NTA 7516 is a data protection standard introduced in May 2019 as a way of protecting all forms of healthcare data in the Netherlands. The legislation impacts any organization which handles personal healthcare data, including healthcare providers, insurers, municipalities, occupational health services - the list goes on.
NTA 7516 clarifies what is necessary with regard to the mailing of personal health information to ensure that a number of GDPR requirements are met. The standard ensures that sensitive data is handled securely by prescribing that organizations must work with a communication service provider who is NTA 7516 certified.
Is the NTA 7516 relevant to you?
If you handle personal health information by email, you must use an NTA 7516 certified email product to ensure compliance. So, not only healthcare organizations (such as general practitioners, hospitals, surgeries etc) but educational establishments, municipalities, and financial services providers are impacted by NTA 7516, too.
Related data protection laws
GDPR – Guidance around the safe use of email platforms according to the General Data Protection Regulation (GDPR) is clarified by the NTA 7516 as the legislation establishes specific functionality requirements for the secure handling of data
WGBO – The NTA 7516 requires professionals who handle healthcare information to authenticate recipient identities
WvGGZ – In the The Compulsory Mental Health Care Act (WvGGZ) fact sheet, the VNG explains the impact of the WvGGZ on municipalities; NTA 7516 is explicitly mentioned a number of times as a requirement as a basis for secure exchange of information in the WvGGZ chain
What does NTA 7516 require?
As with all data protection standards, there are three primary elements of the NTA 7516: integrity, availability, and confidentiality.
Availability: The NTA 7516 requires that an organization’s communications software must be available 99.8% of the time and, in the event of a service outage, the outage must last no longer than 24 hours. If data is lost, the organization must be informed within 24 hours.
Integrity: Multi factor authentication (2FA/MFA) must be utilized to ensure only the intended recipient accesses data. This also means that the content of a communication must not be amended once it has been sent to the recipient. If the content of the message changes, the sender and receiver must both be informed. In addition, the sender must be stated in every communication (for example, if the message was sent by an authorized representative or secretary).
Confidentiality: The communication must only be accessible to the sender and recipient. Access to the messages may only be granted via multi-factor authentication.
In addition to these three pillars, NTA 7516 also places great emphasis on the ease of use of communications software. NTA 7516 certified platforms must provide a user-friendly experience for both the sender and recipient of sensitive healthcare data.
It must be clear to the recipient that the software used to share data is NTA 7516 compliant; they must also be able to securely engage with the communication (i.e. save the information in their preferred location, reply to or forward the information on), without having to create an account with the platform.
Interoperability and NTA 7516
Certificated NTA 7516 providers must be interoperable. This means that the receiving party is unaffected if the sending party has made a different choice. For example, just like you don't know whether a caller’s provider is KPN, T-mobile, or Vodafone, an organization’s preferred communications provider will function seamlessly with an alternative provider.
Are you NTA 7516 compliant?
Zivver was a driving force behind NTA 7516 and is an approved provider; Zivver users can operate with confidence knowing their digital communications are protected, and compliance with evolving data protection laws is assured.
To learn more about compliance and the NTA 7516, as well as how we can support your organization in meeting legislative requirements, download our NTA 7516 checklist.