Applications with a back-end service that runs in a trusted environment can be linked to the Kanta PHR. The back-end service handles communications with the Kanta PHR. End-user-installed applications that do not connect to a back-end service are not supported at the moment.
Prior to joint testing, application suppliers must familiarize themselves with the national data content of Kanta PHR and test their application in the Kanta sandbox environment.
Should the application require resources or profiles which do not yet exist in the national data content, the necessary additions and changes must be approved in accordance with the development process specifications for data content.
The below figure shows the various stages involved in linking citizen-facing wellbeing applications.
Stages for the application supplier to integrate an application with PHR
1. Familiarisation with the FHIR standard and the national data content
The application supplier must become acquainted with the HL7 FHIR standard, the OAuth 2.0 authorisation protocol, PHR authorization guide and the national data content.
Application developers may access the Finnish PHR Chat forum, which is open to everyone and can be used to post questions and comments related to the topic. It is an English-language forum. Kela reviews and responds to questions on a weekly basis. Developers may also contact kanta@kanta.fi for further information.
2. Development and own testing in Sandbox environments
If an application needs new data content from outside the national data content, the application supplier must make a proposal on the expansion of the data content to be reviewed by the HL7 Finland Personal Health SIG development community in accordance with the data content development process.
It is highly advisable to test the application supplier’s own application independently in the Sandbox environments provided by the Kanta Services.
3. Certification
Certification of a wellbeing application
Wellbeing applications must conform to the requirements given in the Act on the Electronic Processing of Client Data in Health Care and Social Welfare (category A). For this reason, wellbeing applications that will make use of the Kanta PHR are required to pass a certification process. The certification of a wellbeing application includes joint testing coordinated by Kela’s Kanta Services, an information security assessment performed by an assessment institution approved by Traficom, and the registration of the application in the register maintained by Valvira.
Certification of professional applications
An application aimed for the use of social welfare and healthcare professionals must meet the requirements of the Client Data Act (class A). For that reason, professional applications utilising the PHR must pass the certification process required in the Act on the Electronic Processing of Client Data in Health Care and Social Welfare.
Preparation of the requirements for professional use and professional applications will proceed with the entry into force of the new Act on the Electronic Processing of Client Data in Health Care and Social Welfare. Pursuant to the next Act, the transition period is set to end on 1 January 2026, by which time the Kanta Services must have the capability to make wellbeing data from the Kanta PHR available to social welfare and health care service providers.
Joint testing
Joint testing for PHR means the verification of internal testing of the application and ensuring its functioning against the client testing environments of the Kanta Services.
Joint testing involves the application supplier themselves testing all the functionalities and data content that the application will use from the Kanta PHR and which are required in the appendix to the THL directive. Mandatory test cases include, e.g. authorization, functionalities by resource type and profile, compliance with the national data content, and display of data in MyKanta.
Joint testing is meant for testing in the last stage of the development work.
Developers may sign up for Kanta PHR join testing by submitting to the Kanta Services an application form for the Kanta PHR client test service (xlsx, in Finnish only) and a form detailing essential requirements for wellbeing applications (docx, in Finnish only) that can be found on the directives page of the Finnish Institute for Health and Welfare (THL)(Directive 6/2021 Appendix 1.). The forms are sent by email to kanta@kanta.fi.
Server-based applications need a test server certificate from the Digital and Population Data Services Agency (prev. PRC) for joint testing.
- Applications aimed at citizens shall apply for a wellbeing application server certificate. The certificate cannot be applied for until the application has been approved for testing and Kela has issued the organisation’s OID code to the application supplier. More detailed instructions for applying for the certificate are available in the separate guidelines.
- In the testing, the PRC server certificate for professional applications must be a SOTE server certificate, which must be at the access point used by the SOTE service provider that takes part in the testing. An existing certificate can be used as the certificate or it is possible to obtain a new one.
Application suppliers shall be responsible for ensuring that any other testing of the application is sufficiently comprehensive and performed at a high level of quality. Parties to and responsibilities in joint testing.
Data security assessment
Wellbeing applications must pass a data security assessment performed by an assessment institution approved by Traficom. Further information of data security assessment.
4. Start of production
Wellbeing application aimed at citizens
Before production use is started:
- Application suppliers must register their wellbeing applications with Valvira’s Information systems register. Further information is available on Valvira’s website (in Finnish).
- The application supplier accepts the delivery terms (pdf) and service description of PHR (pdf) and sends the rest of the application data to be published to the Kanta Services by email.
- If the application is server-based, the application supplier shall obtain DVV’s production server certificate (dvv.fi) (service certificate for wellbeing applications).
- The application is registered technically in the PHR service in the Kanta Services
- The application is added to the application list on the kanta.fi website two weeks after technical registration.
- Technical registration requires that the wellbeing application has been published in Valvira’s register.
- The application supplier ensures the functioning of production, after which the production use can be started.
Citizens start using the application by providing access rights for the application to PHR and the data contained in it and accept the patient information notice concerning the use of Kanta PHR (pdf).
Professional application
In professional applications, the social welfare and healthcare service provider deploys the PHR service with the professional application approved for PHR via the technical access point.
Before production use is started:
- After certification, the application supplier will complete the information of the application to be published for the Kanta Services by email (in future in Kanta Extranet)
- The first user organisation starting production use of the application = the social welfare and healthcare service provider
- ensures that the access point has a PRC production server certificate (SOTE server certificate)
- notifies Kanta Services that it has deployed the PHR service with the xxx application using an yyy technical access point.
- The social welfare and healthcare service provider and the access point are technically registered by Kela in the PHR service.
- The application supplier and the social welfare and healthcare service provider together ensure the functioning of production, after which the production use can be started.
For professional applications, the guidelines will be further specified as the new Act on the Electronic Processing of Client Data in Health Care and Social Welfare is implemented.
In the initial stage of the Kanta PHR service, wellbeing applications cannot yet use client data (Patient Records Archive, Client Data Archive for Social Welfare Services and Prescriptions). Deadlines are set out in the Act on the Electronic Processing of Client Data in Health Care and Social Welfare for the delivery of client data from the Kanta Services to wellbeing applications.
Interface and data content specifications as well as support materials for application developers are published on the kanta.fi website.
5. Changes to the wellbeing applications
Changes to the wellbeing applications integrated into the Personal Health Record must be reported to the Kanta Services with change notification (form in Finnish). The notice of change is sent by email to kanta@kanta.fi.