Information systems for social welfare and health care under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare

Functional requirements apply to functions and data contents in the information system. The functional requirements are rooted in the substantive legislation governing social welfare and health care services, such as the Medicines Act and the Act on the Status and Rights of Patients. The functionalities and data contents required of information systems are described in detail in the THL document Classification of essential requirements (excel, thl.fi, in Finnish only). The purpose for which the information system is used determines which functionalities and data contents must be implemented in it.

The information system supplier must use the system form to describe the functionalities and data contents implemented in the system as appropriate for its purpose. If the system is in category A, the information system supplier must submit the system form:

• to Kela when signing up for the joint testing
• to the data security inspection body when signing up for data security assessment
• to Valvira when entering the information system in the Valvira information system database

If the system is in category B, the information system supplier must submit the system form to Valvira when entering the information system in the Valvira information system database. The minimum functional requirements for a category B information system are described in the profile Minimum functional requirements for systems intended for processing client or patient data issued by the National Institute for Health and Welfare (thl.fi, in Finnish only).

The details given on the system form must be up-to-date, correct and accurate as to the functionalities and data contents implemented in the system. 

See also

• THL Regulation 4/2021 on the classification and certification of information systems in social welfare and health care (pdf, thl.fi, in Finnish only) 
• THL Regulation 5/2021 on the essential functional and data security requirements for information systems in social welfare and health care (pdf, thl.fi, in Finnish only)
• THL Regulation 5/2021 Appendix 4 System form (excel, thl.fi, in Finnish only)

Interoperability means that information systems to be linked to the Kanta Services must store patient or client data in the Kanta Services in such a way that those data can be retrieved by and displayed in another information system. Transferring client and patient data between various service providers in social welfare and health care through the Kanta Services will only be possible if the information systems transferring data are interoperable. Interoperability requires that the information systems to be linked to the Kanta Services must be implemented according to nationally defined specifications. 

Interoperability is one of the essential requirements to be verified in the joint testing arranged by Kela that information systems in categories A2 and A3 must undergo. Kanta Services in category A3 are an exception, as they will not be separately joint tested. Further information on information system categories and classification can be found on the page Information system classification. 

After an acceptably completed joint testing, Kela will issue a joint testing statement and report to the information system supplier. Kela joint testing is a service provided free of charge.

Any questions concerning joint testing must be addressed to Kela Joint Testing at yhteistestaus@kanta.fi.

See also

• Kanta Services Specifications website (kanta.fi) 
• Kanta Services Testing website (kanta.fi)

Data security means that information systems used for processing client data in social welfare and patient data in health care comply with the national data security requirements relevant for their purpose in order to ensure the confidentiality, integrity and availability of client and patient data. The data security requirements for information systems are described in detail in the document Classification of essential requirements issued by the National Institute for Health and Welfare.

Confidentiality means that client and patient data can be accessed only by persons authorised to access them. In practice, confidentiality is ensured in a patient information system for instance by having the system verify that a care relationship exists before a user is allowed to access patient data.

Integrity means that client and patient data can only be amended by persons authorised to do so, which is verified for instance by the signature of the professional in question. Integrity also requires client and patient data to be up to date and unambiguous, meaning that there must be no discrepancies between the records in a patient information system and the corresponding records in the Kanta Services, for instance.

Availability means that client and patient data must be available to social welfare and health care personnel whenever they are needed. For instance, patient data stored in the Kanta Services must be retrievable by social welfare and health care service providers at all times. 

A data security audit must be performed on category A information systems to verify compliance with data security requirements. This audit is performed by a Traficom-approved data security inspection body, which will issue a data security certificate and report on an acceptably completed data security audit to the information system supplier. The data security certificate is valid for a maximum of three years, and its validity can be extended by a maximum of three years at a time.

The information system supplier may choose which Traficom-approved inspection body it will invite to perform the data security audit. A data security audit performed by a data security inspection body is a service for which a fee is charged. 

A data security audit performed by a data security inspection body is not required for category B information systems.Instead, the information system supplier is responsible for ensuring that the information system complies with the essential requirements relevant for its purpose. The information system supplier may choose to commission a data security audit by an inspection body for a category B information system. When registering a category B information system, the information system supplier must affirm that the information system is compliant with the essential requirements relevant for its purpose as per legislation and regulations on data security and privacy protection. The data security requirements for a category B information system are described in the profile Minimum functional requirements for systems intended for processing client or patient data issued by THL (excel, thl.fi, in Finnish only). 

See also

• Traficom-approved data security inspection bodies (traficom.fi)
• THL Regulation 5/2021 Appendix 4 System form (excel, thl.fi, in Finnish only)