Documents in English

General information

The Code is intended to contribute to a satisfactory level of information security and data protection in individual organizations, in joint systems and infrastructures, and within the sector generally. The Code is intended to ensure that organizations in compliance with the Code, has appropriate technical and organizational measures in place regarding information security and data protection for its processing of personal health data and personal data

The Code itself covers all aspects of information security as regulated by Norwegian law. In some instances, the Code of Conduct defines more stringent rules than the law itself.

The Code has been prepared and is administered by a steering group from the healthcare and care services sector. The Directorate for eHealth is the secretariat of the steering group, with permanent representation from Norsk Helsenett HF.

The Code consists of a main section with the substantial provisions. To this document several appendices are attached, spanning "guidelines" and some 30 thematically arranged best practice routines, in the Code denominated "fact sheets", providing guidance on e.g. how to perform risk analyses, how to establish back up-procedures, etc. Together, the main document, the guidelines and the fact sheets, aim to cover both the crucial and basic elements of the information security, as well as the more peripheral and remote ones.

History

An increasing amount of communication in the health sector, both internally, i.e. within a health service provider entity, and between such providers, is taking place electronically.

The fact that the information is collected, stored and spread electronically, in an extent hardly imaginable only a few years back, evoked a need for mechanisms safeguarding that all aspects of information security in the sector are handled adequately.

Consequently, in 2002, the Directorate for Health and Social Affairs invited affected organizations and authorities to establish a project group, whose objective was to compose a holistic set of information security rules for the sector.

A prerequisite was that the group's recommendations were to be in accordance with the data protection and information security principles laid down in EU Directive 95/46/EC (the Data Protection Directive).

As a result, on August 7th 2006, the Code of conduct for information security in the health sector ("the Code") was launched, ready to be used by small, medium-sized and large health service providers alike, and by the collaborating partners of these bodies, as a means to establish satisfactory information security.

Comply with the Code to get connected

The Code is supposedly the first of its kind in Europe; no other overall standards on information security in the health sector are yet developed in any of the EU/EEZ countries.

Norsk Helsenett SF ("Norwegian Health Network") is the provider of a national infrastructure for electronic communication in the health sector, helsenettet ("the health network"). In order to be linked to, and actually utilize, this network, the health service provider must enter into an "affiliation agreement" with the company.

By force of this agreement, the entity admitted to the infrastructure, is obliged to comply with the Code. By this mechanism, the health service providers ensure that the receivers of health-related data – i.e. collaborating partners of many kinds – within the network, all meet the standards of the Code, and thus of the legal provisions. Failing to meet the information security standards of the Code, may lead to the exclusion of the contract-breaching entity.

The Code can also be binding through other legal instruments, for example a data protection agreement (DPA).