Authorisation for the outsourcing service provider

Authorisation for the outsourcing service provider

The authorisation for the outsourcing service provider is a Patient Data Repository functionality which allows the service organiser to give the service provider the right to access the patient data stored in its register, and allows the service provider to store the patient data created in the course of the treatment in its own register. The authorisation also covers the voucher-based provision of services.

  • The patient records created as part of the outsourced service belong to the service organiser’s patient register.
  • The register contains patient histories, test results, statements and other similar documents.
  • The provider of an outsourced service may store patient records directly from its own patient information system into the service organiser’s register in the Patient Data Repository. Archival requires the service organiser to issue an authorisation for the outsourcing service provider.

Outsourcing arrangements are set out in an agreement  

The organiser of an outsourced service is responsible for arranging the treatment. If the organiser is unable to provide the service, it can outsource it from a service provider. 

The service provider delivers the treatment or other service. The outsourcing organiser and provider must draw up an agreement on the provision of the service and any arrangements that involves.

The authorisation for the outsourcing service provider is drawn up on an OSVA form and stored by the organiser in the Patient Data Repository. Most of the information on the form is obtained directly from the patient information system or from a separate system.

With the authorisation, the outsourcing service organiser gives the service provider permission to access the organiser’s patient register in the Patient Data Repository. The authorisation applies exclusively to the organiser’s patient register. A Kanta data disclosure search is used to retrieve patient data created by other organisations from the Patient Data Repository.  

  • A population-level authorisation for the outsourcing service provider covers a service aimed at a large population and does not specify individual patients in advance. 
  • A patient-specific authorisation is used with outsourced services arranged for specific patients.
  • The outsourcing service provider must store the data produced in the outsourced service separate from documents created as part of its other operations. For such data, a separate outsourcing service register must be created to serve as a place of storing the patient documents which belong to each service organiser’s patient register and are specific to a data controller.
  • The service provider’s patient information system may be used to store data created during service delivery for the purpose of quality control, statistics and invoicing. Any copies must be destroyed once the purpose for which they were created is no longer applicable.

At present, the Patient Data Depository does not support situations where an outsourcing service provider contracts a third party to supply the service. In such situations, the service organiser will issue an authorisation for the outsourcing service provider also for the third-party provider.

For more on how to draw up an authorisation for the outsourcing service provider and its content, see Kanta-palvelujen verkkokoulussa Potilastiedon arkiston Ostopalvelun valtuutus -osiosta.

Authorisation for the outsourcing service provider: Requirements

Both the organiser and the provider must use the Patient Data Repository. In addition, each must have a certified information system.

The organiser must store in the Patient Data Repository a provider-specific authorisation (population-level/patient-specific), which allows the outsourcing service provider to access specific patient data as determined in advance by the service organiser. 

Permission to access the patient data can be valid either for a specific service transaction or a specific period. If the authorisation is issued at the population level, the service provider must be allowed to access all patient data stored in the organiser’s patient register. The service provider stores the created patient data directly in the organiser’s register.

  • There must also be an existing treatment relationship between the patient and the outsourcing service provider.
  • The Patient Data Depository automatically checks that such a relationship exists and that the authorisation is valid.

System requirements

The authorisation for the outsourcing service provider can be produced in the patient information system or for example in a separate voucher management system of the organiser. Such a separate system shall only be used to manage authorisations and not patient or treatment records.

  • The service organiser’s patient information system or separate system must be set up to create the authorisation for the outsourcing service provider and the functions associated with the authorisation.
  • In addition, the service provider’s patient information system must support such functions as search and the storage of patient data.  Where necessary, the provider’s information system must support the storage of the produced patient data in a service transaction created by the organiser.

Additional information about the authorisation for the outsourcing service provider

Last updated 11.07.2019