New Health Information Management Systems Regulation: Why It Is Important – Healthcare



The Health Information Management Systems (“HIMS”) Regulation
(the “Regulation”) was published in the Official Gazette dated
August 25, 2022. The purpose of the Regulation is to regulate
(i) the procedures and principles regarding the rules to be
followed by HIMS service providers, (ii) procurement processes
and standards and (iii) the registration procedures applicable
to HIMS service providers.

While HIMSs have so far been regulated under Circular No. 2015/17
on Health Information Systems Practices (the “HIMS Circular”),
which sets forth certain requirements regarding HIMSs, including
registration with the Record Registry System (Kayıt Tescil
Sistemi, “KTS”), the Regulation introduces more comprehensive
rules regarding HIMSs and their procurement by health
institutions. In this regard, the Regulation sets forth the
obligations of health care service providers as well as of those
(HIMS service providers) providing IT outsourcing services to
health care service providers.

Summary

The Regulation has several crucial implications for sector
players and the way they will carry out their operations. In this
context, the most critical issues brought about by the Regulation
are:

  • Restatement of KTS registration requirement for HIMS
    service providers

  • Data localization requirement for the data transferred by a
    healthcare institution while procuring outsourcing services from
    a HIMS service provider

  • Limitations on the data recording and transfer

  • Data backup requirement

  • Default designation of HIMS service provider as data
    processor of the health institution

  • Comprehensive certification obligations for HIMS service
    providers

  • The Ministry of Health’s auditing authority on HIMS
    service providers

The Regulator

The regulator that enacted the Regulation and will be responsible
for its implementation is the Ministry of Health (the
“Ministry”); the Health Information Systems General Directorate
of the Ministry (the “General Directorate”) will be the
responsible unit within the Ministry.

Key Definitions and Concepts

  • Health Information Management Systems or HIMS is defined as
    “software referred to as Health Information Management
    Systems, which are used by health service providers for clinical,
    administrative or managerial purposes, which are capable of
    exchanging data with other information management systems when
    necessary.”

As the definition of HIMS is drafted in quite a broad manner,
companies providing IT outsourcing services to health care service
providers should determine whether their services fall within the
scope of HIMS.

  • HIMS Service Provider is defined as “natural or legal persons
    registered and authorized to provide HIMS service in the Record
    Registry System”.

The Regulation states that the HIMS service provider will be
positioned as a data processor in terms of the personal data they
process within the scope of the health service provided and
therefore, must fulfill the relevant obligations stipulated in the
personal data protection legislation.

  • Health Care Service Providers:
    Although the Regulation does not define health care service
    providers, the definition can be derived from the Regulation on the
    Cascading of Health Service Providers, which is quoted below.

“Primary health care service providers are health
institutions that provide outpatient or inpatient diagnosis and
treatment as defined in the relevant legislation”

“Secondary health care service providers are health
institutions that provide outpatient or inpatient diagnosis,
treatment and rehabilitation services as defined in the relevant
legislation”.

“Tertiary health care service providers are high-level
health service providers that have high technology and/or have the
infrastructure to provide training and research services for
diseases that require advanced examination and special treatment
defined in the relevant legislation”.

  • KTS: “Record Registration System”

The KTS was introduced earlier and is currently operational under
the HIMS Circular. The HIMS service providers registered with the
KTS as of today are listed in the active list [1] published
online.

KTS Registration Process

  1. Submission of Documents

According to the Regulation, HIMS service providers are required
to register with the KTS in order to provide their services. To
initiate the registration procedure, HIMS service providers need
to submit the documents listed below to the General Directorate
via an official letter or registered electronic mail sent to the
Ministry [2]:

  • Official letter for application of registration,

  • Copy of Trade Registry Gazette,

  • Document Indicating the Social Security Institution Workplace
    Registration Number,

  • Balance Sheet for the Last 3 (Three) Years, which shall be
    approved by a tax office or a certified public accountant,

  • Registration Certificate for Computer Programs and Databases,
    which is obtained from the Ministry of Culture and Tourism,

  • TS ISO/IEC 27001 Certificate (Certificate for Information
    Security Management),

  • 17021 Certificate of the Firm Issuing TS ISO/IEC 27001
    Certificate (Certificate for Conformity Assessment),

  • TS ISO/IEC 15504 Certificate (Certificate for Software Process
    Improvement and Capability Determination) (at least level 2) or
    Capability Maturity Model Integration certificate (at least
    level 3),

  • Signature Circular,

  • List of Produced Software,

  • Non-Disclosure Agreement,

  • Apostille (for the software produced abroad).

  2. Test of HIMS

Once the above-mentioned documents are approved by the Ministry,
the HIMS is subjected to the tests listed below, which focus on
compliance with data submission and health informatics
standards:

  • Sağlık.Net Online Data Submission Status

  • HIMS Minimum Data Creation VEM Creation

  • Data Submission Status According to ICD-O Standard

  • Integration Status to Material Resources Management System

  • Integration Status to Central Physician Appointment System

  • Control of HIMS Screens by Path Sampling

  3. Official Registration to KTS and Following Steps

Once the registration process and the relevant tests are
completed, the HIMS service provider is included in the active
list, which is then announced on the publicly available website
of the General Directorate. Once a HIMS service provider is added
to the active list and announced, health care providers will be
able to procure services from that HIMS service provider.

HIMS service providers in the active list may be audited. If the
deficiencies identified during these audits are not remedied within
a certain period of time, the provider will be placed on the
passive list and this process may ultimately result in complete
removal from the list.

Privacy and Localization

As mentioned, the Regulation has several crucial implications for
sector players. In this regard, some important points to note
are:

  • Data Processor Status: The Regulation
    envisages that the HIMS service provider will be designated as a
    data processor in terms of the personal data it processes within
    the scope of the health service it provides and therefore must
    fulfill the relevant obligations stipulated in the personal data
    protection legislation. Given that the Regulation explicitly
    foresees that HIMS service providers are data processors, this
    could be interpreted as a prohibition on HIMS service providers
    processing the data they receive from health institutions for
    their own purposes in a way that would qualify them as data
    controllers.

  • Explicit Data Localization Requirement:
    Article 16 of the Regulation introduces an explicit data
    localization requirement for personal health data by stating that
    all personal health data [3] shall be stored within Türkiye and in
    a secure manner.

  • Recording and transferring data:
    In addition to the above-mentioned data localization requirement,
    the Regulation also regulates the recording and transfer of data.
    Accordingly, the Regulation states that data obtained within the
    scope of health service provision and processes related to these
    services cannot be recorded or transferred to any place other than
    the data recording mediums of health service providers, the central
    health data systems of the Ministry or other data recording mediums
    approved by the General Directorate.

  • Data backup: It is regulated that the
    HIMS service provider shall regularly take the database backups of
    HIMS and save these backups in the mediums of the HIMS service
    procurers or in the mediums determined by the Ministry, or
    both.

  • Anonymization: The
    Regulation states that personal data may only be anonymized by the
    HIMS service procurers. Additionally, personal data cannot be
    anonymized by the HIMS service provider without the authorization
    of the HIMS service procurers or the Ministry. If it is found out
    that personal data is processed for different purposes after their
    anonymization by the HIMS service provider, legal action is taken
    within the framework of the provisions of the relevant legislation,
    and especially of the Law on the Protection of Personal Data and
    the Turkish Penal Code.

  • Health care institutions providing service outside the country:
    The Regulation foresees that health care institutions providing
    service from outside of Türkiye are subject to the legislation of
    the country where they provide services.

Noncompliance

As explained above, the registered HIMS service providers are
included in the active list and announced on the website of the
General Directorate. In this regard, the data mediums where
personal health data will be stored are audited and approved
remotely or on site by a commission established by the General
Directorate upon request.

Accordingly, in case noncompliance with data localization
requirements mentioned above is determined, the HIMS service
provider will be removed from KTS.

In such cases, from the date of removal from the KTS, the software
access code of the HIMS service provider is deactivated within
three months at the latest (this period can be extended up to six
months). However, the HIMS service provider cannot provide
services to a new health care service provider until it is
included in the active list of the KTS again.

Other Obligations and Significant Issues

  • Main obligations

    The Regulation sets forth certain obligations which HIMS service
    providers have to comply with. The most prominent of these are:

    • Registering with the KTS, in order to be able to operate
      within health service providers.

    • The obligation to comply with instructions and rules set by the
      Ministry

    • Ensuring certain measures are put into place for the sake of
      guaranteeing the continuity of health services and data
      security.


  • Incident and log records

    It is regulated that the HIMS service provider is responsible for
    taking the necessary measures to keep the incident and log records
    produced in the HIMS, in the database mediums where HIMS data is
    stored, and in the software and hardware components that fall
    within the HIMS service provider’s responsibility for the services
    provided under the contract, in order to ensure retrospective
    review in case of any information security breach event. These
    incident and log records shall be kept by qualified electronic
    certificate service providers established in Türkiye or by being
    signed with a qualified time stamp provided by the General
    Directorate.


  • Service procurement

    HIMS service procurement processes within the public health
    institutions are explained by detailing how the public procurement
    will be carried out and by listing requested information and
    documents.


  • Audit

    The Ministry may audit or have the HIMS service provider audited,
    ex officio or upon complaint. Nevertheless, the Regulation foresees
    that the audit cannot go beyond the scope of the service provided
    by the responsibility of the HIMS service provider.

    In the remote or on-site audits, audits are conducted on the
    following matters:

    • Existence and singularity of HIMS

    • Compliance with the workflows and business rules determined by
      the General Directorate.

    • Integration with and data transmission to the Ministry’s
      central data systems.

    • Compliance with the standards set by the General
      Directorate.

    • Current VEM version compatibility and data transfer
      capability.

    • The registration status of the HIMS service provider to
      KTS.

    • Compliance with personal data protection legislation and
      information security regulations.


    When the Ministry deems it necessary, it performs or has security
    and penetration tests performed for HIMS.

    If the deficiencies identified during these audits are not remedied
    within a certain period of time, the provider will be placed on the
    passive list and this process may ultimately result in complete
    removal from the list.


  • Competence score

    It is regulated that the HIMS service provider will be evaluated
    with the aim of providing better quality, uninterrupted and sound
    health service provision and the competence score assigned as a
    result of this evaluation will be published on the website of the
    General Directorate.

Enforcement Date

While the provision on incident and log records will enter into
force on 25.08.2023 and the competence score provision will come
into effect on 25.04.2024, the other provisions entered into force
immediately, on 25.08.2022.

Footnotes

[1] https://kayittescil.saglik.gov.tr/TR-54929/aktif-hbys-listesi.html

[2] An explanation regarding these documents as well as certain
templates can be found here (only available in Turkish).

[3] Please note that the Regulation only mentions “data” for the
localization requirement, but it can be argued that “data” should
be interpreted as “personal health data” when read in conjunction
with the first sentence of Article 16(3), which limits the
obligation to personal health data. However, if the term “data” is
interpreted broadly, it is possible to conclude that all data
entering the HIMS and received from the health institution are
subject to this localization requirement.

Article 16(3) of the Regulation: “The data environments where
personal health data will be stored are audited and approved
remotely or on site by a commission established by the General
Directorate upon request. Data shall only be kept domestically and
securely.”

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
