Authorisation of outsourcing service providers

Authorisation of outsourcing service providers

Authorisation for an outsourcing service provider makes it easier to process patient data in outsourcing services. The authorisation allows the service provider to store patient data directly in the service organiser’s register in the Kanta services.

Kanta’s authorisation of an outsourcing service provider can be used to process patient data if the party responsible for providing a health service (e.g. a wellbeing services county) purchases the service from another health care provider as an outsourced service or using service vouchers. This allows information to move quickly and securely between the service organiser and the service provider.

The service organiser is responsible for the patient’s treatment, so the patient data generated in connection with the outsourced service belong to the service organiser's patient register. With authorisation of an outsourcing service provider, information can conveniently be stored directly in the correct register. 

Deployment of the authorisation of an outsourcing service provider functionality

The authorisation of an outsourcing service provider is a form with which the service organiser assigns access rights to the service provider (access or storage rights).

Authorisation for an outsourcing service provider allows

  • the service provider to store the information from their own patient information system directly in the service organiser’s register in Kanta.
  • the service provider to access the service organiser's patient register to access any information that is necessary for the implementation of the treatment. The data can be accessed regardless of whether the patient has restricted the sharing of their data.

The manner of organisation of the outsourced service determines whether patient-specific or register-specific authorisation is used.

A patient-specific authorisation is used when an outsourcing service or voucher-based service is provided for a specific patient.

A patient-specific authorisation allows the service provider to access either all patient documents or specific patient documents indicated in the authorisation that have been stored for the patient in question by the service organiser in the Patient Data Repository.

In addition, the service provider is given the right to store the patient’s documents in the service organiser’s register.

Register-specific authorisation is intended for situations in which patients cannot be identified in advance. For example, out-of-hours emergency services, laboratory services or imaging services may be outsourced from an external provider. In this case, authorisation can be issued for an entire register so that it applies to all patients included in the service organiser's patient register.

The service organiser and service provider create an outsourcing service provider agreement that specifies whether the service provider can access all patient documents in the service organiser’s register. If the service organiser does not allow access to its register, the service provider can retrieve the necessary information from Kanta in accordance with normal data sharing policies. 

The service provider is always given the right to store the information generated by the outsourcing service provider in the service organiser’s register.

An authorised outsourced imaging service provider will have access to the imaging results and patient documents stored in the service organiser’s register. In addition, the authorisation of outsourcing service providers makes it possible to store the images directly on the service organiser's register.


An updated version of the authorisation of an outsourcing service provider is available

The updated authorisation of outsourcing service providers will make it easier to organise voucher-based outsourcing services, for example. When creating an authorisation of an outsourcing service provider, the service organiser may leave the provider’s information blank. The service provider’s information can be added to the authorisation later on once the patient has selected a service provider. 

The service organiser may also use the authorisation of an outsourcing service provider to provide the service provider with additional information on the service to be provided.

Information system providers should be contacted to determine when the updated authorisation of outsourcing service providers will be available in the systems.

How to start using the authorisation of outsourcing service providers

The deployment of the authorisation function for outsourcing service providers requires that both the service organiser and provider use the Patient Data Repository. In addition, the authorisation function for outsourcing service providers must have been implemented in both the organiser’s and provider’s patient information systems.

When the authorisation of outsourcing service providers is used for imaging materials, at least the service provider must use the Imaging Data Repository. The service organiser must also have a certified viewer if it wishes to view the images produced as an outsourced service via the Imaging Data Repository.

To deploy the authorisation of outsourcing service providers function:

Contact your information system provider to ensure that the authorisation of outsourcing service providers can be used in your patient information system.

Ensure that the other party (service organiser or service provider) in the outsourced service is also ready to begin using the authorisation for outsourcing service providers. 

Conduct a deployment test together with the other party in the outsourcing service before deployment. The test is carried out using the test case for either a patient-specific or register-specific authorisation of an outsourcing service provider in accordance with instructions. Both the service organiser and service provider play a role in the testing.

A deployment test must be carried out whenever the service organiser or service provider activates the functionality in the system for the first time.

Report a successful deployment test to Kela together with the other party in the outsourcing service. 

If deployment involves a large number of service providers using the same system at once, a report of one successful deployment test is sufficient. However, we recommend that the technical functionality of the authorisation of outsourcing service providers is also verified with other service providers. 

Further information

Last updated 16.8.2024