Key Benefits:
305. Ordinance of the Federal Minister of Health for the Documentation in the Outpatient Sector
According to § 4 para. 2, § 5a (2) and § 6g of the Federal Act on Documentation in Health Care, BGBl. No 745/1996, as last amended by the Federal Law Gazette (BGBl). I No 81/2013, shall be arranged:
Section 1
General
§ 1. (1) This Regulation shall apply to data transfers to the outpatient sector in accordance with the main item B of the Federal Act on Documentation in the Health Care System. It shall be
| 1. |
the data transmissions in the intramural outpatient area |
|||||||||
| a) |
between national fund-financed hospitals (hospitals), the SV-bearers, the main association of the Austrian social insurance institutions (hereinafter the main association) and the Federal Ministry of Health, as well as |
|||||||||
| b) |
between hospitals, the State Health Fund and the Federal Ministry of Health, as well as |
|||||||||
| 2. |
the data transfer in the extramural outpatient area between the SV-bearers, the main association and the Federal Ministry of Health |
|||||||||
| , |
||||||||||
(2) This Regulation shall not apply to the data transfers between service providers in the extramural outpatient sector and the SV carriers.
Section 2
Data transmission and breakdown of characteristics
§ 2. All data transmissions have to be encrypted. In addition, the data transfer between the State Health Fund and the Federal Ministry of Health has been transferred via an Internet application run by the Federal Ministry of Health and the data transmission between the main association of the The Austrian Social Security Agency (Hauptverband) as well as the pseudonymisation office established at the Hauptverband (main association) and the Federal Ministry of Health (Federal Ministry of Health) are to be carried out via the SV data hub.
§ 3. The data transfers shall be in accordance with the requirements of Appendix 1.
§ 4. (1) The data transfers shall consist of the following types of records according to Appendix 2 and the content (features) specified therein, in accordance with the conditions set out in paragraphs 2 to 5:
| 1. |
Set type A01: Contact-Basic data, |
|||||||||
| 2. |
Set-type A02: Diagnoses, provided that this is provided for in the framework of model projects of the Federal Health Agency and these are published on the website of the Federal Ministry of Health, |
|||||||||
| 3. |
Subtype A03: Benefits, |
|||||||||
| 4. |
Record type L01: master data provider/provider, |
|||||||||
| 5. |
Record type P01: pseudonym performance provider, |
|||||||||
| 6. |
Record type P02: pseudonym nominee/beneficiary and |
|||||||||
| 7. |
Record type S01: Test and summary record. |
|||||||||
| The content of the content (characteristics) must be in accordance with the provisions of Appendix 3. |
||||||||||
(2) The data transfer between the institutions of hospitals which are settled via Landeshealthfonds (Fonds-KA), and the State Health Fund according to § 6a of the Federal Act on Documentation in the Health Care System has the record types A01, A02, A03 and S01 in any case for all contacts of non-stationary beneficiaries/beneficiaries.
(3) The data transfer between the State Health Fund and the Federal Ministry of Health pursuant to Section 6b of the Federal Law on Documentation in the Health Care System has in any case the record types A01, A02, A03 and S01 for all contacts of non-stationary benefit recipients/beneficiaries.
(4) The data transfer between the main association and the Federal Ministry of Health pursuant to § 6c of the Federal Act on the Documentation in the Health Care System has for the extramural outpatient area the record types A01, A02, A03, L01 and S01 to .
(5) The data transfer between the pseudonymisation office established at the main association and the Federal Ministry of Health pursuant to § 6c of the Federal Act on Documentation in the Health Care System has for the extramural outpatient area include the record types P01, P02 as well as S01 and for the intramural outpatient area the record types P02 as well as S01.
§ 5. (1) In the event of missing data from a quarter, these data shall be transmitted at the next possible date together with one of the following quarterly reports.
(2) In the case of data to be subsequently corrected for a quarter, the corresponding quarterly report shall be corrected and shall be transmitted immediately to the fullest extent.
(3) In the case of data to be subsequently deleted from a quarter, the corresponding quarterly report must be cleaned up and transmitted again immediately to the fullest extent.
Section 3
Generation of the pseudonyms as well as the technical and organizational framework conditions for the pseudonymifications
§ 6. (1) The pseudonym of the service provider/provider of services shall be based on the HMAC algorithm from the contract partner identifier of the service provider/provider in the social security system within a hardware security module (HSM) and then encrypt within the HSM.
(2) The pseudonym of the beneficiary/beneficiary is to be found by means of the HMAC algorithm from the area-specific personal identifier (bPK) for the area of health documentation (GH-GD) within a hardware security module (HSM). and then encrypt within the HSM.
(3) The first configuration of the HSM has to be found in the premises of the pseudonymisation office established at the main association (serving as a data protection service officer) in the presence of a representative of the Federal Ministry for Health (as a data protection adjudicating entity) and under the supervision of a confirmation body according to § 19 of the Signature Act. The entire process is to be logged.
(4) After the initial configuration in accordance with paragraph 3, the backup copy of the cryptographic keys used shall be handed over to a confirmation office in accordance with § 19 of the Signature Act and shall be kept safe and secret by this law. The backup copy may only be used on behalf of the Federal Minister for Health and for the following purposes:
| 1. |
to restore the configuration of an HSM in the case of a fault, and |
|||||||||
| 2. |
for additional required HSM configurations (extension case). |
|||||||||
These configurations are available on the premises of the pseudonymisation body established at the main association, with the presence of a representative of the Federal Ministry of Health and under the supervision of a confirmation body in accordance with Section 19 of the Signature Act. The entire process is to be logged.
§ 7. (1) Compliance with data protection in the context of pseudonymisation and related processes must be verified and confirmed by an independent/independent external/external reviewer/reviewer at regular audits.
(2) An audit is to be carried out for the first time prior to the beginning of the pseudonymisations in accordance with § 6 and subsequently, at least every two years, on a regular basis.
(3) The pseudonymisation body established at the main association shall support the conduct of the audits by its own staff and ensure that the external reviewer/reviewer has access to all of the audits for the performance of the audits required information.
(4) The selection and the assignment of the external reviewer/reviewer shall be made by the Federal Ministry of Health.
Section 4
One-way derivation (hashed) of the record ID
§ 8. As an algorithm for the one-way derivative (hash-derivation) of the non-rechargeable record ID from the recording number, or the serial number according to § § 6b and 6c of the Federal Act on Documentation in the Health Care System is to use the cryptological hash function SHA-256.
Section 5
Data security measures
§ 9. (1) All institutions involved in reporting on the outpatient sector shall, on the basis of an IT security concept, document all data security measures taken pursuant to § 14 DSG 2000 and the provisions of this Federal Act. This documentation must show that both access and disclosure of the data are properly carried out and that the data are not accessible to unauthorized persons.
(2) Confidentiality in the electronic transmission of health data shall be ensured by ensuring that the electronic transmission of health data is carried out through networks in accordance with the state of the art in the Network security against unauthorised access is secured by at least
| 1. |
the protection of data traffic by means of cryptographic or structural measures, |
|||||||||
| 2. |
Access to the network exclusively for a closed or discernible user group and |
|||||||||
| 3. |
the authentication of the users |
|||||||||
| . |
||||||||||
(3) Access to the raw data contained in the Data Warehouse DIAG (Section 4 (3) of the Federal Law on Documentation in Health Care), including the stored pseudonyms pursuant to § 5a (1) (1) (1) and (6c) (1) (2) of the Federal Act on The documentation in the health care system, is only permitted for the persons employed in the Federal Ministry of Health directly with the production and maintenance of the DIAG. The persons authorized for the use of the DIAG for analytical purposes have no access to the raw data contained and to the stored pseudonyms in accordance with § 5a (1) (1) (1) and (6c) (1) (2) of the Federal Act on Documentation in the Health Sector.
(4) Each institution involved in the reporting system via the outpatient sector has demonstrably ensured that each of the employees/employees entitled to access the information shall be provided prior to the access to the data or data. issued a declaration of confidentiality prior to the use of the DIAG.
6.
Entry into force and transitional provisions
§ 10. (1) This Regulation shall be applied for the first time to the data reports for the reference year 2014.
(2) By way of derogation from paragraph 1, this Regulation shall apply to data reports within the framework of model projects of the Federal Health Agency already for the reference year 2013. These are the data for the data message to the 1. Quarter 2013 related record types P01 (pseudonym performance providers/performers) and P02 (pseudonym nominee/beneficiary) from the pseudonymisation site established at the main association at the latest together with the Data reporting for the second quarter of 2013 to the Federal Ministry of Health to be transmitted.
(3) With the entry into force of this Regulation, the Ordinance of the Federal Minister of Health on the implementation of § § 6 and 9 of the Federal Act on Documentation in the Health Care (Health Documentation Law Implementing Regulation) shall enter into force. BGBl. II No 202/2010).
Stöger
