You are here

Hexpress Health Support Office Good

Inspection Summary

Overall summary & rating


Updated 17 July 2019

Letter from the Chief Inspector of General Practice

We rated this service as Good overall. (Previous inspection July 2018 – compliant with all regulations (not rated)).

The key questions are rated as:

Are services safe? – Good

Are services effective? – Good

Are services caring? – Good

Are services responsive? – Good

Are services well-led? – Good

We carried out an announced comprehensive inspection at Hexpress Health Support Office on 9 May 2019 as part of our inspection programme.

Hexpress Health Support Office (Hexpress) provides an online prescribing service to patients aged 18 years and over. Patients wishing to use the service access it via one of their websites, where they are able to select the medicine they wish to obtain from a list of available medicines; patients are then required to provide information to verify their identity and complete an online questionnaire relating to their medical history. The information supplied by the patient is then reviewed by one of Hexpress’ doctors, and where appropriate, a prescription is issued, and the medicine is dispensed to the patient by Hexpress’ own pharmacy, where it is delivered by post, courier, or via a collection point.

At this inspection we found:

  • The service had good systems to manage risk so that safety incidents were less likely to happen. When they did happen, the service learned from them and improved their processes.
  • The service had policies in place for activities such as recruitment and staff training; however, whilst we were satisfied that these activities were undertaken in line with the requirements of regulations, the service did not always follow their own policies.
  • The provider had processes in place to ensure patient confidentiality. Doctors worked from their personal laptops, but the provider’s system could only be accessed via an encrypted, password protected portal.
  • The service routinely reviewed the effectiveness and appropriateness of the care it provided via reviews of samples of patient records; however, it did not carry-out clinical audits for areas such as antibiotic prescribing to demonstrate a commitment to learning and improving the quality of service it provides. The service had risk-assessed each of the medicines available to be prescribed and had limited the medicines available according to the level of risk.
  • The information requested from patients prior to a prescription being issued allowed the service to appropriately verify the patients’ identity and enabled prescribing doctors to consider the patients’ medical history when making prescribing decisions. Patients were asked to input information about their presenting condition and information about any relevant monitoring tests, but there was no facility for supporting information (such as photographs in the case of skin conditions, or copies of test result letters in the case of conditions such as diabetes) to be uploaded to the system to support clinical decision making and review progress.
  • Staff involved and treated people with compassion, kindness, dignity and respect.
  • Patients could access care and treatment from the service within an appropriate timescale for their needs.
  • The provider had given some thought to how patient records would be stored for the legally required retention period in the event that they ceased to trade; however, they had not made specific provision for this.
  • There was a strong focus on continuous learning and improvement at all levels of the organisation.

The areas where the provider should make improvements are:

  • Review the appropriateness of their service model with reference to the General Pharmaceutical Council’s guidance on distance supply of prescription only medicines.
  • Review whether it would be beneficial to add the facility for patients to upload documents and photographs as part of the prescribing process.
  • Review the need to carry-out clinical audit for areas such as antibiotic prescribing to ensure that national guidance is being followed.
  • Ensure that the working practices of the service reflect internal policy.
  • Put in place provision for patient records to be stored in line with legal requirements should the service cease to trade.
  • Review whether there are any benefits to issuing staff with specific laptops for undertaking reviews of patient information.

Dr Rosie Benneyworth BM BS BMedSci MRCGP

Chief Inspector of Primary Medical Services and Integrated Care

Inspection areas



Updated 17 July 2019

We rated safe as Good because:

Keeping people safe and safeguarded from abuse

Staff employed at the headquarters had received training in safeguarding and whistleblowing and knew the signs of abuse. All staff had access to the safeguarding policies and where to report a safeguarding concern. There was a dedicated email address for staff to use to report safeguarding concerns to the service’s internal safeguarding lead; the safeguarding policy also listed contact details for relevant external organisations. All the doctors had received adult and level three child safeguarding training.

The service did not treat children. Software was in place to verify patients’ identity and age as part of the online ordering process; if this process found that an individual aged under 18 was attempting to access the service, their order would be automatically rejected, and they would be blocked from the online ordering system.

Monitoring health & safety and responding to risks

The provider headquarters was located within modern offices which housed the IT system and a range of administration staff. Patients were not treated on the premises; doctors mainly carried out their roles in reviewing medicines requests and issuing prescriptions from their homes, but could also work from the provider headquarters. All staff based in the premises had received training in health and safety including fire safety.

The provider expected that all doctors would conduct consultations in private and maintain patient confidentiality; this was covered in the doctors’ induction. Doctors worked from their personal laptops, but the provider’s system could only be accessed via an encrypted, password protected portal. Doctors were required to complete a home working risk assessment to ensure their working environment was safe.

There were processes in place to manage any emerging medical issues during direct contact with the service (for example, during telephone calls between patients and call centre staff). Processes were in place for managing test results and referrals. The provider’s patient records system did not allow for incoming documents (such as test results) to be saved; however, we saw examples of incoming information being saved to the system in the form of notes made on the patients’ record. The service was not intended for routine use by patients with either long term conditions or as an emergency service.

All medicines available for purchase had been assessed for risk. Where a medicine was identified as higher risk, the provider had put measures in place to address this; for example, they had identified certain medicines which would only be prescribed if the patient consented to their registered GP being informed, they had also put limits on the number of prescriptions which could be issued in a given time period for certain medicines, and on the quantities of medicines which could be supplied.

A range of clinical and non-clinical meetings were held with staff, where standing agenda items covered topics such as significant events, complaints and service issues. Clinical meetings also included case reviews and clinical updates. We saw evidence of meeting minutes to show where some of these topics had been discussed.

Staffing and Recruitment

There were enough staff, including doctors, to meet the demands for the service and there was a rota for the doctors. The prescribing doctors were paid on a sessional basis.

The provider had a selection and recruitment process in place for all staff. There were a number of checks that, according to the provider’s recruitment policy, were required to be undertaken prior to commencing employment, such as references and Disclosure and Barring service (DBS) checks. (DBS checks identify whether a person has a criminal record or is on an official list of people barred from working in roles where they may have contact with children or adults who may be vulnerable.).

Potential doctor employees had to be registered with the General Medical Council (GMC). They had to provide evidence of having professional indemnity cover, an up to date appraisal and certificates relating to their qualification and training.

Newly recruited doctors were supported during their induction period and an induction plan was in place to ensure all processes had been covered. We were told that doctors did not start assessing medicines requests and issuing prescriptions until they had spent time shadowing an established member of staff.

We reviewed six staff files and found that in two cases (one doctor, one member of the non-clinical team), references had been requested but had not been received. The service explained that in these cases, they were satisfied that the checks completed via the DBS and GMC (in the case of the doctor) were adequate to assure them that these members of staff were safe to have contact with patients and patient information; however, this approach was not consistent with the service’s own policy. The provider kept records for all staff including the doctors and there was a system in place that flagged up when any refresher training was due, or when documentation was due for renewal such as professional registrations or indemnity cover.

Prescribing safety

All medicines available to be prescribed to patients had been selected by the provider following consideration of the risks of prescribing via an online form. The questions on the online form were specific to the medicine being requested by the patient to ensure that prescribing was appropriate and evidence based. The doctors could only prescribe from a set list of medicines which the provider had risk-assessed. There were no controlled drugs on this list and systems were in place to prevent the misuse of medicines; for example there was a system to automatically alert clinicians to frequent requests of medicines from the same patient.

When emergency supplies of medicines were prescribed, there was a clear record of the decisions made and a flag placed on the provider’s system to alert prescribers of repeated requests. Where the patient had provided consent, the service contacted their regular GP to advise them that the prescription had been issued. There were certain medicines which the provider would only prescribe if the patient consented to their registered GP being informed.

Once the doctor prescribed the medicine and dosage of choice, relevant instructions were given to the patient regarding when and how to take the medicine, the purpose of the medicine and any likely side effects and what they should do if they became unwell.

The provider offered short-term supply of medicines for a number of long term conditions such as diabetes, hypertension and asthma. Patients were asked to input details of recent monitoring results for these conditions such as blood pressure and HbA1C readings; however, the provider did not ask patients to supply a copy of these results (for example through uploading the original document). Antibiotics were prescribed according national guidance. The service encouraged good antimicrobial stewardship by only prescribing from a limited list of antibiotics which was based on national guidance; however, there was no process in place to audit the prescribing of antibiotics.

There were protocols in place for identifying and verifying the patient, in accordance with General Medical Council guidance.

Once prescribed, medicines were typically dispensed via the service’s own pharmacy and delivered via Recorded Delivery post or via collection from designated collection points. Where the patient selected “same day” delivery (available only for deliveries within Greater London), the prescription was dispensed by a designated Central London pharmacy and delivered by courier. The service had a system in place to assure themselves of the quality of the dispensing process. There were systems in place to ensure that the correct person received the correct medicine.

Information to deliver safe care and treatment

On registering with the service, and at each consultation, patient identity was verified. The doctors had access to the patient’s previous records held by the service.

Management and learning from safety incidents and alerts

There were systems in place for identifying, investigating and learning from incidents relating to the safety of patients and staff members. We reviewed three incidents and found that these had been fully investigated, discussed and as a result action taken in the form of a change in processes. For example, an incident had occurred where an order for emergency contraception was processed despite the order being placed from the account of a male patient. In this case the order was cancelled and the patient was refunded. In response, the provider conducted a full review to identify missed opportunities to identify the issue at the initial processing stage, and discussed the incident with doctors to identify system changes which would allow gender discrepencies to be flagged.

We saw evidence that learning from incidents was shared with staff via regular meetings and email updates.

During discussions with the provider about their handling of incidents and complaints, they were able to provide examples which demonstrated that they were aware of and complied with the requirements of the duty of candour by explaining to the patient what went wrong, offering an apology and advising them of any action taken.



Updated 17 July 2019

We rated effective as



Assessment and treatment

We reviewed 13 examples of medical records that demonstrated that each doctor assessed patients’ needs and delivered care in line with relevant and current evidence based guidance and standards, including National Institute for Health and Care Excellence (NICE) evidence based practice. Where necessary, patients were required to input the results of blood tests via the online prescription request form; however, there was no facility or requirement for patients to upload original test result documents. There was no facility for patients to upload photographs as part of the prescription request (for example, where a prescription for acne treatment was requested).

Patients completed an online form which included their past medical history. The online forms were specific to the medicine being requested. We reviewed 13 medical records which were complete records. We saw that adequate notes were recorded and the doctors had access to all previous notes.

The doctors providing the service were aware of both the strengths (speed, convenience, choice of time) and the limitations (inability to perform physical examination) of working remotely from patients. They worked carefully to maximise the benefits and minimise the risks for patients. If a patient needed further examination they were directed to an appropriate agency.

The service monitored prescribing decisions and carried out clinical notes audits to improve patient outcomes; this was done by the clinical lead reviewing records of 2% of each doctor’s prescribing decisions per month. The outcomes of these reviews were fed back to individual doctors and used to identify trends which required more systemic intervention.

Quality improvement

The service collected and monitored information on patients’ care and treatment outcomes.

  • The service used information about patients’ outcomes to make improvements.

  • The service took part in quality improvement activity, for example reviews of consultations. We saw evidence that the provider carried-out monthly reviews of 2% of prescription requests handled by each doctor, and that this was used to identify trends and improve quality. For example, reviews had identified that the quality of clinical note taking was weak in 42% of the notes reviewed; in response to this, additional training had been provided to doctors and the patient records system had been revised so that it was not possible for a prescription to be authorised unless a note was made. Following these interventions, the provider’s re-audit found that appropriate notes were being recorded in 95% of cases.

Staff training

All staff completed induction training which included training on using the patient records system, familiarisation with the service’s policies and processes, and shadowing established members of staff. Staff also completed other training on a regular basis including child and adult safeguarding, information governance, Mental Capacity Act and fire safety. The service manager had a training matrix which identified when training was due.

The doctors registered with the service received specific induction training prior to issuing prescriptions. An induction log was held in each staff file and signed off when completed. The doctors told us they received excellent support if there were any technical issues or clinical queries and could access policies. When updates were made to the IT systems, the doctors received further online training.

All staff received regular performance reviews.

Coordinating patient care and information sharing

Before providing treatment, doctors at the service ensured they had adequate knowledge of the patient’s health and their medicines history.

All patients were asked for consent to share details of any medicines prescribed with their registered GP on each occasion they used the service. The provider had risk assessed the treatments they offered. They had identified medicines that were not suitable for prescribing if the patient did not give their consent to share information with their GP, or they were not registered with a GP. For example, in cases where they prescribed a short-term course of medicines for the treatment of long term conditions such as asthma. Where patients agreed to share their information, we saw evidence of letters sent to their registered GP in line with GMC guidance.

Supporting patients to live healthier lives

The service identified patients who may be in need of extra support and had a range of information available on the website. For example, there was an online blog available via the service’s website which included information about topical issues such as managing asthma and controlling symptoms of irritable bowel syndrome.

In their consultation records we found patients were given advice on healthy living as appropriate.



Updated 17 July 2019

We rated caring as



Compassion, dignity and respect

We were told that the doctors worked in a private room, and assessments of doctors’ home working environments were conducted as part of their induction.

We did not speak to patients directly on the days of the inspection; however, 58 patients who had used Hexpress’ service provided feedback about the service directly to CQC as part of our inspection process, all of which was positive. The service collected patient feedback directly using Trust Pilot. The service told us that all patients were sent an email with a link to the Trust Pilot site following the completion of their order. The service monitored this feedback and we saw evidence that it was discussed during governance meetings; the service was rated 4.8 out of 5 stars overall by Trust Pilot.

Involvement in decisions about care and treatment

Patient information guides about how to use the service and technical issues were available. There was a dedicated team to respond to any enquiries.

Patients had access to information about the doctors working for the service.

Patients were able to access notes made about them by the service via a formal request to the provider.



Updated 17 July 2019

We rated responsive as



Responding to and meeting patients’ needs

The service was available to patients in England via four different websites (;;; Patients wishing to use the service accessed one of these websites and selected the medicine they wished to purchase. They were then directed to complete an online form, providing details to allow the service to confirm their identity, and details of their medical history; patients were also given the option of providing details of their registered GP. Prescription requests were then considered by one of the service’s doctors, and where appropriate, a prescription was issued which was dispensed by the service’s pharmacy and either delivered directly to the patient’s address or a designated collection point, or made available for the patient to collect from the pharmacy. The service offered a same-day delivery service for delivery addresses within Greater London, which were dispensed by a partner pharmacy and delivered to the patient by courier.

The provider made it clear to patients what the limitations of the service were.

Tackling inequity and promoting equality

The provider offered consultations to anyone who requested and paid the appropriate fee, and did not discriminate against any client group.

Patients could access a brief description of the doctors available. Staff were fluent in a range of languages, were available to communicate with patients where necessary and the service also had access to a translation service.

Managing complaints

Information about how to make a complaint was available on the service’s web site. The provider had developed a complaints policy and procedure. The policy contained appropriate timescales for dealing with the complaint. There was escalation guidance within the policy. We reviewed the complaint system and noted that comments and complaints made to the service were recorded. We reviewed one complaint in detail out of six received in the past 12 months.

The provider was able to demonstrate that the complaints we reviewed were handled correctly and patients received a satisfactory response. There was evidence of learning as a result of complaints, changes to the service had been made following complaints, and had been communicated to staff.

Consent to care and treatment

There was clear information on the service’s website with regards to how the service worked and what costs applied including a set of frequently asked questions for further supporting information. The website had a set of terms and conditions and details on how the patient could contact them with any enquiries. The service operated a transparent pricing structure with the price displayed on the website for each medicine being the complete price paid by the patient (there were no separate charges for prescriptions or delivery).

All staff had received training about the Mental Capacity Act 2005. Staff understood and sought patients’ consent to care and treatment in line with legislation and guidance.



Updated 17 July 2019

We rated well-led as Good because:

Business Strategy and Governance arrangements

The provider told us they had a clear vision to work together to provide a high quality responsive service that put caring and patient safety at its heart.

There was a clear organisational structure and staff were aware of their own roles and responsibilities. There was a range of service specific policies which were available to all staff. These were reviewed and updated when necessary.

The service had policies in place for activities such as recruitment and staff training; however, whilst we were satisfied that these activities were undertaken in line with the requirements of regulations, the service did not always follow their own policies.

There were a variety of daily, weekly and monthly checks in place to monitor the performance of the service. These included random spot checks for consultations. The information from these checks was used to provide specific feedback to each doctor and to feed into a wider programme of development. Performance was discussed in monthly governance meetings and ensured a comprehensive understanding of the performance of the service was maintained.

There were arrangements for identifying, recording and managing risks, issues and implementing mitigating actions.

Care and treatment records were complete, accurate, and securely kept.

Leadership, values and culture

The service had an interim Clinical Director in place (the previous permanent Clinical Director having recently left). The Clinical Director had responsibility for any medical issues arising and they were contactable daily; there were systems in place to address any absence of this clinician. We were told that the service was in the process of recruiting a permanent member of staff to this role, whereby the interim post holder would continue to work for the service as an independent clinical advisor to the Board.

The service had an open and transparent culture. We were told that if there were unexpected or unintended safety incidents, the service would give affected patients reasonable support, truthful information and a verbal and written apology. This was supported by an operational policy.

Safety and Security of Patient Information

Systems were in place to ensure that all patient information was stored and kept confidential.

There were policies and IT systems in place to protect the storage and use of all patient information. The service could provide a clear audit trail of who had access to records and from where and when. The service was registered with the Information Commissioner’s Office. There were business contingency plans in place to minimise the risk of losing patient data.

The provider had given some thought to how patient records would be stored for the legally required retention period in the event that they ceased to trade; however, they had not made specific provision for this.

Seeking and acting on feedback from patients and staff

Patients could rate the service they received via Trust Pilot; patients were sent a link to the Trust Pilot site following the completion of their order, and the service’s Trust Pilot rating was published on their website. This feedback was constantly monitored and discussed in the provider’s governance meetings.

There was evidence that the doctors could provide feedback about the quality of the operating system and any change requests were logged, discussed and decisions made for the improvements to be implemented.

The provider had a whistleblowing policy in place. (A whistle blower is someone who can raise concerns about practice or staff within the organisation.) The Registered Manager was the named person for dealing with any issues raised under whistleblowing.

Continuous Improvement

The service consistently sought ways to improve. All staff were involved in discussions about how to run and develop the service, and were encouraged to identify opportunities to improve the service delivered. The service had engaged an independent medical advisor to provide impartial advice and guidance to the Board on clinical issues.

We saw from minutes of staff meetings where previous interactions and consultations were discussed.

Staff told us that the team meetings were the place where they could raise concerns and discuss areas of improvement; governance meetings were held monthly and Board meetings were held quarterly. Each team had meetings to discuss issues relating to their specific area; for example, the Customer Service Team met monthly. In response to feedback from remote-working doctors about a lack of team cohesion, the service had introduced quarterly face-to-face off site meetings for doctors and key management staff; these were held on Saturdays to ensure that staff could attend without their work obligations being impacted.

There was a quality improvement strategy and plan in place to monitor quality and to make improvements, for example, through audits of consultations and reviews of patient feedback.