The NHS Created the Permission. Not the Mechanism.
Since October 2025, private healthcare providers have a contractual right to access NHS GP records with explicit patient consent. But no standard mechanism exists for capturing that consent, governing the access, or proving lawful basis at scale. SafeMesh provides that mechanism.
The Gap Between Permission and Governance
The 2025/26 NHS GP Contract requires GP practices to enable read-only access to patient records for private healthcare providers — but only where the patient has explicitly consented and the provider is delivering direct care. The NHS identified this explicitly as an unmet market need: solutions for private providers to securely request and manage explicit patient permission for NHS GP record access.
The permission exists. What does not exist is the infrastructure for proving that permission was obtained, governed, and audited at scale. Every private healthcare provider who wants GP record access faces the same problem: how do you demonstrate, to CQC or ICO standards, a governed chain of consent and access for every NHS record you touch?
A consent tick-box in a booking flow is not sufficient. If challenged — by the ICO, in a negligence claim, or in a CQC inspection — the provider needs to produce a governed record showing who consented, to what, when, through which channel, and for what clinical purpose. That record must be tamper-evident, independently corroborable, and linked to the specific access event it authorised.
The Data (Use and Access) Act 2025
The DUAA received Royal Assent in June 2025. It does not replace UK GDPR or the Data Protection Act 2018 — it amends them. For private healthcare providers accessing NHS data, four provisions matter directly.
1. The DUAA empowers the Secretary of State to impose binding information standards on NHS IT suppliers. Enforcement tools include public censure and market exclusion. Private providers have a procurement duty to work with compliant suppliers once standards come into force. Vendors already building to NHS FHIR, DSPT, and IHE specifications are positioned ahead.
2. Private providers cannot rely on the NHS's public task as their own lawful basis for processing patient data. For special category health data, that means explicit consent — captured, proved, and auditable. Not implied. Not assumed.
3. Automated decisions involving special category health data remain restricted. Meaningful human involvement must be demonstrable, not symbolic. Human acceptance as the clearing trigger — not system receipt — is directly aligned with this requirement.
4. Organisations must provide an electronic complaints mechanism, acknowledge within 30 days, and respond without undue delay. ICO fines under PECR are raised to £17.5 million or 4% of global turnover. The Evidence Fabric produces the record that enables a complete response.
Four Steps. Seconds in Total. No Additional Steps for the Clinician.
For a private healthcare consultation involving access to a patient's NHS GP record, four things happen in sequence. The governance layer runs underneath the clinical workflow, not on top of it.
1. Before the consultation, SafeMesh checks whether the patient has already given consent for this type of access. If not, a consent request is sent through the most appropriate channel — the provider's app, SMS, or messaging platform. The request is plain-English. The patient's response is recorded in the Responsibility Ledger: who consented, through which channel, to what, when, and for what clinical purpose. A consent reference is generated. If the patient does not respond or declines, the clinician is notified before the consultation begins and the GP record access does not proceed.
2. When the clinician requests the patient's GP record, the consent reference travels with the request as proof of lawful access. Without it, the access is an assertion. With it, the access is evidenced and defensible.
3. The system writes a record into the Evidence Fabric: consent reference, clinician identity, patient identity, time of access, purpose, and record accessed. The patient's GP practice generates a matching record on their side. Both ends of the access event are documented, linked, and timestamped.
4. When the consultation is complete and a clinical action has been taken, the Responsibility Ledger records the outcome. The chain is closed: consent, access, action, outcome. Every transfer that carried clinical responsibility is governed end to end.
The clinician sees the patient record exactly as they would today. The governance layer adds no steps. It removes significant risk.
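The consent, access and outcome chain above, as an added example that is not SafeMesh's code: a small hash-chained ledger in which the consent entry's hash serves as the consent reference, an access request is evaluated to exactly one of Permit, Deny or Defer, and verify() detects any later edit to a past entry. Field names, the reference scheme and the sample values are assumptions made for this illustration.

```python
import hashlib
import json

# Added illustration, not SafeMesh code: a hash-chained ledger in which each
# entry carries its predecessor's hash, so altering a past entry breaks verify().
# Field names and "consent reference = consent entry hash" are assumptions.
GENESIS = "0" * 64

class ResponsibilityLedger:
    def __init__(self):
        self.entries = []

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, kind, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"kind": kind, "prev": prev, **fields}
        self.entries.append({**body, "hash": self._digest(body)})
        return self.entries[-1]["hash"]

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def record_consent(ledger, patient, channel, purpose, response, at):
    """Step 1: who consented, through which channel, to what, when and why.
    response is "consented", "declined" or "pending"; the entry hash is the reference."""
    return ledger.append("consent", patient=patient, channel=channel,
                         purpose=purpose, response=response, at=at)

def evaluate_access(ledger, consent_ref, patient, purpose):
    """Step 2: every consent state maps to exactly one of Permit, Deny, Defer."""
    c = next((e for e in ledger.entries if e["hash"] == consent_ref), None)
    if (c is None or c["kind"] != "consent"
            or c["patient"] != patient or c["purpose"] != purpose):
        return "Deny"  # no usable reference: the access would be a bare assertion
    return {"consented": "Permit", "declined": "Deny"}.get(c["response"], "Defer")

def record_access(ledger, consent_ref, clinician, patient, purpose, record, at):
    """Step 3: the Evidence Fabric entry is written only when evaluation permits."""
    outcome = evaluate_access(ledger, consent_ref, patient, purpose)
    if outcome == "Permit":
        ledger.append("access", consent_ref=consent_ref, clinician=clinician,
                      patient=patient, purpose=purpose, record=record, at=at)
    return outcome
```

Step 4 is a further append("outcome", ...) entry carrying the access entry's hash, which closes consent, access, action and outcome into one chain that verify() checks end to end.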
Operational Visibility: the Clearing Metric
The Clearing Metric measures the fraction of responsibility transfers that have completed within their clinical threshold. Every unresolved transfer shows up in the metric, with its age, until someone accepts responsibility and the clock stops.
How many consultations today have an open, unacknowledged governance event — a consent not confirmed, a referral not accepted, a handover not completed?
Which open governance events are within the safe window, and which have exceeded the clinical threshold and need immediate action? The tail matters more than the average.
The headline metric. A rate of 99.8% means 2 in every 1,000 responsibility transfers exceeded their clinical threshold. Trackable over time. Comparable across care pathways.
For private healthcare operators in commercial conversations with NHS partners, the Clearing Metric is the evidence that care pathways are governed in practice — not just by policy. A live rate, tracked over time, demonstrating that responsibility transfers resolve within clinical thresholds.
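The Clearing Metric as an added, illustrative computation (not SafeMesh's implementation): a per-pathway clearing rate plus the open-event tail with ages, run over constructed transfer records. The rate definition (1 minus exceeded over total), the per-transfer threshold field in minutes and the sample data are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Added illustration, not SafeMesh code: one way to compute the Clearing Metric
# from responsibility-transfer records. The record fields, the per-transfer
# threshold in minutes and SAMPLE_TRANSFERS are all constructed for this example.
SAMPLE_TRANSFERS = [
    {"id": "T1", "pathway": "gp-access", "opened": "2025-11-03T09:00",
     "accepted": "2025-11-03T09:05", "threshold_min": 30},    # accepted in time
    {"id": "T2", "pathway": "gp-access", "opened": "2025-11-03T08:00",
     "accepted": "2025-11-03T09:00", "threshold_min": 30},    # accepted, but late
    {"id": "T3", "pathway": "gp-access", "opened": "2025-11-03T09:40",
     "accepted": None, "threshold_min": 30},                  # open, within window
    {"id": "T4", "pathway": "referral", "opened": "2025-11-02T08:00",
     "accepted": None, "threshold_min": 1440},                # open, past threshold
    {"id": "T5", "pathway": "referral", "opened": "2025-11-03T09:30",
     "accepted": "2025-11-03T09:45", "threshold_min": 1440},  # accepted in time
]

def transfer_status(t, now):
    """'cleared' = accepted within threshold (the clock stopped at acceptance);
    'exceeded' = accepted late, or still open past its threshold; 'open' otherwise."""
    opened = datetime.fromisoformat(t["opened"])
    limit = timedelta(minutes=t["threshold_min"])
    if t["accepted"]:
        return "cleared" if datetime.fromisoformat(t["accepted"]) - opened <= limit else "exceeded"
    return "exceeded" if now - opened > limit else "open"

def clearing_metric(transfers, now_iso):
    """Per pathway: clearing rate = 1 - exceeded / total (so 99.8% means 2 in
    1,000 exceeded) and every unresolved transfer with its age, oldest first."""
    now = datetime.fromisoformat(now_iso)
    summary = {}
    for t in transfers:
        s = summary.setdefault(t["pathway"], {"total": 0, "exceeded": 0, "open": []})
        status = transfer_status(t, now)
        s["total"] += 1
        if status == "exceeded":
            s["exceeded"] += 1
        if not t["accepted"]:  # unresolved: stays in the metric until someone accepts
            age = int((now - datetime.fromisoformat(t["opened"])).total_seconds() // 60)
            s["open"].append({"id": t["id"], "age_min": age, "breached": status == "exceeded"})
    for s in summary.values():
        s["rate"] = 1 - s["exceeded"] / s["total"]
        s["open"].sort(key=lambda o: o["age_min"], reverse=True)  # the tail first
    return summary
```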
Why Existing Categories Do Not Solve This
Before explaining what SafeMesh does differently, it is worth being precise about why existing categories fail to solve the governance problem at care boundaries.
| Category | What it does | Why it does not solve the governance problem |
|---|---|---|
| EPR / Clinical System | Records clinical data, diagnoses, medications, letters. | Records what happened clinically. Does not record who was responsible under what authority, whether handovers completed, or whether consent for cross-boundary access was obtained and proved. |
| Workflow / Referral System | Routes tasks and documents between organisations. | Routes the work. Does not create a legally defensible chain of custody for responsibility. A referral sent is not a responsibility accepted. |
| Audit Log / Compliance Tool | Records system events for retrospective review. | Records events sequentially. Does not model responsibility state — who holds it, under what authority, whether it transferred correctly. |
| Document Exchange | Moves clinical documents between organisations. | Moves documents reliably. Does not answer whether the receiving organisation accepted responsibility for acting on the document, by when, or what happens if they do not. |
| Policy / Governance Framework | Describes how organisations should behave. | Describes governance. Does not execute it. A policy that says "explicit consent is required" does not produce the consent record. |
SafeMesh is not competing with any of these categories. It is the governance layer that makes them defensible when care crosses organisational boundaries.
Why the Foundation Matters
A Responsibility Ledger running on insecure infrastructure is not a governance record. It is documentation that might or might not reflect what actually happened. The moment its integrity is questioned — in a regulatory investigation, a serious incident review, or a negligence claim — its evidentiary value collapses.
Every SafeMesh deployment starts with an NHS-compliant AWS Landing Zone built before any governance software is deployed. Account separation, encrypted storage, immutable logs, UK data residency, and continuous security monitoring are built in from the foundation — not retrofitted after a security concern is raised.
Built before deployment. Account separation, encryption, immutable logs, UK data residency, continuous monitoring.
Independent verification of security posture, renewed annually. Compliance is documented, not claimed.
Named clinical safety officer, documented hazard log, clinical safety case. The deploying organisation is supported with artefacts for their DCB 0160 compliance.
All patient data stays in AWS UK regions. Enforced at the infrastructure level by Service Control Policy — not a configuration that could be accidentally changed.
A vendor who arrives without a compliant foundation is asking you to carry the security risk.
The NHS Single Patient Record
The NHS Single Patient Record programme is three to five years from live service, with no architecture decision yet made. When it arrives, it will require every provider — NHS and private — to demonstrate that care pathways are governed and auditable.
Private healthcare providers who build Responsibility Ledger infrastructure now will be positioned for that transition. Providers who wait will be building under pressure when the standard becomes mandatory. The governance infrastructure built today is the foundation for your position in the NHS digital ecosystem over the next decade.
Questions Private Healthcare Providers Ask
Is GP record access actually legal for private providers now?
Yes, since October 2025. The 2025/26 NHS GP Contract requires GP practices to enable read-only access to patient records for private healthcare providers where the patient has given explicit permission and the provider is delivering direct care. The legal framework exists. What has not existed until now is the mechanism for proving that permission was obtained, governed, and audited at scale.
What is explicit consent and why does it matter more for private providers?
For NHS providers, implied consent is sufficient. For private providers the bar is higher: the patient must actively give permission and the provider must be able to demonstrate it. The Data (Use and Access) Act 2025 clarifies that private providers cannot use the NHS's public task as their own lawful basis. For special category health data, that means explicit consent — captured, proved, and auditable.
A consent tick-box exists in our booking flow. Is that not sufficient?
If challenged by the ICO, in a negligence claim, or in a CQC inspection, you need to produce a governed record showing who consented, to what, when, through which channel, and for what clinical purpose. A tick-box is an interface element. It is not a governed consent record linked to the specific access event, timestamped, tamper-evident, and independently corroborable.
How does this integrate with our existing clinical system?
SafeMesh sits alongside your clinical system, not inside it. The consent step is presented through your existing booking or pre-consultation flow. The governance layer runs underneath the clinical workflow. Clinicians see the patient record exactly as they do today. The Responsibility Ledger entries, Evidence Fabric records, and Clearing Metric are all generated automatically — no additional steps for clinical staff.
What happens if a patient says no?
The refusal is recorded in the Responsibility Ledger — timestamped, governed, and auditable. The GP record access does not proceed. The consultation continues without GP record access, which is the current default for every private consultation. The refusal record is itself a compliance asset: you can demonstrate that you sought consent and respected the patient's decision.
Can the governance be bypassed — can a clinician skip the consent step?
No. The Constitutional Spine enforces a strict architectural separation between recording facts, evaluating them against rules, and accepting responsibility. No component spans all three layers. No service can silently grant permission. A pull request that tries to collapse those layers fails automated tests and cannot be deployed. At runtime, every combination of evaluation outputs maps to one of three outcomes: Permit, Deny, or Defer. There are no unhandled states.
Why does the infrastructure need to be built first?
The Responsibility Ledger only has evidentiary value if its integrity can be demonstrated. A ledger running on infrastructure that lacks immutable logs, has not been independently audited, or does not meet NHS data residency requirements is not a legally defensible governance record. Building the foundation first is what makes every governance record that follows trustworthy.
What about the NHS Single Patient Record — does that change things?
The SPR is three to five years from live service. When it arrives, it will require every provider to demonstrate governed, auditable care pathways. Providers who build Responsibility Ledger infrastructure now will be positioned for that transition. The governance infrastructure built today is the foundation for that position.
Start with a Boundary Audit
Find out where responsibility transfers across your patient pathways and where governance breaks down. The audit maps clinical, legal, and technical obligations at every boundary between your services and the NHS.