Thông tư 53/2014/TT-BYT

CIRCULAR

ON REQUIREMENTS FOR PROVISION OF ONLINE HEALTHCARE SERVICES

Pursuant to the Law on Information Technology dated June 29, 2006;

Pursuant to the Government’s Decree No. 63/2012/ND-CP dated August 31, 2012 defining functions, tasks, entitlements and organizational structure of the Ministry of Finance;

At the request of the Director of Department of Information Technology;

The Minister of Health promulgates a Circular on requirements for provision of online healthcare services.

Article 1. Scope and regulated entities

1. This Circular deals with requirements for provision of online healthcare services in terms of information technology infrastructure, information security assurance, human resources and application of information technology.

2. This Circular applies to organizations and individuals involved in development and provision of online healthcare services in the territory of Vietnam (hereinafter referred to as “providers”).

Article 2. Definitions

For the purposes of this Circular, the terms below shall be construed as follows:

1. “health activities” include citizens’ health protection, improvement, and care in terms of preventive healthcare; medical examination and treatment and functional rehabilitation; medical survey, forensic medicine, forensic psychiatry; traditional medicine; reproductive health; medical devices; pharmacy; cosmetics; food safety; health insurance; population - family planning.

2. “online healthcare services” mean provision, transmission, collection, processing, storage and exchange of health information using information technology.

3. “HL 7 standard (Health Level 7)” means a set of international standards that provides a protocol for the management, exchange and integration of health data between health information systems to serve health activities.

4. “HL7 CDA standard (Health Level 7 Clinical Document Architecture)” means a document that specifies the structure and semantics of clinical data for the purpose of data exchange between interested parties.

5. “DICOM - Digital Imaging and Communications in Medicine” means an international standard for exchanging, storing, receiving, printing and sharing digital imaging between medical devices and health information system.

6. “ISO/IEEE 11073” means a family of ISO (International Organization for Standardization), IEEE (Institute of Electrical and Electronics Engineers), and CEN (European Committee for Standardization) joint standards to determine a protocol for connection, communication and exchange of data between applications and medical devices.

7. “SDMX” means an ISO/TS 17369:2005 standard for exchanging statistical data and metadata between units and organizations.

8. “SD MX-HD” means a standard that is established by the World Health Organization according to SDMX standard /TS 17369:2005 to assist health facilities in exchanging and sharing medical indicators and statistical metadata.

Article 3. Requirements for information technology infrastructure

1. Services provided using server and system software:

a) Ensure server infrastructure and associated equipment deliver sufficient performance and efficiency, and data processing and retrieval speed to satisfy requirements for provision of online healthcare services;

b) Ensure the server system operates in a highly available manner and provides a flexible backup for continuous operation.

c) Ensure the operating system and system software installed on servers are legit or have clear origin.

2. Network system:

a) Network system (telecommunications network, internet, wide area network, local area network, other connections) is designed and implemented in an appropriate manner, and includes bandwidth. In case of using telecommunications network, all rights and obligations prescribed in Article 16 of the Law on Telecommunications must be exercised and fulfilled.

b) Network equipment and network monitoring and analysis software must be legit or have clear origin;

c) Backup plan must be available to ensure operation of the network system.

3. Database:

a) Database used for provision of online healthcare services must be stable and be able to process and necessary data;

b) Database management system shall have clear origin or use open-source database widely used in the country and the world.

4. Workstation: there must be enough workstation with appropriate configuration suitable for online healthcare services.

Article 4. Requirements for information security assurance

1. Policies on information security must be formulated in accordance with regulations on ensuring security of State and the provider’s own information technology system.

2. Network system security:

a) Technical measures must be available to control access to the network system;

b) Measures for intrusion detection and prevention, and malicious code prevention must be available;

c) System patches and equipment’s configuration must be updated on a periodic basis;

d) Information security must be ensured when workstations are connected to network resources.

dd) Physical security at the location of the server systems must be ensured;

e) Network equipment, security equipment, antivirus software, network monitoring and analysis tools that are installed within the provider’s network must have clear origin.

3. Application software security

a) There must be regulations on error logging and error handling process, especially errors in assurance of security in checking and testing application software;

b) There must be software versions, including the source program that needs to be managed in a centralized manner, stored and secured. There must be regulations on granting privileges to each user to manipulate files;

c) Periodic plan for source code verification must be formulated to prevent malicious codes and vulnerabilities;

d) The application software vendor must undertake that its product contains no malicious code.

4. Data security:

a) There must be regulations on protecting and granting privileges to access database resources;

b) Access to database and actions performed on database configuration must be logged;

c) Where necessary, backup and data recovery plan must be formulated;

b) Proper encryption algorithms must be used to ensure security and processing capacity of the system;

dd) Database management system patches must be reviewed and updated on a periodic basis and according to the manufacturer’s recommendations;

e) Database attack prevention measures must be available.

5. Breakdown management:

a) There must be procedures for breakdown management, specifying responsibilities of relevant departments and steps and informing users and information technology system operators. In case the information technology infrastructure is outsourced, the service provider must offer breakdown handling procedures.

b) Breakdown and remedial measures for breakdown handling procedures must be reviewed and updated on a periodic basis;

c) Technical solutions must be adopted to promptly detect and deal with network system attacks.

d) There must be measures for preventing technology risks and disasters in a systematic manner to minimize risks in provision of online healthcare services.

Article 5. Requirements for human resources

1. Information technology personnel must be sufficient (in terms of quantity and qualification) to provide online healthcare services.

2. Regarding health facilities of special grade or grade 1 and medical universities, there must be an information technology department at least 5 persons, at least 60% of whom have an associate degree in information technology or higher.

3. Regarding health facilities of grade 2 or grade 3, there must be an information technology team at least 3 persons of whom has an intermediate professional education diploma in information technology or higher.

4. Advanced IT training must be provided for personnel involved in provision of online healthcare services.

5. In case of personnel outsourcing, the outsourced personnel must satisfy qualification requirements. The contract must contain their commitment to comply with Clause 5, Article 6 of this Circular.

Article 6. Requirements for information technology application

1. Requirements for information technology infrastructure specified in Article 3 of this Circular shall be satisfied.

2. Professional procedures shall be standardized to ensure effective application of information technology to provision of online healthcare services.

3. National and international standards shall be applied during design of information technology applications:

a) HL7 standard (HL7 version 2.x messaging, HL7 version 3 messaging, clinical documentation architecture (CDA);

b) DICOM;

c) ISO/IEEE 11073;

d) SDMX-HD;

dd) Standards issued together with the Circular No. 22/2013/BTTTT dated December 23, 2013 of the Minister of Information and Communications.

4. There must be regulations on management and application of information technology by the provider.

5. Patient data must be used in a manner that ensures patient's privacy in accordance with regulations of the Law on Medical Examination and Treatment.

6. Digital signature and digital certificate shall be used in accordance with regulations of the Government’s Decree No. 26/2007/ND-CP Government's Decree No.106/2011/ND-CP and Government’s Decree No. 170/2013/ND-CP.

7. Electronic medical records shall be made, retained and used as prescribed in Article 59 of the Law on Medical Examination and Treatment.

8. In case of outsourcing information technology application services, there must be a contract containing each party’s commitment to legally use information and responsibilities for breakdown occurrence.

Article 7. Effect

This Circular comes into force from March 01, 2015.

Article 8. Transitional clause

The entities that started to provide online healthcare services before the effective date of this Circular must fulfill the requirements specified in this Circular before January 01, 2017.

Article 9. Reference clause

In the cases where any of the legislative documents referred to in this Circular is amended or replaced, the newest one shall apply.

Article 10. Implementation

1. The Department of Information Technology - the Ministry of Health shall direct, provide guidance and inspect implementation of this Circular nationwide.

2. The Department of Health shall direct, provide guidance and inspect implementation of this Circular within its area.

3. Relevant entities shall establish and standardize professional procedures for provision of online healthcare services at the entities.

Difficulties that arise during implementation should be promptly reported to the Ministry of Health (the Department of Information Technology)./.