Recently, I was triggered by reading column in the Volkskrant in which it was argued that moving patients during the coronavirus pandemic is causing doctors and nurses to waste time. The lack of a national, electronic patient file and the moving of patients between regions has resulted in health-related information (e.g. X-rays) being burned onto DVDs and additional information requested by telephone being faxed. This is totally unnecessary and time-consuming work, because there is another solution.
These days, there are sufficient technical possibilities for sharing health-related information quickly and on an ad hoc basis without being restricted by the GDPR. Neither is it necessary to develop complex portals and complicated interfaces. A standard has been developed precisely with this in mind, namely the NTA 7516. It is a standard for the healthcare sector which provides guidelines on the safe sharing of health-related information.
The problems in the field of GDPR which hospitals used to face can now be resolved relatively simply. Incidentally, this applies not only to hospitals, but also to GPs, out-of-hours GP services, nursing homes, and even local authorities. In this blog, we provide a brief clarification.
Why is a solution required for the safe sharing of health-related information?
There is a quick and easy answer to this question. Since May 2018, regulations have been in place known as the GDPR (General Data Protection Regulation) and standard email no longer makes the grade.
The GDPR imposes requirements which make privacy protection even more important than it used to be. Traditional email solutions no longer fulfil these requirements if no additional technical and organisational measures are put in place.
It is important to remember that the GDPR applies to all organisations, associations, and foundations. Any organisation that processes personal data must comply with the legislation and regulations. In addition, every organisation has to be able to demonstrate that it is complying with the law.
One simple example of this is sharing large files via email solutions. IT administrators usually limit this to 20/50MB in order to prevent mail servers becoming flooded. Because current resources are inadequate, people soon look for an alternative way of sharing the information after all, as reflected in the example I just referred to about burning health-related information onto DVDs.
Many data breaches originate from ordinary email traffic
Conventional email applications are a contributing factor to the number of data breaches. Research has revealed that 40% of data breaches are the result of emailing to the wrong email address. If the email contained health-related information which then ended up in the wrong hands, you would want to be able the recall the message in question. Although conventional email solutions generally have a recall function, it is limited because the email in question still has to be on the server or still has to be unread. In short, there is no guarantee that a recall will be successful.
The NTA 7516 as a clarification of the GDPR
If you want to share health-related information safely, then it has to work everywhere AND be reliable. That is why the ‘Safe email’ project was initiated at the request of the Ministry of Health, Welfare and Sport (VWS) and the Healthcare Information Council [Informatieberaad Zorg]. Within the framework of this project, three components have been developed:
- The establishment of a set of standards.
- Interoperability between products.
- An implementation handbook.
The set of standards is known as the NTA 7516. NTA stands for ‘Netherlands Technical Agreements’ [Nederlandse Technische Afspraken] and is a fast-track way of drawing up specifications within a limited circle.
The NTA 7516 is partly intended to be a clarification of the GDPR. It describes in (technically) neutral terms the requirements which the communication of health-related information must fulfil in order to be safe.
The set of standards is useful for anyone who wants a flexible approach to health-related information
This set of standards applies to all healthcare professionals, including the organisations they work for in which health-related information is shared, and is also not dependent on the technology used, or the organisational processes of the sender or receiver.
What is more, it is intended to be used by suppliers of technical solutions and contains requirements which technical solutions have to fulfil. Interoperability is an extremely important aspect of this and means that the solutions offered by the various suppliers must work together without having to implement all kinds of additional and complicated links.
NTA 7516 mostly has to do with organising more effectively and a bit with technology
The NTA 7516 describes 21 requirements which an organisation has to fulfil. Of these, 19 requirements relate to policy, usage, and logging as fulfilled by an organisation. The other 2 requirements must be fulfilled by the technical solution supplier.
The set requirements are divided into five categories:
Is it obligatory and do I have to fulfil these requirements?
It is not (yet) obligatory to comply with the NTA, but you do have to comply with the GDPR. The GDPR states that emailing health-related information is permitted, but it must be done securely. Consequently, if you want to share health-related information on an ad hoc basis, you must do so without using standard email. Standard email alone is not enough and the same applies, of course to chatting, texting, DVDs, and faxing.
A solution for safe emailing and sharing large files
These days, various technical solutions are available on the market for the safe sharing of health-related information. The differences between them mainly relate to the balance between ease-of-use and security, but they are relatively easy to implement. What is important is that they have NTA 7516 certification for the safe sharing of health-related information via email or the sharing of large files.
Time is the ‘only’ thing it takes to organise the NTA 7516
Choosing and implementing a technical solution fulfils a limited number of requirements. There are also a number of organisational criteria that have to be arranged, such as the authorisation of the sender, the justification for transmission, or the use of a technical solution.
A technical solution makes it possible to share health-related information in an ad hoc, rapid, and safe way in accordance with the GDPR. The technical and organisational aspects are not that complicated to implement and maintain, but they do require attention and time.