ELGA Regulation Amendment 2015 – ELGA-VO-Nov 2015

Original Language Title: ELGA-Verordnungsnovelle 2015 – ELGA-VO-Nov 2015


373. Regulation of the Federal Minister of Health amending the ELGA Regulation 2015 (ELGA Regulation Amendment 2015 – ELGA-VO-Nov 2015)

On the basis of §§ 8 and 28 (2) of the Health Telematics Act 2012 (GTelG 2012), BGBl. I No. 111/2012, as amended by the DSG-Novelle 2014, BGBl. I No. 83/2013, the following is ordered:

The ELGA Regulation 2015, BGBl. II No 106/2015, shall be amended as follows:

1. In § 2, the following Z 2a is inserted after Z 2:

" 2a. "component availability": the availability of all functions of an ELGA component at the egress point of the operator's data centre. "

2. In § 2, the following Z 3a and Z 3b are inserted after Z 3:

" 3a. "security token": indirectly personal data structures that are used to ensure correct authentication

a) in the case of assignment (§ 14 para. 2 Z 1 lit. b GTelG 2012), or

b) within a certain period of time without a new identity check pursuant to § 18 para. 4 GTelG 2012 (§ 18 para. 6 GTelG 2012).

3b. "recovery point": the point in time of a backup copy in relation to the data to be backed up. "

3. In § 2, Z 6 reads:

" 6. "revocation": declaration of intent pursuant to § 15 para. 4 GTelG 2012 by which an objection (§ 2 Z 5) is reversed, regardless of whether

a) the objection was submitted in writing or electronically via the access portal before the revocation, and

b) the revocation relates to the entire objection or only to part of the objection (§ 2 Z 5). "

4. In § 4 (6), the parenthetical expression "(SigG)" is inserted after the word "Signature Act".

5. The following paragraph 8 is added to § 4:

"(8) An objection pursuant to § 15 para. 2 GTelG 2012 and a revocation pursuant to § 15 para. 4 GTelG 2012 may only be declared expressly."

6. The following paragraph 3 is added to § 11:

"(3) The activity report shall be transmitted for information to the ELGA system partners (§ 2 Z 11 GTelG 2012) and to the decentralised offices of the ELGA ombudsman office, and shall be published at www.bmg.gv.at."

7. § 13 (1) Z 3 and 4 read:

" 3. in writing by post by the ELGA participant, stating

a) the name and, where applicable, the academic degree of the ELGA participant,

b) the gender, date of birth and place of birth of the ELGA participant, and

c) the telephone number, address or e-mail address of the ELGA participant for queries, or

4. in writing by post by a representative, stating

a) the name and, where applicable, the academic degree of the representative,

b) the gender, date of birth and place of birth of the representative, and

c) the telephone number, address or e-mail address of the representative for queries. "

8. After § 13 (1), the following paragraphs 1a to 1c are inserted:

" (1a) A request sent by post to the ELGA ombudsman office must be accompanied by a copy of an official photo ID for the unambiguous identification of the ELGA participant. In addition, the request must be signed by hand.

(1b) In the case of representation,

1. proof of the representative's authority to represent, or of his or her capacity as professional party representative, shall be enclosed with the request sent by post to the ELGA ombudsman office,

2. a copy of the representative's official photo ID shall be enclosed for the unambiguous identification of the representative, and

3. the request shall be signed by hand by the representative.

(1c) A request made electronically without a qualified signature pursuant to § 2 Z 3a SigG is not suitable as proof of unambiguous identity. "

9. In § 16 (1), the version number "2.05" is replaced by the version number "2.06".

10. In § 16 (1) Z 6, the word "and" is replaced by a dash, in Z 7 the full stop is replaced by the word "and", and the following Z 8 is added:

" 8. Implementation Guide Nursing Situation Report (version 2.06). "

11. § 16 (2) to (4) read:

"(2) Medical documents and medication data shall contain all fields designated in the implementation guides with the conformity criteria "Mandatory" (M) and "Required" (R). The ELGA interoperability level results from the actual use of the fields designated in the implementation guides with the conformity criteria "Mandatory" (M) and "Required" (R).

(3) The implementation guides pursuant to paragraph 1, their checksums and their unique identifiers (OID pursuant to § 10 para. 5 GTelG 2012) shall be published by the Federal Minister of Health at www.gesundheit.gv.at.

(4) Updates concerning the conformity criteria "Mandatory" (M) and "Required" (R) ("major versions") shall be made available within the framework of this Regulation. Other updates ("minor versions") may be published at www.gesundheit.gv.at and used without an amendment of this Regulation. Major versions and implementation guides included in this Regulation for the first time may be used from the entry into force of this Regulation and shall be used at the latest after a transitional period of 18 months, insofar as this is required pursuant to paragraph 2. "

12. In § 17 (3), the paragraph designation "3" is replaced by the paragraph designation "2".

13. After § 17, the following §§ 17a to 17k are inserted together with their headings:

" Temporal availability

§ 17a. (1) In operating ELGA components (§ 24 GTelG 2012), care shall be taken to ensure that the availability of ELGA, in particular also outside the core period (para. 2 Z 1), is as high as possible.

(2) The operators of ELGA components (§ 24 GTelG 2012) shall ensure that

1. component availability (§ 2 Z 2a) during the core period, i.e. on working days which

a) are a Monday, Tuesday, Wednesday or Thursday, in the period from 8:30 am to 4:30 pm, or

b) are a Friday, in the period from 8:30 am to 1:30 pm,

is given at all times, with at most eleven hours of unavailability per calendar quarter, and

2. the response to faults and other requests is carried out as quickly as possible.

(3) The operators of ELGA components (§ 24 GTelG 2012) shall ensure that the period of time between two recovery points is as short as possible and in any case does not exceed 30 hours.

(4) The operators of ELGA components (§ 24 GTelG 2012) shall test the restoration of backed-up data at least once a year. This shall be documented in accordance with § 8 GTelG 2012.
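The two numeric limits in § 17a (the eleven core-period hours of unavailability per calendar quarter and the 30-hour maximum between recovery points) are the kind of thing an operator's monitoring should compute rather than estimate. The following Python is an added example, not part of the Regulation or of any ELGA operator's tooling: it intersects outage intervals with the recurring core windows of § 17a (2) Z 1 and checks backup timestamps against § 17a (3). The outage and recovery-point data are constructed, and the treatment of public holidays (which the Regulation does not list) is an assumption left to the caller.

```python
from datetime import date, datetime, time, timedelta

# Core period per § 17a (2) Z 1 (weekday 0 = Monday):
# Mon-Thu 08:30-16:30, Fri 08:30-13:30; Saturday and Sunday have no core period.
CORE_WINDOWS = {
    0: (time(8, 30), time(16, 30)),
    1: (time(8, 30), time(16, 30)),
    2: (time(8, 30), time(16, 30)),
    3: (time(8, 30), time(16, 30)),
    4: (time(8, 30), time(13, 30)),
}
MAX_CORE_OUTAGE_HOURS = 11.0         # § 17a (2) Z 1: per calendar quarter
MAX_RECOVERY_POINT_GAP_HOURS = 30.0  # § 17a (3)


def core_outage_hours(outages, holidays=frozenset()):
    """Sum the hours of each outage that fall inside the core period.

    outages:  iterable of (start, end) naive datetimes in local time, all
              taken from one calendar quarter.
    holidays: dates to treat as non-working days. The Regulation speaks of
              working days but lists no public holidays, so which dates to
              exclude is an assumption left to the caller.
    """
    total = timedelta()
    for start, end in outages:
        if end <= start:
            raise ValueError("outage end must be after its start")
        day = start.date()
        while day <= end.date():
            window = CORE_WINDOWS.get(day.weekday())
            if window is not None and day not in holidays:
                w_start = datetime.combine(day, window[0])
                w_end = datetime.combine(day, window[1])
                # Intersect the outage with this day's core window.
                overlap = min(end, w_end) - max(start, w_start)
                if overlap > timedelta():
                    total += overlap
            day += timedelta(days=1)
    return total.total_seconds() / 3600


def core_availability_ok(outages, holidays=frozenset()):
    """True if core-period unavailability stays within the eleven-hour cap."""
    return core_outage_hours(outages, holidays) <= MAX_CORE_OUTAGE_HOURS


def max_recovery_point_gap_hours(recovery_points):
    """Largest gap, in hours, between consecutive backup times."""
    points = sorted(recovery_points)
    if len(points) < 2:
        raise ValueError("at least two recovery points are needed")
    return max((b - a).total_seconds() / 3600 for a, b in zip(points, points[1:]))


def recovery_points_ok(recovery_points):
    """True if no two consecutive recovery points are more than 30 hours apart."""
    return max_recovery_point_gap_hours(recovery_points) <= MAX_RECOVERY_POINT_GAP_HOURS


# Constructed sample data for Q4 2015 (not taken from any real operator).
SAMPLE_OUTAGES = [
    (datetime(2015, 11, 28, 2, 0), datetime(2015, 11, 28, 6, 0)),  # Saturday: 0 h
    (datetime(2015, 12, 1, 7, 0), datetime(2015, 12, 1, 10, 0)),   # Tuesday: 1.5 h
    (datetime(2015, 12, 4, 12, 0), datetime(2015, 12, 7, 9, 0)),   # Fri 1.5 h + Mon 0.5 h
]
HOLIDAY_OUTAGE = [(datetime(2015, 12, 8, 9, 0), datetime(2015, 12, 8, 12, 0))]  # a Tuesday
SAMPLE_RECOVERY_POINTS = [
    datetime(2015, 12, 1, 1, 0),
    datetime(2015, 12, 2, 1, 0),
    datetime(2015, 12, 3, 12, 0),  # 35 h after the previous point: breaches § 17a (3)
]

if __name__ == "__main__":
    print("core-period outage hours:", core_outage_hours(SAMPLE_OUTAGES))
    print("within quarterly cap:", core_availability_ok(SAMPLE_OUTAGES))
    print("holiday outage, holiday not excluded:", core_outage_hours(HOLIDAY_OUTAGE))
    print("holiday outage, holiday excluded:",
          core_outage_hours(HOLIDAY_OUTAGE, {date(2015, 12, 8)}))
    print("largest recovery-point gap (h):", max_recovery_point_gap_hours(SAMPLE_RECOVERY_POINTS))
```

The day-by-day loop deliberately walks multi-day outages across weekends, so an incident starting Friday afternoon and fixed Monday morning is charged only the Friday and Monday core minutes it actually consumed.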

Security requirements and access protection

§ 17b. (1) In order to meet the security requirements and to ensure the necessary access protection, the following shall be complied with:

1. organisational security requirements (§§ 17c to 17e),

2. technical security requirements (§ 17f),

3. security requirements for authentication (§ 17g),

4. security requirements for test environments (§ 17h),

5. structural security requirements (§ 17i), and

6. security requirements for personnel (§ 17j).

(2) The operators of ELGA components (§ 24 GTelG 2012) shall

1. comply with the security requirements laid down in §§ 17c to 17j also with regard to all services required for communication between ELGA components (§ 24 GTelG 2012), and

2. monitor compliance with these security requirements on an ongoing basis.

Information security officer

§ 17c. (1) The operators of ELGA components (§ 24 GTelG 2012) shall appoint an information security officer from among their employees.

(2) Employees shall report security incidents and problems that directly or indirectly endanger ELGA without delay to the information security officer, who shall, where necessary, communicate this information to the information security officers of other operators.

(3) The operators of ELGA components (§ 24 GTelG 2012) may also exchange the following information with coordination networks for IT security that are operated by contracting authorities of the public sector (§ 5 DSG 2000):

1. warnings of security vulnerabilities, and

2. solutions for closing security gaps.

Risk management

§ 17d. (1) All operators of ELGA components (§ 24 GTelG 2012) are obliged to operate a risk management system.

(2) Risk management shall include in particular:

1. the identification of security risks,

2. the assessment of security risks,

3. the appropriate response to security risks, and

4. the documentation of the response in accordance with § 8 GTelG 2012.

Security requirements for processes

§ 17e. (1) The operators of ELGA components (§ 24 GTelG 2012) shall participate in the ticket system of the service line (§ 8). The service line (§ 8) shall be attended to as efficiently as possible.

(2) The operators of ELGA components (§ 24 GTelG 2012) shall document, in accordance with § 8 GTelG 2012, the operating processes for

1. the recording of IT security incidents,

2. the response to IT security problems,

3. changes to the technical infrastructure of ELGA components,

4. the integration and roll-out of new software,

5. the authentication of users, and

6. the maintenance of operational continuity.

Technical security requirements

§ 17f. (1) The operators of ELGA components (§ 24 GTelG 2012) shall ensure that the software used for ELGA purposes is kept up to date.

(2) The operators of ELGA components (§ 24 GTelG 2012) shall ensure, by appropriate technical measures, that the data they pass on are free of viruses and other malware.

(3) When passing on health data to operators of ELGA components (§ 24 GTelG 2012), ELGA health service providers and operators of ELGA components (§ 24 GTelG 2012) may only use certificates issued by those operators.

(4) The operators of ELGA components (§ 24 GTelG 2012) shall document the issuance provisions for the certificates referred to in paragraph 3 in accordance with § 8 GTelG 2012.

(5) The operators of ELGA components (§ 24 GTelG 2012) shall guarantee the time synchronisation of the ELGA components.

(6) Data carriers and documents to be disposed of shall be destroyed in such a way that they can no longer be read. The method used shall be documented in accordance with § 8 GTelG 2012.

(7) Terminal equipment through which ELGA can be used shall be protected against unauthorised access and use.

Security requirements for authentication

§ 17g. (1) Indirectly personal security tokens (§ 2 Z 3a) may be used to ensure that authentication has already taken place.

(2) The security token referred to in paragraph 1 shall contain the following data types:

1. the unique identifier of the software service that issued the security token,

2. the date and time of the identity determination,

3. the sector-specific identifier "GH" or a unique identifier (OID) of the ELGA health service provider,

4. the sector-specific identifier "GH" or a unique identifier of the ELGA participant,

5. the quality of identification, and

6. the status of the security token.

(3) Security tokens may be valid

1. in networks pursuant to § 6 para. 1 Z 1 GTelG 2012 for no longer than four hours, and

2. in all other networks for no longer than 20 minutes.
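§ 17g fixes both the content of a security token (six data types) and its maximum lifetime (four hours in networks pursuant to § 6 para. 1 Z 1 GTelG 2012, twenty minutes elsewhere). The following Python is an added example, not code from the Regulation or from the ELGA project, showing how a relying component could check an incoming token against those two requirements. The field names, the literal "active" as the usable status, and counting validity from the identity-determination timestamp (the only timestamp § 17g (2) requires) are this example's assumptions; the sample token values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Maximum validity per § 17g (3): four hours in networks pursuant to
# § 6 para. 1 Z 1 GTelG 2012, twenty minutes in all other networks.
TRUSTED_NETWORK_TTL = timedelta(hours=4)
OTHER_NETWORK_TTL = timedelta(minutes=20)

# Assumption: the status field (Z 6) carries the literal "active" for a usable
# token; the Regulation only requires that a status be present.
ACTIVE_STATUS = "active"


@dataclass(frozen=True)
class SecurityToken:
    """The six data types of § 17g (2); the field names are this example's own."""
    issuer_id: str               # Z 1: identifier of the issuing software service
    identified_at: datetime      # Z 2: date and time of identity determination
    provider_id: str             # Z 3: "GH" identifier or OID of the health service provider
    participant_id: str          # Z 4: "GH" identifier of the ELGA participant
    identification_quality: str  # Z 5: quality of identification
    status: str                  # Z 6: status of the token


def token_findings(token, now, trusted_network):
    """Return a list of findings; an empty list means the token is acceptable.

    Assumption: validity is counted from the identity-determination time (Z 2),
    since that is the only timestamp the Regulation requires the token to carry.
    """
    findings = []
    for name in ("issuer_id", "provider_id", "participant_id",
                 "identification_quality", "status"):
        if not getattr(token, name):
            findings.append(f"missing {name}")
    if token.status != ACTIVE_STATUS:
        findings.append(f"status is {token.status!r}, not {ACTIVE_STATUS!r}")
    if token.identified_at > now:
        findings.append("identity determination time lies in the future")
    ttl = TRUSTED_NETWORK_TTL if trusted_network else OTHER_NETWORK_TTL
    age = now - token.identified_at
    if age > ttl:
        findings.append(f"token age {age} exceeds the permitted {ttl}")
    return findings


def token_is_valid(token, now, trusted_network):
    """Convenience wrapper: True when token_findings() reports nothing."""
    return not token_findings(token, now, trusted_network)


# Constructed sample token; the identifiers are placeholders, not real ELGA values.
SAMPLE_TOKEN = SecurityToken(
    issuer_id="urn:example:elga-auth-service",
    identified_at=datetime(2015, 11, 27, 10, 0),
    provider_id="GH:provider-placeholder",
    participant_id="GH:participant-placeholder",
    identification_quality="card-based",
    status=ACTIVE_STATUS,
)


def sample_validity(minutes_after, trusted_network):
    """Validity of SAMPLE_TOKEN the given number of minutes after identification."""
    now = SAMPLE_TOKEN.identified_at + timedelta(minutes=minutes_after)
    return token_is_valid(SAMPLE_TOKEN, now, trusted_network)


if __name__ == "__main__":
    for minutes in (15, 120, 300):
        print(f"{minutes:>3} min after identification: "
              f"trusted network={sample_validity(minutes, True)}, "
              f"other network={sample_validity(minutes, False)}")
```

Whether a given network falls under § 6 para. 1 Z 1 GTelG 2012 is a decision the deployment has to make once and pass in as the `trusted_network` flag; the check itself never widens the lifetime beyond the two limits the Regulation sets.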

Security requirements for test environments

§ 17h. (1) The use of ELGA for test purposes must not be carried out with personal data of persons pursuant to § 15 para. 1 Z 1 GTelG 2012.

(2) Test systems must be separated from production systems. Replicating production systems for the purpose of troubleshooting and for ensuring data quality and operational stability is permitted.

Structural security requirements

§ 17i. The operators of ELGA components (§ 24 GTelG 2012) shall ensure that

1. all means of access to premises in which technical infrastructure of ELGA components (§ 24 GTelG 2012) is located are monitored in accordance with the state of the art, and

2. appropriate structural and technical protection against burglary exists for premises within the meaning of Z 1.

Security requirements for personnel

§ 17j. (1) The operators of ELGA components (§ 24 GTelG 2012) shall

1. instruct their employees on the relevant legal provisions,

2. ensure by technical means that health data are not used outside the permitted roles,

3. ensure that, when granting user rights, employees are assigned only roles that are not mutually exclusive, and

4. ensure, on the departure or change of employees, that their rights are fully revoked.

(2) Where authentication data are passed on, the person who passed on the authentication data is liable.

(3) On termination of the activity, all operating resources that may contain ELGA health data shall be returned.

(4) The employees of the operators of ELGA components (§ 24 GTelG 2012) are obliged to maintain secrecy about all facts entrusted to them, or that became known to them, in the exercise of their profession. This obligation continues to exist after the end of their activity with the respective operator. In particular, compliance with the principles for the use of data pursuant to § 6 DSG 2000 and with the data security measures pursuant to § 14 DSG 2000 shall be ensured.

Notification

§ 17k. (1) Prior to commencing the operation of data storage and reference registers, the following shall be notified to the Federal Minister of Health:

1. the name or names of the operator,

2. the name of the legal entity, where the operator is not a natural person,

3. the operator's identification data, including the unique electronic identifiers pursuant to § 8 E-GovG,

4. information on the operator's professional, postal and electronic reachability,

5. the names and contact details of the persons authorised by the operator who may apply for the issuance of certificates pursuant to § 17f (3) on behalf of the operator, and

6. information on the geographical location of the operator.

(2) The notification pursuant to paragraph 1 shall be attached to the IT security concept pursuant to § 8 GTelG 2012.

(3) The Federal Minister of Health shall prohibit the operation of data storage and reference registers pursuant to § 24 (2) GTelG 2012 if the requirements of this Regulation are not complied with.

(4) Proceedings concerning a prohibition pursuant to paragraph 3 are subject to the General Administrative Procedure Act 1991, BGBl. No 51/1991. "

14. In § 18 (5), the phrase "as well as the legal representations of interests pursuant to paragraph 4 of the Annex to this Regulation" is inserted after the phrase "Pattern for a hang".

15. In § 19, the phrase "their children" is replaced by the phrase "of children for whom they are entitled to care".

16. In § 21, the following paragraph 1a is inserted after paragraph 1:

"(1a) ELGA health data according to § 16 (1) Z 8 are not covered by the obligation pursuant to paragraph 1."

17. In § 21, the following paragraph 8 is inserted after paragraph 7:

" (8) Until the end of the 30. notifications pursuant to § 17k (1) shall be deemed complete even if they do not meet the requirements of § 17k (2). "

18. In § 22, the following paragraph 1a is inserted after paragraph 1:

" (1a) § 2 Z 2a, 3a, 3b and 6, § 4 para. 6 and 8, § 11 para. 3, § 13 para. 1 Z 3 and 4 as well as para. 1a to 1c, § 16, § 17 para. 3, §§ 17a to 17k together with their headings, § 18 para. 5, § 19, § 21 para. 1a and 8, § 23 and the Annex, in the version of the ELGA Regulation Amendment 2015, BGBl. II No. 373/2015, enter into force on 27 November 2015. "

19. In § 23, the phrase "under notification number 2014/629/A" is replaced by the phrase "under notification numbers 2014/629/A and 2015/414/A".

20. After § 23, the following Annex is attached:

Annex

Oberhauser