
Ministry of Health Sri Lanka

National eHealth Standards and Guidelines

Draft Version 2.2.1.

September 2011


Contents

List of Abbreviations
Glossary
List of Tables
List of Figures
Introduction

Section 1. The Architectural Model of the National Health Information System
  1.1. The main components of the architectural model
    Stakeholders
    eHealth Systems
    Communication Network

Section 2. ICT Management
  2.1. Computer Hardware and Software Management
    Procurement Procedure
    Computer Hardware Management
    Software Management
    Maintenance
  2.2. Human Resource Development

Section 3. Network and Connectivity
  3.1. Network Architecture
  3.2. Network Management

Section 4. Communication Interface
  4.1. Websites of the state healthcare sector
    General guidelines
    Accessibility guidelines
    Usability of the web site
  4.2. Health related domain names
    Health related domain name registration directly under .lk domain
    Health related sub-domains under the domains of State Healthcare Sector Organisations
  4.3. Email
    Usage of eMail
    eMail Account

Section 5. Ethics, Privacy, Confidentiality and Security of Information
  5.1. Privacy and Confidentiality
  5.2. Security
    Information and related asset management
    Human resources Security infrastructure
    Physical and Environmental Security
    Communications and Operations Management
    Access control
    Information Security Incident Management
  5.3. Ethics

Section 6. Data Interoperability standards
  6.1 Personal Data
  6.2 Data Interchange/Messaging Standards
  6.3 Standardized Clinical Vocabulary

List of Related Official Documents

List of Abbreviations

CT : Computed Tomography
DICOM : Digital Imaging and Communications in Medicine
DoHS : Department of Health Services
EIA : Electronic Industries Association
FERCSL : Forum of Ethical Review Committee of Sri Lanka
HIN : Healthcare Identification Number
HL7 : Health Level 7
ICD : International Classification of Disease
IEEE : Institute of Electrical and Electronics Engineers
ISO : International Organisation of Standardization
IP : Internet Protocol
MCH : Maternal and Child Health
MO : Medical Officer
MoH : Ministry of Health
MRI : Magnetic Resonance Imaging
P-LAN : Private Local Area Network
PDoHS : Provincial Department of Health Services
PMoH : Provincial Ministry of Health
PSTN : Public Switched Telephone Network
RDHS : Regional Director of Health Services
SHN : State Health Network
SNOMED-CT : Systematized Nomenclature of Medicine--Clinical Terms
TCO : Tjänstemännens Centralorganisation
TCP : Transmission Control Protocol
TIA : Telecommunications Industries Association
URL : Unified Resource Locator
VPN : Virtual Private Network
WAN : Wide Area Network
WCAG : Web Content Accessibility Guidelines

Glossary

Health Information Unit : Unit under the Director Health Information of the Ministry of Health.
Firmware : Fixed, usually rather small, programs and/or data structures that internally control various electronic devices.
Ministry of Health : Ministry of Health and Department of Health Services of Sri Lanka, which are currently merged with each other.
Middleware : Computer software that connects software components or people and their applications.
State healthcare sector : Any institute, division or unit in Sri Lanka providing or supporting healthcare and belonging to a Ministry, a state department, a provincial department or a local authority. (This does not include healthcare institutes of state owned companies.)
Software : A collection of computer programs and related data that provide the instructions for telling a computer what to do and how to do it.

List of Tables

Table 1 : Proposed composition of the Technical Evaluation Committee
Table 2 : The proposed structure of the software registry
Table 3 : Confidentiality Levels

List of Figures

Figure 1 : Main Components of the architectural model
Figure 2 : System-stakeholder interaction
Figure 3 : The architectural model of the national Health Information System
Figure 4 : The State Health Network Overview
Figure 5 : The State Health Network Detail
Figure 6 : Institutional Private Local Area Network

Introduction
Sri Lanka has achieved great standards in healthcare when compared to countries with the same level of economic development. This is evident when one compares the traditional health indicators with the Gross National Product (GNP). This can be attributed to the free healthcare policy in the state health sector and the importance successive governments have given to the development of healthcare in this country. But the challenges that the health system is facing are changing. We must adapt the healthcare system in order to face these new challenges. The Health Master Plan is one such initiative undertaken by the Ministry of Health.

Healthcare is an information-intense field; relevant, accurate and timely information is the key to evidence-based management in healthcare. Even though many aspects of healthcare in Sri Lanka have changed, the mode of information flow has largely remained manual and paper based in both the curative and preventive sectors. The paper based record system is inadequate to meet the needs of rapidly evolving present day medicine. The need to adopt an efficient information management system has been stressed in the Health Master Plan of Sri Lanka.

Even though there are no large scale eHealth projects in Sri Lanka, some healthcare institutions have adopted eHealth solutions on their own initiative. This was evident during a preliminary analysis of the current eHealth systems in the state curative healthcare sector of Sri Lanka. It is highly commendable that these institutes have adopted ICT on their own initiative, at various levels. At the same time it must also be pointed out that these systems were developed in an ad hoc manner without central co-ordination. These solutions have been produced with a local need in mind rather than the general needs of the healthcare system. In introducing eHealth systems to the health sector of Sri Lanka, we must ensure that systems are able to exchange information with each other.

The National eHealth Policy of Sri Lanka and its accompanying document on National eHealth Guidelines and Standards for Sri Lanka aim to achieve uniformity in the eHealth solutions to be implemented in Sri Lanka. There is already an eGovernment policy in place in Sri Lanka. The eGovernment policy states that the relevant government institutions can amend the policy according to their specific needs. Even though the eGovernment policy is quite comprehensive, it does not address some important and sensitive issues which are specific to the health sector.

Section 1. The Architectural Model of the National Health Information System


1.1. The main components of the architectural model
01.01.01 The national health information system architecture will be composed of the following three main components (Figure 01):
1. eHealth System
2. Communication network
3. Stakeholders

Figure 1. Main Components of the architectural model (diagram labels: eHealth System; SRS, FS, CHS, AS, PHS, SS)

Stakeholders

01.01.02 A stakeholder can be an individual, team, or organization with interests in, or concerns related to, an eHealth system.

01.01.03 Three categories of stakeholders are identified in the national health information system (Figure 02).
I. Health service managers/Administrators
II. Health service providers
III. Health service consumers

01.01.04 Information should be available and accessible only to authenticated and authorized stakeholders depending on their access rights.

Figure 2. System-stakeholder interaction (diagram labels: Systems: Computer Based Solutions in the State Health Sector; State Health Network; Internet; Health Information Portal; Stakeholders: Health Service Administrators, Health Service Providers, Health Service Consumers; State Sector; Private Sector)

eHealth Systems

01.01.05 Functionality of the health domain is classified into the following categories:
i. Curative Health Services (CHS)
ii. Preventive Health Services (PHS)
iii. Supportive Health Services (SHS)
iv. Financial Services (FS)
v. Administrative Services (AS)
vi. Statistics and Reporting Services (SRS)

Interdependencies

01.01.06 to 01.01.11

Each service mentioned above may be provided by one or more subsystems.

There may be interdependencies of the sub-systems of different services as well as intra-dependencies of the sub-systems of the same service. Interdependencies and intra-dependencies of services should be taken into consideration when designing eHealth systems.

Each sub-system mentioned above may be implemented as one or more modules, which should be loosely coupled, interoperable, platform independent and communication protocol independent.

Implementation of the modules can be done sequentially or in parallel.

Systems/module developers will ensure a participatory approach that allows relevant stakeholders to contribute to the development process.

Each module of the eHealth system and data transferring should comply with the data standards, security standards, software standards and hardware standards mentioned in this document.

Communication Network (Figure 02)

01.01.12 Stakeholders should communicate with eHealth systems through the communication network, which should provide high speed, reliable, secure connections.

01.01.13 Communication network will be composed of the State Health Network and the Internet.

01.01.14 A Health Information Portal will provide health information and selected services to patients, citizens and healthcare professionals/workers through the internet.

01.01.15 There should be three types of communication methods.
i. State sector stakeholder → State Health Network → eHealth Systems
ii. State sector stakeholder → Internet → State Health Network → eHealth Systems
iii. Stakeholder → Internet → Health Information Portal

01.01.16 The above mentioned communication methods i and ii should be allowed only to health service administrators/managers and health service providers of the state sector.

01.01.16 All stakeholders should be allowed to use communication method iii.

01.01.17 Intersystem communication shall be protected through secure, reliable messaging services and authenticating services, promising the reliable delivery of private, secure transmissions.

Figure 3. The detail architectural model of the National Health Information System (diagram labels: Computer Based Solutions in the State Health Sector: Curative Health Service, Public Health Services, Supportive Services, Administrative Services, Financial Service, Statistics & Reporting Services, Peer to Peer Communication Services, Shared eHealth Services; Communication Network: State Health Network, Internet, Health Information Portal; Stakeholders: Managers/Administrators, Health Service Administrators, Health Service Providers, Health Service Consumers, State Sector, Private Sector, Line Ministry, Provincial DoHS, Relevant Staff of the State Sector, Other Stakeholder)

Section 2. ICT Management


2.1. Computer Hardware and Software Management

Procurement Procedure

02.01.01 The current applicable National Procurement Guidelines should be followed when purchasing hardware and software and in contracting services in the State Health Sector.

02.01.02 A Technical Evaluation Committee is to be formed at Organizational or Institutional level for the purpose of procurement of hardware, software and services. The composition of the Technical Evaluation Committee should be as follows:

Categories: Administrative representative; Technical Experts; Domain Experts
Members:
- Head of the Institution/Unit
- Director Health Information Unit
- MO (Medical Informatics)
- Subject specialist if required
- Representative from Bio Medical Engineering unit if required
- A Consultant from the relevant specialty, e.g. Consultant Physician / Consultant Surgeon
- A representative from relevant staff

Table 1. Proposed composition of the Technical Evaluation Committee

Computer Hardware Management

02.01.03 Procurement of a given hardware must fulfil the requirement set by the procuring organization or the institution.

02.01.04 Special electronic medical equipment: Electronic medical equipment such as CT or MRI machines should be accompanied with a compatible workstation and software, where applicable.

02.01.05 It is recommended to use ENERGY STAR, Canadian Standards Association International or TCO Certification recommended hardware.

02.01.06 A hardware inventory must be maintained at each institutional level with detail of the specifications of a particular hardware.

Software Management

02.01.07 State Healthcare Sector eHealth Software Registry: The Health Information Unit of the Ministry of Health shall maintain a State Healthcare Sector eHealth Software Registry. This shall include any software used for diagnosis, treatment or prevention of any disorder, abnormal physical state or symptoms, used in the State healthcare sector. Any such system or software used in full scale or being piloted shall be included in the registry.

Name of the software
Category (could choose more than one) : Curative sector; Community Health; Administration / Finance; Other
Developer/Vendor/Local agent
Personally identifiable data of Clients & Patients entered : Yes; No
Type of the software : Off the shelf; Customized; Built from the scratch
Ownership of the Source code (if not off-the-shelf) : Totally to the institute/Organization; Developer; Joint
License category : Commercial; Free
Date of approval : Pilot phase; Full implementation; Decommissioning

Table 2. Proposed Structure of the software registry

Organisational Software Registries: Each State sector health organisation shall maintain a registry for all the software approved to be used in the organisation. This can be maintained by the health information unit of the relevant organisation. These registries shall have three components.
Section 1 ~ eHealth Systems
Section 2 ~ Operating Systems & Data Bases
Section 3 ~ Other Systems/software
Section 1 of the organisational software registries shall be maintained under the guidance of the Health Information Unit of the MoH. The other two sections could be maintained independently.

Acquisition of common off-the-shelf software

02.01.08 Government organizations should use only licensed software; such licenses can be for either proprietary software, or for open source software. Use of software without a valid license or making modifications and carrying out customizations to licensed software without adhering to the license conditions would be contrary to the Intellectual Property Act of 2003 and would result in legal penalties (both criminal and civil liability).

02.01.09 Warranties: When securing proprietary or commercially off the shelf software, government organizations should ensure that the warranty terms include a statement that the software would conform to the stated specifications and that the software would adhere to the required quality assurance standards. The warranty period should be negotiated in advance.

02.01.10 It is essential to ensure that appropriate license fees are paid, if required. If payments are required and a large number of users are involved, bulk or volume licenses could be negotiated with the software provider. This would entail costs which should be planned and budgeted by the entity concerned.

Agreements/Contracts on Software Development, Customisation or Piloting

02.01.11 State health sector organisations shall always have proper contract agreements with the relevant parties on development, customisation or piloting of software. This shall be applicable not only to contracts where financial payments are made, but also to events where software is donated free of charge or the software is Copyleft but piloting or implementation involves a third party.

02.01.12 Piloting for software systems: The decision to implement a software system or a component(s) of software shall be made after a pilot, done at selected institutions/units, followed by a proper evaluation. If the pilot involves a third party, the evaluation shall be done independently of that third party.

02.01.13 Customisation or modification to existing Software for the State Healthcare Sector: Government entities could hire software engineers or service providers to modify or customise licensed software. It is important to require the service provider to adhere to license conditions imposed by the creators or owners of such software. If existing software is customised to the need of the country or organisation it shall be of one of the following two categories.
i) FOSS / Copyleft software
ii) Proprietary software but customised version to be owned by the relevant Healthcare Organisation

02.01.14 Built From Scratch Software: The ownership of Intellectual Property rights would depend on the agreement between the parties. It is recommended that the healthcare organization takes total ownership of the intellectual property rights of the software.

02.01.18 Agreements/Contracts on Software Development, Customisation or Piloting: Agreements/Contracts shall be sufficiently comprehensive, covering all the important issues. The Health Information Unit will provide a standard software development contract template to be used for this purpose. The Institution may modify and use it in consultation with the legal officer of the Ministry of Health, keeping in mind the following:

The following is an inclusive list of scopes recommended to be covered in an agreement/contract:
- Functionality of the software (Requirement Specifications)
- Source code accessibility
- Whether the software is exclusive to the organisation or not
- Milestones of the development process and percentage of payments (partial payments) after reaching each milestone
- Provisions for modifications to the specifications during the development process
- Provision of comprehensive software documentation
- Provision for the events of modifications and updates of the software
- Clause from the developer declaring that the software is compatible with existing legislation (of the country)
- Handling of critical and non-critical failures
- Clauses handling dispute situations. This should include preventing remotely disabling features.

The following are provisions that developers or entities piloting software are likely to suggest including, but which are recommended not to be allowed:
- Conditions preventing smooth conversion to different software by another vendor in the future
- Broad exculpatory clauses which limit or exclude the vendor's liability
- Clauses which prevent or limit the use of the software in the event of a change of ownership of the institution (such as taking over a hospital from PDoHS to MoH)
- Conditions preventing or restricting divulging adverse features of the software or adverse events due to issues of the software

Maintenance

02.01.19 The vendor must maintain hardware and software during the warranty period. A service agreement should be established with the vendor or another maintenance service provider after the warranty period expires.

2.2. Human Resource Development

02.02.1. Planning health informatics human resources requirements should be undertaken as an on-going process taking into consideration potential future needs.

02.02.2. Periodical need identification and evaluation of competencies and skills of all health staff in relation to eHealth should be conducted, and those found to be lacking in such skills provided the opportunity for training.

02.02.3. Continuous professional development for Healthcare IT staff shall be ensured.

02.02.4. Transfer of an IT staff member in the health sector must occur subject to a reasonable hand over period.

02.02.5. Creation of cadre which needs to be filled by the Sri Lankan IT Service (SLICTS) should be done in consultation with the Health Information Unit of the Ministry of Health.

02.02.6. Introduction of need based IT curricula to institutes which train staff for the National Health Information System is recommended.

Section 3. Network and Connectivity


3.1. Network Architecture
03.01.1. to 03.01.9.

All physical networks should be based on client/server architecture which is implemented using the TCP/IP protocol suite.

Standard Ethernet technologies should be the basis for all networks where appropriate. Further to this, it is recommended to follow the latest versions of networking (including mobile devices) and cabling standards of EIA (Electronic Industries Alliance), TIA (Telecommunications Industry Association), IEEE (Institute of Electrical and Electronics Engineers) and ISO (International Organization for Standardization).

A reliable, dependable, secure, and safe Wide Area Network (WAN) called the State Health Network (SHN), which is a Virtual Private Network (VPN), is to be established (Figure 4).

All institutes under the Ministry of Health and all provincial departments of health should connect to this SHN, which is also connected to the Internet through a firewall (Figure 5).

All devices within an institution shall be connected to a Private Local Area Network (P-LAN) (Figure 6). A P-LAN must contain at least a Level 3 switch.

These P-LANs are interconnected to the SHN in a WAN architecture. Within the SHN each LAN shall be uniquely identified.

Data should be transmitted using the Secure Shell (SSH) Tunnelling Protocol throughout the SHN [WAN and P-LAN].

SHN disseminates the information needed for the Health Service Consumers and Private Sector Health Service providers via the Health Information Portal (HIP) using a role based authentication mechanism.

Within the SHN two levels of authentication shall be established.
i. Institution in the SHN will be identified using an IP based system.
ii. Network users will be given role-based access to the P-LAN.

03.01.10. to 03.01.15.

Based on these two levels of authentication, each user either is limited to the LAN or has field operational capacity.

Management of P-LAN Accounts: P-LAN accounts should be created only after clearance by the administration of the institute and disabled on the same day as the employee's departure from the institute.

In areas where throughputs 10 times faster than Fast Ethernet over copper cabling are needed, Gigabit Ethernet as described in the IEEE 802.3ab standard is recommended. A Cat 5 or higher cable is to be used in this instance. The maximum distance between communicating nodes on a 1000Base-T network is recommended as 200 meters.

Where transmitting speeds of 10 Gbps over twisted pair are indicated in voice, video and image data transfers, the IEEE 802.3an standard 10GBase-T is to be utilized.

Routing Protocols: Open protocols must be used as much as possible to ensure freedom of hardware selection.

Wired communication is preferred to wireless communication and hence wired communication should be used wherever possible.
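The two authentication levels and the P-LAN account rule above, sketched as a deny-by-default access check. This is an added example, not part of the guidelines: the institution names, address ranges, roles, permissions and accounts are constructed, and it assumes "limited to the LAN" means valid only from the user's own institution while "field operational capacity" means valid from any identified SHN institution.

```python
"""Two-level SHN access check. All names, ranges and accounts are constructed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

# Level 1: every institution's P-LAN is uniquely identified by its address range.
# Constructed private ranges, not real SHN allocations.
INSTITUTION_NETWORKS = {
    "hospital_a": ip_network("10.20.1.0/24"),
    "moh_office_b": ip_network("10.20.2.0/24"),
}

# Level 2: role-based permissions inside the P-LAN (hypothetical roles).
ROLE_PERMISSIONS = {
    "medical_officer": {"patient_record:read", "patient_record:write"},
    "records_clerk": {"patient_record:read"},
    "public_health_inspector": {"field_report:write"},
}


@dataclass(frozen=True)
class Account:
    username: str
    institution: str
    role: str
    scope: str                        # "lan" or "field" (assumed reading, see lead-in)
    cleared_by_admin: bool            # created only after administrative clearance
    departure: Optional[date] = None  # employee's departure date, if any


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def identify_institution(source_ip: str) -> Optional[str]:
    """Level 1: map a source address to an SHN institution, or None."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return None
    for name, net in INSTITUTION_NETWORKS.items():
        if addr in net:
            return name
    return None


def authorize(acct: Account, source_ip: str, permission: str, today: date) -> Decision:
    """Apply the account lifecycle rule and both authentication levels."""
    if not acct.cleared_by_admin:
        return Decision(False, "account not cleared by administration")
    # "Disabled on the same day": the departure day itself is already denied.
    if acct.departure is not None and today >= acct.departure:
        return Decision(False, "account disabled on departure")
    origin = identify_institution(source_ip)
    if origin is None:
        return Decision(False, "source is not an identified SHN institution")
    if acct.scope != "field" and origin != acct.institution:
        return Decision(False, "LAN-limited account used outside its own P-LAN")
    if permission not in ROLE_PERMISSIONS.get(acct.role, set()):
        return Decision(False, "role does not grant this permission")
    return Decision(True, f"{acct.role} via {origin}")


def overdue_for_disabling(accounts, today: date):
    """Audit helper: accounts still listed although their owner has departed."""
    return sorted(a.username for a in accounts
                  if a.departure is not None and today >= a.departure)


# Constructed sample data.
TODAY = date(2011, 9, 30)
ACCOUNTS = [
    Account("mo_perera", "hospital_a", "medical_officer", "lan", True),
    Account("phi_silva", "moh_office_b", "public_health_inspector", "field", True),
    Account("clerk_old", "hospital_a", "records_clerk", "lan", True, date(2011, 9, 30)),
    Account("clerk_new", "hospital_a", "records_clerk", "lan", False),
]

if __name__ == "__main__":
    requests = [
        (ACCOUNTS[0], "10.20.1.15", "patient_record:write"),
        (ACCOUNTS[0], "10.20.2.15", "patient_record:read"),
        (ACCOUNTS[1], "10.20.1.40", "field_report:write"),
        (ACCOUNTS[1], "192.0.2.9", "field_report:write"),
        (ACCOUNTS[2], "10.20.1.16", "patient_record:read"),
        (ACCOUNTS[3], "10.20.1.17", "patient_record:read"),
    ]
    for acct, ip, perm in requests:
        d = authorize(acct, ip, perm, TODAY)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{acct.username:10} {ip:12} {perm:22} -> {verdict}: {d.reason}")
    print("overdue:", overdue_for_disabling(ACCOUNTS, TODAY))
```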

Figure 4. The State Health Network - Overview


Figure 5. One Subunit of the State Health Network in detail


Figure 6. Institutional Private Local Area Network

3.2. Network Management


03.02.1. When building new buildings in healthcare institutions they should be designed to support network infrastructure.

03.02.2. Physical topology, physical cable layout and upgrades, access method, protocols, communication devices, operating systems, applications, and configurations should be documented.

03.02.3. When upgrading a component in a device, the old component should be kept safe and nearby, so that the hardware upgrade can be reversed and the old hardware put back if needed.

Section 4. Communication Interface


4.1. Websites of the state healthcare sector
General guidelines

04.01.1. All possible efforts should be made for content to be available in Sinhala, Tamil and English.

04.01.2. The web pages should be Unicode compliant.

04.01.3. Any Unicode font can be used but the website should be tested using non-proprietary Sinhala and Tamil fonts.

04.01.4. Any complaints or concerns on health related content in a web site could be submitted to the Health Information Unit of the Ministry of Health.

04.01.5. Contents of the websites linked to the Health Information Portal shall be periodically scrutinised by the relevant professional bodies or authorities.

04.01.6. When in English, the web content must comply with the Medical Ontology standard accepted in Sri Lanka. Once such standards are available in National languages, they should be applied to web content in local languages too.

04.01.7. Health related circulars, publications, white papers etc. should be published through the government health website.

Accessibility guidelines

04.01.8. 10 Quick Tips (1) by W3C are recommended to be used as the minimum guidelines for Accessibility.

04.01.9. In addition to the minimum guidelines, it is recommended to follow the Web Content Accessibility Guidelines (WCAG) 2.0 (2) in institutions where the intended users are more likely to be having difficulties. Level of conformance should be AA.

Usability of the web site

04.01.10. It is recommended to follow the Research-Based Web Design and Usability Guidelines by the HHS to improve user friendliness of websites.

4.2. Health related domain names


Health related domain name registration directly under .lk domain

04.02.1.

Use of health related generic words should be avoided when assigning domain names under .lk domain. This should include English generic words and Sinhala and Tamil Generic words in native script or transliterated to Latin script.

Health related sub-domains under the domains of State Healthcare Sector Organisations

04.02.2.

Health Information Unit of the relevant organisation shall be responsible for assigning URL for institutions & units of the organisation. MoH / DoHS : Health Information unit of the DoHS PDoHS : Health Information unit of the relevant PDoHS URL of the main healthcare organisations shall be as follows
e.g: Merged MoH & DoHS Provincial DoHS : helth.gov.lk : healthdept.<Province-code>gov.lk

04.02.3.

04.02.4.

URL of the unit related to healthcare under other State sector organisations are recommended to follow the following pattern
e.g: Medical Faculties of the universities Health Units under Municipality Councils : university url/medical : <Council-URL>/health

04.02.5.

All healthcare institutions shall have URL under the URL of the relevant organisation. URL for institutions/units under the MoH/DoHS XXX.health.gov.lk, (The XXX can be the full name of the institute or an abbreviation.)
e.g: NIHS Epidemiology Unit National Eye Hospital

04.02.6.

: nihs.health.gov.lk : epid.health.gov.lk : eye_hospital.health.gov.l

20

04.02.7.

URL for units directly under PDoHS and institutions under PDoHS <PDoHS-URL>/XXX_YYY (XXX=Type, YYY=Location if required)
e.g. healthdept.nw.gov.lk/rdhs_puththalama healthdept.nw.gov.lk/planning healthdept.nw.gov.lk/training center healthdept.nw.gov.lk/hospital_Polagahawela healthdept.nw.gov.lk/moh_Polagahawela

04.02.8. Units of institutions (MoH or PDoHS): <institute-URL>/unit
e.g.
eye_hospital.health.gov.lk/wd1
healthdept.nw.gov.lk/moh_polgahawela/public_health
healthdept.nw.gov.lk/Hospital_polgahawela/pediatric1


4.3. Email
Usage of eMail

04.03.1.

Email accounts on the organisation's domain are to be used only for organisational purposes. All official electronic communications should only be carried out using the official email address. Email shall be used as an alternative or complementary method to paper based mail; hence all email shall follow the proper channel of communication. Official communications are encouraged to be sent as an attached PDF document (rather than as an editable text format attachment or as text in the body of the email) to enhance authenticity and to facilitate paper based flow and storage when required. Email accounts should only be used as a method of communication. Any communication sent or received shall be filed (in electronic format or in printed format) according to the standard organisational procedure. Mail sent to official email accounts could be accessible by the relevant officer's designated assistant in order to enable prompt response in the absence of, or when authorised by, the officer to whom the mail is directed.
eMail Account

04.03.2.

04.03.3.

04.03.4.

04.03.5.

04.03.6.

04.03.7.

General email address for each institution shall be in the format info_<institute(if required)>@<org-URL>, to be used for communication purposes by the public. State healthcare institutions should ensure that the above mentioned mail account is checked frequently and mail is directed to the relevant officers with minimum delay. Healthcare institutions should designate a person to be responsible for checking email received at info_<institute>@<org-URL>, relaying it to the appropriate officers, and responding if necessary.
e.g.
MoH : info_moh@health.gov.lk
DoHS : info_dohs@health.gov.lk
PDoHS : info@healthdept.up.gov.lk
RDHS : info_rdhs_badulaa@pdohs.up.gov.lk
Line ministry institution : info@nihs.health.gov.lk
Institution under PDoHS : info_moh_polhahawela@healthdept.nw.gov.lk

04.03.8.


04.03.9.

Email accounts of officers: Organisations should adopt the following nomenclature in providing email addresses to officers, i.e. the user name should be standardised and the domain should be the organisation URL.
<designation>.<institution/Unit/location>@<org-URL>
e.g.
DDG/Planning : ddgp@health.gov.lk
DDG/MSII : ddgms2@health.gov.lk
Director, NHSL : dir@nhsl.health.gov.lk
PDHS, Uva Province : pdhs@dohs.up.gov.lk
Accountant, RDHS Kurunegala : accountant.rdhs-kg@healthdept.nw.gov.lk
PHM Kaduwela : phm.kaduwela@healthdept.wp.health.gov.lk
a PPA, Polgahawela hospital : ppa2_hos_polgalawela@healthdept.nw.gov.lk

04.03.10.

Official accounts for non-officer employees shall be subject to case by case approval by the head of the institution according to the need.
designation.<institution/location>last name@<org-URL>
An email address should be provided for employees by the healthcare organisation under the recommendation of the head of the relevant healthcare institution.

04.03.11.

04.03.12.

Official emails should include a standard official signature:
1. Name
2. Designation
3. Institution
4. Organisation


Section 5. Ethics, Privacy, Confidentiality and Security of Information


5.1. Privacy and Confidentiality
05.01.1. Collection of individuals' information should only be relevant to the intended purpose.

05.01.2. Access to Confidential Information by the employees of any health institution should be granted strictly on a need to know or need to do basis; and such access should be revoked when the job role changes or terminates.

05.01.3. Except where the disclosure is enforced by law, personally identifiable information should not be disclosed without informed written consent of the individual for other than the intended purpose.

05.01.4. The individual has the right to appeal for a correction of his/her information in the event of any discrepancy.

05.01.5. According to the differences in sensitivity and confidentiality, two main types of information can be identified:

Type of Information | Confidentiality Level | eg
1. Personal Identified Data/Information; 2. Pseudo-anonymized Data/Information | Highly confidential | Name with Diagnosis; Registering under an alias name
1. Aggregated Data; 2. Non-Personal Data | Confidential | Discovery of a new disease.

Table 03. Confidentiality Levels

05.01.6. In respect of the confidentiality maintained in a doctor-patient/client relationship, online communication between them must also ensure confidentiality.


5.2. Security
Information and related asset management.

05.02.1. Health institutions shall identify and document the information and related assets of the institution.

05.02.2. Health institutions shall assign personnel who are responsible for information and related assets.

05.02.3. Health institutions shall classify and label these assets according to the confidentiality level of information.

05.02.4. Health institutions shall ensure storage, processing, transmission and disposal of the assets are done according to the confidentiality level of information.

05.02.5. Health institutions shall electronically destroy documents in keeping with the existing guidelines governing paper documents.

05.02.6. Health institutions shall remove and physically destroy the storage device in the decommissioning process.

Human resources Security infrastructure.

05.02.7. Health institutions shall ensure that individuals' information is accessed only by employees who have signed an information confidentiality agreement (Non Disclosure Agreement).

05.02.8. Health institutions shall ensure that employees who are leaving the organisation are bound to maintain the confidentiality of information which belongs to the organisation.

05.02.9. Health institutions shall ensure that third party personnel involved in various ways with the health information systems sign non-disclosure agreements which contain the penalties for disclosing confidential information.

05.02.10. Health institutions shall ensure that employees are given specific training on information security as appropriate to their job roles.

Physical and Environmental Security.

05.02.11. Institutions shall ensure that all computers and other ICT hardware equipment are placed in adequately secured locations.

05.02.12. Institutions shall maintain a separate and access controlled room to hold critical computer equipment such as servers and networking equipment.

05.02.13. Institutions shall collect and deactivate identification cards, access cards, keys, and other means of access from employees who are leaving the institution/unit.

05.02.14. Institutions shall ensure that the maintenance of equipment is performed on-site whenever possible, and only by authorized and qualified maintenance personnel.

05.02.15. Institutions shall arrange secure storage of confidential system documentation, either physically or electronically, and ensure controlled and secure access.

Communications and Operations Management.

05.02.16. Institutions shall ensure that every entry, modification and removal is recorded in a log.

05.02.17. Institutions shall ensure an appropriate back up procedure is designed and implemented.

05.02.18. Institutions shall arrange routine backup procedures with an encryption algorithm such as MD5 or SHA1 where necessary.

05.02.19. Institutions shall make sure that backup information is given physical protection and regularly tested to ensure the reliability in an emergency situation.

05.02.20. Institutions shall ensure the adoption of a host based anti-malware solution to protect the systems from malicious software.

05.02.21. Institutions shall ensure that the virus definitions are up-to-date.
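MD5 and SHA1, named in the backup clauses above, are hash (digest) algorithms: a digest lets a restore test detect a changed or missing backup file, but it does not keep the contents secret, which needs a cipher. The following added example (not part of the standard) shows the integrity half of a routine backup test; SHA-256, the HMAC key and all function names are assumptions of this example.

```python
import hashlib
import hmac
import json
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large backup archives are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir, key):
    """Record one digest per file and seal the record with an HMAC under `key`."""
    root = Path(backup_dir)
    digests = {p.relative_to(root).as_posix(): file_digest(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests,
            "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_backup(backup_dir, manifest, key):
    """Return a list of findings; an empty list means the backup set is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest altered or wrong key"]
    root = Path(backup_dir)
    findings = []
    for name, digest in manifest["files"].items():
        target = root / name
        if not target.is_file():
            findings.append("missing: " + name)
        elif file_digest(target) != digest:
            findings.append("modified: " + name)
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    findings += ["unexpected: " + n
                 for n in sorted(present - set(manifest["files"]))]
    return findings
```

The manifest is stored apart from the backup media, and the key apart from both, so that whoever can alter a backup cannot also re-seal the manifest.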


05.02.22. Institutions shall take necessary steps to ensure the security of information in transit, through cryptographic encryption.

05.02.23. Data authenticity must be ensured by the use of digital signatures.

05.02.24. Information systems security audit must be performed once in three months internally and once in six months by a third party.

Access control

05.02.25. Institutions shall define and clearly document role based access control profiles.

05.02.26. Institutions shall make sure that all the eHealth systems and networks in the organization follow the same access control and information classification policies.

05.02.27. Institutions shall determine that access control complies with the confidentiality policies of the organization.

05.02.28. Institutions shall ensure appropriate use of system administration privileges to protect against major security breaches.

05.02.29. Institutions shall ensure proper use and maintenance of passwords by the health workers.
I. Passwords should never be written down anywhere others have access or saved in computers
II. Passwords shall never be shared or disclosed to others
III. It is advisable to use an easy to remember password

05.02.30. Institutions shall encourage users to use strong passwords. A strong password,
I. should be at least eight characters in length
II. should have more than one word connected with one or more digits or special characters
III. should not contain any familiar numbers, names, or words
IV. should have a short life

05.02.31. Institutions shall have a clear and acceptable password retrieval procedure.
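The strong-password rules above can be enforced when a password is set and again when it is reviewed. The following is an added example, not part of the standard; the 90-day maximum age and the caller-supplied list of familiar terms are assumptions, since the page gives neither, and the function name is hypothetical.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8                   # rule I
MAX_AGE = timedelta(days=90)     # assumed figure for rule IV, "a short life"

# Rule II: two or more alphabetic words joined by digits or special characters.
WORDS_JOINED = re.compile(r"[A-Za-z]{2,}(?:[^A-Za-z\s]+[A-Za-z]{2,})+")

def check_password(password, familiar_terms, last_changed, today):
    """Return the rules the password breaks; an empty list means it complies.

    familiar_terms: names, numbers or words tied to the user or institution
    (rule III), supplied by the caller.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if not WORDS_JOINED.search(password):
        problems.append(
            "not several words joined by digits or special characters")
    lowered = password.lower()
    hits = sorted(t for t in familiar_terms if t and t.lower() in lowered)
    if hits:
        problems.append("contains familiar term: " + ", ".join(hits))
    if today - last_changed > MAX_AGE:
        problems.append("older than the maximum password age")
    return problems

if __name__ == "__main__":
    # Constructed sample values.
    familiar = {"nimal", "1985", "polgahawela"}
    for candidate in ("river7!lantern", "nimal1985"):
        print(candidate, check_password(
            candidate, familiar, date(2011, 8, 1), date(2011, 9, 1)))
```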


Information Security Incident Management

05.02.32. Institutions shall ensure that information security events and weaknesses are reported to the relevant authority in a timely manner.

5.3. Ethics
05.03.1. eHealth systems handling personally identifiable data of patients, clients or general public for research purposes (this does not include data on staff in administrative or finance systems) should get ethical approval from an accepted ethics review committee coming under the Forum for Ethics Review Committees in Sri Lanka (FERCSL).


Section 6. Data Interoperability standards


6.1 Personal Data
06.01.1. Healthcare Identification Number (HIN)
Label | Description
Name | HIN (Healthcare Identifier Number)
Definition | A personal identifier number for the healthcare recipients.
Format | Numerical, III-YYYY-DDD-XX XX (III: Institute Code [where the number was first issued]; YYYY: the year in which the number was issued; DDD: day of the year in which the number was issued; XX XX: Serial Number)
Validation | Cannot be blank
Examples | 123-2009-245-3456
Default |
Comments |

06.03.1.

This number will be issued to the patient upon his first contact with the Sri Lankan health system and may be continued during his/her whole life. If the number is lost, past records can be retrieved using an intelligence system, which will use the other relevant data to search for this purpose. The number will not contain any personal details of the person and therefore it cannot be queried using his personal details. The record can be retrieved using the HIN with ease.

06.01.2.

06.01.3.

06.01.4. Personal Title
Label | Description
Name | Personal_Title
Definition | Title used by the person
Format | Character String
Validation | Can be blank
Examples | Baby, Mr. Master, Ms. Thero, Rev Baby of, Dr, Prof.
Default |
Comments |


06.01.5. Full Name
Label | Description
Name | Full_Name
Definition | What patient says as his full name. In a situation where the patient cannot mention his/her name it would be Unknown until known
Format | No restriction on length
Validation | Can only have alphabetical characters and dot/period. Can be blank.
Examples | Abeykoon Mudiyansselage Nilmini Kaphena Arachige Chaminda Sylva Joseph Fernando Armugam Ambalavanar
Default | -
Comments |

06.01.6. Gender
Label | Description
Name | Gender
Definition | Gender or Sex of a Person
Format | 1 alphabetical character.
Validation | Cannot be blank. Max length is 1.
Examples | M - Male; F - Female; O - Other / Unidentified
Default |
Comments |

06.01.7. Personal Civil Status
Label | Description
Name | Personal_Civil_Status
Definition | Civil status of a person
Format | Character string
Validation | Can be blank
Examples | Single, Married, Widowed, Divorced, Separated, Other
Default |
Comments |


06.01.8. Ethnicity
Label | Description
Name | Ethnicity
Definition | Ethnicity of a person
Format | 2 alphabetical characters.
Validation | Can be blank. Max length is 2.
Examples | SI - Sinhala; ST - Sri Lankan Tamil; TI - Tamils of Indian Origin; SM - Sri Lankan Moor; BU - Burgher; MA - Malay; WA - Wadda; OT - Other
Default |
Comments |

06.01.9. Citizenship
Label | Description
Name | Citizenship
Definition | Citizenship of the person
Format | 2 Character string
Validation | Can be blank. Max length is 2.
Examples | LK - Sri Lankan; NL - Non Sri Lankan
Default |
Comments |

06.01.10. Personal Date of Birth
Label | Description
Name | Personal_Date_of_Birth
Definition | Date of birth of a person as registered with the RGD
Format | Date in ISO date format (ISO 8601) YYYY-MM-DD
Validation | Must be in ISO format
Examples | 2005-06-05
Default |
Comments |


06.01.11. Personal Date of Death
Label | Description
Name | Personal_Date_of_Death
Definition | Date of death of a person as registered with the RGD
Format | Date in ISO date format (ISO 8601) YYYY-MM-DD
Validation | Must be in ISO format
Examples | 2005-06-05
Default |
Comments |

06.01.12. Address
Data Element | Data Type | Remarks | Sample Information
Personal_Address_Line_1 | Character String | |
Personal_Address_Line_2 | Character String | Optional |
Personal_Delivery_Post_Office | Character String | |
Personal_Address_Postal_Code | Character String | |
Personal_Address_Country | Character String | Default Sri Lanka |

06.01.13. Contact Details
Data Element | Data Type | Remarks | Sample Information
Personal_Land_Phone_1 | Character String | Preferred | +94-112-843236
Personal_Land_Phone_2 | Character String | Alternate | +94-112-865289
Personal_Mobile_Phone | Character String | | +94-714-486246
Personal_email_1 | Character String | Preferred | abc@pqr.com
Personal_email_2 | Character String | Alternate | dbf@mlp.lk
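The format and validation rows defined in Section 6.1 for HIN, Full_Name, Gender, Ethnicity, Citizenship and the two dates translate directly into checks applied when a record enters a system. The following is an added example, not part of the standard; it assumes a four-digit serial written with or without the space shown in the format, allows spaces in names because the page's examples contain them, and skips blank dates. All function names are hypothetical.

```python
import re
from datetime import date, timedelta

HIN_RE = re.compile(r"(\d{3})-(\d{4})-(\d{3})-(\d{2}) ?(\d{2})")
NAME_RE = re.compile(r"[A-Za-z. ]*")       # letters, dot, and (assumed) spaces
ISO_DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")
CODES = {                                   # element -> (allowed codes, may be blank)
    "Gender": ({"M", "F", "O"}, False),
    "Ethnicity": ({"SI", "ST", "TI", "SM", "BU", "MA", "WA", "OT"}, True),
    "Citizenship": ({"LK", "NL"}, True),
}

def parse_hin(value):
    """Split a HIN into institute code, issue date and serial; ValueError if malformed."""
    m = HIN_RE.fullmatch(value or "")
    if not m:
        raise ValueError("expected III-YYYY-DDD-XXXX")
    institute, year, day, s1, s2 = m.groups()
    year, day = int(year), int(day)
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days   # 365 or 366
    if not 1 <= day <= days_in_year:
        raise ValueError("day %03d does not exist in %d" % (day, year))
    return {"institute": institute,
            "issued": date(year, 1, 1) + timedelta(days=day - 1),
            "serial": s1 + s2}

def parse_iso_date(value):
    """Accept only YYYY-MM-DD that is also a real calendar date."""
    m = ISO_DATE_RE.fullmatch(value)
    if not m:
        raise ValueError("expected YYYY-MM-DD")
    return date(*map(int, m.groups()))      # ValueError for e.g. 2005-02-30

def validate_person(rec):
    """Return {element name: problem}; an empty dict means the record passed."""
    errors = {}
    try:
        parse_hin(rec.get("HIN"))
    except ValueError as exc:
        errors["HIN"] = str(exc)
    if not NAME_RE.fullmatch(rec.get("Full_Name", "")):
        errors["Full_Name"] = "only alphabetical characters and dot allowed"
    for element, (allowed, may_be_blank) in CODES.items():
        value = rec.get(element, "")
        if not (value in allowed or (value == "" and may_be_blank)):
            errors[element] = "not a listed code"
    for element in ("Personal_Date_of_Birth", "Personal_Date_of_Death"):
        value = rec.get(element, "")
        if value:                           # blank dates are skipped (assumption)
            try:
                parse_iso_date(value)
            except ValueError as exc:
                errors[element] = str(exc)
    return errors
```

Rejecting a day-of-year that does not exist and a date such as 2005-02-30 catches values that match the pattern but cannot be real, which a length or pattern check alone lets through.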


6.2 Data Interchange/Messaging Standards


06.02.1. It is recommended to adopt Version 3.0 of the Health Level Seven standard (HL7, version 3.0) by Health Level Seven International as the data exchange standard in the healthcare domain.

06.02.2. For transferring images between software programs in the medical domain, the DICOM (Digital Imaging and Communications in Medicine) standard by the National Electrical Manufacturers Association, USA shall be used.

6.3 Standardized Clinical Vocabulary


06.03.1. For the purpose of recording clinical data, SNOMED CT (Systematized Nomenclature of Medicine Clinical Terms) by the International Health Terminology Standards Development Organisation (IHTSDO) shall be used.

06.03.2. For the purpose of statistical reporting of health related data, ICD 10 (International Classification of Diseases) by WHO shall be used.

06.03.3. Applications that record data in SNOMED CT should be able to cross map their data into ICD 10 for the purpose of reporting.

06.03.4. A committee should be appointed to make a suitable medical ontology for the National Languages, which would in turn ensure uniformity of terminology and facilitate the translation process.

06.03.5. All of the above mentioned standards must be freely available for the vendors who will be developing eHealth solutions. If a given standard is not open and freely available, suitable arrangements are to be made to make it available for the use of vendors.

This document is prepared in the English language. It will be translated into the Sinhala and Tamil languages. In case of a discrepancy, the English language version will prevail.


List of Related Official Documents


This is a list of legislation, regulations, policy documents and guideline documents of Sri Lanka relevant to e-Health.

Health Sector related

Medical Ordinance
National Health Policy
Health Master plan 2007-2016
Municipal Councils Ordinance

IT related

Information And Communication Technology Act, No. 27 of 2003
Information And Communication Technology (Amendment) Act, No. 33 of 2008
Electronic Transactions Act, No. 19 of 2006
Policy and Procedures for ICT Usage in Government (e-Government Policy)
Minute of the Sri Lanka information and communication technology service (SLICTS) (Extraordinary gazette no. 1631/20 9th December 2009)
Public Administration Circular 04/2011
Lanka Interoperability Framework (LIFe)

General, but relevant to e-Health

National Archives Act, No 48 of 1973
Intellectual Property Act, No. 36 of 2003
Companies Act, No. 07 of 2007
Financial Regulations of the Government of the Democratic Socialist Republic of Sri Lanka 1992
Guidelines for procurement of pharmaceuticals & medical devices 2006 (National Procurement Agency)
