sensitive medical content.

Lab and specialist integration

Affiliated laboratories and external specialists can be invited as "external suppliers" with access only to the specific patient for the specific episode. Access time-boxed (e.g., 60 days from the request). All interactions traced.

Medical retention configured

UK GDPR requires health data retention adequate to medical purpose: NHS retention is typically 8 years after end of episode. Private practice retention varies by specialty. Securoo configures retention per case, with certified deletion at expiry.

How it actually works

A first consultation, done properly

Dr Anderson runs a private dermatology practice. A new patient books a consultation for a dermatological concern. Instead of asking the patient to fill in a paper form in the waiting room, Dr Anderson opens Securoo and creates the area "Brown — First consultation 2026-03".

Dr Anderson sends the patient an SMS with a personalised link. The patient, from home, uploads: medical history questionnaire (pre-compiled), photographs of the affected area, identity document. Each upload is encrypted on their device.

Day of consultation: Dr Anderson has already seen everything before the visit. Dr Anderson prescribes a biopsy and generates the informed consent form directly in the platform. The patient reads, signs with certified acknowledgement. The consent is linked to the specific procedure, the specific day, the specific patient.

The affiliated lab receives the biopsy sample and sends the histological report by email to the dedicated Securoo address. Dr Anderson sees the report appear in the patient's folder, reviews it, writes the clinical note, shares the outcome with the patient via the secure portal.

Two years later, the patient returns for a follow-up with another specialist in the same practice. The colleague is invited to the patient's folder: reads the complete history in 3 minutes, without having to reconstruct anything. The patient is surprised: "you already have my whole story?"

Before Securoo, before each new patient I asked to print the history questionnaire, fill it on paper, then I scanned it in the evening. Three hours a week, for 300 patients a year. Now they fill it at home, signed digitally. Hours saved that I can spend on patients.

Dr Elena A., Dermatologist — Private practice · Birmingham

FAQ for private practice

Questions from the medical community

Is this NHS Data Security and Protection Toolkit (DSPT) compliant?

Securoo's technical controls align with the DSPT requirements for health data processors. For practices directly contracting with NHS, we provide supporting documentation for your DSPT submission. Note: the DSPT is obtained by your practice, not by us — we are the processor that helps you meet it.

Does this replace my Electronic Patient Record (EPR)?

No. Securoo is a document vault, not an EPR. It works alongside EPR systems (SystmOne, EMIS, Cliniko). In the EPR you keep structured clinical data; in Securoo you keep document-based data (consents, PDFs, images), cryptographically linked back to the patient.

Digital informed consent: is it legally valid in the UK?

Our digital consent is an advanced electronic signature (PIN sent by email + RFC 3161 timestamp). Under the Electronic Communications Act 2000, it has full legal validity for medical consent where specific formal requirements are not imposed by statute. The timestamp also evidences the *time spent reading* the document before signing — something a paper signature never proves. For research consents under specific statutes that explicitly require a qualified electronic signature, a separately-issued qualified signature is needed.

What about CQC inspection readiness?

The audit trail and access logs directly support CQC expectations on information governance and patient confidentiality. Export a signed governance pack in one click. Regulations updated to match the current CQC framework.

Patient confidentiality at the standard it deserves.

7 days free trial, no card required. Pre-configured for UK private medical practice. BMA and RCP member discounts available.