From 1 July, a number of provisions of the Additional Provisions on Data Processing in Healthcare Act (Wabvpz) come into force.
Patients, like you and me, already have the right to request a free inspection of their medical records. This right is already laid down in the AVG (GDPR), and also in the WGBO (Medical Treatment Agreement Act). If you wish to inspect and receive a copy of your medical file, you can request this from your healthcare provider. In practice, physically requesting your medical records is a barrier, which is why nobody actually does this.
Wabvpz
Thus, on 1 July 2020, some provisions of this law will come into force.
Electronic viewing: Article 15d states that you can have a free electronic inspection if you request it.
Logging: Article 15e provides that the patient can also request a logging overview, so that it is clear who has looked into their medical record or made changes to it. The lack of a proper logging system at the Haga hospital previously resulted in a fine from the Personal Data Authority (AP). The Wabvpz also refers to NEN7513 for the logging requirements.
This new law supplements the WGBO with regard to free electronic access. In addition, you are entitled to the complete medical file and not just the medical treatment. The Wabvpz has a broader scope of application and applies to all healthcare providers that maintain patient records.
NEN7510 certification
Because the healthcare provider must now give the patient electronic access, this has implications for the healthcare information system (HIS, AIS, etc.). Under the Besluit elektronische gegevensverwerking door zorgaanbieders (Begz), the system must comply with NEN7510 and NEN7512 (see Article 3). The healthcare provider is allowed to decide how the data is provided to the patient, as long as it is secure. Indeed, the law even states that this is of great importance. The exchange can take place via a healthcare portal or a Personal Health Environment (PBL - MEDMIJ), which likewise only allows logging in if the security level is sufficient. Think 2FA. If this is not possible for the time being, inspection can take place at the practice, for example, or a copy can be made available on a secure USB stick or via secure e-mail.
By the way, compliance with NEN7510 is already mandatory for all healthcare providers from 15/12/2020. Article 3.4.a even stipulates the following:
"an organisation independent of the legal entity has determined, after investigation, that the legal entity and the system it manages comply with the provisions of NEN 7510 and NEN 7512 and has included that finding in an audit report prepared by that organisation on behalf of the legal entity"
Not many healthcare organisations are aware of this specific rule, but it is very important as evidence for IGJ. Of course, we sometimes hear that care providers have never had a visit from IGJ and until then think in terms of 'all attention to care'. This is fine as long as things go well. A healthcare provider has become an IT organisation, and that IT has to be run securely. It is a 'licence to operate' which is simply expected by all your patients. The moment there is an unexpected information security incident of such a nature that it has to be reported to the AP as a data breach, a problem arises. The AP works with IGJ, and enquiries will be made as to the extent to which the organisation can demonstrate compliance with NEN7510. If the healthcare provider cannot demonstrate this (impartially), IGJ will certainly also investigate NEN7510 compliance further itself.
Having an impartial audit and even certification is important for trust in the healthcare provider itself and the board.
Information security is part of simply providing good care.