New Health Information Management Systems Regulation: Why It Is Important
The Health Information Management Systems ("HIMS") Regulation (the "Regulation") has been published in the Official Gazette dated August 25, 2022. The purpose of the Regulation is to regulate (i) the procedures and principles regarding the rules to be followed by HIMS service providers, (ii) procurement processes and standards and (iii) the registration procedures applicable to HIMS service providers.
While HIMSs were already regulated under Circular No. 2015/17 on Health Information Systems Practices (the "HIMS Circular"), which sets forth certain requirements regarding HIMSs, including registration with the Record Registry System (Kayıt Tescil Sistemi, "KTS"), the Regulation introduces more comprehensive rules on HIMSs and on their procurement by health institutions. In this regard, the Regulation sets forth the obligations both of health care service providers and of the HIMS service providers that supply IT outsourcing services to them.
Summary
The Regulation has several crucial implications for sector players and the way they carry out their operations. The most critical issues it introduces are:
- Restatement of the KTS registration requirement for HIMS service providers
- Data localization requirement for data transferred by a healthcare institution to a HIMS service provider when procuring outsourcing services
- Limitations on data recording and transfer
- Data backup requirement
- Default designation of the HIMS service provider as data processor of the health institution
- Comprehensive certification obligations for HIMS service providers
- The Ministry of Health's auditing authority over HIMS service providers
The Regulator
The regulator that enacted the Regulation and will be responsible for its implementation is the Ministry of Health (the "Ministry"); the Health Information Systems General Directorate of the Ministry (the "General Directorate") will be the responsible unit within the Ministry.
Key Definitions and Concepts
- Health Information Management Systems or "HIMS" is defined as "software referred to as Health Information Management Systems, which are used by health service providers for clinical, administrative or managerial purposes, which are capable of exchanging data with other information management systems when necessary."
As the definition of HIMS is quite broad, companies providing IT outsourcing services to health care service providers should assess whether their services fall within its scope.
- HIMS Service Provider is defined as "natural or legal persons registered and authorized to provide HIMS service in the Record Registry System".
The Regulation states that the HIMS service provider is positioned as a data processor with respect to the personal data it processes within the scope of the health service provided and must therefore fulfill the relevant obligations stipulated in the personal data protection legislation.
- Health Care Service Providers: Although the Regulation does not define health care service providers, the definition can be derived from the Regulation on the Cascading of Health Service Providers, quoted below.
"Primary health care service providers are health institutions that provide outpatient or inpatient diagnosis and treatment as defined in the relevant legislation"
"Secondary health care service providers are health institutions that provide outpatient or inpatient diagnosis, treatment and rehabilitation services as defined in the relevant legislation".
"Tertiary health care service providers are high-level health service providers that have high technology and/or have the infrastructure to provide training and research services for diseases that require advanced examination and special treatment defined in the relevant legislation".
- KTS: "Record Registry System"
The KTS was previously introduced and is currently operational under the HIMS Circular. The HIMS service providers registered with the KTS as of today are listed in the active list [1] published online.
KTS Registration Process
- Submission of Documents
According to the Regulation, HIMS service providers must register with the KTS in order to provide their services. To initiate registration, a HIMS service provider submits the documents listed below to the General Directorate by official letter or by registered electronic mail addressed to the Ministry [2]:
- Official letter for application of registration,
- Copy of Trade Registry Gazette,
- Document Indicating the Social Security Institution Workplace Registration Number,
- Balance Sheet for the Last 3 (Three) Years, which shall be approved by a tax office or a certified public accountant,
- Registration Certificate for Computer Programs and Databases, which is obtained from the Ministry of Culture and Tourism,
- TS ISO/IEC 27001 Certificate (Certificate for Information Security Management),
- ISO/IEC 17021 Certificate (Certificate for Conformity Assessment) of the certification body that issued the TS ISO/IEC 27001 Certificate,
- TS ISO/IEC 15504 (Certificate for Software Process Improvement and Capability Determination) (at least level 2) or Capability Maturity Model Integration certificate (at least level 3),
- Signature Circular,
- List of Produced Software,
- Non-Disclosure Agreement,
- Apostille (for the software produced abroad).
- Test of HIMS
Once the Ministry approves the documents listed above, the HIMS is subjected to the following tests, which focus on compliance with data submission and health informatics standards:
- Sağlık.Net Online Data Submission Status
- HIMS Minimum Data Creation (VEM Creation)
- Data Submission Status According to ICD-O Standard
- Integration Status to Material Resources Management System
- Integration Status to Central Physician Appointment System
- Control of HIMS Screens by Path Sampling
- Official Registration to KTS and Following Steps
Once the registration process and the relevant tests are completed, the HIMS service provider is added to the active list, which is announced on the publicly available website of the General Directorate. Only after a HIMS service provider has been added to the active list and announced can health care providers procure services from it.
HIMS service providers on the active list may be audited. If deficiencies identified during these audits are not remedied within a certain period, the provider is placed on the passive list, and this process may ultimately result in complete removal from the list.
Privacy and Localization
As mentioned, the Regulation has several crucial implications for sector players. Some important points to note are:
- Data Processor Status: The Regulation envisages that the HIMS service provider is designated as a data processor with respect to the personal data it processes within the scope of the health service it provides and must therefore fulfill the relevant obligations stipulated in the personal data protection legislation. Given that the Regulation explicitly designates HIMS service providers as data processors, this could be interpreted as prohibiting HIMS service providers from processing the data they receive from health institutions for their own purposes in a way that would make them data controllers.
- Explicit Data Localization Requirement: Article 16 of the Regulation introduces an explicit data localization requirement for personal health data by stating that all personal health data [3] shall be stored within Türkiye and in a secure manner.
- Recording and transferring data: In addition to the data localization requirement above, the Regulation also governs the recording and transfer of data. Data obtained within the scope of health service provision and of processes related to these services cannot be recorded in or transferred to any place other than the data recording media of health service providers, the central health data systems of the Ministry, or other data recording media approved by the General Directorate.
- Data backup: The HIMS service provider shall regularly back up the HIMS database and store these backups on the media of the HIMS service procurers, on media determined by the Ministry, or both.
- Anonymization: Personal data may only be anonymized by the HIMS service procurers; the HIMS service provider cannot anonymize personal data without the authorization of the HIMS service procurers or the Ministry. If it is found that personal data has been processed for different purposes after anonymization by the HIMS service provider, legal action is taken under the relevant legislation, in particular the Law on the Protection of Personal Data and the Turkish Penal Code.
- Health care institutions providing services outside the country: The Regulation provides that health care institutions providing services from outside Türkiye are subject to the legislation of the country where they provide those services.
Noncompliance
As explained above, registered HIMS service providers are included in the active list announced on the website of the General Directorate. The data media where personal health data will be stored are audited and approved, remotely or on site, by a commission established by the General Directorate upon request.
If noncompliance with the data localization requirements mentioned above is determined, the HIMS service provider is removed from the KTS.
In such cases, the software access code of the HIMS service provider is deactivated within three months at the latest from the date of removal from the KTS (this period can be extended up to six months). Even so, the HIMS service provider cannot provide services to a new health care service provider until it is included in the active list of the KTS again.
Other Obligations and Significant Issues
- Main obligations
The Regulation sets forth certain obligations with which HIMS service providers must comply. The most prominent of these are:
- Registering with the KTS, in order to be able to provide services to health service providers.
- Complying with the instructions and rules set by the Ministry.
- Putting in place measures that guarantee the continuity of health services and data security.
- Incident and log records
The HIMS service provider is responsible for taking the necessary measures to keep the incident and log records produced in the HIMS, in the database media where HIMS data is stored, and in the software and hardware components falling within its responsibility under the service contract, so that a retrospective review is possible in the event of an information security breach. These incident and log records shall be kept by qualified electronic certificate service providers established in Türkiye or be signed with a qualified time stamp provided by the General Directorate, so that their integrity and timing can be verified after the fact.
- Service procurement
The Regulation explains HIMS service procurement by public health institutions, detailing how public procurement is carried out and listing the information and documents to be requested.
- Audit
The Ministry may audit the HIMS service provider, or have it audited, ex officio or upon complaint. However, the Regulation provides that the audit cannot extend beyond the scope of the service for which the HIMS service provider is responsible.
Remote or on-site audits cover the following matters:
- Existence and uniqueness of the HIMS
- Compliance with the workflows and business rules determined by the General Directorate.
- Integration with and data transmission to the Ministry's central data systems.
- Compliance with the standards set by the General Directorate.
- Current VEM version compatibility and data transfer capability.
- The registration status of the HIMS service provider to KTS.
- Compliance with personal data protection legislation and information security regulations.
When the Ministry deems it necessary, it performs, or has performed, security and penetration tests on the HIMS.
If deficiencies identified during these audits are not remedied within a certain period, the provider is placed on the passive list, and this process may ultimately result in complete removal from the list.
- Competence score
The HIMS service provider is evaluated with the aim of ensuring better quality, uninterrupted and sound health service provision, and the competence score assigned as a result of this evaluation is published on the website of the General Directorate.
Enforcement Date
While the provision on incident and log records enters into force on August 25, 2023 and the competence score provision on April 25, 2024, the other provisions entered into force immediately, on August 25, 2022.
Footnotes
[1] https://kayittescil.saglik.gov.tr/TR-54929/aktif-hbys-listesi.html
[2] An explanation of these documents, as well as certain templates, can be found here (only available in Turkish).
[3] Please note that the Regulation only mentions "data" in the localization requirement, but it can be argued that "data" should be read as "personal health data" in conjunction with the first sentence of Article 16(3), which limits the obligation to personal health data. However, if the term "data" is interpreted broadly, it is possible to conclude that all data entering the HIMS and received from the health institution is subject to this localization requirement.
Article 16(3) of the Regulation: "The data environments where personal health data will be stored are audited and approved remotely or on site by a commission established by the General Directorate upon request. Data shall only be kept domestically and securely."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.