New Health Information Management Systems Regulation: Why It Is Important
The Health Information Management Systems
(“HIMS“) Regulation (the
“Regulation“) has been published in the
Official Gazette dated August 25, 2022. The purpose of the
Regulation is to regulate (i) the procedures and
principles regarding the rules to be followed by HIMS service
providers, (ii) procurement processes and
standards and (iii) the registration procedures
applicable to HIMS service providers.
While HIMSs have been regulated under the Circular No. 2015/17
on Health Information Systems Practices (“HIMS
Circular“), which sets forth certain requirements
regarding HIMSs, including registration with the Record Registry
System (Kayıt Tescil Sistemi –
“KTS“), the Regulation introduces more
comprehensive rules regarding HIMSs and their procurement by health
institutions. In this regard, the Regulation sets forth the
obligations of health care service providers as well as of those
(HIMS service providers) providing IT outsourcing services
to health care service providers.
Summary
The Regulation has several crucial implications on the sector
players and the way they will carry out their operations. In this
context, the most critical issues brought about by the Regulation
are:
- Restatement of the KTS registration requirement for HIMS service providers
- Data localization requirement for the data transferred by healthcare institutions while procuring outsourcing services from HIMS service providers
- Limitations on data recording and transfer
- Data backup requirement
- Default designation of the HIMS service provider as data processor of the health institution
- Comprehensive certification obligations for HIMS service providers
- The Ministry of Health’s auditing authority over HIMS service providers
The Regulator
The regulator that enacted the Regulation and will be responsible for its implementation is the Ministry of Health (“Ministry”), and the Health Information Systems General Directorate of the Ministry (“General Directorate”) will be the responsible unit within the Ministry.
Key Definitions and Concepts
- Health Information Management Systems or
“HIMS” is defined as
“software referred to as Health Information Management
Systems, which are used by health service providers for clinical,
administrative or managerial purposes, which are capable of
exchanging data with other information management systems when
necessary.”
As the definition of HIMS is given in quite broad manner, the
companies providing IT outsourcing services to health care service
providers should determine whether their services fall within the
scope of HIMS.
- HIMS Service Provider is defined as
“natural or legal persons registered and authorized to
provide HIMS service in the Record Registry System“.
The Regulation states that the HIMS service provider will be
positioned as a data processor in terms of the personal data they
process within the scope of the health service provided and
therefore, must fulfill the relevant obligations stipulated in the
personal data protection legislation.
- Health Care Service Providers:
Although the Regulation does not define health care service
providers, the definition can be derived from the Regulation on the
Cascading of Health Service Providers, which is listed below.
“Primary health care service providers are health
institutions that provide outpatient or inpatient diagnosis and
treatment as defined in the relevant legislation”
“Secondary health care service providers are health
institutions that provide outpatient or inpatient diagnosis,
treatment and rehabilitation services as defined in the relevant
legislation”.
“Tertiary health care service providers are high-level
health service providers that have high technology and/or have the
infrastructure to provide training and research services for
diseases that require advanced examination and special treatment
defined in the relevant legislation”.
- KTS: “Record Registration
System”
The KTS was previously introduced and is currently operational under the HIMS Circular. The HIMS service providers registered with KTS as of today are listed under the active list [1] published online.
KTS Registration Process
- Submission of Documents
According to the Regulation, HIMS service providers are required to register with the KTS in order to conduct their services. To initiate the registration procedure, HIMS service providers need to submit the documents listed below to the General Directorate via an official letter or registered electronic mail sent to the Ministry [2]:
- Official letter for application of registration,
- Copy of Trade Registry Gazette,
- Document indicating the Social Security Institution Workplace Registration Number,
- Balance sheet for the last 3 (three) years, which shall be approved by a tax office or a certified public accountant,
- Registration Certificate for Computer Programs and Databases, which is obtained from the Ministry of Culture and Tourism,
- TS ISO/IEC 27001 Certificate (Certificate for Information Security Management),
- 17021 Certificate of the firm issuing the TS ISO/IEC 27001 Certificate (Certificate for Conformity Assessment),
- TS ISO/IEC 15504 (Certificate for Software Process Improvement and Capability Determination) (at least level 2) or Capability Maturity Model Integration certificate (at least level 3),
- Signature Circular,
- List of Produced Software,
- Non-Disclosure Agreement,
- Apostille (for software produced abroad).
- Test of HIMS
Once the above-mentioned documents are approved by the Ministry,
the HIMS is subjected to certain tests, which are provided below,
that are focused on compliance with data submission and health
informatics standards:
- Sağlık.Net Online Data Submission Status
- HIMS Minimum Data Creation VEM Creation
- Data Submission Status According to ICD-O Standard
- Integration Status to Material Resources Management System
- Integration Status to Central Physician Appointment System
- Control of HIMS Screens by Path Sampling
- Official Registration to KTS and Following Steps
Once the registration process and the relevant tests are
completed, the HIMS service providers are included in the active
list and then announced on the publicly available website of the
Health Information Systems General Directorate of the Ministry
(“General Directorate“). Once a HIMS
service provider is added to the active list and announced, health
care providers will be able to procure services from the HIMS
service provider.
HIMS service providers in the active list may be audited. If the
deficiencies identified during these audits are not remedied within
a certain period of time, the provider will be placed on the
passive list and this process may ultimately result in complete
removal from the list.
Privacy and Localization
As mentioned, the Regulation has several crucial implications on
the sector players. In this regard, some important points to note
are:
- Data Processor Status: The Regulation
envisages that the HIMS service provider will be designated as a
data processor in terms of the personal data they process within
the scope of the health service they provide and therefore, must
fulfill the relevant obligations stipulated in the personal data
protection legislation. Given that the Regulation explicitly
foresees that the HIMS service providers are data processor, this
could be interpreted as a prohibition on HIMS service providers to
process the data they receive from health institutions for their
own purposes in a way that qualifies them as data controllers.
- Explicit Data Localization Requirement: Article 16 of the Regulation introduces an explicit data localization requirement for personal health data by stating that all personal health data [3] shall be stored within Türkiye and in a secure manner.
- Recording and transferring
data: In addition to above mentioned data
localization requirement, the Regulation also regulates
recording and transferring data. Accordingly, the
Regulation states that, data obtained within the scope of health
service provision and processes related to these services
cannot be recorded or transferred to any place other than
the data recording mediums of health service providers, central
health data systems of the Ministry or other data recording mediums
approved by the General Directorate.
- Data backup: It is regulated that the
HIMS service provider shall regularly take the database backups of
HIMS and save these backups in the mediums of the HIMS service
procurers or in the mediums determined by the Ministry, or
both.
- Anonymization: The
Regulation states that personal data may only be anonymized by the
HIMS service procurers. Additionally, personal data cannot be
anonymized by the HIMS service provider without the authorization
of the HIMS service procurers or the Ministry. If it is found out
that personal data is processed for different purposes after their
anonymization by the HIMS service provider, legal action is taken
within the framework of the provisions of the relevant legislation,
and especially of the Law on the Protection of Personal Data and
the Turkish Penal Code.
- Health care institutions providing service outside
the country: The Regulation foresees that health care
institutions providing service from outside of Türkiye are
subjected to the legislation of the country where they provide
services.
Noncompliance
As explained above, the registered HIMS service providers are
included in the active list and announced on the website of the
General Directorate. In this regard, the data mediums where
personal health data will be stored are audited and approved
remotely or on site by a commission established by the General
Directorate upon request.
Accordingly, in case noncompliance with data localization
requirements mentioned above is determined, the HIMS service
provider will be removed from KTS.
In such cases, from the date of removal from KTS, the software
access code of the HIMS service provider is deactivated within
three months at the latest (this period can be extended up to
six months). However, the HIMS service provider cannot provide
services to a new health care service provider until it is included
in the active list in KTS again.
Other Obligations and Significant Issues
- Main obligations
The Regulation sets forth certain obligations which HIMS service
providers have to comply with. The most prominent of these are:
- Registering with the KTS, in order to be able to operate in the health service provider.
- The obligation to comply with instructions and rules set by the Ministry.
- Ensuring certain measures are put into place for the sake of guaranteeing the continuity of health services and data security.
- Incident and log records
It is regulated that the HIMS service provider is responsible for taking the necessary measures to keep incident and log records produced in HIMSs, in the database mediums where HIMS data is stored, and in the software and hardware components within the scope of the HIMS’s responsibility for the services provided under the contract, in order to enable retrospective review in case of an information security breach. These incident and log records shall be kept by qualified electronic certificate service providers established in Türkiye or by being signed with a qualified time stamp provided by the General Directorate.
- Service procurement
HIMS service procurement processes within public health institutions are explained by detailing how the public procurement will be carried out and by listing the requested information and documents.
- Audit
The Ministry may audit, or have audited, the HIMS service provider, ex officio or upon complaint. Nevertheless, the Regulation foresees that the audit cannot go beyond the scope of the service provided under the responsibility of the HIMS service provider. In remote or on-site audits, the following matters are examined:
- Existence and singularity of the HIMS
- Compliance with the workflows and business rules determined by the General Directorate
- Integration with and data transmission to the Ministry’s central data systems
- Compliance with the standards set by the General Directorate
- Current VEM version compatibility and data transfer capability
- The registration status of the HIMS service provider with KTS
- Compliance with personal data protection legislation and information security regulations
When the Ministry deems it necessary, it performs or has performed security and penetration tests for HIMS. If the deficiencies identified during these audits are not remedied within a certain period of time, the provider will be placed on the passive list, and this process may ultimately result in complete removal from the list.
- Competence score
It is regulated that the HIMS service provider will be evaluated
with the aim of providing better quality, uninterrupted and sound
health service provision and the competence score assigned as a
result of this evaluation will be published on the website of the
General Directorate.
Enforcement Date
While the provision on incident and log records will enter into force on 25.08.2023 and the competence score provision will come into effect on 25.04.2024, the other provisions entered into force immediately, on 25.08.2022.
Footnotes
[1] https://kayittescil.saglik.gov.tr/TR-54929/aktif-hbys-listesi.html
[2] An explanation regarding these documents as well as certain templates can be found here (only available in Turkish).
[3] Please note that the Regulation only mentions “data” for the localization requirement, but it can be argued that “data” should be interpreted as “personal health data” when read in conjunction with the first sentence of Article 16(3), which limits the obligation to personal health data. However, if the term “data” is interpreted broadly, it is possible to conclude that all data entering the HIMS system and received from the health institution are subject to this localization requirement.
Article 16(3) of the Regulation: “The data environments where personal health data will be stored are audited and approved remotely or on site by a commission established by the General Directorate upon request. Data shall only be kept domestically and securely.”