Securing health data

Processing health data entails high risks for patient privacy. That is why healthcare providers must adequately secure this data, both on a technical and organisational level. Special standards help to comply with the rules.

Legal standards for securing health data

NEN 7510 is an example of a standard for information security in healthcare. The Dutch Data Protection Authority (DPA) or a court can use this standard as a benchmark when assessing whether a healthcare provider is taking sufficient security measures. Good security is a statutory obligation (Article 32 of the General Data Protection Regulation).

Other examples of standards for information security in healthcare are:

  • ISO 9001;
  • Harmonisation of Accreditation (“HKZ”) in Healthcare;
  • Harmonisation of Accreditation (“HKZ”) for Small Organisations.

Specific obligations can be found in legislation. For example:

  • Article 10 of the Act on Additional Provisions for the Processing of Personal Data in Healthcare (Wabvpz) allows the security requirements for the processing of the citizen service number (BSN) by healthcare providers to be laid down by ministerial regulation.
  • Article 3 of the Decree on electronic data processing by healthcare providers stipulates that a healthcare provider must follow NEN 7510 (information security management), NEN 7512 (trust basis for electronic data exchange) and NEN 7513 (logging of actions on electronic patient records) when using a healthcare information system or an electronic exchange system.

Health data in the cloud

No consent is required from patients to store their data in the cloud. However, there are things that healthcare providers must pay particular attention to:

  • Be critical of which cloud provider you choose.
  • If you use a cloud provider outside the European Union (EU), the GDPR's rules on transfers of personal data to third countries apply in addition.
  • Make arrangements in advance with the cloud provider to ensure that you continue to have access to the data if the cloud provider is taken over, goes bankrupt or if you want to terminate the collaboration.
  • Continue to monitor the cloud provider once the data is in the cloud.

For more information, see: Practical guide ‘Patient data in the cloud’ (in Dutch).

Sharing health data via email

Sharing health data via email is not prohibited. There are, however, other, more secure options for exchanging data with other healthcare providers.

If you do opt for email, you must be able to justify that choice properly, and you must ensure sufficient security of the message and its contents. The security obligation of Article 32 GDPR applies to this data exchange as well.

General rules for good security

In addition to consciously dealing with the above points, healthcare providers must comply with the general security rules set out in the GDPR.