373. Regulation of the Federal Minister of Health amending the ELGA Regulation 2015 (ELGA Regulation Amendment 2015 - ELGA-VO-Nov 2015)
On the basis of §§ 8 and 28 para 2 of the Health Telematics Act 2012 (GTelG 2012), Federal Law Gazette I No. 111/2012, as amended by the DSG Amendment 2014, Federal Law Gazette I No. 83/2013, the following is ordered:
The ELGA Regulation 2015, Federal Law Gazette II No. 106/2015, is amended as follows:
1. In § 2, the following Z 2a is inserted after Z 2:
"2a. "Component availability": the availability of all functions of an ELGA component at the output of the operator's data centre."
2. In § 2, the following Z 3a and Z 3b are inserted after Z 3:
"3a. "Security token": indirectly personal data structures that ensure correct authentication, a) for the assignment (§ 14 para 2 Z 1 lit. b GTelG 2012) or b) within a period specified in § 18 para 4 GTelG 2012 without renewed identity verification (§ 18 para 6 GTelG 2012).
3b. "Restore point": the point in time of a backup copy of the data to be backed up."
3. In § 2, Z 6 reads:
"6. "Revocation": a declaration of intent pursuant to § 15 para 4 GTelG 2012 by which an objection (§ 2 Z 5) is reversed, regardless of whether it a) was submitted in writing to the objection office or electronically via the access portal and b) refers to the entire objection or to a part of the objection (§ 2 Z 5)."
4. In § 4 para 6, the parenthetical expression "(SigG)" is inserted after the word "Law".
5. The following para 8 is added to § 4:
"(8) Objections pursuant to § 15 para 2 GTelG 2012 and revocations pursuant to § 15 para 4 GTelG 2012 may only be declared explicitly."
6. The following para 3 is added to § 11:
"(3) The activity report is to be forwarded to the ELGA system partners (§ 2 Z 11 GTelG 2012) and to the branch offices of the ELGA Ombudsman's Office for information, and is to be published at www.bmg.gv.at."
7. § 13 para 1 Z 3 and 4 read:
"3. in writing by post by ELGA participants, stating a) the name and any academic degrees of the ELGA participant, b) the gender, date of birth and place of birth of the ELGA participant, and c) the telephone number, address or e-mail address of the ELGA participant for queries, or 4. in writing by post by representatives, stating a) the name and any academic degrees of the representative, b) the gender, date of birth and place of birth of the representative, and c) the telephone number, address or e-mail address of the representative for queries."
8. After § 13 para 1, the following paras 1a to 1c are inserted:
"(1a) A request delivered by post to the ELGA Ombudsman's Office must be accompanied by a copy of an official photo ID for the unique identification of the ELGA participant. The request must additionally be signed by hand.
(1b) In the case of representation,
1. proof of the power of attorney or of the status as professional party representative must be enclosed with the request delivered by post to the ELGA Ombudsman's Office, 2. a copy of the representative's official photo ID must be enclosed for the unique identification of the representative, and 3. the request must be signed by hand by the representative.
(1c) A request submitted electronically without a qualified signature pursuant to § 2 Z 3a SigG is not suitable for proving unique identity."
9. In § 16 para 1, the version number "2.05" is replaced by the version number "2.06".
10. In § 16 para 1, in Z 6 the word "and" is replaced by a comma, in Z 7 the full stop is replaced by the word "and", and the following Z 8 is added:
"8. Implementation guideline care situation report (version 2.06)."
11. § 16 paras 2 to 4 read:
"(2) Medical documents and medication data must contain all fields designated in the implementation guidelines with the conformity criteria "Mandatory" (M) and "Required" (R). The level of ELGA interoperability results from the actual use of the fields designated in the implementation guidelines with the conformity criteria "Mandatory" (M) and "Required" (R).
(3) The implementation guidelines referred to in para 1, their checksums and their unique identifiers (OID pursuant to § 10 para 5 GTelG 2012) are to be published by the Federal Minister of Health at www.gesundheit.gv.at.
(4) Updates that affect the conformity criteria "Mandatory" (M) and "Required" (R) ("major releases") are published within the framework of this regulation. Other updates ("minor releases") may be published at www.gesundheit.gv.at without amending this regulation and may be used. Major versions and implementation guidelines included in this regulation for the first time may be used upon entry into force of this regulation and must be used at the latest after a transitional period of 18 months, where applicable in accordance with para 2."
12. In § 17 para 3, the digit "3" is replaced by the digit "2".
13. After § 17, the following §§ 17a to 17k including headings are added:
§ 17a. (1) In the operation of ELGA components (§ 24 GTelG 2012), it must be ensured that the availability of ELGA, especially outside core hours (para 2 Z 1), is as high as possible.
(2) The operators of ELGA components (§ 24 GTelG 2012) must ensure that
1. the component availability (§ 2 Z 2a) during core hours, i.e. on working days that are a) a Monday, Tuesday, Wednesday or Thursday, in the period from 8:30 to 16:30, or b) a Friday, in the period from 8:30 to 13:30, is always given, except for at most eleven hours per calendar quarter, and 2. the response to faults and other requests is carried out as quickly as possible.
(3) The operators of ELGA components (§ 24 GTelG 2012) must ensure that the period between two restore points is as short as possible and in any case does not exceed 30 hours.
(4) The operators of ELGA components (§ 24 GTelG 2012) must test the restore of backed-up data at least once a year. This is to be documented in accordance with § 8 GTelG 2012.
Security requirements and access protection
§ 17b. (1) Compliance with the security requirements and the guarantee of the necessary access protection require compliance with
1. organisational security requirements (§§ 17c to 17e), 2. technical security requirements (§ 17f), 3. security requirements for identification (§ 17g), 4. security requirements for test environments (§ 17h), 5. structural security requirements (§ 17i) and 6. security requirements for personnel (§ 17j).
(2) The operators of ELGA components (§ 24 GTelG 2012) must
1. comply with the security requirements set out in §§ 17c to 17j also in respect of all services that are required for communication between ELGA components (§ 24 GTelG 2012), and 2. continuously monitor compliance with the security requirements.
Information security officer
§ 17c. (1) The operators of ELGA components (§ 24 GTelG 2012) must appoint one of their employees as the person responsible for information security.
(2) Employees must immediately report security incidents and problems that may directly or indirectly endanger ELGA to the person responsible for information security, who forwards this information, where appropriate, to the representatives of other operators.
(3) The operators of ELGA components (§ 24 GTelG 2012) may exchange the following information with security coordination networks operated by the public sector (§ 5 DSG 2000):
1. warnings of vulnerabilities, and 2. approaches to closing security gaps.
§ 17d. (1) All operators of ELGA components (§ 24 GTelG 2012) are obliged to maintain risk management.
(2) Risk management includes in particular:
1. the identification of vulnerabilities, 2. the assessment of security risks, 3. the appropriate response to security risks, and 4. documentation of the response in accordance with § 8 GTelG 2012.
Security requirements for processes
§ 17e. (1) The operators of ELGA components (§ 24 GTelG 2012) must participate in the ticket system of the ServiceLine (§ 8). The ServiceLine (§ 8) must ensure efficient processing.
(2) The operators of ELGA components (§ 24 GTelG 2012) must document the operating processes for
1. recording IT security incidents, 2. responding to IT security incidents, 3. changes to the technical infrastructure of ELGA components, 4. acceptance and rollout of new software, 5. authentication of users, and 6. maintaining continuity, in accordance with § 8 GTelG 2012.
Technical security requirements
§ 17f. (1) The operators of ELGA components (§ 24 GTelG 2012) must ensure that the software used for ELGA purposes is kept up to date.
(2) The operators of ELGA components (§ 24 GTelG 2012) must take appropriate technical measures to ensure that the data they provide are free of viruses and other malicious software.
(3) ELGA health service providers and operators of ELGA components (§ 24 GTelG 2012) must, when transmitting health data to operators of ELGA components (§ 24 GTelG 2012), use only the certificates provided by these operators.
(4) The operators of ELGA components (§ 24 GTelG 2012) must document the implementation provisions for the certificates referred to in para 3 in accordance with § 8 GTelG 2012.
(5) The operators of ELGA components (§ 24 GTelG 2012) must ensure the time synchronisation of the ELGA components.
(6) Data carriers and documents to be disposed of are to be destroyed in such a way that they can no longer be read. The method used is to be documented in accordance with § 8 GTelG 2012.
(7) Devices that can be used to access ELGA are to be protected against unauthorised access and use.
Security requirements for authentication
§ 17g. (1) To ensure authentication, security tokens that are already only indirectly personal must be used.
(2) Security tokens pursuant to para 1 may include the following data types:
1. the unique identifier of the software service that issued the security token, 2. the date and time of the identity check, 3. the sector-specific personal identifier "GH" or a unique identifier (OID) of the ELGA health service provider, 4. the sector-specific personal identifier "GH" or a unique identifier of the ELGA participant, 5. the quality of the identification, and 6. the status of the security token.
(3) Security tokens must be valid
1. in networks pursuant to § 6 para 1 Z 1 GTelG 2012 for no longer than four hours, and 2. in all other networks for no longer than 20 minutes.
Security requirements for test environments
§ 17h. (1) The use of ELGA for test purposes must not take place with real data of persons referred to in § 15 para 1 Z 1 GTelG 2012.
(2) Test systems are to be separated from production systems. Keeping productive systems for the purposes of troubleshooting as well as ensuring data quality and operational stability is permitted.
Structural security requirements
§ 17i. The operators of ELGA components (§ 24 GTelG 2012) must ensure that
1. all possibilities of access to premises in which technical infrastructure of ELGA components (§ 24 GTelG 2012) is located are monitored in accordance with technical standards, and 2. appropriate structural and technical intrusion protection is provided for premises within the meaning of Z 1.
Security requirements for personnel
§ 17j. (1) The operators of ELGA components (§ 24 GTelG 2012) must
1. instruct their employees about the relevant legal provisions, 2. ensure that health data are not used outside the permissible role, 3. when assigning user authorisations, ensure that employees are not technically assigned mutually exclusive roles, and 4. when employees leave or change position, ensure that a complete reset of their authorisations takes place.
(2) In the case of passing on authentication information, the person who passed on the authentication data is liable.
(3) Upon termination of activity, all resources that may contain ELGA health data are to be returned.
(4) Employees of operators of ELGA components (§ 24 GTelG 2012) are bound to secrecy about all facts entrusted to them or becoming known to them in the exercise of their profession. This obligation continues after leaving the respective operator. In particular, compliance with the principles of data use pursuant to § 6 DSG 2000 and the data security measures pursuant to § 14 DSG 2000 is to be ensured.
§ 17k. (1) Before commencing operation of data storage and reference registers, a notification with the following contents is to be submitted to the Federal Minister of Health:
1. the name or designation of the operator, 2. the designation of the legal entity, if the operator is not a natural person, 3. identifiers of the operator, including the unique electronic identifiers pursuant to § 8 E-GovG, 4. information on the professional, postal and electronic reachability of the operator, 5. the name and contact details of the persons authorised by the operator who may apply for the issuance of certificates pursuant to § 17f para 3 in the name of the operator, and 6. information on the geographical location of the operator.
(2) The IT security concept pursuant to § 8 GTelG 2012 is to be enclosed with the notification referred to in para 1.
(3) The Federal Minister of Health must prohibit operators of data storage and reference registers from operating, by decision in accordance with § 24 para 2 GTelG 2012, if the requirements of this regulation are not fulfilled.
(4) The General Administrative Procedure Act 1991, Federal Law Gazette No. 51/1991, is to be applied to proceedings for the prohibition referred to in para 3."
14. In § 18 para 5, after the phrase "pattern for a posting", the phrase "as well as to the legal representatives pursuant to para 4 a pattern for a posting in accordance with the annex to this regulation" is inserted.
15. In § 19, the phrase "their children" is replaced by the phrase "of children for whom they are entitled to custody,".
16. In § 21, the following para 1a is inserted after para 1:
"(1a) ELGA health data pursuant to § 16 para 1 Z 8 are covered by the obligation referred to in para 1."
17. In § 21, the following para 8 is inserted after para 7:
"(8) Until the expiry of 30 June 2016, notifications pursuant to § 17k para 1 are also deemed complete if they do not meet the requirements of § 17k para 2."
18. In § 22, the following para 1a is inserted after para 1:
"(1a) § 2 Z 2a, 3a, 3b and 6, § 4 paras 6 and 8, § 11 para 3, § 13 para 1 Z 3 and 4 as well as paras 1a to 1c, § 16, § 17 para 3, §§ 17a to 17k including headings, § 18 para 5, § 19, § 21 paras 1a and 8, § 23 as well as the annex, as amended by the ELGA Regulation Amendment 2015, Federal Law Gazette II No. 373/2015, enter into force on 27 November 2015."
19. In § 23, the phrase "see notification number 2014/629/A" is replaced by the phrase "under the notification numbers 2014/629/A and 2015/414/A".
20. The following annex is appended after § 23: