With the publication of the NTA 7516 on May 15, 2019, a field standard has been created for sending personal health information by email. Healthcare providers will have to take measures to comply with this standard.
As a supplier of secure email and initiator for the NTA 7516, we have worked hard for this standard at the Ministry of Health, Welfare and Sport and the “Information Council for Care” for the past two years and are proud that the NTA is now available. SecuMailer has made the necessary technical changes to provide secure emailing according to the NTA 7516 standard.
For whom is the NTA 7516 relevant?
Every professional who wants to send personal health information by e-mail must use an NTA 7516-safe email product such as SecuMailer and also meet the requirements of NTA 7516. Firstly, these are healthcare organisations, but also municipalities , health and safety services and emergency rooms. In addition, the security measures that the NTA 7516 regulates are also very suitable for other confidential (LoA level 3) information that, for example, is subject to professional discretion, such as lawyers, financial service providers and insurers.
What does the NTA 7516 regulate?
- Secure email between healthcare professionals
- Secure email with patients and carers
- 2 Factor Authentication (2FA) sender and recipient
- Differences between consultation room and waiting room information
- Encrypted connection requirements
- The importance of ease of use, managed interoperability
- In effect since May 2019
- Healthcare provider must use an NTA 7516 compliant product
Which laws are related to the NTA 7516?
- GDPR – Regulates privacy: medical data are special personal data
- WGBO – Establishes professional secrecy: healthcare professional must establish identity
- NTA 7516 – Secure email in healthcare: mandatory use of a secure email product
- WvGGZ – Mandatory mental health care: secure and fast communication required between municipalities and emergency services and GGZ
What is 2 factor authentication?
A login method where you use something you know, something you have or something you are and then combine two of these three properties. For example, a message on your phone with a login code. The two factors are then: something you have: your phone number; and something you know: the login code.
Because the personal health information cannot be read by just anyone, it is important that both the sender and the recipient are really who they are. To determine this, it is not enough to use a personal email address. Additional measures must be taken to establish identity.
For healthcare professionals, identifying who they are is easiest when they first log into their workplace during their shift. As a result, there is no need for extra security on the e-mail message, but this is done at the workplace.
How does SecuMailer arrange the 2FA?
SecuMailer does this by having the sender (our customer) log in to his workplace with extra measures and by sending the recipient a message on his telephone, after which the e-mail is delivered to the inbox.
If the recipient is an NTA 7516 healthcare professional, the recipient also logs in with 2FA at his workplace and receives the email.
What is Interoperability?
There are several providers of NTA 7516 secure email services. Agreements have been made between these different providers so that messages can be delivered securely without additional hassle for the healthcare provider. In practice, this means that you only need SecuMailer to be able to receive and deliver from the other providers free of charge and without additional login procedures. Every healthcare professional therefore only has to choose a provider and the providers take care of the settlement behind the scenes.
An important condition here is that the healthcare professional himself has taken sufficient measures to comply with NTA 7516.
What measures must the healthcare professional then take to set up the NTA 7516?
To make the organization NTA 7516 compliant, organizational measures and technical measures are required. The main ones are:
- Include information security policy for secure e-mail in the quality system
- 2FA at confidential or high level in the workplace
- Draw up rules regarding replacement in the event of absence and functional e-mailboxes
- Share secure email information with patients / clients
- Management of specific measures
- Prepare a self-declaration for NTA 7516 and change the DNS
- Take out a subscription with SecuMailer (or another provider of NTA 7516 secure email).
What happens when your organization connects to SecuMailer?
SecuMailer connects with a mail relay on the mail server of the customer and therefore has no negative impact on the customer’s client environment. This has the following advantages:
- No additional management is required.
- Users don’t need any adjustments, they just keep emailing like they already do.
- All emails are always sent encrypted, employees do not have to do anything.
- Secure recipients will simply receive the email in their inbox after the 2FA.
- All requirements of the forum standardisation have been fully fulfilled.
Is every system suitable for NTA 7516?
SecuMailer can be used by all applications and on all devices, also in collaboration with back office systems.
Is SecuMailer also ready for the WvGGZ?
Yes, SecuMailer has an active link with Khonraad. All municipalities and GGZ institutions that use SecuMailer are ready for the WvGGZ.
Bonus question: Is SecuMailer suitable for my organisation?
SecuMailer is suitable for professional organisations that like to email securely with the confidential data of their patients. The user-friendliness of SecuMailer is the best in the market because it does not use portals or plug-ins. If you want to experience this yourself, request a test connection today.