New regulation on producers of data systems in health care and social welfare
Producers of data systems used in health care and social welfare face new regulation in Finland. The purpose of the new obligations is to enhance data protection and data security as well as interoperability and functionality of data systems.
The new obligations arise from modifications to the Finnish Act on Electronic Processing of Patient and Customer Data (FI: "Laki sosiaali- ja terveydenhuollon asiakastietojen sähköisestä käsittelystä"), which governs electronic processing of patient data and data of customers in social welfare. The modifications entered into force on 1 April 2014; however, some transition periods apply. The said Act is predominantly national Finnish legislation rather than being based on EU legislation.
When do the new obligations apply?
The new obligations apply to a "data system". The definition of a data system is broad. Data system means software or system produced for the purpose of electronic processing of patient data in health care or customer data in social welfare, which is used to record and maintain patient records or social welfare records and data included therein. In addition, data system means a data file or data reserve composed of collected data and maintained by using automatic data processing, which the producer has specifically designed for the processing of patient records or social welfare records and data included therein. Data system also means certain transmission services.
Accordingly, in health care, the new obligations apply to systems used to record and maintain patient records. Patient records are broadly defined in the Finnish legislation and include any documents or technical recordings used, created or received in the course of organising and carrying out the treatment of a patient, which contain data relating to his/her state of health or other personal data. Among other things, recordings made by medical devices may be regarded as such data.
The aim is that the new obligations only concern data systems that are specifically intended for the processing of patient data in health care or customer data in social welfare. Examples of such data systems include patient data management systems, as well as software used in imaging and laboratory systems that processes patient data.
On the other hand, for example, general word processing and financial administration programs are not subject to the new obligations. Also, software or systems used specifically in health care, but which do not process patient data, do not fall under the new obligations.
What is required by the new obligations?
The new obligations of data system producers are broadly and generally outlined below. The specific obligations imposed partly differ depending on whether the data system is to be connected to the Finnish national health care data system called "Kanta" (class A data systems) or is not to be connected to Kanta (class B data systems).
- A data system shall comply with essential requirements relating to interoperability, data security, data protection and functionality. The producer of a data system shall demonstrate compliance with the essential requirements as further set forth in the Act. The content of the essential requirements is currently being prepared by the Finnish National Institute for Health and Welfare and will be published later.
- The producer of a data system is responsible for the design, production and classification of a data system (irrespective of whether these are carried out by the producer or a third party). The producer shall also have a quality system applicable to the design and production of a data system.
- The producer of a data system shall provide necessary information and instructions, subject to certain language requirements, on the implementation, operational use and maintenance of the data system.
- The producer shall notify the Finnish National Supervisory Authority for Welfare and Health (Valvira) of a data system to be taken into production use as well as termination of such use. Valvira maintains a public register of data systems.
- After taking the data system into operational use, the producer shall monitor and evaluate experiences of the data system, notify (among others) users of significant deviations from the 'essential requirements' (see the first bullet point), follow and implement changes in the essential requirements, and store related data for 5 years after termination of the operational use.
Data systems subject to other regulation as well?
A data system used in health care may also be subject to the Finnish Medical Devices Act, including essential requirements on security of patients. This Act applies if the data system is regarded as "medical device", as defined in the said Act.
In practice, some data systems used in health care are subject to both the Finnish Medical Devices Act and the Act on Electronic Processing of Patient and Customer Data. Other data systems are subject to only one of the said Acts. The applicability of each Act shall be considered on a case-by-case basis, taking into account the functionality and purpose of the data system.
Further, the Finnish Personal Data Act applies if personal data is processed by the data system.
Both the Finnish Personal Data Act and the Finnish Medical Devices Act are based on EU Directives. These Directives are currently under reform and will likely be replaced by new EU regulations: a new EU Data Protection Regulation and a new EU Medical Devices Regulation are currently under preparation. After coming into force, these new Regulations may also impose new obligations on producers of data systems.
Developers and vendors of data systems will need to take the new regulation into consideration when designing and developing their data systems for the health care and social welfare market. The new regulation (including the impending new EU Data Protection Regulation) will inevitably also affect contracts, including supply and license contracts as well as contracts between developers or vendors of data systems for health care and social welfare and their subcontractors (such as, but not limited to, IaaS and PaaS contracts).
Similarly, providers of health care and social welfare services will need to take the new regulation into account when issuing requests for proposals, defining information security requirements and contracting for data systems.