The purpose of this notice is to provide guidance to system suppliers on how to proceed when a certificate of conformity is about to expire. The announcement has been prepared in cooperation between Kela, Finnish Institute for Health and Welfare (THL), Traficom and the National Supervisory Authority for Welfare and Health (Valvira).
All systems linking to the Kanta Services must undergo a conformity check consisting of the system supplier’s attestation that the system meets all functionality requirements, a successful completion of joint testing, and a certificate of conformity issued by a conformity assessment body. The certificate of conformity is valid for a maximum of five years. (laki sosiaali- ja terveydenhuollon asiakastietojen sähköisestä käsittelystä/Act on the Electronic Management of Client Data in Social and Health Services) (159/2007)
A significant number of certificates of conformity will expire in 2020-2021, with the first of them set to expire in March 2020. In accordance with the Kanta guldelines, system suppliers must contact Kela no later than six months before a certificate of conformity is scheduled to expire.
The status of a certificate of conformity can be checked by consulting the register of the National Supervisory Authority for Welfare and Health (Valvira) (In Finnish).
Regardless of the expiration date of the certificate of conformity, healthcare information systems must be upgraded to the 2016 level, and the functionality to act on behalf of a minor must be implemented by the end of 2020.
THL’s regulations 1/2015 and 2/2016 and the applicable definitions of the current essential requirements are available on the website of the Finnish Institute for Health and Welfare (In Finnish).
Patient Data Repository
With respect to the Patient Data Repository, the joint testing required to renew the certification is carried out in connection with the joint testing preceding the upgrade to the 2016 level and the implementation of the functionality to act on behalf of a minor. The information security auditing shall be carried out at the same time as the joint testing.
With respect of prescriptions, the joint testing required to renew the certification is carried out in connection with the joint testing preceding the implementation of the functionality to act on behalf of a minor. The information security auditing shall be carried out at the same time as the joint testing.
How to proceed
System suppliers should contact the Kanta joint testing team at Kela (email@example.com) as soon as possible, and in any case no later than six months before the certificate of conformity is set to expire.
For the purpose of renewing a certificate of conformity, system suppliers must contact Kela even if the certificate only requires an information security inspection (so-called intermediary service providers).
Registration for the joint testing of the abovementioned assets requires sending the form to Patient Data Repository and/or Prescription joint testing. The registration message must indicate if a certificate of conformity which is soon to expire will be renewed in connection with the joint testing.
Kela coordinates with the information security inspection bodies on the renewal of certificates of conformity. Before the renewal process is launched, the inspection body, Kela and the system provider meet to discuss the schedule and the relevant procedures. The actual enrollment for the information security auditing, as well as joint testing and auditing reports, follow the policies and documenting practices in place.
Social welfare and healthcare organisations
Some certificates of conformity for Class A systems integrated into the Kanta Services will expire in 2020-2021, the first of them as soon as March 2020.
Social welfare and healthcare organisations are requested to the check the conformity expiration dates of their patient and client information systems from the register of the National Supervisory Authority for Welfare and Health (Valvira).
By the end of 2020, the organisations should draw up a system development schedule with their system suppliers and place whatever orders are required for system implementations.